Full Disclosure mailing list archives
Re: Linux problem, steal of IP and traffinc redirection could bypass a firewall
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Sun, 07 Nov 2004 12:16:38 +0100
On Saturday 06 November 2004 at 21:35 +0100, NetExpress wrote:
> Because of this, if I have a gateway with IP IPA and set up a desktop/server on the LAN with the same IP IPA, when it starts it will be the new gateway for the whole network.
For this to work, you must assume the gateway's ARP entry (MAC/IP association) is not in the targeted system's ARP cache, which is a quite hazardous assumption, as a system is supposed to interact with it quite often. Moreover, even if it is not present, you will have an ARP answer race on this very IP (yours and the gateway's), which has to be solved in order to correctly achieve redirection.
> If Linux would send a gratuitous ARP when it gives up an IP, real or virtual, this problem would not be possible, because it could not bind an IP that is already present on the net.
I really don't see why. If I want to spoof an IP the way you exposed, the _very_ simple way is to filter that very gratuitous ARP, using ebtables, so it will get dropped. Moreover, there are more efficient ways to achieve network MiM attacks, especially ARP cache poisoning, that do not need to spoof an IP the way you exposed. See http://www.arp-sk.org/ as one among many articles on this technique.

In addition to this, simply relying on the assumption that the _compromised_ host will just say "hello, I'm spoofing your IP" to everyone is blindly naive. MS Windows does send gratuitous ARP, and it really does not prevent anyone from spoofing IPs from a Windows system. What can prevent one from writing a program (relying on WinPCAP) that listens to ARP requests and answers them with its own IP, which achieves just the same as aliasing the IP?

Moreover, the way gratuitous ARP reception is handled by sending a "Hey man, I'm spoofed" window can be used as a clear DoS for the logged-in guy, who will spend his time closing such alerts... This raises the problem of "how would you treat a spoofed gratuitous ARP?", which is to me a clear open boulevard to network DoS.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!
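As an added example, not code from this thread or from either poster, here is a passive ARP monitor in the spirit of arpwatch: it parses raw Ethernet/ARP frames, tracks which MAC first claimed each IP, and logs (rather than pops up) the events the reply above discusses, a gratuitous ARP and a second MAC claiming an already-bound IP. The frame builder, MAC addresses and IPs are constructed test data.

```python
import struct

# Ethernet and ARP header layouts (RFC 826), network byte order.
ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa):
    """Builds a broadcast ARP frame purely as constructed test input for the monitor."""
    return ETH_HDR.pack(b"\xff" * 6, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

class ArpMonitor:
    """Passive IP->MAC tracker. It only records alerts and never interrupts the user,
    so a flood of spoofed gratuitous ARPs cannot turn it into the DoS discussed above."""
    def __init__(self):
        self.table = {}    # ip -> MAC first seen claiming it
        self.alerts = []

    def feed(self, frame):
        _, eth_src, etype = ETH_HDR.unpack_from(frame)
        if etype != ETHERTYPE_ARP:
            return
        _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
        sender_mac, sender_ip = fmt_mac(sha), fmt_ip(spa)
        if eth_src != sha:                  # crafted frame: link-layer source disagrees with ARP payload
            self.alerts.append(("mismatch", sender_ip, fmt_mac(eth_src), sender_mac))
        if sender_ip == fmt_ip(tpa):        # gratuitous ARP: sender announces its own IP
            self.alerts.append(("gratuitous", sender_ip, sender_mac))
        known = self.table.setdefault(sender_ip, sender_mac)
        if known != sender_mac:             # second MAC claiming an IP: the race the reply describes
            self.alerts.append(("conflict", sender_ip, known, sender_mac))

def demo():
    """Constructed scenario: the gateway answers normally, then a second host claims the gateway's IP."""
    gw, rogue, host = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"), bytes.fromhex("ccddeeff0011")
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 50])
    frames = [
        build_arp(2, gw, gw_ip, host, host_ip),        # legitimate reply from the gateway
        build_arp(1, rogue, gw_ip, b"\0" * 6, gw_ip),  # gratuitous ARP from the second host
        build_arp(2, rogue, gw_ip, host, host_ip),     # second host answering for the gateway IP
    ]
    mon = ArpMonitor()
    for f in frames:
        mon.feed(f)
    return mon.alerts
```

On a live segment the same `feed` loop would be driven by a pcap reader; here `demo()` returns the alert list so the logic can be checked offline.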