Bugtraq mailing list archives
Re: Redir games with ARP and ICMP
From: jgoerzen () SOUTHWIND NET (John Goerzen)
Date: Mon, 22 Sep 1997 09:32:44 -0500
Having anticipated such a problem already (in our environment, there are many lab machines which have NFS access to user disks on a server. These machines may even be turned OFF, which makes it easy for a spoofer to get in.), I wrote a short Perl script designed to be run from the system startup file. Basically, it "primes" the ARP cache on Linux with the IP and MAC addresses of known machines, setting a flag so that they are never removed from the cache and can never be changed.

The config file format is simple -- IP address followed by MAC address, separated by whitespace. Pound at the beginning of a line indicates a comment. This has only been tested on Linux -- people on other platforms may need to adjust the parameters to arp in the system call. It is a quick 'n' dirty program, but works -- maybe it will be useful to somebody out there, too.

Note: you want to make sure that it is run after your network interface is brought up but before any servers or clients are started; otherwise, somebody may be able to sneak in a connection before the ARP tables are "locked".

Here's the script:

#!/usr/bin/perl
# by John Goerzen <jgoerzen () cs twsu edu>
# Program: forcehwaddr
# Program to run ARP to force certain tables.
# Specify filenames to read from on command line, or read from stdin.
use strict;
use warnings;

foreach (<>) {                       # For each input line....
    chomp;                           # Strip the LF...
    s/\r$//;                         # ...and a CR, if the file has CR/LF endings.
    if (/^\s*#/) { next; }           # If it's a comment, skip it.
    my ($host, $hw);
    if ((($host, $hw) = /\s*(.+?)\s+(\S+)\s*/) == 2) {
        # The text between the slashes parses the input line as follows:
        # Ignore leading whitespace. (\s*)
        # Then, start matching and put it into $host ($host, (.+?))
        # Skip over the whitespace after that (\s+)
        # Start matching. Continue matching until end of line or optional
        # trailing whitespace.
        # Then, the if checks to see that both a
        # host and a hardware address were matched.
        # (2 matches). If not, we skip the
        # line (assuming it is blank or invalid or something).
        # Otherwise, run the appropriate command (list form, so the
        # arguments go to arp directly rather than through a shell),
        # and complain if arp reports a failure:
        printf("Setting IP %-15s to hardware address %s\n", $host, $hw);
        if (system("/usr/sbin/arp", "-s", $host, $hw) != 0) {
            warn "arp -s $host $hw failed (exit status ", $? >> 8, ")\n";
        }
    }
}

--
John Goerzen
Southwind Internet Access, Inc.
Technical Support
Business e-mail: jgoerzen () southwind net
Personal e-mail: jgoerzen () complete org
Wichita State University e-mail: jgoerzen () cs twsu edu
Developer, Debian GNU/Linux <http://www.debian.org>
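One way to audit the result of such pinning afterwards, as an added example that is not part of the post above: this Python reads the same IP/MAC config format, parses /proc/net/arp and reports pinned hosts whose entry is missing, not permanent, or bound to a different MAC. The config text and the ARP table lines are constructed sample data; on a real host you would read /proc/net/arp instead.

```python
# Audit a Linux ARP cache against a pinned IP/MAC list (constructed example).
# Same config format as forcehwaddr: "IP MAC" per line, '#' starts a comment.
ATF_PERM = 0x04  # permanent-entry flag bit in /proc/net/arp (linux/if_arp.h)
def parse_pinned(text):
    """Return {ip: mac} from the config text; comments and bad lines skipped."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        pinned[fields[0]] = fields[1].lower()
    return pinned

def parse_proc_arp(text):
    """Return {ip: (mac, flags)} from /proc/net/arp text (header row skipped)."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6:
            table[fields[0]] = (fields[3].lower(), int(fields[2], 16))
    return table

def audit(pinned, table):
    """List (ip, problem) for pinned hosts missing, not permanent, or on a different MAC."""
    problems = []
    for ip, want in sorted(pinned.items()):
        if ip not in table:
            problems.append((ip, "missing from ARP cache"))
            continue
        mac, flags = table[ip]
        if mac != want:
            problems.append((ip, f"MAC mismatch: cache has {mac}, expected {want}"))
        elif not flags & ATF_PERM:
            problems.append((ip, "entry not permanent, can be overwritten"))
    return problems
# Constructed sample data, not captured from a real host.
PINNED = """# lab machines
10.0.0.1   00:00:0c:11:22:33
10.0.0.2   00:a0:c9:44:55:66
10.0.0.3   08:00:20:77:88:99
10.0.0.4   08:00:20:aa:bb:cc
"""
PROC_ARP = """IP address  HW type  Flags  HW address         Mask  Device
10.0.0.1    0x1      0x6    00:00:0C:11:22:33  *     eth0
10.0.0.2    0x1      0x6    00:00:0c:de:ad:be  *     eth0
10.0.0.3    0x1      0x2    08:00:20:77:88:99  *     eth0
"""
if __name__ == "__main__":
    for ip, problem in audit(parse_pinned(PINNED), parse_proc_arp(PROC_ARP)):
        print(f"{ip:<15} {problem}")
```

Run as root after the pinning script has done its work; an empty report means every pinned host is present, permanent and on the expected MAC.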