Re: Redir games with ARP and ICMP

Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
Sat, 20 Sep 1997 00:11:10 +0100

> all connected by Ethernet in some simple way (i.e. no switches, no smart
> hubs). You're on cat, you have root and desire to break into dog. You know
> that dog trusts rat, so if you can successfully spoof rat, something can be
> gained.

Actually, with a bit of care the ARP spoofing attack you describe works
through simple MAC filtering devices. Not only that, but a switched network
allows you to make purely unicast address attacks that the monitoring
station won't see, as the LAN admin is himself switched from your packets...
See below.

> router's. If it works (I'm not sure it always will, router's ARP
> implementation may be tougher to fool, and since I don't want to try it on
> real routers, I don't know, but there's no simple reason why not) you can

You can generally fool routers fairly easily too.

> from usual 1 min to about 10 min. By that time, most or all TCP connections
> are screwed up. Could be quite annoying. This way, one ARP packet can screw
> someone.

ARP is a poor choice for this IMHO. The 802.1 spanning tree algorithm used
by bridges and switches to avoid loops has no protection either and this
allows you to shut down entire ports when you can do MAC level attacks rather
than messing around host by host.

> screw up the entire network. It must be admitted, though, that gratuitous
> ARP is not really defined as a part of ARP, so it's up to the vendor to (not)
> implement it, and it's becoming increasingly less popular.

Gratuitous ARP is a required part of IP mobile. It is an awkward case. The
Linux approach is to always honour ATF_PERM flags. That is, if you create
a permanent entry it will never be replaced by a learned one, even temporarily.
That allows security-concerned people to hardcode addressing.

> Host Requirements RFC states that system MUST follow ICMP redirects unless
> it's a router. And indeed all the systems I've tried happily accept it
> (except vanilla Linux 2.0.30, where it's broken, it works in 2.0.29 and
> 2.0.31pre9, according to Alan Cox).

Yep. That's simply a quirk of a bug. A Linux host (as opposed to router) will,
like everyone else, honour ICMP redirects unless you firewall or turn them off.
A router never honours them (it's strictly forbidden).

> ICMP redirects present a rather potent DoS. Unlike ARP cache entries, those
> host routes won't expire with time. And of course no access to local

No. ICMP redirect host routes expire after a few minutes. The host has to do
this so that a temporary situation does not cause a permanent change. If
you are lucky enough to be on a switched network with a big netmask (class B
or bigger) then you can also use ICMP host redirects against many boxes to
add 65000+ routes to their tables. Unixes generally eat RAM and carry on, as
they have good routing algorithms designed to cope with the backbones. Many
"desktop OS" products use linear searches for their routes...

> The above ARP attack scheme works perfectly for plain old 10Base2 Ethernet.
> However, if machines are interconnected in some more advanced way,
> particularly using some smart hubs or switches, the attack can be more visible
> or even impossible (same goes for passive attacks). So there's yet another
> reason to invest in a good piece of network equipment. A good deal of peace
> of mind may just come with it.

A filtering hub lets you perform this attack:

Ping the two hosts you wish to snoop between.

Using the MAC addresses you learn via ARP, send both a unicast ARP
giving yourself as the answer for the other IP address.

Route between the two yourself and log the frames.

Better yet, the admin on another port is filtered from your unicast frames.
Nothing they can see coming out of their hub is likely to show up the attack.

> compliant with RFC1122. Alas, it may not be easy. On Linux or any other OS
> with sources available, I can at least hack the kernel and #define it out.
> On Irix 6.2 and possibly other versions one can set icmp_dropredirects=1

On Linux you can firewall ICMP redirect packets specifically; ditto, I'm sure,
*BSD. That makes it a single-line command option.

> permanent. As a bonus, this will reduce network traffic somewhat. Standard
> procedures can be used to distribute ARP map, e.g. rdist, rsync (I would say
> NIS, but if you use NIS, ARP is probably not your top security concern
> anyway). Old tradition of /etc/ethers can be brought back to life. But
> getting a kick-ass Ethernet switch still looks better to me (paying for it
> does not, though).

You have a fundamental problem, and this is why neither IPv6 nor bootp are
any more secure against these forms of attack. Unless you burn keys into the ROMs
or onto the disks of hosts by a non-IP method, you will never be able to set
up the first secure session to learn the others; you have a problem akin
to a PGP web of trust with nobody else to trust. With IPv6 you can at least
theoretically implement IP-ESP (encryption headers) even on link-layer
"neighbour discovery" packets. In IPv6 there is local IPv6 rather than ARP,
thus one day we can crypt those too.

Alan
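The ATF_PERM behaviour Alan describes (a pinned entry is never replaced by a learned one) and the ARP-reply spoofing discussed in the thread can be illustrated from the monitoring side. The following is an added example, not code from the thread or from Linux: it parses raw Ethernet/ARP frames, keeps a sender IP-to-MAC table in which pinned entries behave like ATF_PERM, and raises an alert whenever a frame claims a different MAC for a pinned or previously learned IP. The host names, MACs and addresses are constructed; `build_arp` exists only to create the sample frames in memory.

```python
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp(op, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet II + ARP frame (constructed sample, not a capture).
    Requests go to the broadcast MAC; replies are unicast to the target MAC."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else _mac(tha)
    return (dst + _mac(sha) + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, op)
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))

def parse_arp(frame):
    """Return (opcode, sender MAC, sender IP) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[22:28].hex(":"), ".".join(str(b) for b in frame[28:32])

class ArpMonitor:
    """Tracks sender IP->MAC bindings. Pinned entries play the role of ATF_PERM:
    a learned binding never replaces them, a conflicting frame only raises an alert."""
    def __init__(self, pinned):
        self.pinned = dict(pinned)
        self.learned = {}
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, mac, ip = parsed
        expected = self.pinned.get(ip, self.learned.get(ip))
        if expected is not None and expected != mac:
            kind = "pinned" if ip in self.pinned else "learned"
            self.alerts.append(f"{ip}: {kind} MAC {expected}, frame claims {mac}")
        if ip not in self.pinned:
            self.learned[ip] = mac    # learned entries may change; pinned ones never do

def demo():
    """Constructed traffic seen by dog: rat and the router are honest, cat spoofs both."""
    RAT, DOG, CAT, RTR = ("02:00:00:00:00:%02x" % i for i in (1, 2, 3, 4))  # made-up MACs
    mon = ArpMonitor({"10.0.0.1": RAT})                                      # dog pins rat
    mon.observe(build_arp(ARP_REPLY, RTR, "10.0.0.254", DOG, "10.0.0.2"))   # router learned
    mon.observe(build_arp(ARP_REPLY, RAT, "10.0.0.1", DOG, "10.0.0.2"))     # honest rat
    mon.observe(build_arp(ARP_REPLY, CAT, "10.0.0.1", DOG, "10.0.0.2"))     # cat claims rat
    mon.observe(build_arp(ARP_REPLY, CAT, "10.0.0.254", DOG, "10.0.0.2"))   # cat claims router
    return mon
```

Run `demo().alerts` to see one alert for the pinned entry (which stays unchanged) and one for the learned router entry (which the monitor records as changed).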