Re: RARP attack?

[adam () math tau ac il (Adam Morrison)]

> It looks as if someone broke into one of these other machines, then started
> sending out bogus RARP packets.  I had been experiencing a weird packet loss
> that I couldn't track down for the past few weeks, but today and yesterday
> several of our Suns were not reachable at all from the provider's Cisco.

Have you captured one of those packets?

> After a bit of noodling around, I cleared the ARP cache on their Cisco and
> things came back fine.  Replacing the cached entries for the boxes on our
> network with statics solidified the situation.
>
> The only question I have for the list is why someone would do this?  They hit
> some of our Suns, but not all of them, and none of our routers or terminal
> servers were affected.  I believe it wasn't a spoofing attack since the MAC
> addresses were bogus and didn't resolve to anything.  All I can think is that
> someone just wanted to bring us down, and nothing else.

Though ethernet-level spoofing isn't impossible, you're probably right.
But there is a problem with ARP.

You could redirect traffic between two hosts by stomping over an
existing ARP cache entry.  Just send an ARP request from your host,
with the sender IP address being that of the entry you want to override,
and the target host will start sending IP packets destined to that
host to your MAC address.


adam?