From owner-freebsd-security  Mon Apr 19 14:17:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phk.freebsd.dk (phk.freebsd.dk [212.242.40.153])
	by hub.freebsd.org (Postfix) with ESMTP id 1CB7D14D11
	for <security@FreeBSD.ORG>; Mon, 19 Apr 1999 14:17:23 -0700 (PDT)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.40.131])
	by phk.freebsd.dk (8.9.1/8.8.8) with ESMTP id XAA05984;
	Mon, 19 Apr 1999 23:14:56 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
Received: from critter.freebsd.dk (localhost [127.0.0.1])
	by critter.freebsd.dk (8.9.2/8.9.2) with ESMTP id XAA20358;
	Mon, 19 Apr 1999 23:14:50 +0200 (CEST)
	(envelope-from phk@critter.freebsd.dk)
To: Warner Losh <imp@harmony.village.org>
Cc: Rajit Manohar <rajit@csl.cornell.edu>, security@FreeBSD.ORG
Subject: Re: poink and freebsd 
In-reply-to: Your message of "Mon, 19 Apr 1999 14:54:56 MDT."
             <199904192054.OAA27522@harmony.village.org> 
Date: Mon, 19 Apr 1999 23:14:50 +0200
Message-ID: <20356.924556490@critter.freebsd.dk>
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199904192054.OAA27522@harmony.village.org>, Warner Losh writes:
>In message <199904191854.OAA02778@mozart.csl.cornell.edu> Rajit Manohar writes:
>: about a minute, everything returned to normal (AFAIK).  I'd guess that
>: a repeated-poink, or a poink of an nfs server would be a more serious
>: problem.
>
>Sounds like your typical "Let's claim to be someone else and confuse
>everybody" DOS that has been well know since at least the late 80's,
>if not before.  arp has no authentication in it, so short of hard
>wiring the arp cache on all your machines, I don't think there is much
>that can be done about this.

Actually there is.  Instead of bailing in this case, send the originator
an arp packet and ask if they're serious.  If the don't answer ignore
the entire event.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
FreeBSD -- It will take a long time before progress goes too far!


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message