Stop Using ARP
Machines extending trust to other machines on the local network based on an IP address should not use ARP to obtain the hardware address of the trusted machines. Instead, the hardware address of the trusted machines should be loaded as permanent entries into the ARP cache of the trusting machine. Unlike normal ARP cache entries, permanent entries do not expire after a few minutes. Sending a datagram to an IP address associated with a permanent ARP cache entry will never result in an ARP request. With no ARP request being sent, an attacker does not have the opportunity to send an ARP reply. It seems unlikely that any operating system would overwrite a permanent ARP cache entry with an unsolicited ARP reply.
With permanent ARP cache entries for trusted machines, the trusting host will not use ARP to determine the correct hardware address and will not be fooled into sending IP data to an ARP spoofer. Of course, it will also send IP data to the machine even if the machine has been down for some time. Another downside to permanent ARP entries is that the cache entries will need revising if the hardware address changes for a legitimate reason. Finally, ARP caches may be of limited size, limiting the number of permanent entries or further limiting the time a dynamic entry spends in the cache.
Displaying ARP Cache Entries
On Unix and Windows 95/NT machines, you use the arp command to manipulate and inspect the ARP cache. This command has several options.
arp -a
The -a option displays all ARP cache entries for all interfaces of the host. The following output is an example of what you would see on a Windows 95 machine:
Interface: 147.226.112.167
  Internet Address      Physical Address      Type
  147.226.112.1         aa-00-04-00-bc-06     static
  147.226.112.88        08-00-20-0b-f0-8d     dynamic
  147.226.112.101       08-00-2b-18-93-68     static
  147.226.112.102       08-00-2b-1b-d7-fd     static
  147.226.112.103       00-00-c0-63-33-2d     dynamic
  147.226.112.104       00-00-c0-d5-da-47     dynamic
  147.226.112.105       08-00-20-0b-7b-df     dynamic
  147.226.112.106       08-00-20-0e-86-ef     dynamic
  147.226.112.124       08-00-2b-1c-08-68     dynamic
  147.226.112.169       08-00-09-2a-3c-08     dynamic
Deleting an ARP Cache Entry
At some point you may want to delete a permanent ARP cache entry that is no longer valid or delete a dynamic entry that you suspect of being spoofed. The -d option deletes the entry with the given IP address from the ARP cache.
arp -d 147.226.112.101
Inserting a Permanent ARP Cache Entry
The -s option inserts a permanent (static) ARP cache entry for the given IP address. Typically, the Ethernet address would be obtained by displaying the entire ARP cache as shown previously.
arp -s 147.226.112.101 08-00-2b-18-93-68
To ensure that the address is in the ARP cache, you can first use the ping command to send an ICMP/IP echo request to the IP address in question. A somewhat more secure, but tedious, method is to use an operating-system-dependent command to query the machine in question for its own hardware address from its console. You can place a series of such arp -s commands into the startup script of the machine that will be extending trust to others.
Inserting Many Permanent ARP Cache Entries
The -f option loads permanent entries into the ARP cache from a file containing an IP address to a hardware address database.
arp -f arptab
In this example, the file is named arptab, but the name of the file is up to the system administrator using the command. The -f option to the arp command is not available on all systems. In particular, it is missing from the current versions of Windows 95 and Windows NT. However, it is really just a substitute for a series of arp commands with the -s option.
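The following script is an added example, not from the original text: it generates the series of arp -s commands that the startup script and the -f option both stand for, and it audits a saved arp -a listing against the same table so that a dynamic or altered entry for a trusted host is flagged. The arptab format (one "ip hardware-address" line per host, with # comments), the Windows-style dashed hardware addresses and the sample cache listing are all constructed here.

```shell
#!/bin/sh
# Added example: permanent ARP entries from an arptab-style file, plus an
# audit of the live cache against that file. Not code from the book.

# Constructed sample arptab (format assumed: "<ip> <hw-addr>", '#' comments).
ARPTAB='# ip              hardware address
147.226.112.1     aa-00-04-00-bc-06
147.226.112.101   08-00-2b-18-93-68
147.226.112.102   08-00-2b-1b-d7-fd'

# Constructed sample of "arp -a" output, normally captured with arp -a > file.
# The .101 entry has been altered to stand in for a spoofed dynamic entry.
CACHE='Interface: 147.226.112.167
  Internet Address      Physical Address      Type
  147.226.112.1         aa-00-04-00-bc-06     static
  147.226.112.101       00-00-c0-63-33-2d     dynamic
  147.226.112.102       08-00-2b-1b-d7-fd     static'

# Print one "arp -s" command per arptab entry. Run as root (gen_static_entries | sh)
# from a startup script; this replaces arp -f where -f is not available.
gen_static_entries() {
    printf '%s\n' "$ARPTAB" |
        awk '!/^#/ && NF == 2 { print "arp -s " $1 " " $2 }'
}

# Compare each trusted host's cache entry with the arptab. Reports
# MISSING (no entry), MISMATCH (different hardware address) or DYNAMIC
# (correct address, but still replaceable by an ARP reply). Silent if clean.
audit_cache() {
    printf '%s\n' "$ARPTAB" | while read -r ip hw; do
        case "$ip" in ''|'#'*) continue ;; esac
        # awk splits on whitespace, so leading indentation and the
        # "Interface:" / header lines never match an IP in column 1.
        line=$(printf '%s\n' "$CACHE" | awk -v ip="$ip" '$1 == ip { print; exit }')
        set -- $line   # $1 = ip, $2 = cached hw address, $3 = type
        if [ -z "$line" ]; then
            echo "MISSING $ip"
        elif [ "$2" != "$hw" ]; then
            echo "MISMATCH $ip cached=$2 expected=$hw type=$3"
        elif [ "$3" != "static" ]; then
            echo "DYNAMIC $ip"
        fi
    done
}
```

Replace the two embedded samples with a real arptab file and a fresh arp -a capture to use it for real; the address format in the arptab must match what the local arp command prints.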
Use an ARP Server
The arp command outlined in the previous section also allows one machine to be an ARP server. An ARP server responds to ARP requests on behalf of another machine by consulting (permanent) entries in its own ARP cache. You can manually configure this ARP cache and configure machines that extend trust based on this IP address to use ARP replies coming from the ARP server rather than ARP replies from other sources. However, configuring a machine to believe only in the ARP server is a difficult task for most operating systems.
Even if you do not configure other machines to trust only the ARP server for ARP replies, this type of server may still be beneficial. The ARP server will send out a reply to the same requests as a potential ARP spoofer. When machines process the ARP replies, there is at least a fair chance that the ARP spoofer's replies will be ignored. You cannot be sure because, as you have seen, much depends on the exact timing of the replies and the algorithms used to manage the ARP cache.
Warning: If the attacker in the case study had assumed both the same IP address and the same hardware address as the trusted host he shut down, then none of the techniques mentioned so far would have detected or prevented the NFS mount of the mission-critical file system to his laptop. This underscores a serious potential problem for environments that allow physical access to trusted hosts and network connections.