-
February 4th, 2004, 08:43 AM
#1
ARP Flood?
I've just been reading up on the ARP protocol and from what I understand, the source and destination IP's are never verified in any manner. Consider a scenario like this:
1. I write a program that sends spoofed ARP packets to the universal broadcast address (255.255.255.255) or perhaps even a particular range such as 124.255.255.255 .
2. The program sends packets that say, "Who has <some IP>? Tell <target IP>" to a whole IP range (like a whole country or something).
3. Those computers that the packets reach, reply in good faith to <target ip>, thus tying up all it's bandwidth and DoSsing it.
4. The best part of an attack like this is that it'd be close to impossible to trace the origins, because the real source ip is not part of the packet. A clever hacker could even change the MAC address in the packet, thus making it even more difficult to trace him.
Has this been done before or am I missing something? Is it even possible to do something like this?
Cheers,
cgkanchi
-
February 4th, 2004, 09:29 AM
#2
ARP flooding has been done before, so i gues it is possible. To my knowledge, most OS's have safeguards against it now; though i may be wrong.
I see in the 'similar threads' section at the foot of this page there is a thread on ARP flooding (http://www.antionline.com/showthread...hreadid=248049), it's an interesting read - might clear up some of your queries. Google returns many results as well.
Regards,
-
February 4th, 2004, 09:34 AM
#3
That particular problem deals with flooding on a LAN. I'd like to know if it would be possible on the internet.
Cheers,
cgkanchi
-
February 4th, 2004, 01:26 PM
#4
As far as I know its not possible on the internet as the target MAC address changes at each hop. The MAC address is used once the packet hits the final LAN in order to find the target machine. So if you are at point A and want to use the MAC address of router C the router you hit first won`t know what that MAC is so how would you route to it?
Quis custodiet ipsos custodes
-
February 4th, 2004, 01:36 PM
#5
Are you sure that's how it'll behave? Or will it just say, let me send this to everyone I can (broadcast).
Cheers,
cgkanchi
-
February 4th, 2004, 02:02 PM
#6
RFC 1433 specified that routers will not forward ARP requests that are not directed at themselves (section 3.3) so your router isn`t going to allow you to send the request and will instead send it back to the ARP Helper address in the routing table. So unless you have routers that allow ARP forwarding it isn`t going to work.
Quis custodiet ipsos custodes
-
February 11th, 2004, 04:10 AM
#7
Member
Originally posted here by R0n1n
RFC 1433 specified that routers will not forward ARP requests that are not directed at themselves (section 3.3) so your router isn`t going to allow you to send the request and will instead send it back to the ARP Helper address in the routing table. So unless you have routers that allow ARP forwarding it isn`t going to work.
Ok. so that begs the odvoius question (pardon my spelling)...Can you program a CISCO router to foward ARP requests, thus bypassing the Standard?
-
February 12th, 2004, 02:20 PM
#8
You could program it to do so, If you really wanted to.
Most new routers are now using BGP instead of ARP, partly for this very reason.
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can\'t stand 1 bit of competition.
-
February 12th, 2004, 02:23 PM
#9
Tempest: Yes, there's a command that forwards broadcast messages in Cisco routers but I don't recall it off the top of my head since I don't use it. There's a command that forwards DHCP requests across WAN links too for anyone interested:
ip helper-address xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the remote DHCP server.
That having been said if you try forwarding ARP requests from your border router you are only going to get the packets as far as the first router you don't control.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
-
February 12th, 2004, 05:35 PM
#10
Originally posted here by TheTempest
Ok. so that begs the odvoius question (pardon my spelling)...Can you program a CISCO router to foward ARP requests, thus bypassing the Standard?
What difference does it make, unless you can program all the routers on the route to the IPs you are sending the request to, and the route back from them to the target for the DDoS.
Steve
edit:
Sorry Tiger, didn't catch the end of your post !
IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|