ARP Flood?
Results 1 to 10 of 10

Thread: ARP Flood?

  1. #1
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165

    Question ARP Flood?

    I've just been reading up on the ARP protocol and from what I understand, the source and destination IP's are never verified in any manner. Consider a scenario like this:

    1. I write a program that sends spoofed ARP packets to the universal broadcast address (255.255.255.255) or perhaps even a particular range such as 124.255.255.255 .

    2. The program sends packets that say, "Who has <some IP>? Tell <target IP>" to a whole IP range (like a whole country or something).

    3. Those computers that the packets reach, reply in good faith to <target ip>, thus tying up all it's bandwidth and DoSsing it.

    4. The best part of an attack like this is that it'd be close to impossible to trace the origins, because the real source ip is not part of the packet. A clever hacker could even change the MAC address in the packet, thus making it even more difficult to trace him.

    Has this been done before or am I missing something? Is it even possible to do something like this?

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  2. #2
    Banned
    Join Date
    May 2003
    Posts
    210
    ARP flooding has been done before, so i gues it is possible. To my knowledge, most OS's have safeguards against it now; though i may be wrong.

    I see in the 'similar threads' section at the foot of this page there is a thread on ARP flooding (http://www.antionline.com/showthread...hreadid=248049), it's an interesting read - might clear up some of your queries. Google returns many results as well.

    Regards,

  3. #3
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    That particular problem deals with flooding on a LAN. I'd like to know if it would be possible on the internet.

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    As far as I know its not possible on the internet as the target MAC address changes at each hop. The MAC address is used once the packet hits the final LAN in order to find the target machine. So if you are at point A and want to use the MAC address of router C the router you hit first won`t know what that MAC is so how would you route to it?
    Quis custodiet ipsos custodes

  5. #5
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Are you sure that's how it'll behave? Or will it just say, let me send this to everyone I can (broadcast).

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    RFC 1433 specified that routers will not forward ARP requests that are not directed at themselves (section 3.3) so your router isn`t going to allow you to send the request and will instead send it back to the ARP Helper address in the routing table. So unless you have routers that allow ARP forwarding it isn`t going to work.
    Quis custodiet ipsos custodes

  7. #7
    Originally posted here by R0n1n
    RFC 1433 specified that routers will not forward ARP requests that are not directed at themselves (section 3.3) so your router isn`t going to allow you to send the request and will instead send it back to the ARP Helper address in the routing table. So unless you have routers that allow ARP forwarding it isn`t going to work.
    Ok. so that begs the odvoius question (pardon my spelling)...Can you program a CISCO router to foward ARP requests, thus bypassing the Standard?

  8. #8
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    You could program it to do so, If you really wanted to.

    Most new routers are now using BGP instead of ARP, partly for this very reason.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can\'t stand 1 bit of competition.


  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tempest: Yes, there's a command that forwards broadcast messages in Cisco routers but I don't recall it off the top of my head since I don't use it. There's a command that forwards DHCP requests across WAN links too for anyone interested:

    ip helper-address xxx.xxx.xxx.xxx

    where xxx.xxx.xxx.xxx is the IP address of the remote DHCP server.

    That having been said if you try forwarding ARP requests from your border router you are only going to get the packets as far as the first router you don't control.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,018
    Originally posted here by TheTempest
    Ok. so that begs the odvoius question (pardon my spelling)...Can you program a CISCO router to foward ARP requests, thus bypassing the Standard?
    What difference does it make, unless you can program all the routers on the route to the IPs you are sending the request to, and the route back from them to the target for the DDoS.

    Steve

    edit:

    Sorry Tiger, didn't catch the end of your post !
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •