Date: Mon, 15 Jul 2002 10:26:41 -0700
From: Lars Eggert <larse@ISI.EDU>
To: net@freebsd.org, Joe Touch <touch@ISI.EDU>, Yu-Shun Wang <yushunwa@ISI.EDU>
Subject: Denial-of-service through ARP snooping
Message-ID: <3D3305D1.5050103@isi.edu>
Hi,
we've just stumbled over an interesting denial-of-service case at IETF.
I was playing with a custom startup script to auto-configure local
interfaces, part of which sent out an ARP request "borrowing" the IP
address of the gateway as source address (e.g. "who-has X tell X").
It seems that most/all BSDs do ARP snooping, and will happily add the
apparent "new" MAC address of the gateway to their ARP table, possibly
flushing the existing one of the default gateway. This of course causes
everybody's packets to fall on the floor until the fake ARP entry times
out. (RFC 826 seems to imply that snooping is allowed, the "packet
reception" section doesn't seem to limit *how* packets are received.)
Maybe ARP entries should only be updated when replies are received in
response to locally originated requests? Initial latency might be a bit
higher, since the ARP table won't be pre-loaded, but it will add some
protection against this particular DoS attack.
Lars
--
Lars Eggert <larse@isi.edu> USC Information Sciences Institute
[-- Attachment #2: S/MIME cryptographic signature (Thawte Personal Freemail certificate for larse@isi.edu); binary content not shown --]
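The two cache behaviours the message contrasts, as an added example that is not part of the original e-mail or of any BSD source: a small Python model of an ARP cache that either follows the RFC 826 "merge on reception" step (learn the sender hardware address from any ARP packet seen, request or reply) or applies the reply-only policy proposed above (change an entry only when a reply arrives for a request this host originated). The host and gateway addresses, the attacker MAC and the packet sequence are all constructed for the demonstration; `ArpCache`, `ArpPacket` and `run_scenario` are names invented here.

```python
"""ARP cache model: RFC 826 snooping vs. reply-only updates (added example)."""
from dataclasses import dataclass, field

ZERO_MAC = "00:00:00:00:00:00"

# Constructed addresses (TEST-NET-1 and locally administered MACs).
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "192.0.2.10", "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:99"


@dataclass(frozen=True)
class ArpPacket:
    op: str                 # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = ZERO_MAC


@dataclass
class ArpCache:
    my_ip: str
    my_mac: str
    snoop: bool             # True: RFC 826 merge step, learn from any packet
    table: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)   # IPs we have asked for ourselves

    def lookup(self, ip):
        return self.table.get(ip)

    def resolve(self, ip):
        """Originate a request for ip; remember it so a later reply can be matched."""
        self.pending.add(ip)
        return ArpPacket("request", self.my_ip, self.my_mac, ip)

    def receive(self, pkt):
        """Process one ARP packet seen on the wire; return a reply to send, or None."""
        if self.snoop:
            # RFC 826 packet reception: if the sender protocol address is
            # already in the table, overwrite its hardware address, whatever
            # the opcode and whether or not we asked. This is the path that a
            # "who-has X tell X" request with a forged sender MAC abuses.
            if pkt.sender_ip in self.table:
                self.table[pkt.sender_ip] = pkt.sender_mac
            elif pkt.target_ip == self.my_ip:
                self.table[pkt.sender_ip] = pkt.sender_mac
        else:
            # Proposed policy: only a reply addressed to us, answering a request
            # we sent, may change the table. Requests never pre-load entries.
            if (pkt.op == "reply" and pkt.target_ip == self.my_ip
                    and pkt.sender_ip in self.pending):
                self.table[pkt.sender_ip] = pkt.sender_mac
                self.pending.discard(pkt.sender_ip)
        # Either way we still have to answer requests for our own address.
        if pkt.op == "request" and pkt.target_ip == self.my_ip:
            return ArpPacket("reply", self.my_ip, self.my_mac,
                             pkt.sender_ip, pkt.sender_mac)
        return None


def run_scenario(snoop):
    """Return the MAC the host holds for the gateway after the poisoning request."""
    host = ArpCache(HOST_IP, HOST_MAC, snoop)
    # 1. Legitimate resolution: host asks for the gateway, gateway replies.
    host.resolve(GW_IP)
    host.receive(ArpPacket("reply", GW_IP, GW_MAC, HOST_IP, HOST_MAC))
    assert host.lookup(GW_IP) == GW_MAC
    # 2. Attacker broadcasts "who-has 192.0.2.1 tell 192.0.2.1", i.e. a request
    #    borrowing the gateway's IP as sender, with the attacker's own MAC as
    #    the sender hardware address.
    host.receive(ArpPacket("request", GW_IP, ATTACKER_MAC, GW_IP))
    return host.lookup(GW_IP)


if __name__ == "__main__":
    print("snooping cache now maps the gateway to:", run_scenario(True))
    print("reply-only cache still maps the gateway to:", run_scenario(False))
```

With `snoop=True` the single forged request replaces the gateway entry, so until it ages out every packet the host sends off-link goes to the attacker's MAC (or nowhere); with the reply-only policy the request is ignored and the entry survives. Note what the policy does and does not close: it stops unsolicited updates from requests and gratuitous replies, but a forged reply that races the real gateway's reply while the host's own request is outstanding is still accepted, because nothing in the packet lets the receiver tell the two apart.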
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D3305D1.5050103>
