Internet Security Professional Reference: IP Spoofing and Sniffing


Stop Using ARP

Machines extending trust to other machines on the local network based on an IP address should not use ARP to obtain the hardware address of the trusted machines. Instead, the hardware address of the trusted machines should be loaded as permanent entries into the ARP cache of the trusting machine. Unlike normal ARP cache entries, permanent entries do not expire after a few minutes. Sending a datagram to an IP address associated with a permanent ARP cache entry will never result in an ARP request. With no ARP request being sent, an attacker does not have the opportunity to send an ARP reply. It seems unlikely that any operating system would overwrite a permanent ARP cache entry with an unsolicited ARP reply.

With permanent ARP cache entries for trusted machines, the trusting host will not use ARP to determine the correct hardware address and will not be fooled into sending IP data to an ARP spoofer. Of course, it will also send IP data to the machine even if the machine has been down for some time. Another downside to permanent ARP entries is that the cache entries will need revising if the hardware address changes for a legitimate reason. Finally, ARP caches may be of limited size, limiting the number of permanent entries or further limiting the time a dynamic entry spends in the cache.

Displaying ARP Cache Entries

On Unix and Windows 95/NT machines, you use the arp command to manipulate and inspect the ARP cache. This command has several options.

arp -a

The -a option displays all ARP cache entries for all interfaces of the host. The following output is an example of what you would see on a Windows 95 machine:

Interface: 147.226.112.167
Internet Address      Physical Address      Type
147.226.112.1         aa-00-04-00-bc-06     static
147.226.112.88        08-00-20-0b-f0-8d     dynamic
147.226.112.101       08-00-2b-18-93-68     static
147.226.112.102       08-00-2b-1b-d7-fd     static
147.226.112.103       00-00-c0-63-33-2d     dynamic
147.226.112.104       00-00-c0-d5-da-47     dynamic
147.226.112.105       08-00-20-0b-7b-df     dynamic
147.226.112.106       08-00-20-0e-86-ef     dynamic
147.226.112.124       08-00-2b-1c-08-68     dynamic
147.226.112.169       08-00-09-2a-3c-08     dynamic

Deleting an ARP Cache Entry

At some point you may want to delete a permanent ARP cache entry that is no longer valid or delete a dynamic entry that you suspect of being spoofed. The -d option deletes the entry with the given IP address from the ARP cache.

arp -d 147.226.112.101

Inserting a Permanent ARP Cache Entry

The -s option inserts a permanent (static) ARP cache entry for the given IP address. Typically, the Ethernet address would be obtained by displaying the entire ARP cache as shown previously.

arp -s 147.226.112.101 08-00-2b-18-93-68

To ensure that the address is in the ARP cache, you can first use the ping command to send an ICMP/IP echo request to the IP address in question. A somewhat more secure, but tedious, method is to use an operating-system-dependent method for querying the machine in question for its own hardware address from its console. You can place a series of such commands into the startup script of the machine that will be extending trust to others.

Inserting Many Permanent ARP Cache Entries

The -f option loads permanent entries into the ARP cache from a file containing a database of IP address to hardware address mappings.

arp -f arptab

In this example, the file is named “arptab,” but the name of the file is up to the system administrator using the command. The -f option to the arp command is not available on all systems. In particular, it is missing from the current versions of Windows 95 and Windows NT. However, it is really just a substitute for a series of arp commands with the -s option.
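To put the display, delete and insert commands above together, here is an added example (not code from the book) that parses arp -a output in the Windows 95 layout shown earlier, compares it against an arptab-style trusted table (assumed here to be one IP address and hardware address per line, since the text does not specify the file format), and emits the arp -d / arp -s commands an administrator would run to remove a suspect entry and pin the trusted ones. The sample cache and table are constructed.

```python
import re
# Constructed sample of arp -a output in the Windows 95 layout shown in the text.
SAMPLE_ARP_A = """\
Interface: 147.226.112.167
Internet Address      Physical Address      Type
147.226.112.1         aa-00-04-00-bc-06     static
147.226.112.101       08-00-2b-18-93-68     static
147.226.112.103       00-00-c0-63-33-2d     dynamic
"""
# Constructed trusted table in an assumed arptab style ("<ip> <hardware address>" per line);
# the .103 entry deliberately differs from the cache above to show a mismatch.
SAMPLE_ARPTAB = """\
# trusted hosts (constructed)
147.226.112.1     aa-00-04-00-bc-06
147.226.112.101   08-00-2b-18-93-68
147.226.112.103   00-00-c0-aa-bb-cc
147.226.112.124   08-00-2b-1c-08-68
"""
ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_a(text):
    """Map IP -> (hardware address, type); the Interface and header lines do not match."""
    cache = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Canonical form: lower case, dash separated (the Windows style).
            cache[m.group(1)] = (m.group(2).lower().replace(":", "-"), m.group(3).lower())
    return cache

def parse_arptab(text):
    """Map IP -> hardware address; blank lines and # comments are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1].lower().replace(":", "-")
    return table

def audit(cache, trusted):
    """Return the arp commands that bring the cache in line with the trusted table: a trusted
    IP cached with another hardware address is a spoofing suspect (delete, then pin); one
    that is absent or only dynamic just needs pinning."""
    cmds = []
    for ip, hw in sorted(trusted.items()):
        cur = cache.get(ip)
        if cur and cur[0] != hw:
            cmds.append(f"arp -d {ip}  # suspect: cache has {cur[0]} ({cur[1]}), expected {hw}")
        if cur is None or cur[0] != hw or cur[1] != "static":
            cmds.append(f"arp -s {ip} {hw}")
    return cmds
```

The generated commands are printed for review rather than executed, so the administrator decides what to delete and pin.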

Use an ARP Server

The arp command outlined in the previous section also allows one machine to be an ARP server. An ARP server responds to ARP requests on behalf of another machine by consulting (permanent) entries in its own ARP cache. You can manually configure this ARP cache and configure machines that extend trust based on IP address to use ARP replies coming from the ARP server rather than ARP replies from other sources. However, configuring a machine to accept ARP replies only from the ARP server is a difficult task for most operating systems.

Even if you do not configure other machines to trust only the ARP server for ARP replies, this type of server may still be beneficial. The ARP server will send out a reply to the same requests as a potential ARP spoofer. When machines process the ARP replies, there is at least a fair chance that the ARP spoofer’s replies will be ignored. You cannot be sure because, as you have seen, much depends on the exact timing of the replies and the algorithms used to manage the ARP cache.


Warning: If the attacker in the case study had assumed both the same IP address and the same hardware address as the trusted host he shut down, then none of the techniques mentioned so far would have detected or prevented the NFS mount of the mission-critical file system to his laptop. This underscores a serious potential problem for environments that allow physical access to trusted hosts and network connections.
