Subject: Re: arping for 127.0.0.1
To: Wolfgang Rupprecht <wolfgang@wsrcc.com>
From: Paul Goyette <paul@whooppee.com>
List: tech-net
Date: 06/12/1998 14:05:26
Yeah - I see now how this could be some sort of DoS attack.
And yes, you are correct - we certainly shouldn't be doing
proxy arp unless told to do so. For any given interface,
we should only respond to ARP requests for our IP address(es)
on _that_ interface.
Hmmm...
On Fri, 12 Jun 1998, Wolfgang Rupprecht wrote:
>
> Paul Goyette writes:
> > Seems to me that the real problem here is why the host at
> > 00:40:05:42:af:3b would even bother to ARP for 127.0.0.1...
> > After all, _every_ host on the network is supposed to be
> > able to reach itself at that address, so why would it need
> > to ARP? Unless, of course, the device is misconfigured and
> > thinks that 127.0.0.1 is the IP address assigned to its
> > Ethernet interface, rather than to its loop-back!
>
> No, you are missing the problem. The arping could well be part of a
> denial of service attack. Right now, the ethernet this is happening
> on is the @HOME wide-area lan. It has 4k active hosts on it and one
> has to treat this as an insecure ethernet. (If that is even possible.)
>
> I've been watching someone arp-reply for 127.0.0.1 for a few weeks now
> and thought he was trying to pull some sort of man-in-the-middle
> attack. It was only when my machine started to arp-reply for
> 127.0.0.1 that I started to worry what others would report *me* as
> doing.
>
> One thing that doesn't seem to work is to "ifconfig lo0 -arp". I'm
> surprised that the arp machinery doesn't either shutdown in the
> presence of the LOOPBACK flag or the NOARP flag.
>
> I can't think of any reason why we'd want the netbsd code to arp for a
> loopback local-address. Is there a hidden gotcha???
>
> In any case I would have thought that the netbsd would only arp-reply
> for the interface address that corresponded to the interface that the
> arp request came in on. It's not clear why my de0 is proxy arping for
> lo0.
>
> -wolfgang
> --
> Wolfgang Rupprecht <wolfgang@wsrcc.com> http://www.wsrcc.com/wolfgang/
> Never trust a program you don't have sources for.
>
-----------------------------------------------------------------------------
| Paul Goyette | Public Key fingerprint: | E-mail addresses: |
| Network Engineer | 0E 40 D2 FC 2A 13 74 A0 | paul@whooppee.com |
| and kernel hacker | E4 69 D5 BE 65 E4 56 C6 | paul.goyette@ascend.com |
-----------------------------------------------------------------------------
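As an added illustration (not code from this thread or from NetBSD), the Python below models the per-interface reply policy Paul describes (answer only for addresses configured on the interface the request arrived on) and the LOOPBACK/NOARP short-circuit Wolfgang expected, shows where a host-wide "is this any of my addresses?" lookup turns into proxy ARP for lo0, and flags ARP replies that claim a loopback address in constructed tcpdump-style lines. The interface names, the 10.0.0.x addresses and the log format are assumptions; the MAC is the one quoted in the thread.

```python
import re
import ipaddress
from dataclasses import dataclass, field
LOOPBACK, NOARP = "LOOPBACK", "NOARP"

@dataclass
class Interface:
    name: str
    addrs: set
    flags: set = field(default_factory=set)

# Constructed host: lo0 carries 127.0.0.1, de0 carries the Ethernet address.
HOST = {
    "lo0": Interface("lo0", {"127.0.0.1"}, {LOOPBACK}),
    "de0": Interface("de0", {"10.0.0.7"}),
}

def should_reply(host, rx_iface, target_ip):
    """Per-interface policy: answer only for addresses configured on the
    interface the request arrived on, and never on LOOPBACK/NOARP ones."""
    iface = host.get(rx_iface)
    if iface is None or iface.flags & {LOOPBACK, NOARP}:
        return False
    return target_ip in iface.addrs

def is_proxy_reply(host, rx_iface, target_ip):
    """True when a host-wide address lookup would answer but the per-interface
    policy would not; that gap is how de0 ends up answering for lo0's address."""
    anywhere = any(target_ip in i.addrs for i in host.values())
    return anywhere and not should_reply(host, rx_iface, target_ip)

# Constructed tcpdump-style ARP lines (assumed format, not captured output).
SAMPLE_LINES = """\
14:01:02 arp who-has 10.0.0.7 tell 10.0.0.3
14:01:02 arp reply 10.0.0.7 is-at 00:00:c0:12:34:56
14:01:05 arp who-has 127.0.0.1 tell 10.0.0.3
14:01:05 arp reply 127.0.0.1 is-at 00:40:05:42:af:3b
"""
ARP_REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")

def suspicious_arp_replies(text):
    """Return (ip, mac) for every ARP reply claiming a loopback address;
    such a reply should never appear on a shared segment."""
    hits = []
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m and ipaddress.ip_address(m.group(1)).is_loopback:
            hits.append((m.group(1), m.group(2)))
    return hits
```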