TLDR; - Arpwatch new station alert showed arp spoofing attempt. Cloud hosting provider is adamant that arpwatch is misinterpreting data.

OpenBSD 6.5 vm running in a cloud hosting provider:

WEB# uname -a
OpenBSD WEB 6.5 GENERIC.MP#3 amd64

Arpwatch installed:

WEB# pkg_info arpwatch | grep Information
Information for inst:arpwatch-2.1a15p19

Received arpwatch notification:

WEB# grep arpwatch /var/log/daemon
Aug 29 10:43:57 WEB arpwatch: new station 2.2.3.12 00:00:00:00:00:01

Checked arp table and found the mac address matched that of the default gateway.

WEB# arp -a
Host        Ethernet Address   Netif Expire    Flags
2.2.2.1     00:00:00:00:00:01  vio0  9m30s
web         22:22:22:22:22:22  vio0  permanent l

I proceeded to look at pf (host firewall) logs. While I don't log drops, there were a number of requests to tcp80 and tcp443. Parsing relayd logs showed none of the requests passed protocol security filtering. Beyond this, I have no way to determine if this arp spoofing was successful.

Thus I reached out to my hosting provider with this information and their response was:

"We have protections in place to defend against such things and therefore this style of attack can not be performed on our network. The data you are seeing here is a bit misleading. Thank you for your report."

I've only been a customer for a few months and during that time there have been no alerts generated by arpwatch. However, I don't understand how the data is misleading. This is because arpwatch runs in an environment I manage and is found to be quite useful. Thus I requested more context as to why the data is misleading and their response was:

"It is misinterpreting data. This attack is not possible on our network and arpwatch is not relevant to our platform or how it operates."

Support is clearly adamant that their hosting environment is impervious. However, none of this makes any sense to me. The host is a basic install with no custom or one-off configurations. Later watching arp traffic showed typical conversations between the host and default gateway. No other arp traffic was observed.

WEB# tcpdump -lnettt -i vio0 arp

I'm interested to hear feedback from misc@ as I didn't get a response from the arpwatch list. Is there a log or config I should check? Perhaps another utility to consider? Is my cloud hosting provider misinterpreting data? Do you suppose they had unplanned & unannounced maintenance? Anything else?

Thanks,
Paul
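The manual check described above (take an arpwatch "new station" line, look the MAC up in the host's arp table, notice it belongs to the default gateway) can be automated so the correlation runs every time the daemon log is scanned. The script below is an added example and is not code from the post, from arpwatch, or from OpenBSD. It parses arpwatch's "new station" and "changed ethernet address" log formats plus `arp -a` output, and flags any new station whose MAC is already bound to a different host (the gateway in particular) or any event that rebinds the gateway's MAC. The sample log and arp table are constructed from the values in the post; the "changed ethernet address" line and the sshd line are invented filler, and the gateway address 2.2.2.1 is assumed from the post's arp table.

```python
import re

# Constructed sample input modelled on the post's output. The sshd line and the
# "changed ethernet address" line are invented for illustration and did not
# appear in the post.
ARPWATCH_LOG = """\
Aug 29 10:43:57 WEB arpwatch: new station 2.2.3.12 00:00:00:00:00:01
Aug 29 10:44:10 WEB sshd[4711]: Accepted publickey for paul from 2.2.2.50
Aug 29 10:51:03 WEB arpwatch: changed ethernet address 2.2.2.1 00:00:00:00:00:01 (00:00:00:00:00:02)
"""

ARP_TABLE = """\
Host        Ethernet Address   Netif Expire    Flags
2.2.2.1     00:00:00:00:00:01  vio0  9m30s
web         22:22:22:22:22:22  vio0  permanent l
"""

DEFAULT_GATEWAY = "2.2.2.1"   # assumption: the gateway address shown in the post's arp table

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
NEW_STATION_RE = re.compile(r"arpwatch: new station (\S+) (" + MAC + r")\b", re.I)
CHANGED_RE = re.compile(
    r"arpwatch: changed ethernet address (\S+) (" + MAC + r") \((" + MAC + r")\)", re.I)


def parse_arp_table(text):
    """Map host -> MAC from `arp -a` output; the header and non-MAC lines are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and re.fullmatch(MAC, parts[1], re.I):
            table[parts[0]] = parts[1].lower()
    return table


def parse_arpwatch_events(text):
    """Extract (kind, ip, new_mac, old_mac) tuples from daemon log lines."""
    events = []
    for line in text.splitlines():
        m = NEW_STATION_RE.search(line)
        if m:
            events.append(("new station", m.group(1), m.group(2).lower(), None))
            continue
        m = CHANGED_RE.search(line)
        if m:
            events.append(("changed ethernet address", m.group(1),
                           m.group(2).lower(), m.group(3).lower()))
    return events


def find_mac_conflicts(events, arp_table, gateway):
    """Return findings for events that reuse a MAC already bound to another host
    in the ARP table (the gateway in particular) or that rebind the gateway."""
    findings = []
    by_mac = {mac: host for host, mac in arp_table.items()}
    for kind, ip, mac, old in events:
        owner = by_mac.get(mac)
        if kind == "new station" and owner is not None and owner != ip:
            tag = "gateway" if owner == gateway else "host"
            findings.append(f"{ip} announced with MAC {mac} already held by {tag} {owner}")
        elif kind == "changed ethernet address" and ip == gateway:
            findings.append(f"gateway {ip} changed MAC {old} -> {mac}")
    return findings


def run(log=ARPWATCH_LOG, table=ARP_TABLE, gateway=DEFAULT_GATEWAY):
    """Correlate arpwatch events against the arp table and return the findings."""
    return find_mac_conflicts(parse_arpwatch_events(log), parse_arp_table(table), gateway)


if __name__ == "__main__":
    for finding in run():
        print("ALERT:", finding)
```

On a live host the two inputs would come from `grep arpwatch /var/log/daemon` and `arp -a` as in the post; feeding them to `run()` reproduces the gateway-MAC match by hand-check the post describes, and the "changed ethernet address" branch covers the case where the gateway entry itself flips, which is the other signature arpwatch reports.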