From: Joe Touch <touch@ISI.EDU>
Date: Sun, 14 Jul 2002 21:55:42 -0700
To: Lars Eggert
Cc: net@freebsd.org, Yu-Shun Wang
Subject: Re: Denial-of-service through ARP snooping

PS - this is more than a DOS attack. It's also a misconfiguration DOS attack. Users who type the wrong address in will cause this. I.e., even on a friendly LAN, a single accident can pull the net down.

Joe

Lars Eggert wrote:
> Hi,
>
> we've just stumbled over an interesting denial-of-service case at IETF.
> I was playing with a custom startup script to auto-configure local
> interfaces, part of which sent out an ARP request "borrowing" the IP
> address of the gateway as source address (e.g. "who-has X tell X").
>
> It seems that most/all BSDs do ARP snooping, and will happily add the
> apparent "new" MAC address of the gateway to their ARP table, possibly
> flushing the existing one of the default gateway. This of course causes
> everybody's packets to fall on the floor until the fake ARP entry times
> out. (RFC826 seems to imply that snooping is allowed; the "packet
> reception" section doesn't seem to limit *how* packets are received.)
>
> Maybe ARP entries should only be updated when replies are received in
> response to locally originated requests? Initial latency might be a bit
> higher, since the ARP table won't be pre-loaded, but it will add some
> protection against this particular DOS attack.
>
> Lars
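The two cache policies discussed above, snooping versus updating only on replies to locally originated requests, as an added Python simulation that is not part of the original thread or of any BSD implementation. The gateway address, the MAC addresses and the packets are constructed sample values; the ARP layout follows RFC 826 for Ethernet/IPv4.

```python
import struct
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpPacket:
    op: int
    sender_mac: bytes
    sender_ip: str
    target_ip: str

def parse_arp(payload: bytes) -> ArpPacket:
    """Parse a 28-byte Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    smac, sip, _tmac, tip = struct.unpack("!6s4s6s4s", payload[8:28])
    return ArpPacket(op, smac, ".".join(map(str, sip)), ".".join(map(str, tip)))

def build_arp(op: int, smac: bytes, sip: str, tip: str) -> bytes:
    """Constructed test packet; the target MAC field is left zeroed."""
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, smac, ip(sip), b"\0" * 6, ip(tip))

@dataclass
class ArpCache:
    strict: bool                                # False = learn from any ARP packet (snooping)
    table: dict = field(default_factory=dict)   # ip -> mac
    pending: set = field(default_factory=set)   # IPs this host has itself asked for
    def resolve(self, ip: str) -> None:
        self.pending.add(ip)                    # we just sent "who-has ip"
    def receive(self, pkt: ArpPacket) -> str:
        """Apply one ARP packet to the table and report what happened."""
        if self.strict and (pkt.op != ARP_REPLY or pkt.sender_ip not in self.pending):
            return "ignored"                    # unsolicited: never touches the table
        self.pending.discard(pkt.sender_ip)
        old = self.table.get(pkt.sender_ip)
        self.table[pkt.sender_ip] = pkt.sender_mac
        if old is None:
            return "learned"
        return "changed" if old != pkt.sender_mac else "refreshed"   # "changed" is worth alerting on

GATEWAY_IP = "192.0.2.1"                        # constructed sample values (RFC 5737 test range)
GATEWAY_MAC, OTHER_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")

def gateway_mac_after_misdirected_request(strict: bool) -> bytes:
    """Replay the thread's scenario: a "who-has GW tell GW" request arrives carrying another host's MAC."""
    cache = ArpCache(strict, {GATEWAY_IP: GATEWAY_MAC})
    cache.receive(parse_arp(build_arp(ARP_REQUEST, OTHER_MAC, GATEWAY_IP, GATEWAY_IP)))
    return cache.table[GATEWAY_IP]
```

With `strict=False` the single misdirected request replaces the gateway's MAC, which is the outage described in the thread; with `strict=True` it is ignored, at the cost that the entry is only learned once a locally sent request is answered.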