The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Incorrect Linux ARP behavior


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Fri, 18 Sep 1998 20:14:28 -0400
From: Seth McGann <[email protected]>
To: [email protected]
Subject: Incorrect Linux ARP behavior

After further investigation it appears neped.c (the Linux sniffer detector
by [email protected] ) operates due to a problem in
/linux/net/ipv4/arp.c.  The function arp_rcv() controls when to send ARP
responses.  The criteria for sending these responses is flawed, in that it
will respond to ARP requests regardless of the destination MAC address.
Normally only frames with a station's MAC address are processed so this is
not a problem.  In promiscuous mode, all frames are processed, and without
checking the destination MAC address there is no way to discern if the
packet was really bound for listening station.  To fix this problem all
that needs to be done is add the following check (pseudo code):

if(ether_header_destination != device_hardware_address) return;


Seth M. McGann / [email protected]        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру