tech-net: Re: arping for 127.0.0.1

Subject: Re: arping for 127.0.0.1
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Paul Goyette <paul@whooppee.com>
List: tech-net
Date: 06/12/1998 14:05:26
Yeah - I see now how this could be some sort of DoS attack.

And yes, you are correct - we certainly shouldn't be doing
proxy arp unless told to do so.  For any given interface, 
we should only respond to ARP requests for our IP address(es)
on _that_ interface.

Hmmm...

On Fri, 12 Jun 1998, Wolfgang Rupprecht wrote:

> 
> Paul Goyette writes:
> > Seems to me that the real problem here is why the host at
> > 00:40:05:42:af:3b would even bother to ARP for 127.0.0.1...
> > After all, _every_ host on the network is supposed to be
> > able to reach itself at that address, so why would it need
> > to ARP?  Unless, of course, the device is misconfigured and
> > thinks that 127.0.0.1 is the IP address assigned to its 
> > Ethernet interface, rather than to its loop-back!
> 
> No you are missing the problem.  The arping could well be part of a
> denial of service attack.  Right now, the ethernet this is happening
> on is the @HOME wide-area lan.  It has 4k active hosts on it and one
> has to treat this as an unsecure ethernet. (If that is even possible.)
> 
> I've been watching someone arp-reply for 127.0.0.1 for a few weeks now
> and though he was trying to pull some sort of man-in-the-middle
> attack.  It was only when my machine started to arp-reply for
> 127.0.0.1 that I started to worry what others would report *me* as
> doing.
> 
> One thing that doesnt' seem to work is to "ifconfig lo0 -arp".  I'm
> surprised that the arp machinery doesn't either shutdown in the
> presense of the LOOPBACK flag or the NOARP flag.
> 
> I can't think of any reason why we'd want the netbsd code to arp for a
> loopback local-address.  Is there a hidden gotcha???
> 
> In any case I would have thought that the netbsd would only arp-reply
> for the interface address that corresponed to the interface that the
> arp request came in on.  Its not clear why my de0 is proxy arping for
> lo0.
> 
> -wolfgang
> -- 
> Wolfgang Rupprecht    <wolfgang@wsrcc.com>     http://www.wsrcc.com/wolfgang/
> 	  Never trust a program you don't have sources for.
> 

-----------------------------------------------------------------------------
| Paul Goyette      | Public Key fingerprint:    | E-mail addresses:        |
| Network Engineer  |   0E 40 D2 FC 2A 13 74 A0  |  paul@whooppee.com       |
| and kernel hacker |   E4 69 D5 BE 65 E4 56 C6  |  paul.goyette@ascend.com |
-----------------------------------------------------------------------------