ARP(4) spoofing?

Modulok modulok at
Mon Mar 17 09:29:05 UTC 2008

> > Would this be ARP(4) spoofing, or is it just me? How would I
> > confirm it?
> >
> > arp: is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
> > This is on a FreeBSD router, em1 is Internet-facing. (em0)
> > is LAN facing and permanent entry in the arp cache. This happens
> > constantly and is slowly filling my log files.

> What does an "ifconfig -a" on your machine show? It looks like you've
> configured your loopback interface to also have

[-]Modulok> ifconfig -au inet
        inet netmask 0xffffff00 broadcast
        inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet netmask 0xff000000

Just for fun, the entry in the arp cache:

[-]Modulok> arp -an | grep
? ( at (myEthernetAddress) on em0 permanent [ethernet]

Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
"Physical connections exist to the same logical IP network on both if0 and

Doubtful: LAN---em0[FreeBSD]em1---modem---Internet

"an entry already exists in the ARP cache ... and the cable has been
disconnected from if0, then reconnected to if1."


"This message can only be issued if the sysctl is set to 1"

While I could set the relevant sysctl variable to prevent it from
being logged, (which I'll probably end up doing) when strange things
happen, I usually like to know about them.

Disable the dynamic ARP cache on the external interface and make
permanent entries to the ISP's gateway and DNS servers? Perhaps.
However, in the event they ever change hardware (and fail to spoof
their previous ethernet address), I'd have to manually edit the ARP 3:00am...on a Sunday. Plus these ARP replies, while
annoying, are not really harming anything as FreeBSD's ARP appears to
prevent address takeover via gratuitous, unsolicited, impersonating
ARP replies.

Come to think of it, that might be it. I haven't looked into whether
or not these are replies triggered by requests from the local host (If
only I knew a way to do such a thing.) Logic initially rejects the
notion. As why would this box be sending out a gratuitous ARP request
every 10 minutes through the wrong interface for the given address?

Strange place, this Interweb.
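
One way to check the "every 10 minutes" observation and to see which hardware addresses are behind the replies is to group the logged messages by sender and time the gaps between them. This is an added example, not part of the original message; the syslog prefix, host name, year, addresses and MACs in the sample are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Kernel message as quoted in the post; the syslog prefix in front is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+kernel:\s+arp:\s+"
    r"(?P<ip>\S+) is on (?P<own_if>\S+) but got reply from "
    r"(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) on (?P<rx_if>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample log: documentation IP address, made-up MACs and host name.
SAMPLE_LOG = """\
Mar 17 08:40:01 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:00:5e:00:53:01 on em1
Mar 17 08:50:01 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:00:5e:00:53:01 on em1
Mar 17 08:55:13 router ntpd[812]: unrelated line that must be skipped
Mar 17 09:00:02 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:00:5e:00:53:01 on em1
Mar 17 09:10:01 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:00:5e:00:53:01 on em1
Mar 17 09:12:44 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:00:5e:00:53:af on em1
"""

def summarise(log_text, year=2008, tolerance=5):
    """Group mismatch messages by (ip, sender MAC, receiving interface)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an "is on X but got reply from" message
        # Syslog timestamps carry no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[(m["ip"], m["mac"].lower(), m["rx_if"])].append(when)

    report = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps) if gaps else None
        # Periodic: at least two gaps, each within `tolerance` seconds of the median.
        periodic = len(gaps) >= 2 and all(abs(g - mid) <= tolerance for g in gaps)
        report[key] = {"count": len(times), "median_gap_s": mid, "periodic": periodic}
    return report

if __name__ == "__main__":
    for (ip, mac, rx_if), info in summarise(SAMPLE_LOG).items():
        print(ip, mac, rx_if, info)
```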
