From: koury@london.com
Date: Wed Dec 20 2006 - 14:44:07 ART
Tim, thanks for your reply, but my question is: if the router (after disabling gARP via "no ip gratuitous-arp") still receives (but does not send out) gARP, isn't this device still vulnerable to fake rARPs from an attacker?
Thanks!
Koury
Koury,
Just to refresh: ARP is used on an Ethernet link by a host that knows the
IP address of a remote host on the same subnet but doesn't know the MAC
address of that same remote host.
To find out the MAC address of the remote host, the host with traffic to
send will broadcast an ARP request. In the payload of this ARP request is
the IP address of the remote host.
Supposedly, only the "real" host possessing that IP address will respond to
the ARP request, so the sending host will now know the MAC address to use.
But suppose an imposter responds to the ARP request and falsely claims
to be the owner of the IP address just ARP'ed for?
Assuming the imposter is believed, the sender will send traffic to the
imposter instead of the intended recipient.
A gratuitous ARP is just an ARP reply that is sent without a preceding ARP
request. This is useful when a host physically moves to a different
subnet and gets a new IP address (think DHCP) or has a new NIC installed.
Since hosts, by default, keep the info they get from ARP replies in
cache for a while, gratuitous ARP allows old, no-longer-applicable ARP
entries to be overwritten with the new, current info.
Keep in mind that ARP doesn't have any built-in method to verify that ARP
replies are indeed coming from the legitimate owner of the IP address.
Therefore, a clever hacker could fool two hosts into believing that his host
is the other host in the conversation.
For example, consider this scenario:
Host A ------- Host B -------- Host C
where A & C want to talk to each other and B is the imposter.
Host B corrupts A's and C's ARP caches such that when A wants to send data to
C, it actually sends it to B, and the same happens to C.
For this attack to be useful, host B will have some sniffer software
configured to capture usernames and passwords.
There's more to this than I describe but that's the general idea.
HTH, Tim
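The ARP exchange and the A/B/C cache-poisoning scenario described in Tim's reply, as an added example that is not part of the original thread. It builds and parses raw Ethernet/ARP frames, tells a gratuitous announcement (sender IP equals target IP) apart from an unsolicited reply aimed at one victim, and runs a small arpwatch-style detector that flags replies nobody asked for and IP-to-MAC bindings that change. The MAC and IP addresses, the `ArpWatcher` class and the `poisoning_scenario` function are all made up for the illustration; the frames are constructed in the script, so it runs offline.

```python
"""Added example: raw ARP frames plus a minimal ARP-cache-poisoning detector.
All addresses and the poisoning scenario below are constructed for illustration.
"""
import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


@dataclass(frozen=True)
class Arp:
    src_mac: bytes      # Ethernet header source
    dst_mac: bytes      # Ethernet header destination
    op: int             # 1 = request, 2 = reply
    sender_mac: bytes   # the binding this frame asserts: sender_ip is at sender_mac
    sender_ip: str
    target_mac: bytes
    target_ip: str


def build(src_mac, dst_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header followed by an RFC 826 ARP body for IPv4 over Ethernet."""
    eth = dst_mac + src_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
           + sender_mac + socket.inet_aton(sender_ip)
           + target_mac + socket.inet_aton(target_ip))
    return eth + arp


def parse(frame: bytes) -> Arp:
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    p = frame[22:42]
    return Arp(src, dst, op, p[0:6], socket.inet_ntoa(p[6:10]),
               p[10:16], socket.inet_ntoa(p[16:20]))


def is_gratuitous(a: Arp) -> bool:
    # A gratuitous ARP announces the sender's own binding: sender and target IP match.
    return a.sender_ip == a.target_ip


class ArpWatcher:
    """Hypothetical detector: remembers bindings and outstanding requests, like arpwatch."""

    def __init__(self):
        self.bindings = {}   # ip -> mac last seen claiming it
        self.pending = set()  # (requester MAC, IP asked for) with no reply yet

    def observe(self, frame: bytes) -> list:
        a = parse(frame)
        alerts = []
        if a.op == ARP_REQUEST:
            self.pending.add((a.sender_mac, a.target_ip))
        elif a.op == ARP_REPLY:
            key = (a.target_mac, a.sender_ip)
            if key in self.pending:
                self.pending.discard(key)       # an answer somebody actually asked for
            elif not is_gratuitous(a):
                alerts.append(f"unsolicited reply for {a.sender_ip} sent to {a.target_mac.hex(':')}")
        if a.src_mac != a.sender_mac:
            alerts.append(f"ethernet source {a.src_mac.hex(':')} differs from ARP sender {a.sender_mac.hex(':')}")
        old = self.bindings.get(a.sender_ip)
        if old is not None and old != a.sender_mac:
            alerts.append(f"{a.sender_ip} changed from {old.hex(':')} to {a.sender_mac.hex(':')}")
        self.bindings[a.sender_ip] = a.sender_mac
        return alerts


def poisoning_scenario() -> list:
    """Replays Tim's A --- B --- C scenario with B as the imposter; returns the alerts."""
    a_mac, b_mac, c_mac = mac("02:00:00:00:00:0a"), mac("02:00:00:00:00:0b"), mac("02:00:00:00:00:0c")
    a_ip, c_ip = "192.0.2.10", "192.0.2.20"
    frames = [
        build(a_mac, BROADCAST, ARP_REQUEST, a_mac, a_ip, ZERO_MAC, c_ip),  # A: who has C?
        build(c_mac, a_mac, ARP_REPLY, c_mac, c_ip, a_mac, a_ip),           # C: C is at c_mac
        build(b_mac, BROADCAST, ARP_REPLY, b_mac, c_ip, b_mac, c_ip),       # B: gratuitous "C is at b_mac"
        build(b_mac, c_mac, ARP_REPLY, b_mac, a_ip, c_mac, c_ip),           # B -> C: unsolicited "A is at b_mac"
    ]
    watcher = ArpWatcher()
    alerts = []
    for f in frames:
        alerts.extend(watcher.observe(f))
    return alerts


if __name__ == "__main__":
    for line in poisoning_scenario():
        print("ALERT:", line)
```

The gratuitous frame from B trips no "unsolicited" check, because that is exactly what a legitimate gratuitous ARP looks like on the wire; it is caught only because the watcher remembers that 192.0.2.20 was at C's MAC a moment ago. That is the practical answer to the question in the thread: turning off gratuitous ARP on one box stops it from sending announcements, it does not stop anyone else from asserting a binding, so a binding-change monitor (or switch-side Dynamic ARP Inspection) is what actually catches the attack.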
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART