Recently I came across some advisories on a new (to me) hack tool called
dsniff (IIRC).  The basic operation is as follows:

* enemy spoofs an ARP reply to a target host/client for the victim's 
  IP, but supplies its own MAC address.
* target stashes this in its ARP table; subsequent IP packets are 
  sent to the enemy's MAC.
* enemy copies the packet and forwards on to the victim.

It is a bit scary, and gets down to the bit-level of various TCP
stacks.  On paper it sounds rather simple, and I'm trying to devise some
means of protection against this.  Among my concerns about the 
attack:

* do all stacks accept and cache 'unsolicited' ARP replies?  Routers?
  Windows?  NT?  Various unix flavors?
* will this overwrite any existing ARP entry in the cache?
* will this overwrite a static ARP entry?

To ensure a "sniff-proof" connection between yourself and a host, can
you define static ARPs on the client, host, and endpoint router(s) if on
different subnets and protect yourself from such an attack?

Sorry if somewhat off-topic, but it does get to the way ARP works (is it
stateful - request and wait on reply, or are the two events handled
asynchronously?)

Jeff Kell <[EMAIL PROTECTED]>

___________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
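As an added illustration (not part of the original post or any tool it names), here is a small passive ARP monitor in the spirit of arpwatch that reports the symptoms of the poisoning described above: a reply no recent request asked for, an IP whose MAC changes, and a reply that disagrees with an administrator-pinned static entry. The IP/MAC addresses and the request/reply pairing rule are constructed for the example; real stacks differ in whether they accept unsolicited replies.

```python
from collections import namedtuple

# One ARP frame as seen on the wire; op is "request" or "reply".
ArpEvent = namedtuple("ArpEvent", "t op sender_ip sender_mac target_ip")

class ArpMonitor:
    """Passive monitor: pairs replies with recent requests, tracks the
    IP -> MAC mapping learned from replies, and never lets a reply
    overwrite an administrator-pinned (static) entry."""

    def __init__(self, static=None, request_window=2.0):
        self.static = static or {}      # IP -> MAC pinned by the admin
        self.window = request_window    # seconds a request stays 'open'
        self.pending = {}               # requested IP -> time of request
        self.cache = {}                 # IP -> MAC learned from replies

    def feed(self, ev):
        alerts = []
        if ev.op == "request":
            self.pending[ev.target_ip] = ev.t
            return alerts
        asked = self.pending.get(ev.sender_ip)
        if asked is None or ev.t - asked > self.window:
            alerts.append(f"unsolicited reply: {ev.sender_ip} is-at {ev.sender_mac}")
        pinned = self.static.get(ev.sender_ip)
        if pinned is not None and pinned != ev.sender_mac:
            alerts.append(f"static conflict: {ev.sender_ip} pinned {pinned}, "
                          f"reply claims {ev.sender_mac}")
            return alerts               # static entry wins; cache untouched
        old = self.cache.get(ev.sender_ip)
        if old is not None and old != ev.sender_mac:
            alerts.append(f"flip-flop: {ev.sender_ip} {old} -> {ev.sender_mac}")
        self.cache[ev.sender_ip] = ev.sender_mac
        return alerts

def run(events, static=None):
    # Feed events in order; return (alerts, final learned cache).
    mon = ArpMonitor(static=static)
    alerts = []
    for ev in events:
        alerts.extend(mon.feed(ev))
    return alerts, mon.cache

# Constructed sample traffic: a legitimate request/reply for the gateway
# 10.0.0.1, then an unrequested reply re-mapping it to another MAC.
SAMPLE = [
    ArpEvent(0.0, "request", "10.0.0.5", "02:00:00:00:00:05", "10.0.0.1"),
    ArpEvent(0.1, "reply",   "10.0.0.1", "02:00:00:00:00:01", "10.0.0.5"),
    ArpEvent(5.0, "reply",   "10.0.0.1", "02:00:00:00:00:66", "10.0.0.5"),
    ArpEvent(6.0, "reply",   "10.0.0.2", "02:00:00:00:00:02", "10.0.0.5"),
]
```

Running `run(SAMPLE)` flags the third frame twice (unsolicited and flip-flop); passing `static={"10.0.0.1": "02:00:00:00:00:01"}` instead reports a static conflict and leaves the learned mapping unchanged.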
