Bugtraq mailing list archives

Re: FreeBSD arp poison patch


From: Ryota Hirose <hirose () comm yamaha co jp>
Date: Thu, 04 Dec 2003 10:32:02 +0900 (JST)

From: <bert_raccoon () freemail ru>
Date: 3 Dec 2003 13:43:30 -0000

Attached is a patch to check the old MAC address before changing an
arp entry, by sending a unicast arp request to this MAC. If the old MAC
replies, no changes to the arp table are made and the attack is logged.

I feel this patch may be harmful when two hosts are misconfigured so
that they have the same IP address.

Host X is a patched FreeBSD, and hosts Y and Z have the same IP address.
At first, only X and Y are connected to the LAN, so X's arp entry is
recorded as Y having the IP address.  When Z is connected to the LAN, it
sends an arp reply to the LAN.  X receives it, and broadcasts an arp
request to the LAN (according to the above explanation, the checking arp
request will be sent as unicast, but actually it will be sent as
broadcast by this patch).  Y and Z receive the broadcast arp request,
and each sends an arp reply.

If Z's reply reaches X first, it will be accepted as a valid one, and X
records Z as having the IP address.  Later, Y's reply will be treated as
a poisoned one, and X will send a checking arp request.  This may become
an infinite loop of arp request/reply.

If Y's reply reaches X first, X marks Y's entry as static, and
neglects Z's reply.  The loop will not occur.  But if the network
administrator changes Y's IP address to fix the system, X and Z cannot
communicate until Y's static entry in X is deleted manually.

Regards,

Ryota Hirose

