RE: RE: Re: no ip gratuitous-arp

From: Tim (ccie2be@nyc.rr.com)
Date: Wed Dec 20 2006 - 18:33:21 ART


Koury,

You're confusing apples and oranges.

The router command "no ip gratuitous-arp" doesn't prevent a host on a
subnet from sending out grat-ARPs; it only stops the router from sending
grat-ARPs on behalf of another host that's connected to the router via PPP.

See

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123tcr/123tip1r/ip1_l1gt.htm#wp1110181

A router's interface behaves like a host: it sends out ARP requests when it
needs to send traffic to a host connected to that interface and doesn't
have that host's MAC address in its own cache.

So, the router's ARP cache can still be poisoned if it receives a grat-ARP
from an imposter.

HTH, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
koury@london.com
Sent: Wednesday, December 20, 2006 12:44 PM
To: ccielab@groupstudy.com
Subject: Re: RE: Re: no ip gratuitous-arp

Tim, thanks for your reply, but my question is: if the router (after
disabling gARP via "no ip gratuitous-arp") still receives (not
sends out) gARP, isn't this device still vulnerable to fake
rARPs from an attacker?

Thanks!
Koury

Koury,

Just to refresh, ARP is used on an Ethernet link by a host which knows the
IP address of the remote host on the same subnet but doesn't know the MAC
address of that same remote host.

To find out the MAC address of the remote host, the host with traffic to
send will broadcast an ARP request. In the payload of this ARP request is
the IP address of the remote host.

Supposedly, only the "real" host possessing that IP address will respond to
the ARP request, so the sending host will now know the MAC address to use.

But suppose an imposter responds to the ARP request and falsely claims
to be the owner of the IP address just ARP'ed for?

Assuming the imposter is believed, the sender will send traffic to the
imposter instead of the intended recipient.

A gratuitous ARP is just an ARP reply, but it is sent without a preceding ARP
request. This is useful for when a host physically moves to a different
subnet and gets a new IP address (think DHCP) or has a new NIC installed.
Since hosts, by default, will keep the info they get from ARP replies in
cache for a while, gratuitous ARP allows old, no longer applicable ARP
entries to be overwritten with the new, current info.

Keep in mind that ARP doesn't have any built-in method to verify that ARP
replies are indeed coming from the legit owner of the IP address.

Therefore, a clever hacker could fool 2 hosts into believing that his host
is the other host in the conversation.

For example, consider this scenario:

Host A ------- Host B -------- Host C

where A & C want to talk to each other and B is the imposter.

Host B corrupts A's and C's ARP caches such that when A wants to send data to
C, it actually sends it to B, and the same happens to C.

For this attack to be useful, host B will have some sniffer software
configured to capture usernames and passwords.

There's more to this than I describe but that's the general idea.

HTH, Tim

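The monitoring-side consequence of the thread's point (a cache accepts replies it never asked for, so the defense is to notice when an IP's binding changes), as an added example that is not code from the thread or from Cisco: it decodes raw ARP bodies and flags any reply or gratuitous announcement that rebinds a known IP to a different MAC, the way arpwatch-style tools do. All frames, addresses and MACs below are constructed for the demo.

```python
import struct

# Added example (not from the thread): decode ARP bodies and flag IP-to-MAC
# rebindings as an arpwatch-style monitor would; all sample frames are constructed.
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ARP_REPLY = 2

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(payload):
    """Decode the 28-byte ARP body that follows the Ethernet header."""
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    # A gratuitous ARP announces the sender's own binding: sender IP == target IP.
    return {"op": op, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha),
            "tpa": _ip(tpa), "gratuitous": spa == tpa}

def build_arp(op, sha, spa, tha, tpa):
    """Inverse of parse_arp; used only to construct the sample frames below."""
    macs = [bytes.fromhex(m.replace(":", "")) for m in (sha, tha)]
    ips = [bytes(map(int, a.split("."))) for a in (spa, tpa)]
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, macs[0], ips[0], macs[1], ips[1])

class ArpWatcher:
    """Remember the first MAC seen per IP; report any reply or gratuitous
    announcement that tries to rebind that IP to a different MAC."""
    def __init__(self):
        self.bindings, self.alerts = {}, []
    def observe(self, payload):
        f = parse_arp(payload)
        if f["op"] != ARP_REPLY and not f["gratuitous"]:
            return None               # an ordinary request claims no binding
        known = self.bindings.setdefault(f["spa"], f["sha"])
        if known == f["sha"]:
            return None
        kind = "gratuitous" if f["gratuitous"] else "solicited"
        alert = f"{f['spa']} rebound {known} -> {f['sha']} via {kind} reply"
        self.alerts.append(alert)
        return alert

# Constructed traffic: A asks for C, C (10.0.0.3) answers, then B sends a
# gratuitous reply claiming C's address with B's own MAC.
SAMPLE = [
    build_arp(1, "aa:aa:aa:00:00:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.3"),
    build_arp(ARP_REPLY, "cc:cc:cc:00:00:03", "10.0.0.3", "aa:aa:aa:00:00:01", "10.0.0.1"),
    build_arp(ARP_REPLY, "bb:bb:bb:00:00:02", "10.0.0.3", "ff:ff:ff:ff:ff:ff", "10.0.0.3"),
]

def run_demo():
    w = ArpWatcher()
    return [a for a in map(w.observe, SAMPLE) if a]
```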



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:38 ART