From: Bill Davidsen <davidsen@tmr.com>
To: Willy Tarreau <willy@w.ods.org>
Cc: Jad Saklawi <jad@saklawi.info>,
linux-kernel@vger.kernel.org, hisham@hisham.cc,
llug-users@greencedars.org
Subject: Re: Fwd: MAC / IP conflict
Date: Mon, 29 Mar 2004 17:09:25 -0500 [thread overview]
Message-ID: <40689E95.7010108@tmr.com> (raw)
In-Reply-To: <20040329045942.GC1276@alpha.home.local>
Willy Tarreau wrote:
> Hi,
>
> On Sun, Mar 28, 2004 at 10:58:16PM -0500, Bill Davidsen wrote:
>
>>Jad Saklawi wrote:
>>
>>>----- Forwarded message from Hisham Mardam Bey -----
>>> Date: Sun, 21 Mar 2004 13:52:59 +0200
>>>
>>>In short, I need to detect when someone on the network uses my MAC and
>>>my IP address.
>>>
>>>Longer story follows. I am on a LAN which might have some potentially
>>>dangerous users. Those users might spoof my MAC address and additionally
>>>use my IP address, thus forcing my box to go offline, and not be able to
>>>communicate with my gateway. What I need is a passive way to check for
>>>something of the sort, and perhaps a notofication into syslog (the
>>>latter is not very important).
>>
>>Use arpwatch, it detects ALL changes of IP<=>MAC mapping.
>
>
> It won't tell him when someone else uses both IP and MAC. The real solution
> is to lock the MAC on the switch if possible. Another one is to use a second
> host to launch regular ARP requests and count how many replies it gets. Note
> that it is also possible to do this from his host, but he will need arping
> and tcpdump in promiscuous mode, because the reply address will have to be
> a fake one (MAC and IP) so that the switch forwards the reply on all ports.
If he sees the packet it should alert on the local MAC or IP on an
external packet. As noted you won't get the external packet in all cases.
>
> Completely passive solution will not always detect the event. The attacker
> might send packets to another host or even to the switch itself, which will
> not propagate to other ports (eg: ethernet loopback with SA=DA= his MAC).
> But if they make a mistake, then listening to all incoming packets and logging
> their source MAC when it's the same as his host might work. This can be
> implemented very easily with arptables but just for ARP requests. ebtables
> might be better suited, but needs to configure a bridge which is dangerous.
I like the idea of sending ARP after changing the MAC. I would hope to
have an option in the switch which prevents MAC takeover by locking the
MAC to a port as long as the link is up. This doesn't prevent sending a
packet to another host with the real (evil) MAC and spoofed IP, to set
the arptable in a single host. In the long run help from the switch is
probably needed to do it right.
--
-bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
prev parent reply other threads:[~2004-03-29 22:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-03-21 5:09 Fwd: MAC / IP conflict Jad Saklawi
2004-03-21 17:48 ` Filippo Carone
2004-03-29 3:58 ` Bill Davidsen
2004-03-29 4:59 ` Willy Tarreau
2004-03-29 22:09 ` Bill Davidsen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40689E95.7010108@tmr.com \
--to=davidsen@tmr.com \
--cc=hisham@hisham.cc \
--cc=jad@saklawi.info \
--cc=linux-kernel@vger.kernel.org \
--cc=llug-users@greencedars.org \
--cc=willy@w.ods.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox