Security Incidents mailing list archives
Re: Arp Warnings on @Home Network
From: "Forrester, Mike" <mforrester () HSACORP NET>
Date: Thu, 8 Feb 2001 10:24:13 -0700
And that's the way I interpret it too. I guess the part I don't understand is if this is normal behavior or not. I've never seen this sort of thing before, but then that could be because most OS'es just don't report this sort of thing by default. I'll have to run ethereal on my Win 98 and Solaris boxes on the same system and compare the results. It just seems way to it to re-route packets. If this wasn't a clueless user (which is my opinion), but someone with some real knowledge, it seems they could very easily mess with people, sniff passwords, etc. I imagine a lot of you are saying, "Well, duh, everyone knows that." I guess I kind of always did, but never thought it was this easy.

Do most of you put static arp entries in your arp table on boot to prevent this sort of thing? I'm going to from now on. I'll just have to remember that the next time my cable modem is not working, I need to check and make sure they didn't change the router. I think I'll spend the next few weeks playing with arp (arpspoof and arpwatch). Unless I find some more interesting info regarding differences in the OS handling of this, I'll quit bothering you people (You're welcome!).

If anyone happens to have some good links to help me on my quest for arp, please send them to me off list. This is a request for links in particular that you have read and know contain really good info, not a dump of the 492,000 results from a search on 'arp' on google.

Thanks everyone for your time and feedback!

Mike
-----Original Message-----
From: Mathias Wegner [mailto:mwegner () CS OBERLIN EDU]
Sent: Wednesday, February 07, 2001 6:37 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: [INCIDENTS] Arp Warnings on @Home Network

Yeah I thought about putting in a static entry in the arptable, but right now this is more fun. Maybe not for those on the list, but it is for me. It is more fun by far...

Here's the way I read this: your syslog says:

Feb 6 22:51:10 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0

after it sees:

[6] 22:51:10.944844 8:0:7:c4:28:53 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.1.14.32 (ff:ff:ff:ff:ff:ff) tell 24.1.8.1

(Apple NIC asking who is holding the IP address and requesting MAC address in order to send data to 24.1.14.32 - your machine sees that the MAC of the Apple NIC is supposed to be associated with 24.1.8.1 and so you have arp info overwritten)

but then, after it sees:

[10] 22:51:10.952509 0:1:63:f1:d8:80 ff:ff:ff:ff:ff:ff 0806 60: arp reply 24.1.8.1 is-at 0:1:63:f1:d8:80 (0:1:63:f1:d8:80)

(someone has arped upstream for 24.1.8.1 and so the Cisco box responds - your machine sees that the Cisco NIC is supposed to be associated with 24.1.8.1 and so you have arp info overwritten - you may have this in part of the sniffer trace preceding what was excerpted in your last email)

it changes your arp table, as seen here:

Feb 6 22:51:10 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0

The trick is to use all of this to find out who has the wrong config and call them and ask them to fix their config :)

Mathias
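The mechanism Mathias describes (a who-has with "tell 24.1.8.1" from the Apple NIC teaches the receiver that the Apple MAC belongs to the gateway, and the Cisco reply a few milliseconds later overwrites it back) is exactly the flip-flop that arpwatch reports, and a static entry for the gateway is what Mike proposes as the fix. The following is an added example, not code from either poster: a small arpwatch-style monitor that learns IP-to-MAC bindings from tcpdump-style ARP lines, flags new stations, address changes and flip-flops, and can be given pinned (static) bindings that it refuses to overwrite. The trace and syslog lines are constructed from the ones quoted in the thread, with the spacing that the archive lost restored and one extra who-has appended to show the flip-flop; the regexes, class and function names are this example's own.

```python
"""arpwatch-style ARP binding monitor (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the two tcpdump -e frames quoted in the thread, a repeat of the
# Cisco reply, and one more who-has from the Apple NIC to produce a flip-flop.
SAMPLE_ARP_TRACE = [
    "22:51:10.944844 8:0:7:c4:28:53 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.1.14.32 (ff:ff:ff:ff:ff:ff) tell 24.1.8.1",
    "22:51:10.952509 0:1:63:f1:d8:80 ff:ff:ff:ff:ff:ff 0806 60: arp reply 24.1.8.1 is-at 0:1:63:f1:d8:80 (0:1:63:f1:d8:80)",
    "22:51:11.100000 0:1:63:f1:d8:80 ff:ff:ff:ff:ff:ff 0806 60: arp reply 24.1.8.1 is-at 0:1:63:f1:d8:80 (0:1:63:f1:d8:80)",
    "22:51:12.000000 8:0:7:c4:28:53 ff:ff:ff:ff:ff:ff 0806 60: arp who-has 24.1.14.32 (ff:ff:ff:ff:ff:ff) tell 24.1.8.1",
]

# Constructed sample: the OpenBSD syslog lines quoted in the thread.
SAMPLE_SYSLOG = [
    "Feb 6 22:51:10 ironman /bsd: arp info overwritten for 24.1.8.1 by 08:00:07:c4:28:53 on fxp0",
    "Feb 6 22:51:10 ironman /bsd: arp info overwritten for 24.1.8.1 by 00:01:63:f1:d8:80 on fxp0",
]

# tcpdump -e layout: <ts> <src mac> <dst mac> <ethertype> <len>: arp ...
WHO_HAS = re.compile(r"^(\S+) (\S+) \S+ \S+ \S+ arp who-has (\S+)(?: \(\S+\))? tell (\S+)")
IS_AT = re.compile(r"^(\S+) (\S+) \S+ \S+ \S+ arp reply (\S+) is-at (\S+)")
OVERWRITTEN = re.compile(r"arp info overwritten for (\S+) by (\S+) on (\S+)")


def normalize_mac(mac: str) -> str:
    """tcpdump prints 8:0:7:c4:28:53 while syslog prints 08:00:07:c4:28:53; canonicalise."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def learned_binding(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) a receiving host would cache from this frame, or None.

    A who-has carries the sender's own binding (the 'tell' address and the source MAC);
    a reply carries the 'is-at' binding. Both update an ARP cache on old BSD stacks.
    """
    m = WHO_HAS.match(line)
    if m:
        ts, src_mac, _target_ip, sender_ip = m.groups()
        return ts, sender_ip, normalize_mac(src_mac)
    m = IS_AT.match(line)
    if m:
        ts, _src_mac, ip, mac = m.groups()
        return ts, ip, normalize_mac(mac)
    return None


def parse_overwrite(line: str) -> Optional[Tuple[str, str, str]]:
    """Extract (ip, mac, interface) from a BSD 'arp info overwritten' syslog line."""
    m = OVERWRITTEN.search(line)
    if not m:
        return None
    ip, mac, iface = m.groups()
    return ip, normalize_mac(mac), iface


class ArpMonitor:
    """Tracks IP-to-MAC bindings; pinned entries behave like static arp entries."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None) -> None:
        self.pinned = {ip: normalize_mac(mac) for ip, mac in (pinned or {}).items()}
        self.current: Dict[str, str] = {}
        self.history: Dict[str, Set[str]] = {}

    def observe(self, line: str) -> Optional[str]:
        parsed = learned_binding(line)
        if parsed is None:
            return None
        ts, ip, mac = parsed
        if ip in self.pinned and mac != self.pinned[ip]:
            # A static entry is never overwritten; just report the contradicting frame.
            return f"{ts} {ip}: frame claims {mac}, static entry says {self.pinned[ip]}"
        old = self.current.get(ip)
        self.current[ip] = mac
        seen = self.history.setdefault(ip, set())
        if old is None:
            seen.add(mac)
            return f"{ts} new station {ip} at {mac}"
        if old == mac:
            return None
        kind = "flip flop" if mac in seen else "changed ethernet address"
        seen.add(mac)
        return f"{ts} {kind} {ip}: {old} -> {mac}"


def run(lines: List[str], pinned: Optional[Dict[str, str]] = None) -> List[str]:
    """Feed a trace through a monitor and return the alerts it raised, in order."""
    mon = ArpMonitor(pinned)
    return [alert for alert in (mon.observe(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in run(SAMPLE_ARP_TRACE):
        print(alert)
    print("with gateway pinned:")
    for alert in run(SAMPLE_ARP_TRACE, pinned={"24.1.8.1": "00:01:63:f1:d8:80"}):
        print(alert)
```

Run without pinning, the trace yields a new-station notice, a "changed ethernet address" for 24.1.8.1 when the Cisco reply arrives, and a "flip flop" when the Apple NIC's next who-has flips it back; pinning the gateway MAC instead yields one conflict alert per Apple frame, which is the static-entry behaviour Mike asks about.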
Current thread:
- Arp Warnings on @Home Network Mike Forrester (Feb 06)
- Re: Arp Warnings on @Home Network Ryan Russell (Feb 07)
- Re: Arp Warnings on @Home Network Dragos Ruiu (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Jose Nazario (Feb 07)
- Re: Arp Warnings on @Home Network Gordon Messmer (Feb 07)
- <Possible follow-ups>
- Re: Arp Warnings on @Home Network Forrester, Mike (Feb 07)
- Re: Arp Warnings on @Home Network Mathias Wegner (Feb 07)
- Re: Arp Warnings on @Home Network Forrester, Mike (Feb 09)