Snort mailing list archives

Unicast ARP Request: Considered Harmful?

From: Kevin Le Gouguec <kevin.le-gouguec () insa-lyon fr>
Date: Sun, 18 May 2014 12:32:04 +0200 (CEST)

Hi all,

I'm playing around with Snort's downloadable rules and I found one which is easy to activate: sending a unicast ARP 
request. Okay, so I start injecting ARP requests, making sure the destination is not set to broadcast. And sure enough, 
Snort picks it up. Great, let's move on and do more complex stuff.

Though, I'm not sure I understand why this rule exists at all. From what I've read most ARP spoofing/cache poisonning 
attacks make use of ARP replies; requests do not seem to cause anyone any trouble (here[1] for example, unicast 
"keep-alive" requests are even said to be a problem when implementing attacks).

I found a thread[2] where Jeff Nathan explains what the ARP preprocessor does, but not why. He points at TCP/IP 
Illustrated's chapter 4; I skimmed through it, but I could not find a justification for this rule.

So why is it suspicious for an ARP request to be unicast, when apparently in a lot of implementations this is 
considered a feature (e.g. ARP polling in RFC 1122 provides cache validation) ? There's a book[3] on intrusion 
detection focusing on Snort that says "ARP requests that are sent to a Unicast address are often the sign of an attack 
designed to modify ARP caches". I... can't see how?

Then again, I don't have much experience with network security so I guess I'm not thinking creatively enough.



[1] http://insecure.org/sploits/arp.games.html ("What can be done", paragraph 5)
[2] http://sourceforge.net/p/snort/mailman/message/15537465/
[3] 
http://books.google.fr/books?id=sVqEFXjbcRoC&pg=PA162&lpg=PA162&dq=arpspoof+unicast&source=bl&ots=D3LwL4dWB8&sig=FTkey-EGTw7s5e9Uhlf4mS_fjVw&hl=en&sa=X&ei=HTl2U67xNJDR4QTt7YHYAw&ved=0CEwQ6AEwBw#v=onepage&q=arpspoof%20unicast&f=false

------------------------------------------------------------------------------
"Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
Instantly run your Selenium tests across 300+ browser/OS combos.
Get unparalleled scalability from the best Selenium testing platform available
Simple to use. Nothing to install. Get started now for free."
http://p.sf.net/sfu/SauceLabs
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

Unicast ARP Request: Considered Harmful? Kevin Le Gouguec (May 18)
- Re: Unicast ARP Request: Considered Harmful? Joel Esler (jesler) (May 18)
- <Possible follow-ups>
- Re: Unicast ARP Request: Considered Harmful? Kevin Le Gouguec (May 18)
  - Re: Unicast ARP Request: Considered Harmful? Kevin Le Gouguec (May 18)
    - Re: Unicast ARP Request: Considered Harmful? Jeff Kell (May 18)
    - Re: Unicast ARP Request: Considered Harmful? Kevin Le Gouguec (May 18)
    - Re: Unicast ARP Request: Considered Harmful? Patrick Mullen (May 19)
    - Re: Unicast ARP Request: Considered Harmful? Kevin Le Gouguec (May 19)
    - Re: Unicast ARP Request: Considered Harmful? Jamie Riden (May 19)