Subject: Re: arp info overwritten ???
To: None <netbsd-users@NetBSD.ORG>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: netbsd-users
Date: 06/09/1998 14:13:03
mcmahill@mtl.mit.edu writes:
> and see if someone on the cable modem side tried to use 10.0.0.1
> and if so who they really are?

This is par for the course. Some twit on my cable modem segment is
sending out arps for 127.0.0.1 hundreds of times a day.

Jun 7 13:08:00 capsicum /netbsd: duplicate IP address 127.0.0.1 sent from link address 00:40:10:0c:00:79
Jun 7 17:37:12 capsicum /netbsd: duplicate IP address 127.0.0.1 sent from link address 00:40:10:0c:00:79

What's interesting is this could be a penetration attempt against
machines that aren't filtering packets from "localhost" that just
happen to meander in via an ethernet interface.

Running a machine on an untrusted ethernet is certainly an interesting
security exercise. E.g. How do you prevent someone from arping for the
main gateway? How do you prevent someone from running a DHCP server
handing out phony leases? How about mrouted? The list goes on and
on.

-wolfgang
--
Wolfgang Rupprecht <wolfgang+gnus@spam.free.or.die.wsrcc.com>
http://www.wsrcc.com/wolfgang/
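
Added example, not part of the original post: a small log triage script that tallies the kernel's "duplicate IP address" messages per link address and marks claims for addresses that should never be announced on a wire, such as the 127.0.0.1 case quoted above. The function names and the sample lines marked as constructed are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Message format as it appears in the two log lines quoted in the post.
DUP_RE = re.compile(
    r"duplicate IP address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"sent from link address (?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})",
    re.IGNORECASE,
)

def classify(ip_text):
    """Return why this address must never be claimed via ARP, or None."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on e.g. 999.0.0.1
    for reason in ("loopback", "multicast", "unspecified"):
        if getattr(ip, "is_" + reason):
            return reason
    return None

def summarize(lines):
    """Map (mac, ip) -> {"count": n, "reason": str or None}."""
    out = defaultdict(lambda: {"count": 0, "reason": None})
    for line in lines:
        m = DUP_RE.search(line)
        if not m:
            continue  # not a duplicate-address message
        try:
            reason = classify(m["ip"])
        except ValueError:
            continue  # malformed address in the log line
        entry = out[(m["mac"].lower(), m["ip"])]
        entry["count"] += 1
        entry["reason"] = reason
    return dict(out)

def never_valid(summary):
    """Senders claiming an address that is illegitimate on any LAN."""
    return sorted(k for k, v in summary.items() if v["reason"])

SAMPLE = [
    # The first two lines are the ones quoted in the post.
    "Jun 7 13:08:00 capsicum /netbsd: duplicate IP address 127.0.0.1 sent from link address 00:40:10:0c:00:79",
    "Jun 7 17:37:12 capsicum /netbsd: duplicate IP address 127.0.0.1 sent from link address 00:40:10:0c:00:79",
    # Constructed lines below, for illustration only.
    "Jun 7 18:02:41 capsicum /netbsd: duplicate IP address 10.0.0.1 sent from link address 02:00:00:00:00:01",
    "Jun 7 18:03:00 capsicum /netbsd: duplicate IP address 999.0.0.1 sent from link address 02:00:00:00:00:01",
    "Jun 7 18:05:10 capsicum /netbsd: some unrelated kernel message",
]

if __name__ == "__main__":
    for (mac, ip), v in sorted(summarize(SAMPLE).items()):
        print(mac, ip, v["count"], v["reason"] or "address conflict")
```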