Date: Mon, 19 Apr 1999 15:09:51 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Rodrigo Campos <camposr@MATRIX.COM.BR>
Cc: Liam Slusser <liam@tiora.net>, security@FreeBSD.ORG
Subject: Re: poink attack (was Re: ARP problem in Windows9X/NT)
Message-ID: <Pine.BSF.3.96.990419150534.9273Y-100000@fledge.watson.org>
In-Reply-To: <Pine.BSF.4.05.9904191552130.9049-100000@speed.matrix.com.br>
On Mon, 19 Apr 1999, Rodrigo Campos wrote:

> On Mon, 19 Apr 1999, Liam Slusser wrote:
>
> > In an earlier email Chris <freebsd@hiway1.exit109.com>
> > said his fbsd 3.x was affected...and also said arp errors in
> > /var/log/messages in 2.2.5....but this looks like a WinNT/9x DoS from
> > the geek-girl report here. Is fbsd affected..and if so..what versions?
> > Thanks! ;)
>
> I tested it against freebsd 2.2.8 stable, 3.0 stable and 3.1 stable, all
> of them are vulnerable, it's not a big threat anyway, as you have to be on
> the same ethernet to use the exploit.

And mind you, we are only vulnerable in the sense that we use the arp service, which supports no security in any form. :)

Is there a way to disable arp resolution (and also detection of other clients on the same IP) and just use hard coded arp entries? This would certainly not be the default, but it would be nice if it were an option. Unfortunately ipfw presumably can't do anything as arp is below IP level.

I really don't think this is a very big issue personally, although I can see restricted instances where you'd want to do something about it (i.e., shared untrusted network environments, or if one of n servers in a server pool on a particular ethernet is broken into).

If we do add a sysctl to disable arp collision detection, then you'd also need for all machines on the ethernet to use hard coded arp mappings, or they would just obey the other guy's arp message and send messages to him.

Robert N Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
Carnegie Mellon University http://www.cmu.edu/
TIS Labs at Network Associates, Inc. http://www.tis.com/
Safeport Network Services http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message