Security Incidents mailing list archives

Re: Arp Warnings on @Home Network


From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Thu, 8 Feb 2001 10:24:13 -0700

And that's the way I interpret it too.  I guess the part I don't understand
is if this is normal behavior or not.  I've never seen this sort of thing
before, but then that could be because most OSes just don't report this
sort of thing by default.  I'll have to run ethereal on my Win 98 and
Solaris boxes on the same system and compare the results.  It just seems way
to it to re-route packets.  If this wasn't a clueless user (which is my
opinion), but someone with some real knowledge, it seems they could very
easily mess with people, sniff passwords, etc.  I imagine a lot of you are
saying, "Well, duh, everyone knows that."  I guess I kind of always did, but
never thought it was this easy.

Do most of you put static arp entries in your arp table on boot to prevent
this sort of thing?  I'm going to from now on.  I'll just have to remember
that the next time my cable modem is not working, I need to check and make
sure they didn't change the router.  I think I'll spend the next few weeks
playing with arp (arpspoof and arpwatch).

Unless I find some more interesting info regarding differences in the OS
handling of this, I'll quit bothering you people (You're Welcome!).  If
anyone happens to have some good links to help me on my quest for arp,
please send them to me off list.  This is a request for links in particular
that you have read and know contain really good info, not a dump of the
492,000 results from a search on 'arp' on google.

Thanks everyone for your time and feedback!

Mike

-----Original Message-----
From: Mathias Wegner [mailto:mwegner () CS OBERLIN EDU]
Sent: Wednesday, February 07, 2001 6:37 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: [INCIDENTS] Arp Warnings on @Home Network


Yeah I thought about putting in a static entry in the arp table, but right
now this is more fun.  Maybe not for those on the list, but it is for me.

      It is more fun by far...


      Here's the way I read this:

your syslog says:
Feb  6 22:51:10 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0

after it sees:
[6]22:51:10.944844 8:0:7:c4:28:53 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.1.14.32 (ff:ff:ff:ff:ff:ff) tell 24.1.8.1
      (Apple NIC asking who is holding the IP address and requesting MAC
address in order to send data to 24.1.14.32 - your machine sees that the
MAC of the Apple NIC is supposed to be associated with 24.1.8.1 and so you
have arp info overwritten)

but then, after it sees:
[10]22:51:10.952509 0:1:63:f1:d8:80 ff:ff:ff:ff:ff:ff 0806 60: arp reply 24.1.8.1 is-at 0:1:63:f1:d8:80 (0:1:63:f1:d8:80)
      (someone has arped upstream for 24.1.8.1 and so the Cisco box
responds - your machine sees that the Cisco NIC is supposed to be
associated with 24.1.8.1 and so you have arp info overwritten - you may
have this in part of the sniffer trace preceding what was excerpted in
your last email)

it changes your arp table, as seen here:
Feb  6 22:51:10 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0

      The trick is to use all of this to find out who has the wrong
config and call them and ask them to fix their config :)


Mathias
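Mathias's reading of the trace above is exactly the bookkeeping arpwatch does. As an added example (not code from either poster), this Python tracker parses the tcpdump-style ARP lines quoted in the thread, normalises the MAC spellings that differ between tcpdump and syslog, and reports each time 24.1.8.1 changes owner; the first frame in the trace, an earlier reply from the Cisco router, is constructed to stand in for the part of the capture Mathias assumes preceded the excerpt.

```python
import re
# Tcpdump-style ARP lines as quoted in the thread: "[n]time srcMAC dstMAC 0806 ...".
_HDR = re.compile(r"^\[\d+\](\S+) ([0-9a-f:]+) [0-9a-f:]+ 0806", re.I)
_REQ = re.compile(r"arp who-has \S+ (?:\(\S+\) )?tell (\S+)")
_REP = re.compile(r"arp reply (\S+) is-at ([0-9a-f:]+)", re.I)

def norm_mac(mac):
    """Zero-pad octets so 8:0:7:c4:28:53 and 08:00:07:c4:28:53 compare equal."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def binding(line):
    """(timestamp, ip, mac) claimed by one ARP frame, or None if not ARP. A who-has
    binds its 'tell' IP to the Ethernet source MAC; an is-at reply binds the
    advertised IP to the advertised MAC; either overwrites the BSD ARP cache."""
    hdr = _HDR.match(line)
    if not hdr:
        return None
    ts, src_mac = hdr.group(1), norm_mac(hdr.group(2))
    if m := _REQ.search(line):
        return ts, m.group(1), src_mac
    if m := _REP.search(line):
        return ts, m.group(1), norm_mac(m.group(2))
    return None

def watch(lines):
    """arpwatch-style pass over a trace: one alert per change of an IP's MAC."""
    table, seen, events = {}, {}, []
    for line in lines:
        if (b := binding(line)) is None:
            continue
        ts, ip, mac = b
        old, history = table.get(ip), seen.setdefault(ip, set())
        if old is None:
            kind = "new station"
        elif old == mac:
            kind = None                  # same binding again, nothing to report
        else:                            # flip flop = bounced back to an earlier MAC
            kind = "flip flop" if mac in history else "changed ethernet address"
        table[ip] = mac
        history.add(mac)
        if kind:
            events.append(f"{ts} {kind} {ip} {old or '-'} -> {mac}")
    return events
# Constructed trace: the two frames quoted in the thread, preceded by an assumed
# earlier reply from the Cisco router that set up the original binding.
TRACE = [
    "[2]22:51:05.100000 0:1:63:f1:d8:80 ff:ff:ff:ff:ff:ff 0806 60: arp reply 24.1.8.1 is-at 0:1:63:f1:d8:80 (0:1:63:f1:d8:80)",
    "[6]22:51:10.944844 8:0:7:c4:28:53 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.1.14.32 (ff:ff:ff:ff:ff:ff) tell 24.1.8.1",
    "[10]22:51:10.952509 0:1:63:f1:d8:80 ff:ff:ff:ff:ff:ff 0806 60: arp reply 24.1.8.1 is-at 0:1:63:f1:d8:80 (0:1:63:f1:d8:80)",
]
```

Running `watch(TRACE)` yields three alerts: the Cisco binding as a new station, the Apple NIC's who-has as a changed address, and the Cisco reply as a flip flop, which is the same sequence the two "arp info overwritten" syslog lines record.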


