Vulnerability Development
mailing list archives
Re: Buggy ARP handling in Windoze
From: Michael.Wojcik () MERANT COM (Michael Wojcik)
Date: Fri, 30 Jun 2000 19:29:36 -0700
This is more suited to VULN-DEV than to BUGTRAQ, since it's not about an
existing exploit. This stupid MUA won't let me set reply-to, so I'll trust
the goodwill of those who respond (if there are any) to direct their notes
to the right place.
-----Original Message-----
From: Steven Alexander [mailto:steve () CELL2000 NET]
Sent: Thursday, June 29, 2000 5:29 PM
> Paul's post brings up an interesting issue. Static ARP entries aren't
> actually regulated by RFC 826 (The ARP specification). Static can be
> interpreted in two ways in the context of the ARP cache. It can be seen as
> unchangeable vs. changeable (for security), or it can be seen as permanent
> vs. temporary (for performance).
Frankly, I've always used static entries for (manual) proxy ARP, not for
security or performance. Permanence was important only because I didn't
want to have to re-establish the proxy ARP entry every so often due to
timeouts. The inventors of static ARP may not have had security *or*
performance in mind; they may have just been looking to provide an
administrative feature that would be useful in a variety of unusual
situations.
> Unfortunately, network environments are much less friendly than when ARP was
> designed (1982) and they are also much faster. The performance gain that
> results from static entries is minuscule compared with the security risk
> that results from being able to poison the ARP cache.
ARP's pretty fast even over a 2 Mb/s LAN. I'm not convinced static ARP was
ever much of a performance boost. And your second sentence strikes me as
non sequitur: static ARP doesn't introduce the ARP poisoning problem. If an
ARP implementation makes static entries immutable, that may help defend
against ARP poisoning, but normal transient ARP entries are just as
vulnerable to poisoning as static ones are.
> It would probably be beneficial in an ARP implementation to be able to set
> two separate attributes to the ARP cache, both permanent (no timeout) and
> unchangeable (without manual intervention anyway). What does everyone else
> think?
More control is always welcome, but the security advantage of immutable ARP
entries seems fairly slim. Everything helps, but I wouldn't recommend
treating ARP as safe just because you have an immutable flag.
Michael Wojcik michael.wojcik () merant com
MERANT
Department of English, Miami University
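The two attributes discussed in this thread, permanent (no timeout) and unchangeable, modeled as a small cache. This is an added example, not code from either poster or from any real ARP implementation. The class names, the 120-second timeout, the constructed addresses, and the simplification that the cache learns from every packet it sees are all assumptions.

```python
from dataclasses import dataclass

TIMEOUT = 120.0  # assumed lifetime (seconds) of non-permanent entries

@dataclass
class Entry:
    mac: str
    learned_at: float
    permanent: bool = False  # never ages out
    immutable: bool = False  # only admin_set() may change it

class ArpCache:
    def __init__(self):
        self.table = {}
        self.rejected = []  # conflicting claims against immutable entries

    def admin_set(self, ip, mac, now, permanent=True, immutable=False):
        self.table[ip] = Entry(mac, now, permanent, immutable)

    def on_arp_packet(self, ip, mac, now):
        """Apply the sender fields of a received ARP packet; True if the mapping changed."""
        e = self.table.get(ip)
        if e is None:
            self.table[ip] = Entry(mac, now)
            return True
        if e.immutable:
            if e.mac != mac:
                self.rejected.append((ip, mac))  # worth logging: possible poisoning
            return False
        changed = e.mac != mac
        e.mac, e.learned_at = mac, now  # flags are kept, so a permanent entry stays permanent
        return changed

    def lookup(self, ip, now):
        e = self.table.get(ip)
        if e is None:
            return None
        if not e.permanent and now - e.learned_at > TIMEOUT:
            del self.table[ip]
            return None
        return e.mac

def demo():
    c = ArpCache()
    c.admin_set("192.0.2.1", "02:00:00:00:00:01", 0)                  # permanent only
    c.admin_set("192.0.2.2", "02:00:00:00:00:02", 0, immutable=True)  # permanent + immutable
    c.on_arp_packet("192.0.2.3", "02:00:00:00:00:03", 0)              # ordinary dynamic entry
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        c.on_arp_packet(ip, "02:00:00:00:00:ee", 10)  # constructed conflicting claim
    return {ip: c.lookup(ip, 200) for ip in list(c.table)}, c.rejected
```

In this model the permanent-only entry ends up holding the conflicting address indefinitely, the dynamic entry is overwritten but ages out, and only the immutable entry keeps its configured address, with the rejected claim recorded for logging.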