Subject: Re: arping for 127.0.0.1
To: Paul Goyette <firstname.lastname@example.org>
From: Wolfgang Rupprecht <email@example.com>
Date: 06/12/1998 13:31:30
Paul Goyette writes:
> Seems to me that the real problem here is why the host at
> 00:40:05:42:af:3b would even bother to ARP for 127.0.0.1...
> After all, _every_ host on the network is supposed to be
> able to reach itself at that address, so why would it need
> to ARP? Unless, of course, the device is misconfigured and
> thinks that 127.0.0.1 is the IP address assigned to its
> Ethernet interface, rather than to its loop-back!
No, you are missing the problem. The arping could well be part of a
denial of service attack. Right now, the ethernet this is happening
on is the @HOME wide-area lan. It has 4k active hosts on it and one
has to treat this as an insecure ethernet. (If that is even possible.)
I've been watching someone arp-reply for 127.0.0.1 for a few weeks now
and thought he was trying to pull some sort of man-in-the-middle
attack. It was only when my machine started to arp-reply for
127.0.0.1 that I started to worry what others would report *me* as
One thing that doesn't seem to work is to "ifconfig lo0 -arp". I'm
surprised that the arp machinery doesn't either shut down in the
presence of the LOOPBACK flag or the NOARP flag.
I can't think of any reason why we'd want the netbsd code to arp for a
loopback local-address. Is there a hidden gotcha???
In any case I would have thought that netbsd would only arp-reply
for the interface address that corresponded to the interface that the
arp request came in on. It's not clear why my de0 is proxy arping for
Wolfgang Rupprecht <firstname.lastname@example.org> http://www.wsrcc.com/wolfgang/
Never trust a program you don't have sources for.
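The traffic described in this thread (a host ARPing for 127.0.0.1, a host answering for it, two machines eventually answering for the same address, and an interface answering for addresses that are not on its own segment) is easy to spot passively. The following watcher is an added example written for this page; it is not code from the poster or from NetBSD. It parses raw Ethernet II/ARP frames and flags four things: requests for a 127/8 target, replies that bind a 127/8 sender address to a MAC, replies for an address outside the segment's configured subnet, and more than one MAC replying for a single IP. The 10.0.0.0/24 subnet, the MACs other than 00:40:05:42:af:3b, and the sample frames are constructed for the example; only the heuristics themselves are the point.

```python
import struct
import ipaddress
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def build_arp_frame(op, sha, spa, tha, tpa):
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet.
    Used here only to construct sample traffic; a real watcher would read
    frames from bpf/pcap instead."""
    dst = _mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else _mac(tha)
    eth = dst + _mac(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sha) + ipaddress.IPv4Address(spa).packed
           + _mac(tha) + ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not
    IPv4-over-Ethernet ARP (wrong ethertype, wrong address sizes, or too short)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sha": body[0:6].hex(":"),
        "spa": ipaddress.IPv4Address(body[6:10]),
        "tha": body[10:16].hex(":"),
        "tpa": ipaddress.IPv4Address(body[16:20]),
    }


class ArpWatcher:
    """Flags ARP traffic that should never appear on a well-behaved segment."""

    def __init__(self, local_net):
        # local_net is the prefix the watched interface actually sits on (an
        # assumption supplied by the operator, here the constructed 10.0.0.0/24).
        self.local_net = ipaddress.ip_network(local_net)
        self.claims = defaultdict(set)  # sender IP -> MACs that have replied for it

    def inspect(self, frame):
        arp = parse_arp_frame(frame)
        if arp is None:
            return []
        findings = []
        if arp["op"] == ARP_REQUEST and arp["tpa"] in LOOPBACK_NET:
            # Nothing needs to resolve 127/8 on the wire: the sender is
            # misconfigured (loopback address on its ethernet) or probing.
            findings.append(("loopback-request", arp["sha"], str(arp["tpa"])))
        elif arp["op"] == ARP_REPLY:
            if arp["spa"] in LOOPBACK_NET:
                # Binding 127.x to a MAC is what the thread observed; any peer
                # that accepts it has its own loopback traffic redirected.
                findings.append(("loopback-reply", arp["sha"], str(arp["spa"])))
            elif arp["spa"] not in self.local_net:
                # A reply for an address not on this segment looks like proxy
                # ARP for something the replier has no business answering for.
                findings.append(("off-subnet-reply", arp["sha"], str(arp["spa"])))
            self.claims[arp["spa"]].add(arp["sha"])
            if len(self.claims[arp["spa"]]) > 1:
                # Two MACs answering for one IP is the man-in-the-middle signature.
                findings.append(("conflict", str(arp["spa"]),
                                 tuple(sorted(self.claims[arp["spa"]]))))
        return findings


# Constructed sample traffic. 00:40:05:42:af:3b is the MAC quoted in the thread;
# the other MACs, the 10.0.0.0/24 segment and the 192.0.2.44 address are made up.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "00:40:05:42:af:3b", "10.0.0.7", "00:00:00:00:00:00", "127.0.0.1"),
    build_arp_frame(ARP_REPLY, "00:40:05:42:af:3b", "127.0.0.1", "00:00:5e:00:53:01", "10.0.0.9"),
    build_arp_frame(ARP_REPLY, "00:00:5e:00:53:01", "10.0.0.9", "00:40:05:42:af:3b", "10.0.0.7"),
    build_arp_frame(ARP_REPLY, "00:00:5e:00:53:02", "127.0.0.1", "00:00:5e:00:53:01", "10.0.0.9"),
    build_arp_frame(ARP_REPLY, "00:40:05:42:af:3b", "192.0.2.44", "00:00:5e:00:53:01", "10.0.0.9"),
]


def run_sample(local_net="10.0.0.0/24"):
    """Feed the sample frames through one watcher; returns one findings list per frame."""
    watcher = ArpWatcher(local_net)
    return [watcher.inspect(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for frame, findings in zip(SAMPLE_FRAMES, run_sample()):
        print(parse_arp_frame(frame)["sha"], findings)
```

The fourth sample frame is the situation the poster ends up in: a second machine starts answering for 127.0.0.1 as well, so the watcher reports both the loopback reply and a conflict between the two MACs. On a real segment the subnet check is only as good as the `local_net` you give it, and a host that legitimately proxy-ARPs (a router for a dial-in pool, say) will trip the off-subnet rule, so that finding is a prompt to look, not proof of abuse.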