Subject: Re: arping for
To: Paul Goyette <>
From: Wolfgang Rupprecht <>
List: tech-net
Date: 06/12/1998 13:31:30
Paul Goyette writes:
> Seems to me that the real problem here is why the host at
> 00:40:05:42:af:3b would even bother to ARP for
> After all, _every_ host on the network is supposed to be
> able to reach itself at that address, so why would it need
> to ARP?  Unless, of course, the device is misconfigured and
> thinks that is the IP address assigned to its 
> Ethernet interface, rather than to its loop-back!

No you are missing the problem.  The arping could well be part of a
denial of service attack.  Right now, the ethernet this is happening
on is the @HOME wide-area lan.  It has 4k active hosts on it and one
has to treat this as an unsecure ethernet. (If that is even possible.)

I've been watching someone arp-reply for for a few weeks now
and though he was trying to pull some sort of man-in-the-middle
attack.  It was only when my machine started to arp-reply for that I started to worry what others would report *me* as

One thing that doesnt' seem to work is to "ifconfig lo0 -arp".  I'm
surprised that the arp machinery doesn't either shutdown in the
presense of the LOOPBACK flag or the NOARP flag.

I can't think of any reason why we'd want the netbsd code to arp for a
loopback local-address.  Is there a hidden gotcha???

In any case I would have thought that the netbsd would only arp-reply
for the interface address that corresponed to the interface that the
arp request came in on.  Its not clear why my de0 is proxy arping for

Wolfgang Rupprecht    <>
	  Never trust a program you don't have sources for.