[Courses] [Security] ARP (was: return RST)

Raven, corporate courtesan raven at oneeyedcrow.net
Mon Apr 1 19:36:34 EST 2002


Heya --

Quoth coldfire (Fri, Mar 29, 2002 at 08:44:51PM -0500):
> > > but if you're on the same network as a scanning machine, you can figure
> > > out whether a host is up or not regardless of its firewall policy.
> >  
> > 	How?  Put your port in promiscuous mode and sniff the network
> > for traffic with that IP in general?  Or did you have something else in
> > mind?
> 
> arp requests and arp replies both have their own ethernet frame types
> (different than ip).  as far as i know, iptables only filters based on ip
> datagrams (correct me if i'm wrong, please :) ... therefore, if you
> attempt to ping a host that's on the same physical network, you can check
> the arp cache on your machine to see if you have received any arp replies
> (or just sniff for them).
 
	Ah, gotcha.  It's not Perl, but there is indeed "more than one
way to do it".  [grin]  If you've had any communication with that host
and it's on your local network, you may be able to figure out whether or
not it's up by looking at your arp tables.

	There are weird problems you can run into with ARP, though.
Proxy ARP is the most obvious.  This is when you have a local network
that's run through a device like a router, but wants to make separate
devices look like they share a LAN.  So,

Box 1 -----|        |-----------|       |----- Box 5
           |        |           |       |
Box 2 -----|   eth0 |           |eth1   |----- Box 6
           |--------|  Router   |-------|
Box 3 -----|        |           |       |----- Box 7
           |        |           |       |
Box 4 -----|        |-----------|       |----- Box 8  

If the router wants to make Box 1 think it's on the same local network
as Box 7, it will use proxy ARP.  When it receives an ARP query for the
IP of Box 7, it will respond out eth0 with its own MAC address of eth0.
Likewise, if Box 5 sent an ARP query asking for the MAC of Box 3, the
router would respond with the MAC of its eth1 interface.  The router
doesn't forward ARP requests across interfaces (generally a bad idea),
but will forward packets to ensure communication.

	The upshot of all this is, if you are on Box 3 and you look in
your ARP table for an entry from Box 8, you may see one for the MAC of
eth0 on the router.  (If you have a lot of ARP replies for many
different IPs to the same MAC, that's an indication that proxy ARP may
be going on.)

	You can view the ARP table on your system with arp -a (to see
all entries).  Note that this will only show you the machines the box
has communicated with in the last (however long your arp cache is --
about 30 seconds plus some randomness by default).  So, from my Linux
box...

[raven at linuxbox raven]$ arp -a
gateway.example.org (10.1.1.17) at 00:60:47:50:2B:16 [ether] on eth0

[raven at linuxbox raven]$ ping dahlia
PING dahlia (10.1.1.19) from 10.1.1.18: 56(84) bytes of data.
64 bytes from 10.1.1.19: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 10.1.1.19: icmp_seq=1 ttl=255 time=0.3 ms
64 bytes from 10.1.1.19: icmp_seq=2 ttl=255 time=0.3 ms

[raven at linuxbox raven]$ arp -a
dahlia (10.1.1.19) at 00:A0:CC:29:1D:13 [ether] on eth0
gateway.example.org (10.1.1.17) at 00:60:47:50:2B:16 [ether] on eth0

	So if the box is up and on your actual local network, you should
see an ARP entry for it after pinging it.  If there's a router doing
proxy ARP in the way, you should see an entry with the MAC address of
the router in there.  (Usually if it's the same as your gateway's MAC,
that's a tip-off.)  If there's no entry, then either the box is down or
ARP is being filtered.

	Iptables can do proxy ARP for you, if you like.  It can also
filter based on MAC address, so if that's going on, it can deny access
to machines on the local network.

linuxbox# iptables -I INPUT -p tcp -m mac --mac-source AT:TA:CK:0M:AC:00 -j DROP
          # AT:TA:CK:0M:AC:00 is a placeholder; iptables needs six real hex octets

for example, would deny any incoming tcp packets from the MAC address
AT:TA:CK:0M:AC:00.  ARP requests are broadcast (because you don't know
where the device that you're arping for is), and ARP replies are
unicast.  I would imagine that if you were really paranoid, you could
deny incoming packets from any MAC but your gateway's MAC.  That way
nothing else on your network would be able to talk to you at all.  They
could send you the ARP request, but it would be dropped since it's from
an unapproved MAC address, there would be no reply, and so you wouldn't
show up in the attacker's ARP table.

	I'd have to try it to be sure, but I *think* that's how it
should work.  Something like:

          # -I puts each rule at the top, so add the DROP first and the ACCEPT
          # last; -m mac needs --mac-source, so the catch-all is a plain DROP.
          # GA:TE:WA:Y0:MA:C0 is a placeholder for the gateway's real MAC.
linuxbox# iptables -I INPUT -j DROP
linuxbox# iptables -I INPUT -m mac --mac-source GA:TE:WA:Y0:MA:C0 -j ACCEPT

might do it.  Of course, this means you'd be dropping every other
layer-2-broadcast, too.

Cheers,
Raven
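A small parser for the `arp -a` output shown above that flags the proxy-ARP pattern Raven describes (several IPs resolving to one MAC, especially the gateway's). This is an added example, not code from the original post; the table it reads is constructed sample output in Linux net-tools format with invented hostnames and addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the format `arp -a` prints on Linux (net-tools);
# the hosts, IPs and MACs are invented for the example.
SAMPLE_ARP = """\
gateway.example.org (10.1.1.17) at 00:60:47:50:2B:16 [ether] on eth0
dahlia (10.1.1.19) at 00:A0:CC:29:1D:13 [ether] on eth0
box7.example.org (10.1.1.23) at 00:60:47:50:2B:16 [ether] on eth0
box8.example.org (10.1.1.24) at 00:60:47:50:2B:16 [ether] on eth0
? (10.1.1.30) at <incomplete> on eth0
"""

ARP_LINE = re.compile(
    r"^(?P<host>\S+) \((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:]{17}|<incomplete>)"
    r"(?: \[(?P<hwtype>\w+)\])? on (?P<iface>\S+)$"
)


def parse_arp(text):
    """Return complete entries as dicts; <incomplete> rows (no reply seen) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m or m.group("mac") == "<incomplete>":
            continue
        entry = m.groupdict()
        entry["mac"] = entry["mac"].upper()
        entries.append(entry)
    return entries


def shared_macs(entries):
    """Map each MAC that answers for more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[e["mac"]].add(e["ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def proxy_arp_suspects(text, gateway_ip):
    """IPs (other than the gateway itself) whose ARP entry carries the gateway's MAC."""
    entries = parse_arp(text)
    gw_mac = [e["mac"] for e in entries if e["ip"] == gateway_ip]
    if not gw_mac:
        return []
    return sorted(e["ip"] for e in entries if e["mac"] == gw_mac[0] and e["ip"] != gateway_ip)


if __name__ == "__main__":
    for mac, ips in shared_macs(parse_arp(SAMPLE_ARP)).items():
        print(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
    print("behind the gateway (proxy ARP?):", proxy_arp_suspects(SAMPLE_ARP, "10.1.1.17"))
```

On a live box, feed it the output of `arp -a` after pinging the hosts of interest, since entries age out of the cache quickly.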


