From: Erik Norgaard
Date: Fri, 29 Sep 2006 09:40:02 +0200
To: Robin Becker
Cc: freebsd-questions@freebsd.org
Subject: Re: IP address impersonation
Message-ID: <451CCDD2.6050800@locolomo.org>
In-Reply-To: <451C5270.1010404@jessikat.plus.net>

Robin Becker wrote:
> 1) is this a recognized form of attack? I can see that it could be used
> for password harvesting and traffic interception, but are there other
> implications.

ip spoofing is a well known attack.

> 2) Are there ways to mitigate this kind of problem? We have other hosted
> servers on machines with similar (root) access. They presumably could
> also be impersonated. We found this out by inspection of our own log
> files; could the provider be doing something more to prevent this?
All hosts and routers hold a local dynamic table of arp addresses and their corresponding ip addresses. Since the ip may change, these are held only for one minute and each node only keeps the addresses it actually communicates with. When some node needs to communicate with another node whose arp address it does not know, it sends out an arp request "WHO-HAS" to all nodes on the network. If two nodes use the same ip, they will both respond and it is somewhat random who "wins". But one can use an attack called "arp cache poisoning" to make a particular arp address appear.

There is a solution to this problem: static arp-tables. This requires that your provider adds the machines' arp addresses and their ip addresses in a static table in the router. Static by nature, these are not flushed, so the spoofing will fail. Only the nodes that maintain a static arp table will ignore the spoofing, so if you need to communicate with other hosts on the network, these also need to have the static table.

It is likely that your provider doesn't want to go to the trouble of maintaining a static table. To prove the problem to them you can use arpwatch to monitor changes and document the problem. You may also use arping to ping arp addresses; this may help you claim your ip - like the arp cache poisoning attack. This means that the other host will lose connection and maybe make the admin aware that there are problems.

But the real solution is to get to the administrator of the offending host and make him change the ip. Your provider should keep track of who has been assigned which ip. If someone else in error uses your ip, some other ip must be free and the provider should be able to identify who it is. Unfortunately, AFAIK there is no way of identifying which machine is offending from analysing the network traffic, but the arp address is normally printed on the network interfaces, so physical inspection will do it. Things get complicated, because it is possible to change the arp address.
This means that you can set your arp address to the same as the offending host. If you're connected by a hub or a wireless network, both will get traffic to both hosts and it really becomes a mess if both try to respond. If you're on a switched network no one knows who gets the packets. This arp spoofing is the ultimate way of hiding yourself behind someone else (or the other way round).

I once had ip's statically assigned on a network, but users couldn't figure out what these numbers were and every once in a while someone would use the router's ip as their own ip, taking down the entire network. That was when I learned about dhcp! (and all the arp spoofing stuff).

Note, ARP is the protocol; the network interface address is often called MAC.

Cheers, Erik
-- 
Ph: +34.666334818
web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9
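The two defensive measures Erik names, a static arp table and arpwatch-style monitoring, can be combined into one small watcher. The following is an added example written for this thread, not code from the list, from arpwatch, or from FreeBSD. It takes a sequence of (ip, mac) pairs as an arp reply sniffer would deliver them (the pairs below are constructed, using the 00:00:5e:00:53:xx documentation MAC range) and raises the same three kinds of events arpwatch reports ("new station", "changed ethernet address", "flip flop"), plus a "conflict" whenever an observed reply contradicts an entry the administrator has pinned, as one would with `arp -s` on FreeBSD. The `ArpMonitor` class, its method names and the sample data are all assumptions of this example.

```python
"""Minimal arpwatch-style monitor with a static (pinned) ip -> mac table.

Added example for the freebsd-questions thread on IP address impersonation;
not arpwatch's or FreeBSD's own code. Class and function names are made up here.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    # ip -> mac entries the admin has pinned (what a static arp table holds)
    static: dict
    # last mac seen answering for each ip (the dynamic cache we are watching)
    seen: dict = field(default_factory=dict)
    # every mac that has ever answered for an ip, to recognise flip flops
    history: dict = field(default_factory=lambda: defaultdict(list))

    def observe(self, ip: str, mac: str) -> list:
        """Record one arp reply and return the alerts it triggers (possibly none)."""
        mac = mac.lower()
        alerts = []
        # A reply that disagrees with a pinned entry is the spoofing/duplicate
        # case the thread describes; a static table would simply ignore it.
        if ip in self.static and self.static[ip] != mac:
            alerts.append(f"conflict: {ip} claimed by {mac}, static entry says {self.static[ip]}")
        prev = self.seen.get(ip)
        if prev is None:
            alerts.append(f"new station: {ip} is at {mac}")
        elif prev != mac:
            if mac in self.history[ip]:
                # the ip has bounced back to a mac we saw before: two hosts fighting
                alerts.append(f"flip flop: {ip} back to {mac} (was {prev})")
            else:
                alerts.append(f"changed ethernet address: {ip} {prev} -> {mac}")
        self.seen[ip] = mac
        if mac not in self.history[ip]:
            self.history[ip].append(mac)
        return alerts


def run_monitor(static: dict, observations: list) -> list:
    """Feed a whole capture through the monitor and collect all alerts in order."""
    mon = ArpMonitor(static=dict(static))
    alerts = []
    for ip, mac in observations:
        alerts.extend(mon.observe(ip, mac))
    return alerts


# Constructed sample: the router and our own host are pinned; a third box
# later answers for our ip, then our host answers again (the "mess" Erik describes).
STATIC_TABLE = {
    "192.168.7.1": "00:00:5e:00:53:01",
    "192.168.7.193": "00:00:5e:00:53:10",
}
OBSERVED_REPLIES = [
    ("192.168.7.1", "00:00:5e:00:53:01"),    # router, as pinned
    ("192.168.7.193", "00:00:5e:00:53:10"),  # our host, as pinned
    ("192.168.7.50", "00:00:5e:00:53:20"),   # unrelated host, first sighting
    ("192.168.7.193", "00:00:5e:00:53:99"),  # someone else claims our ip
    ("192.168.7.193", "00:00:5e:00:53:10"),  # our host wins the race again
]

if __name__ == "__main__":
    for line in run_monitor(STATIC_TABLE, OBSERVED_REPLIES):
        print(line)
```

The first three observations only produce "new station" lines, which is what a freshly started watcher should log for every host. The fourth produces both a "conflict" (the pinned entry disagrees) and a "changed ethernet address"; the fifth produces a "flip flop" because the ip has returned to a mac already in its history. Pointing this at a real capture, or simply keeping the conflict lines from it, gives the kind of documented evidence the thread suggests showing the provider.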