Re: ARP(4) spoofing?

2008-03-17 Thread Modulok
  Would this be ARP(4) spoofing, or is it just me? How would I
  confirm it?
 
  arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
  This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
  is LAN facing and permanent entry in the arp cache. This happens
  constantly and is slowly filling my log files.

 What does an ifconfig -a on your machine show? It looks like you've
 configured your loopback interface to also have 192.168.1.1

[-]Modulok ifconfig -au inet
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000

Just for fun, the entry in the arp cache:

[-]Modulok arp -an | grep 192.168.1.1
? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]

Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
Physical connections exist to the same logical IP network on both if0 and
if1.

Doubtful: LAN---em0[FreeBSD]em1---modem---Internet

an entry already exists in the ARP cache ... and the cable has been
disconnected from if0, then reconnected to if1.

Nope.

This message can only be issued if the sysctl
net.link.ether.inet.log_arp_wrong_iface is set to 1

While I could set the relevant sysctl variable to prevent it from
being logged, (which I'll probably end up doing) when strange things
happen, I usually like to know about them.

Disable the dynamic ARP cache on the external interface and make
permanent entries to the ISP's gateway and DNS servers? Perhaps.
However, in the event they ever change hardware (and fail to spoof
their previous ethernet address), I'd have to manually edit the ARP
cache...at 3:00am...on a Sunday. Plus these ARP replies, while
annoying, are not really harming anything as FreeBSD's ARP appears to
prevent address takeover via gratuitous, un-solicited, impersonating
ARP replies.

Come to think of it, that might be it. I haven't looked into whether
or not these are replies triggered by requests from the local host (If
only I knew a way to do such a thing.) Logic initially rejects the
notion. As why would this box be sending out a gratuitous ARP request
every 10 minutes through the wrong interface for the given address?

Strange place, this Interweb.
-Modulok-
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


RE: ARP(4) spoofing?

2008-03-17 Thread Ted Mittelstaedt


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Modulok
 Sent: Monday, March 17, 2008 1:29 AM
 To: Brent Jones
 Cc: freebsd-questions@freebsd.org
 Subject: Re: ARP(4) spoofing?


   Would this be ARP(4) spoofing, or is it just me? How would I
   confirm it?
  
   arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
   This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
   is LAN facing and permanent entry in the arp cache. This happens
   constantly and is slowly filling my log files.

  What does an ifconfig -a on your machine show? It looks like you've
  configured your loopback interface to also have 192.168.1.1

 [-]Modulok ifconfig -au inet
 em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
 em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 options=b<RXCSUM,TXCSUM,VLAN_MTU>
 inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
 inet 127.0.0.1 netmask 0xff000000

 Just for fun, the entry in the arp cache:

 [-]Modulok arp -an | grep 192.168.1.1
 ? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]

 Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
 Physical connections exist to the same logical IP network on both if0 and
 if1.

 Doubtful: LAN---em0[FreeBSD]em1---modem---Internet

 an entry already exists in the ARP cache ... and the cable has been
 disconnected from if0, then reconnected to if1.

 Nope.

 This message can only be issued if the sysctl
 net.link.ether.inet.log_arp_wrong_iface is set to 1

 While I could set the relevant sysctl variable to prevent it from
 being logged, (which I'll probably end up doing) when strange things
 happen, I usually like to know about them.

 Disable the dynamic ARP cache on the external interface and make
 permanent entries to the ISP's gateway and DNS servers? Perhaps.
 However, in the event they ever change hardware (and fail to spoof
 their previous ethernet address), I'd have to manually edit the ARP
 cache...at 3:00am...on a Sunday. Plus these ARP replies, while
 annoying, are not really harming anything as FreeBSD's ARP appears to
 prevent address takeover via gratuitous, un-solicited, impersonating
 ARP replies.

 Come to think of it, that might be it. I haven't looked into whether
 or not these are replies triggered by requests from the local host (If
 only I knew a way to do such a thing.) Logic initially rejects the
 notion. As why would this box be sending out a gratuitous ARP request
 every 10 minutes through the wrong interface for the given address?


You should have anti-spoofing firewall entries in any internet
router, check your ipfw entries.  I suspect the problem has to
do with a misconfiguration of your nat, frankly.  The error message
itself:

arp: X.X.X.X is on lo0

is nonsensical, because by definition the loopback (lo0) is not
connected to any network.  Under
correct configuration, a loopback cannot receive an arp.

The internal loopback address is exactly equivalent to a
physical ethernet interface that has a loopback plug inserted
into it.

I suspect your nat config is overloading on the loopback rather than
on the physical interface.

Ted



Re: ARP(4) spoofing?

2008-03-17 Thread Ian Smith
In freebsd-questions Digest, Vol 207, Issue 2
On Mon, 17 Mar 2008 03:29:04 -0600 Modulok [EMAIL PROTECTED] wrote:
Would this be ARP(4) spoofing, or is it just me? How would I
confirm it?
   
arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
is LAN facing and permanent entry in the arp cache. This happens
constantly and is slowly filling my log files.
  
   What does an ifconfig -a on your machine show? It looks like you've
   configured your loopback interface to also have 192.168.1.1
  
  [-]Modulok ifconfig -au inet
  em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  options=b<RXCSUM,TXCSUM,VLAN_MTU>
  inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
  em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
  options=b<RXCSUM,TXCSUM,VLAN_MTU>
  inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
  lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
  inet 127.0.0.1 netmask 0xff000000
  
  Just for fun, the entry in the arp cache:
  
  [-]Modulok arp -an | grep 192.168.1.1
  ? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]

You've omitted even obfuscated ether addresses, and haven't said if
xx:xx:xx:xx:xx:xx is one of yours or one of your LAN's or an unknown,
so I'm assuming the latter, and that address isn't shown by arp -an?

Does 'netstat -finet -rn' show anything useful re MACs connected?

  Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
  Physical connections exist to the same logical IP network on both if0 and
  if1.
  
  Doubtful: LAN---em0[FreeBSD]em1---modem---Internet

What sort of modem?  cable/DSL?  using PPPoE?  Router or bridge?  I'm
wondering if the modem might sometimes? think it was 192.168.1.1 too? Or
the ISP could be misconfigured, depending on how you're connected.  From
the above, looks like em1's on a /25 public subnet?

Best way to find out might be watching something like:
  # tcpdump -pen -i em1
adding such as 'not tcp and not udp' and/or 'and not port blah' and/or
'not host blah and ..' until it's not too busy.

If this is happening every 10 minutes, maybe there's a ping or udp
packet or such associated too? 

  an entry already exists in the ARP cache ... and the cable has been
  disconnected from if0, then reconnected to if1.
  
  Nope.
  
  This message can only be issued if the sysctl
  net.link.ether.inet.log_arp_wrong_iface is set to 1
  
  While I could set the relevant sysctl variable to prevent it from
  being logged, (which I'll probably end up doing) when strange things
  happen, I usually like to know about them.

Yeah, usually best not swept under the carpet.

  Disable the dynamic ARP cache on the external interface and make
  permanent entries to the ISP's gateway and DNS servers? Perhaps.

What arp entries have you for these now?  (obscure at will, though the
first 3 octet manuf/product codes might be interesting/useful).  Still
don't get what your 'modem' is, if both/all these servers are visible.

  However, in the event they ever change hardware (and fail to spoof
  their previous ethernet address), I'd have to manually edit the ARP
  cache...at 3:00am...on a Sunday. Plus these ARP replies, while
  annoying, are not really harming anything as FreeBSD's ARP appears to
  prevent address takeover via gratuitous, un-solicited, impersonating
  ARP replies.

Sure, but it's (at least) misconfiguration, somewhere, by someone ..

  Come to think of it, that might be it. I haven't looked into whether
  or not these are replies triggered by requests from the local host (If
  only I knew a way to do such a thing.) Logic initially rejects the

Again, tcpdump, running in as many terms as needed (here, two)

  notion. As why would this box be sending out a gratuitous ARP request
  every 10 minutes through the wrong interface for the given address?

Smells more like incoming so far, on em1 .. did I mention tcpdump? :)

cheers, Ian

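As an added example (not from anyone in this thread), here is the log-side half of the triage Ian is proposing: a small Python script that parses the `arp: ... is on X but got reply from MAC on Y` kernel lines, groups them by address, claimed interface, MAC and receiving interface, checks each MAC against an `arp -an` snapshot, and reports the median gap between events so a "every 10 minutes" pattern like Modulok's shows up. The log lines, the ARP snapshot, and the year used for timestamps are all constructed for the example.

```python
"""Triage FreeBSD 'arp: <ip> is on <if> but got reply from <mac> on <if>' log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines; MACs and timestamps are made up, not from the thread.
SAMPLE_LOG = """\
Mar 17 01:00:03 gw kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 01:10:04 gw kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 01:20:02 gw kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 01:20:09 gw kernel: arp: 10.0.0.5 is on em0 but got reply from aa:bb:cc:dd:ee:ff on em1
"""

# Constructed 'arp -an' snapshot: MAC -> interface the router already knows it on.
KNOWN_ARP = {
    "00:11:22:33:44:55": "em1",   # assumed: the ISP gateway's MAC
    "de:ad:be:ef:00:01": "em0",   # assumed: a LAN host
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?arp: (?P<ip>[\d.]+) is on (?P<have>\S+) "
    r"but got reply from (?P<mac>[0-9a-f:]{17}) on (?P<got>\S+)$", re.I)

def parse_line(line):
    """Return a dict for a wrong-interface ARP log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog omits the year; 2008 is assumed here purely so the stamps parse
    d["ts"] = datetime.strptime("2008 " + d["ts"], "%Y %b %d %H:%M:%S")
    return d

def triage(log_text, known=KNOWN_ARP):
    """Group events by (ip, claimed iface, mac, reply iface) and summarise each group:
    how often it fired, where (if anywhere) arp -an knows the MAC, and the median
    spacing in seconds so periodic sources stand out."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            groups[(ev["ip"], ev["have"], ev["mac"].lower(), ev["got"])].append(ev["ts"])
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        report[key] = {
            "count": len(stamps),
            "known_on": known.get(key[2]),          # None -> MAC absent from arp -an
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
        }
    return report
```

A MAC that `arp -an` already knows on em1 firing every ~600 s points at a misconfigured upstream device answering for 192.168.1.1, which is what to confirm with `tcpdump -pen -i em1 arp`; an unknown MAC is the case worth chasing further.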


RE: ARP(4) spoofing?

2008-03-16 Thread Brent Jones
 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of Modulok
 Sent: Monday, 17 March 2008 4:36 p.m.
 To: freebsd-questions@freebsd.org
 Subject: ARP(4) spoofing?
 
 Would this be ARP(4) spoofing, or is it just me? How would I 
 confirm it?
 
 arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
 last message repeated 18 times
 This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
 is LAN facing and permanent entry in the arp cache. This happens
 constantly and is slowly filling my log files.
 
 Thoughts? Suggestions?
 -Modulok-

What does an ifconfig -a on your machine show?  It looks like you've
configured your loopback interface to also have 192.168.1.1

Cheers,
Brent