Date: Sun, 14 Jul 2002 21:55:42 -0700 From: Joe Touch <touch@ISI.EDU> To: Lars Eggert <larse@ISI.EDU> Cc: net@freebsd.org, Yu-Shun Wang <yushunwa@ISI.EDU> Subject: Re: Denial-of-service through ARP snooping Message-ID: <3D3255CE.6000707@isi.edu> References: <3D3305D1.5050103@isi.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
PS - this is more than a DOS attack. It's also a misconfiguration DOS attack. Users who type the wrong address in will cause this. I.e., even on a friendly LAN, a single accident can pull the net down. Joe Lars Eggert wrote: > Hi, > > we've just stumbled over an interesting denial-of-service case at IETF. > I was playing with a custom startup script to auto-configure local > interfaces, part of which sent out an ARP request "borrowing" the IP > address of the gateway as source address (e.g. "who-has X tell X"). > > It seems that most/all BSDs do ARP snooping, and will happily add the > apparent "new" MAC address of the gateway to their ARP table, possibly > flushing the existing one of the default gateway. This of course causes > everybody's packets to fall on the floor until the fake ARP entry times > out. (RFC826 seems to imply that snooping is allowed, the "packet > reception" section doesn't seem to limit *how* packets are received.) > > Maybe ARP entries should only be updated when replies are received in > response to locally originated requests? Initial latency might be a bit > higher, since the ARP table won't be pre-loaded, but it will add some > protection against this particular DOS attack. > > Lars To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D3255CE.6000707>