ARP(4) spoofing?

Ted Mittelstaedt tedm at toybox.placo.com
Mon Mar 17 09:59:27 UTC 2008



> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Modulok
> Sent: Monday, March 17, 2008 1:29 AM
> To: Brent Jones
> Cc: freebsd-questions at freebsd.org
> Subject: Re: ARP(4) spoofing?
>
>
> > > Would this be ARP(4) spoofing, or is it just me? How would I
> > > confirm it?
> > >
> > > arp: 192.168.1.1 is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
> > > This is on a FreeBSD router, em1 is Internet-facing. 192.168.1.1 (em0)
> > > is LAN facing and permanent entry in the arp cache. This happens
> > > constantly and is slowly filling my log files.
>
> > What does an "ifconfig -a" on your machine show? It looks like you've
> > configured your loopback interface to also have 192.168.1.1
>
> [-]Modulok> ifconfig -au inet
> em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
>
> Just for fun, the entry in the arp cache:
>
> [-]Modulok> arp -an | grep 192.168.1.1
> ? (192.168.1.1) at (myEthernetAddress) on em0 permanent [ethernet]
>
> Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
> "Physical connections exist to the same logical IP network on both if0 and
> if1."
>
> Doubtful: LAN---em0[FreeBSD]em1---modem---Internet
>
> "an entry already exists in the ARP cache ... and the cable has been
> disconnected from if0, then reconnected to if1."
>
> Nope.
>
> "This message can only be issued if the sysctl
> net.link.ether.inet.log_arp_wrong_iface is set to 1"
>
> While I could set the relevant sysctl variable to prevent it from
> being logged, (which I'll probably end up doing) when strange things
> happen, I usually like to know about them.
>
> Disable the dynamic ARP cache on the external interface and make
> permanent entries to the ISP's gateway and DNS servers? Perhaps.
> However, in the event they ever change hardware (and fail to spoof
> their previous ethernet address), I'd have to manually edit the ARP
> cache...at 3:00am...on a Sunday. Plus these ARP replies, while
> annoying, are not really harming anything as FreeBSD's ARP appears to
> prevent address takeover via gratuitous, un-solicited, impersonating
> ARP replies.
>
> Come to think of it, that might be it. I haven't looked into whether
> or not these are replies triggered by requests from the local host (If
> only I knew a way to do such a thing.) Logic initially rejects the
> notion. As why would this box be sending out a gratuitous ARP request
> every 10 minutes through the wrong interface for the given address?
>

You should have anti-spoofing firewall entries in any internet
router, check your ipfw entries.  I suspect the problem has to
do with a misconfiguration of your nat, frankly.  The error message
itself:

arp: X.X.X.X is on lo0

is nonsensical, because by definition the loopback (lo0) is not
connected to any network.  Under correct configuration, a loopback
cannot receive an arp.

The internal loopback address is exactly equivalent to a
physical ethernet interface that has a loopback plug inserted
into it.

I suspect your nat config is overloading on the loopback rather than
on the physical interface.

Ted
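
As an added example (not part of the original post and not FreeBSD project code), one way to see who is sending these replies and how regularly is to group the kernel message quoted in the thread by claimed IP, sender MAC and receiving interface. The syslog prefix, host name, MAC addresses and timestamps in the sample are constructed, and the year is an assumption supplied by the caller because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample syslog lines in the format of the kernel message quoted in
# the thread; host name, MAC addresses and timestamps are made up.
SAMPLE_LOG = """\
Mar 17 09:00:01 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 09:10:01 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 09:20:02 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 09:21:40 router kernel: arp: 192.168.1.1 is on lo0 but got reply from 00:aa:bb:cc:dd:ee on em1
Mar 17 09:22:00 router sshd[812]: unrelated line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: arp: (?P<ip>\S+) is on "
    r"(?P<owner>\S+) but got reply from (?P<mac>[0-9a-fA-F:]{17}) on (?P<rx>\S+)$"
)

def summarize(log_text, year=2008):
    """Group wrong-interface ARP messages by (ip, sender MAC, receiving iface)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not the arp(4) wrong-interface diagnostic
        # syslog omits the year; it is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[(m["ip"], m["mac"].lower(), m["rx"])].append(ts)
    report = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A steady median gap points at a periodic sender rather than one-off noise
        report[key] = {"count": len(stamps),
                       "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for (ip, mac, rx), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip} claimed by {mac} on {rx}: {info['count']} replies, "
              f"median gap {info['median_gap_s']} s")
```

More than one sender MAC for the same address, or a sender MAC that is not the ISP gateway's, is the detail worth following up with a packet capture on the receiving interface.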


