Bugtraq mailing list archives

Re: Redir games with ARP and ICMP


From: jgoerzen () SOUTHWIND NET (John Goerzen)
Date: Mon, 22 Sep 1997 09:32:44 -0500


Having anticipated such a problem already (in our environment, there are
many lab machines which have NFS access to user disks on a server.  These
machines may even be turned OFF which makes it easy for a spoofer to get
in.), I wrote a short Perl script designed to be run from the system
startup file.  Basically, it "primes" the ARP cache on Linux with the
IP and MAC addresses of known machines, setting a flag so that they are
never removed from the cache and can never be changed.

The config file format is simple -- IP address followed by MAC address,
separated by whitespace.  Pound at the beginning of a line indicates
comment.

This has only been tested on Linux -- people on other platforms may need
to adjust the parameters to arp in the system call.

It is a quick 'n' dirty program, but works -- maybe it will be useful to
somebody out there, too.

Note: you want to make sure that it is run after your network interface is
brought up but before any servers or clients are started; otherwise,
somebody may be able to sneak in a connection before the ARP tables are
"locked".

Here's the script:

#!/usr/bin/perl
# by John Goerzen <jgoerzen () cs twsu edu>
# Program: forcehwaddr
# Program to run ARP to force certain tables.

# Specify filenames to read from on command line, or read from stdin.

use strict;
use warnings;

foreach (<>) {                  # For each input line....
  chomp;                        # Strip the trailing newline.
  if (/^\s*#/) { next; }        # If it's a comment, skip it.

  # The regex parses the input line as follows:
  #   Ignore leading whitespace.                        (^\s*)
  #   Capture the host into $host.                      ((\S+))
  #   Skip over the whitespace after that.              (\s+)
  #   Capture the hardware address into $hw.            ((\S+))
  #   Allow optional trailing whitespace, then end.     (\s*$)
  # If both captures succeed, the line is used; otherwise we skip
  # the line (assuming it is blank or invalid or something).
  my ($host, $hw) = /^\s*(\S+)\s+(\S+)\s*$/;
  if (defined $host && defined $hw) {
    # Run the appropriate command.  The list form of system() executes
    # arp directly, so the config fields are never handed to a shell.
    printf("Setting IP %-15s to hardware address %s\n", $host, $hw);
    system("/usr/sbin/arp", "-s", $host, $hw) == 0
      or warn "arp -s $host $hw failed, exit status " . ($? >> 8) . "\n";
  }
}


--
John Goerzen
Southwind Internet Access, Inc. Technical Support
Business e-mail: jgoerzen () southwind net

Personal e-mail: jgoerzen () complete org
Wichita State University e-mail: jgoerzen () cs twsu edu
Developer, Debian GNU/Linux    <http://www.debian.org>
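The script above only loads the table; it does not tell you afterwards whether the entries are still there and still locked. The following is an added example (not part of the original post) that reads the same config format and compares it against a Linux `/proc/net/arp` snapshot, reporting entries that are missing, carry a different hardware address, or lack the permanent flag. The config and `/proc/net/arp` contents are constructed samples.

```python
import re

# Constructed config in the post's format: IP, whitespace, MAC; '#' starts a comment.
SAMPLE_CONFIG = """\
10.1.2.10   00:60:08:aa:bb:cc
10.1.2.11   00:60:08:aa:bb:cd
10.1.2.1    00:00:0c:11:22:33   # router
"""
# Constructed /proc/net/arp snapshot: .11 has a different MAC; .1 is cached (0x2) but not locked.
SAMPLE_PROC_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.1.2.10        0x1         0x6         00:60:08:aa:bb:cc     *        eth0
10.1.2.11        0x1         0x6         00:0c:29:de:ad:ef     *        eth0
10.1.2.1         0x1         0x2         00:00:0c:11:22:33     *        eth0
"""
ATF_PERM = 0x4                                   # permanent-entry flag from <net/if_arp.h>
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")

def parse_config(text):
    """Return {ip: mac}; raise on lines that are not exactly 'IP MAC'."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2 or not MAC_RE.match(fields[1].lower()):
            raise ValueError("bad config line: %r" % raw)
        table[fields[0]] = fields[1].lower()
    return table

def parse_proc_arp(text):
    """Return {ip: (mac, flags)} from the text of /proc/net/arp."""
    entries = {}
    for line in text.splitlines()[1:]:           # first line is the column header
        ip, _hwtype, flags, mac = line.split()[:4]
        entries[ip] = (mac.lower(), int(flags, 16))
    return entries

def audit(expected, cache):
    """Report each listed IP that is missing, has a different MAC, or is not locked."""
    problems = []
    for ip, mac in sorted(expected.items()):
        if ip not in cache:
            problems.append((ip, "missing"))
        elif cache[ip][0] != mac:
            problems.append((ip, "mac mismatch: cache has %s" % cache[ip][0]))
        elif not cache[ip][1] & ATF_PERM:
            problems.append((ip, "not permanent"))
    return problems
```

On a real host, replace the two samples with the contents of the config file and `/proc/net/arp`; a non-empty result from `audit()` is the condition to alarm on.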


