ARP(4) spoofing?

Ted Mittelstaedt tedm at
Mon Mar 17 09:59:27 UTC 2008

> -----Original Message-----
> From: owner-freebsd-questions at
> [mailto:owner-freebsd-questions at]On Behalf Of Modulok
> Sent: Monday, March 17, 2008 1:29 AM
> To: Brent Jones
> Cc: freebsd-questions at
> Subject: Re: ARP(4) spoofing?
> > > Would this be ARP(4) spoofing, or is it just me? How would I
> > > confirm it?
> > >
> > > arp: is on lo0 but got reply from xx:xx:xx:xx:xx:xx on em1
> > > This is on a FreeBSD router, em1 is Internet-facing. (em0)
> > > is LAN facing and permanent entry in the arp cache. This happens
> > > constantly and is slowly filling my log files.
> > What does an "ifconfig -a" on your machine show? It looks like you've
> > configured your loopback interface to also have
> [-]Modulok> ifconfig -au inet
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet netmask 0xffffff00 broadcast
>         options=b<RXCSUM,TXCSUM,VLAN_MTU>
>         inet 66.x.x.x netmask 0xffffff80 broadcast 66.x.x.255
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet netmask 0xff000000
> Just for fun, the entry in the arp cache:
> [-]Modulok> arp -an | grep
> ? ( at (myEthernetAddress) on em0 permanent [ethernet]
> Concerning the arp(4) DIAGNOSTICS section (Just thinking aloud here:)
> "Physical connections exist to the same logical IP network on both if0 and
> if1."
> Doubtful: LAN---em0[FreeBSD]em1---modem---Internet
> "an entry already exists in the ARP cache ... and the cable has been
> disconnected from if0, then reconnected to if1."
> Nope.
> "This message can only be issued if the sysctl
> is set to 1"
> While I could set the relevant sysctl variable to prevent it from
> being logged, (which I'll probably end up doing) when strange things
> happen, I usually like to know about them.
> Disable the dynamic ARP cache on the external interface and make
> permanent entries to the ISP's gateway and DNS servers? Perhaps.
> However, in the event they ever change hardware (and fail to spoof
> their previous ethernet address), I'd have to manually edit the ARP
> 3:00am...on a Sunday. Plus these ARP replies, while
> annoying, are not really harming anything as FreeBSD's ARP appears to
> prevent address takeover via gratuitous, un-solicited, impersonating
> ARP replies.
> Come to think of it, that might be it. I haven't looked into whether
> or not these are replies triggered by requests from the local host (If
> only I knew a way to do such a thing.) Logic initially rejects the
> notion. As why would this box be sending out a gratuitous ARP request
> every 10 minutes through the wrong interface for the given address?

You should have anti-spoofing firewall entries in any internet
router, check your ipfw entries.  I suspect the problem has to
do with a misconfiguration of your nat, frankly.  The error message

arp: X.X.X.X is on lo0

is nonsensical, because by definition the loopback (lo0) is not
connected to any network.  Under
correct configuration, a loopback cannot receive an arp.

The internal loopback address is exactly equivalent to a
physical ethernet interface that has a loopback plug inserted
into it.

I suspect your nat config is overloading on the loopback rather than
on the physical interface.
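Before changing the sysctl to silence these messages, it helps to see how often they occur, for which address, and between which pair of interfaces, since an entry bound to lo0 points at a configuration problem while an address that lives on one interface being answered from the other is the case anti-spoofing rules exist for. The script below is an added example for this thread, not something posted by either participant: it parses the arp(4) "is on X but got reply from MAC on Y" line quoted above out of a syslog-style kernel log and classifies each occurrence. The log lines are constructed (documentation-range addresses and made-up MACs), and the interface roles assume the topology Modulok describes (em0 LAN, em1 Internet-facing).

```python
"""Triage the arp(4) diagnostic 'arp: IP is on IF0 but got reply from MAC on IF1'.

Added example for the freebsd-questions thread; not code from the thread itself.
"""
import re
from collections import Counter

# The exact message format from the thread; the kernel prints it when a reply
# for an address already cached on one interface arrives on another.
ARP_MISMATCH = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<have_if>\S+) "
    r"but got reply from (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) on (?P<seen_if>\S+)"
)

# Assumed interface roles for the topology in the thread:
#   LAN---em0[FreeBSD]em1---modem---Internet
IFACE_ROLE = {"em0": "lan", "em1": "wan", "lo0": "loopback"}

# Constructed sample log (not from the thread). 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges; the MACs are made up.
SAMPLE_LOG = """\
Mar 17 01:02:11 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 01:12:14 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 01:22:09 router kernel: arp: 192.0.2.1 is on lo0 but got reply from 00:11:22:33:44:55 on em1
Mar 17 01:30:40 router kernel: arp: 198.51.100.20 is on em0 but got reply from 00:AA:BB:CC:DD:EE on em1
Mar 17 01:31:02 router sshd[123]: Accepted publickey for admin from 198.51.100.5 port 50011
"""


def parse_arp_mismatches(log_text):
    """Return one dict (ip, have_if, mac, seen_if) per matching log line."""
    events = []
    for line in log_text.splitlines():
        m = ARP_MISMATCH.search(line)
        if m:
            ev = m.groupdict()
            ev["mac"] = ev["mac"].lower()
            events.append(ev)
    return events


def classify(event, roles=IFACE_ROLE):
    """Map a mismatch to a triage label using the interface roles.

    config-error   : the cached entry is on the loopback, which cannot legitimately
                     receive ARP at all (NAT/alias misconfiguration, as Ted notes).
    possible-spoof : an address that belongs to one side of the router is being
                     answered for from the other side; this is what anti-spoofing
                     firewall rules are meant to block.
    review         : anything else (unknown interface names, same-side interfaces).
    """
    have = roles.get(event["have_if"], "unknown")
    seen = roles.get(event["seen_if"], "unknown")
    if have == "loopback":
        return "config-error"
    if {have, seen} == {"lan", "wan"}:
        return "possible-spoof"
    return "review"


def summarize(events, roles=IFACE_ROLE):
    """Count occurrences per (ip, have_if, seen_if, mac, label) so a log that is
    'slowly filling up' collapses to a handful of rows worth acting on."""
    counts = Counter()
    for ev in events:
        key = (ev["ip"], ev["have_if"], ev["seen_if"], ev["mac"], classify(ev, roles))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (ip, have_if, seen_if, mac, label), n in summarize(parse_arp_mismatches(SAMPLE_LOG)).items():
        print(f"{n:4d}  {label:15s} {ip:16s} cached on {have_if:4s} answered from {mac} on {seen_if}")
```

Run against a real /var/log/messages with `python3 arp_triage.py < /var/log/messages` after replacing SAMPLE_LOG with `sys.stdin.read()`; the point of the grouping is that three hundred identical lines for one address reduce to one row, and the label tells you whether the fix is in the NAT/alias configuration or in the firewall ruleset.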

