Date:      Sun, 14 Jul 2002 23:00:43 -0400
From:      Barney Wolff <barney@tp.databus.com>
To:        Lars Eggert <larse@ISI.EDU>
Cc:        net@FreeBSD.ORG, Joe Touch <touch@ISI.EDU>, Yu-Shun Wang <yushunwa@ISI.EDU>
Subject:   Re: Denial-of-service through ARP snooping
Message-ID:  <20020715030043.GA57525@tp.databus.com>
In-Reply-To: <3D3305D1.5050103@isi.edu>
References:  <3D3305D1.5050103@isi.edu>

I don't see that the risk is diminished by much.  A hostile host
will see any ARP requests, since they're sent to the broadcast addr,
and can try to beat the real node's response - it probably has a
faster cpu than the router.  Besides, there are loads of
ways to wreak havoc on your local subnet, including sending
64-byte frames at wirespeed to the broadcast address.  It doesn't
seem worthwhile to start closing holes unless there's a real chance
to close all or nearly all, which I doubt.

I recall seeing a syslog when the MAC address for an ARP table entry
changes, so at least there's some evidence.

A clever attacker who can fudge your ARP table can do better than DoS;
he can forward the packets onward while snooping or playing MitM.
So a hostile node on your subnet is a real disaster.

On Mon, Jul 15, 2002 at 10:26:41AM -0700, Lars Eggert wrote:
> Hi,
> 
> we've just stumbled over an interesting denial-of-service case at IETF. 
> I was playing with a custom startup script to auto-configure local 
> interfaces, part of which sent out an ARP request "borrowing" the IP 
> address of the gateway as source address (e.g. "who-has X tell X").
> 
> It seems that most/all BSDs do ARP snooping, and will happily add the 
> apparent "new" MAC address of the gateway to their ARP table, possibly 
> flushing the existing one of the default gateway. This of course causes 
> everybody's packets to fall on the floor until the fake ARP entry times 
> out. (RFC826 seems to imply that snooping is allowed, the "packet 
> reception" section doesn't seem to limit *how* packets are received.)
> 
> Maybe ARP entries should only be updated when replies are received in 
> response to locally originated requests? Initial latency might be a bit 
> higher, since the ARP table won't be pre-loaded, but it will add some 
> protection against this particular DOS attack.
> 
> Lars
> -- 
> Lars Eggert <larse@isi.edu>           USC Information Sciences Institute

-- 
Barney Wolff
I never met a computer I didn't like.
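The two behaviours the thread contrasts, written out as an added example (this is not FreeBSD kernel code and not code from either poster): an ARP cache that follows the RFC 826 merge rule, refreshing an existing entry from any ARP packet whose sender address matches it, beside one that only accepts a mapping in a reply to a request this host sent. The `run_scenario` function replays the "who-has X tell X" packet from the thread against each policy, and the `log` list stands in for the syslog line Barney recalls when an entry's MAC changes. All addresses and the class and function names are constructed for the example.

```python
"""Toy model of an ARP cache: RFC 826-style snooping (update an existing entry
from any ARP packet seen) versus a solicited-only policy that accepts a new
MAC only in a reply to a request this host sent.  Constructed example; it is
not BSD kernel code and all addresses below are made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

REQUEST, REPLY = "request", "reply"


@dataclass
class ArpPacket:
    op: str          # REQUEST or REPLY
    sender_ip: str   # ar$spa
    sender_mac: str  # ar$sha
    target_ip: str   # ar$tpa


@dataclass
class ArpCache:
    my_ip: str
    my_mac: str
    snoop: bool                                     # True: RFC 826 merge behaviour
    table: Dict[str, str] = field(default_factory=dict)
    pending: Set[str] = field(default_factory=set)  # IPs with an outstanding request from us
    log: List[str] = field(default_factory=list)    # stands in for the "MAC changed" syslog

    def resolve(self, ip: str) -> ArpPacket:
        """Send who-has <ip> and remember that we asked, so the reply counts as solicited."""
        self.pending.add(ip)
        return ArpPacket(REQUEST, self.my_ip, self.my_mac, ip)

    def receive(self, pkt: ArpPacket) -> str:
        """Apply one received ARP packet to the table; return what happened."""
        solicited = (pkt.op == REPLY and pkt.target_ip == self.my_ip
                     and pkt.sender_ip in self.pending)
        known = pkt.sender_ip in self.table
        if solicited:
            self.pending.discard(pkt.sender_ip)
        elif self.snoop:
            # RFC 826 merge step: an existing entry is refreshed from *any* packet
            # whose sender address matches it; a new entry is only added when the
            # packet is addressed to us.
            if not known and pkt.target_ip != self.my_ip:
                return "ignored"
        else:
            return "ignored"   # solicited-only policy: unsolicited packets never touch the table
        old = self.table.get(pkt.sender_ip)
        self.table[pkt.sender_ip] = pkt.sender_mac
        if old is None:
            return "added"
        if old != pkt.sender_mac:
            self.log.append(f"arp: {pkt.sender_ip} moved from {old} to {pkt.sender_mac}")
            return "changed"
        return "unchanged"


def run_scenario(snoop: bool) -> dict:
    """Replay the thread's situation against one policy and report the outcome."""
    gw_ip, gw_mac = "192.0.2.1", "02:00:00:00:00:01"     # constructed gateway
    host = ArpCache(my_ip="192.0.2.50", my_mac="02:00:00:00:00:50", snoop=snoop)
    host.resolve(gw_ip)
    first = host.receive(ArpPacket(REPLY, gw_ip, gw_mac, host.my_ip))   # real gateway answers
    # The misconfigured startup script from the thread: a request that borrows the
    # gateway's IP as its sender address ("who-has X tell X") from another MAC.
    stray = ArpPacket(REQUEST, gw_ip, "02:00:00:00:00:99", gw_ip)
    second = host.receive(stray)
    return {"first": first, "second": second,
            "gateway_mac": host.table[gw_ip], "alerts": list(host.log)}


if __name__ == "__main__":
    for policy in (True, False):
        print("snoop" if policy else "solicited-only", run_scenario(policy))
```

With `snoop=True` the stray request overwrites the gateway entry and produces one "moved from" log line; with `snoop=False` it is ignored and the entry stays as the real reply set it. The model also shows the limit Barney points out: the solicited-only policy only closes the unsolicited-update path, and a host that answers a genuine request before the real node does still gets its mapping installed.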
