Subject: Re: arping for
To: Wolfgang Rupprecht <>
From: Paul Goyette <>
List: tech-net
Date: 06/12/1998 14:05:26
Yeah - I see now how this could be some sort of DoS attack.

And yes, you are correct - we certainly shouldn't be doing
proxy arp unless told to do so.  For any given interface, 
we should only respond to ARP requests for our IP address(es)
on _that_ interface.


On Fri, 12 Jun 1998, Wolfgang Rupprecht wrote:

> Paul Goyette writes:
> > Seems to me that the real problem here is why the host at
> > 00:40:05:42:af:3b would even bother to ARP for
> > After all, _every_ host on the network is supposed to be
> > able to reach itself at that address, so why would it need
> > to ARP?  Unless, of course, the device is misconfigured and
> > thinks that is the IP address assigned to its 
> > Ethernet interface, rather than to its loop-back!
> No you are missing the problem.  The arping could well be part of a
> denial of service attack.  Right now, the ethernet this is happening
> on is the @HOME wide-area lan.  It has 4k active hosts on it and one
> has to treat this as an unsecure ethernet. (If that is even possible.)
> I've been watching someone arp-reply for for a few weeks now
> and though he was trying to pull some sort of man-in-the-middle
> attack.  It was only when my machine started to arp-reply for
> that I started to worry what others would report *me* as
> doing.
> One thing that doesnt' seem to work is to "ifconfig lo0 -arp".  I'm
> surprised that the arp machinery doesn't either shutdown in the
> presense of the LOOPBACK flag or the NOARP flag.
> I can't think of any reason why we'd want the netbsd code to arp for a
> loopback local-address.  Is there a hidden gotcha???
> In any case I would have thought that the netbsd would only arp-reply
> for the interface address that corresponed to the interface that the
> arp request came in on.  Its not clear why my de0 is proxy arping for
> lo0.
> -wolfgang
> -- 
> Wolfgang Rupprecht    <>
> 	  Never trust a program you don't have sources for.

| Paul Goyette      | Public Key fingerprint:    | E-mail addresses:        |
| Network Engineer  |   0E 40 D2 FC 2A 13 74 A0  |       |
| and kernel hacker |   E4 69 D5 BE 65 E4 56 C6  | |