Bugtraq mailing list archives
Re: FreeBSD arp poison patch
From: Ryota Hirose <hirose () comm yamaha co jp>
Date: Thu, 04 Dec 2003 10:32:02 +0900 (JST)
> From: <bert_raccoon () freemail ru>
> Date: 3 Dec 2003 13:43:30 -0000
>
> Attached is a patch to check the old MAC address before changing an arp entry, by sending a unicast arp request to this MAC. If the old MAC replies, no changes to the arp table are made and the attack is logged.
I feel this patch may be harmful when two hosts are misconfigured so that they have the same IP address. Host X is a patched FreeBSD, and hosts Y and Z have the same IP address.

At first, only X and Y are connected to the LAN, so X's arp entry records that Y has the IP address. When Z is connected to the LAN, it sends an arp reply to the LAN. X receives it and broadcasts an arp request to the LAN (according to the above explanation, the checking arp request will be sent as unicast, but actually it will be sent as broadcast by this patch). Y and Z receive the broadcast arp request and each send an arp reply.

If Z's reply reaches X first, it will be accepted as a valid one, and X records that Z has the IP address. Later, Y's reply will be treated as a poisoned one, and X will send a checking arp request. This may be an infinite loop of arp request/reply.

If Y's reply reaches X first, X marks Y's entry as static and neglects Z's reply. The loop will not occur. But if the network administrator changes Y's IP address to fix the system, X and Z cannot communicate until the static Y entry in X is deleted manually.

Regards,
Ryota Hirose
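As an added illustration, not code from the thread or from the patch itself (the thread does not include the patch source), here is a toy Python model of the cache behaviour Hirose describes for the duplicate-IP case. Host X is the patched box, Y and Z share one address. The model assumes, following Hirose's reading rather than the patch, that a reply conflicting with the cached MAC triggers a broadcast check, that the first reply to that check decides the entry, and that a confirmed old owner makes the entry static and logs an attack. The address, MAC names and reply orderings are constructed; `PatchedHostX`, `duplicate_ip_scenario`, `stale_static_entry`, `y_first` and `alternating` are names chosen here, not anything from the patch.

```python
"""Toy model of the patched ARP cache as described in the thread.
Assumption (not the real FreeBSD patch): a conflicting reply triggers a
broadcast check; the first reply to the check decides the entry, and if it
comes from the old MAC the entry becomes static and an attack is logged."""
from collections import deque
from dataclasses import dataclass

IP = "192.0.2.10"            # constructed address shared by hosts Y and Z
MAC_Y, MAC_Z = "mac-Y", "mac-Z"   # constructed MAC names


@dataclass
class Entry:
    mac: str
    static: bool = False


class PatchedHostX:
    """ARP cache of the patched host X."""

    def __init__(self, lan, reply_order):
        self.lan = lan                  # mac -> ip each host on the LAN claims
        self.reply_order = reply_order  # reply_order(n): MACs in arrival order for check n
        self.table = {}                 # ip -> Entry
        self.pending = {}               # ip -> old mac while a check is outstanding
        self.queue = deque()            # (ip, mac) replies waiting to be processed by X
        self.checks_sent = 0
        self.attacks_logged = 0

    def _send_check(self, ip):
        """Broadcast check request; every host claiming ip answers, in the given order."""
        self.pending[ip] = self.table[ip].mac
        order = self.reply_order(self.checks_sent)
        self.checks_sent += 1
        self.queue.extend((ip, mac) for mac in order if self.lan.get(mac) == ip)

    def on_reply(self, ip, mac):
        entry = self.table.get(ip)
        if entry is None:
            self.table[ip] = Entry(mac)           # unknown ip: learn it
        elif ip in self.pending:
            old = self.pending.pop(ip)
            if mac == old:
                entry.static = True               # old owner still answers: new MAC is "poison"
                self.attacks_logged += 1
            else:
                self.table[ip] = Entry(mac)       # other host answered first: accept it
        elif not (entry.static or entry.mac == mac):
            self._send_check(ip)                  # conflicting MAC: verify before changing

    def run(self, max_steps=50):
        """Process queued replies; the step budget exposes a non-terminating exchange."""
        steps = 0
        while self.queue and steps < max_steps:
            self.on_reply(*self.queue.popleft())
            steps += 1
        return steps


def y_first(_n):
    return [MAC_Y, MAC_Z]                 # Y's reply always reaches X first


def alternating(n):
    return [MAC_Y, MAC_Z] if n % 2 else [MAC_Z, MAC_Y]   # winner flips each check


def duplicate_ip_scenario(reply_order):
    x = PatchedHostX({MAC_Y: IP, MAC_Z: IP}, reply_order)
    x.on_reply(IP, MAC_Y)                 # only Y is on the LAN at first
    x.queue.append((IP, MAC_Z))           # Z connects and announces the same IP
    x.run()
    return x


def stale_static_entry():
    """Y won the check, so X holds a static Y entry; the admin then renumbers Y."""
    x = duplicate_ip_scenario(y_first)
    x.lan[MAC_Y] = "192.0.2.11"           # Y moved to a new address
    x.queue.append((IP, MAC_Z))           # Z announces IP again
    x.run()
    before = x.table[IP].mac              # still Y: the static entry blocks the update
    del x.table[IP]                       # manual deletion of the static entry
    x.queue.append((IP, MAC_Z))
    x.run()
    return before, x.table[IP].mac


if __name__ == "__main__":
    print("Y first:", duplicate_ip_scenario(y_first).table)
    x = duplicate_ip_scenario(alternating)
    print("alternating: checks sent", x.checks_sent, "still queued", len(x.queue))
    print("after renumbering Y:", stale_static_entry())
```

With a fixed Y-first ordering the first check ends in a static Y entry and one logged "attack", and Z is ignored from then on, including after Y is renumbered, until the entry is deleted by hand. When the winner of each check alternates, the model keeps issuing checks and never settles within the step budget, which is the request/reply loop Hirose warns about.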
Current thread:
- FreeBSD arp poison patch bert_raccoon (Dec 03)
- Re: FreeBSD arp poison patch Ryota Hirose (Dec 04)