
ARP paranoia



Hello!

Perhaps we should catch some more ARP spoofing thingies in our system.
One possible attack is this:

I want to force host A into sending packets intended for host B to
me instead. For that, I send this packet:
Ether: me -> HW-Addr of A type ARP
ARP: request from hw me, IP B to hw ? IP A

(note that this packet doesn't make sense in normal ARP operation
because it shows that "me" already knows the hwaddr of A!)

A will enter the association IP(B) to hwaddr me into its ARP table
and send further packets intended for B to me instead.

Other hosts will not be affected.

The patch below could log those attempts; it just logs all ARP
requests which are not Ethernet broadcasts.

Another nice thing would be detecting and logging ARP responses
directed to the own host for which there was no recent ARP request,
but that seems more difficult.

Perhaps the patch should drop non-broadcast ARP requests instead
of just logging them, btw.

Regards,

Felix.

Index: if_ether.c
===================================================================
RCS file: /cvs/src/sys/netinet/if_ether.c,v
retrieving revision 1.12
diff -u -r1.12 if_ether.c
--- if_ether.c	1997/09/28 23:09:56	1.12
+++ if_ether.c	1998/08/19 13:56:21
@@ -490,6 +490,13 @@
 		itaddr = myaddr;
 		goto reply;
 	}
+#ifndef NO_ARP_PARANOIA
+	if (op == ARPOP_REQUEST && !(m->m_flags & M_BCAST))
+		log(LOG_INFO, "non-broadcast arp request from %s [%s]\n",
+		    ether_sprintf(ea->arp_sha), inet_ntoa(isaddr));
+	/* XXX perhaps we should log ARP responses for which we
+	 * didn't send requests, too */
+#endif
 	la = arplookup(isaddr.s_addr, itaddr.s_addr == myaddr.s_addr, 0);
 	if (la && (rt = la->la_rt) && (sdl = SDL(rt->rt_gateway))) {
 		if (sdl->sdl_alen &&
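Review bot: the log() call in this hunk is unconditional and unrate-limited, so a burst of unicast ARP requests writes one line per packet and lets a remote sender fill the log; count per source and log at most once per interval, or at least gate it behind a sysctl rather than a compile-time NO_ARP_PARANOIA define. Note also that a unicast ARP request is not by itself bogus: RFC 1122 (2.3.2.1) allows a host to validate an existing cache entry with a unicast poll, so this check will produce false positives on such hosts. Finally, the arplookup() call that follows still processes the packet as before, so as written the patch is detection only and does not address the "drop non-broadcast requests instead" question raised in the message.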
-- 
Felix Schröter                    Technik           felix_(_at_)_schlund_(_dot_)_de
Bei Schlund + Partner GmbH & Co.  Erbprinzenstr. 1  D-76133 Karlsruhe

Visit our car market http://www.webauto.de/
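As an added illustration (not part of Felix's message or the OpenBSD patch), the two checks the message describes can be written as a small userland ARP monitor: it flags ARP requests whose Ethernet destination is not the broadcast address, and it flags ARP replies addressed to our own MAC for which we never sent a request. The frames, MAC addresses (00:00:5e:00:53:xx documentation range) and 192.0.2.x addresses are constructed for the demo; the monitor is run from the point of view of host A, and frame 3 is the exact packet from the message (Ethernet to A, ARP sender = attacker MAC with B's IP, target = A).

```python
import struct

ETHERTYPE_ARP = 0x0806
ARPOP_REQUEST = 1
ARPOP_REPLY = 2
BROADCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns a dict of fields, or None if the frame is not such an ARP packet.
    """
    if len(frame) < 14 + 28:
        return None
    eth_dst, eth_src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        return None
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if hrd != 1 or pro != 0x0800 or hln != 6 or pln != 4:
        return None
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "op": op,
        "sha": frame[22:28], "spa": frame[28:32],   # sender hw / proto addr
        "tha": frame[32:38], "tpa": frame[38:42],   # target hw / proto addr
    }


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Construct a raw Ethernet+ARP frame (used here only to build test input)."""
    return (eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + spa + tha + tpa)


class ArpMonitor:
    """Detection only: mirrors the patch's non-broadcast check and the
    'reply we never asked for' check the message leaves as a TODO."""

    def __init__(self, my_mac):
        self.my_mac = my_mac
        # IPs we have outstanding requests for. A real monitor would
        # timestamp these and expire them; omitted to keep the demo short.
        self.pending = set()

    def observe(self, frame):
        a = parse_arp_frame(frame)
        if a is None:
            return []
        alerts = []
        if a["op"] == ARPOP_REQUEST:
            if a["eth_src"] == self.my_mac:
                # Our own outgoing request: remember whom we asked about.
                self.pending.add(a["tpa"])
            elif a["eth_dst"] != BROADCAST:
                # Same condition as the patch: request not sent to broadcast.
                alerts.append(
                    f"non-broadcast arp request from {mac_str(a['sha'])} "
                    f"[{ip_str(a['spa'])}] to {mac_str(a['eth_dst'])}")
        elif a["op"] == ARPOP_REPLY and a["eth_dst"] == self.my_mac:
            if a["spa"] in self.pending:
                self.pending.discard(a["spa"])      # answer to a real request
            else:
                alerts.append(
                    f"unsolicited arp reply claiming {ip_str(a['spa'])} "
                    f"is at {mac_str(a['sha'])}")
        return alerts


def run_demo():
    """Feed constructed frames through the monitor (as host A); return alerts."""
    a_mac, a_ip = bytes.fromhex("00005e005301"), bytes([192, 0, 2, 1])
    b_mac, b_ip = bytes.fromhex("00005e005302"), bytes([192, 0, 2, 2])
    c_mac, c_ip = bytes.fromhex("00005e005303"), bytes([192, 0, 2, 3])
    x_mac = bytes.fromhex("00005e0053ff")   # constructed rogue host "me"
    zero = b"\x00" * 6
    frames = [
        # 1: A broadcasts a normal request for B's address
        build_arp_frame(BROADCAST, a_mac, ARPOP_REQUEST, a_mac, a_ip, zero, b_ip),
        # 2: B answers A by unicast (solicited, no alert)
        build_arp_frame(a_mac, b_mac, ARPOP_REPLY, b_mac, b_ip, a_mac, a_ip),
        # 3: the packet from the message: unicast request to A, sender = me/IP(B)
        build_arp_frame(a_mac, x_mac, ARPOP_REQUEST, x_mac, b_ip, zero, a_ip),
        # 4: unicast reply to A claiming B's IP, with no request outstanding
        build_arp_frame(a_mac, x_mac, ARPOP_REPLY, x_mac, b_ip, a_mac, a_ip),
        # 5: unrelated broadcast request from C (no alert)
        build_arp_frame(BROADCAST, c_mac, ARPOP_REQUEST, c_mac, c_ip, zero, b_ip),
    ]
    mon = ArpMonitor(a_mac)
    alerts = []
    for f in frames:
        alerts.extend(mon.observe(f))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Frames 3 and 4 each produce one alert; frames 1, 2 and 5 are silent. The second check depends on knowing which requests this host sent, which is why the message calls it the harder one: in a kernel implementation that state has to be kept alongside the ARP table and expired, and hosts that legitimately poll an existing entry by unicast request will also trip the first check.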
