From owner-freebsd-net Sun Jul 14 20: 0:47 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0422437B401 for ; Sun, 14 Jul 2002 20:00:45 -0700 (PDT)
Received: from tp.databus.com (p72-186.acedsl.com [66.114.72.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2AA8943E58 for ; Sun, 14 Jul 2002 20:00:44 -0700 (PDT) (envelope-from barney@databus.com)
Received: from databus.com (localhost.databus.com [127.0.0.1]) by tp.databus.com (8.12.5/8.12.5) with ESMTP id g6F30hBM057768; Sun, 14 Jul 2002 23:00:43 -0400 (EDT) (envelope-from barney@databus.com)
Received: (from barney@localhost) by databus.com (8.12.5/8.12.5/Submit) id g6F30hoF057767; Sun, 14 Jul 2002 23:00:43 -0400 (EDT)
Date: Sun, 14 Jul 2002 23:00:43 -0400
From: Barney Wolff
To: Lars Eggert
Cc: net@FreeBSD.ORG, Joe Touch, Yu-Shun Wang
Subject: Re: Denial-of-service through ARP snooping
Message-ID: <20020715030043.GA57525@tp.databus.com>
References: <3D3305D1.5050103@isi.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3D3305D1.5050103@isi.edu>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I don't see that the risk is diminished by much. A hostile host will see any ARP requests, since they're sent to the broadcast addr, and can try to beat the real node's response - it probably has a faster cpu than the router. Besides, there are loads of ways to wreak havoc on your local subnet, including sending 64-byte frames at wirespeed to the broadcast address. It doesn't seem worthwhile to start closing holes unless there's a real chance to close all or nearly all, which I doubt. I recall seeing a syslog when the MAC address for an ARP table entry changes, so at least there's some evidence.
A clever attacker who can fudge your ARP table can do better than DoS; he can forward the packets onward while snooping or playing MitM. So a hostile node on your subnet is a real disaster.

On Mon, Jul 15, 2002 at 10:26:41AM -0700, Lars Eggert wrote:
> Hi,
>
> we've just stumbled over an interesting denial-of-service case at IETF.
> I was playing with a custom startup script to auto-configure local
> interfaces, part of which sent out an ARP request "borrowing" the IP
> address of the gateway as source address (e.g. "who-has X tell X").
>
> It seems that most/all BSDs do ARP snooping, and will happily add the
> apparent "new" MAC address of the gateway to their ARP table, possibly
> flushing the existing one of the default gateway. This of course causes
> everybody's packets to fall on the floor until the fake ARP entry times
> out. (RFC826 seems to imply that snooping is allowed, the "packet
> reception" section doesn't seem to limit *how* packets are received.)
>
> Maybe ARP entries should only be updated when replies are received in
> response to locally originated requests? Initial latency might be a bit
> higher, since the ARP table won't be pre-loaded, but it will add some
> protection against this particular DOS attack.
>
> Lars
> --
> Lars Eggert USC Information Sciences Institute

--
Barney Wolff
I never met a computer I didn't like.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
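The two cache-update rules discussed in the thread, the snooping behaviour Lars observed and the reply-only policy he proposes, modelled in Python as an added example that is not part of the original messages and not FreeBSD's own ARP code. Addresses and packets are constructed sample values, and the "moved from" log line imitates the syslog evidence Barney mentions.

```python
"""Model of two ARP cache update policies:
'snooping' learns from any ARP packet seen on the wire;
'strict' learns only from replies answering a request this host sent.
Illustrative code, not an operating-system implementation."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class ArpCache:
    policy: str                                # "snooping" or "strict"
    table: dict = field(default_factory=dict)  # ip -> mac
    pending: set = field(default_factory=set)  # ips this host has asked about
    log: list = field(default_factory=list)    # evidence, like the syslog line

    def send_request(self, ip):
        self.pending.add(ip)

    def receive(self, pkt):
        """Returns True if the packet changed or confirmed a table entry."""
        if self.policy == "strict":
            # Reply-only policy: ignore requests and unsolicited replies.
            if pkt.op != "reply" or pkt.sender_ip not in self.pending:
                return False
            self.pending.discard(pkt.sender_ip)
        old = self.table.get(pkt.sender_ip)
        if old is not None and old != pkt.sender_mac:
            self.log.append(f"arp: {pkt.sender_ip} moved from {old} to {pkt.sender_mac}")
        self.table[pkt.sender_ip] = pkt.sender_mac
        return True


# Constructed sample values (documentation MAC range, private IP range).
GATEWAY_IP, GATEWAY_MAC, OTHER_MAC = "10.0.0.1", "00:00:5e:00:53:01", "00:00:5e:00:53:ff"


def run_scenario(policy):
    """A normal request/reply for the gateway, then the 'who-has X tell X'
    request from the thread carrying a different hardware address for X."""
    cache = ArpCache(policy)
    cache.send_request(GATEWAY_IP)
    cache.receive(ArpPacket("reply", GATEWAY_IP, GATEWAY_MAC, "10.0.0.2"))
    cache.receive(ArpPacket("request", GATEWAY_IP, OTHER_MAC, GATEWAY_IP))
    return cache.table[GATEWAY_IP], cache.log
```

Under the snooping policy the gateway entry is overwritten and a "moved from" line is logged; under the strict policy the entry survives and nothing is logged because the request was never consulted.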