
#1 2016-04-14 20:33:25

koppts
Member
Registered: 2013-04-22
Posts: 6

[Solved] Measures vs. ARP poisoning (net.ipv4.conf.default.arp_accept)

Hi all,

I have had a two-day company course in the last two days about IT security and have been quite active in this field before (privately).

The guy doing the course came up with net.ipv4.conf.default.arp_accept=1 as a measure against ARP poisoning, and he stated that he thinks it's hilarious that not all distributions use it by default.
He also stated that this parameter causes an ARP entry not to be updated if there is no ARP request for this reply (calling this "authenticated ARP").
Since I wanted to propose this as a default measure for standard clients against ARP poisoning, I looked it up again (since it is configurable via sysctl in Arch).
Now I'm not sure if it really works (I looked it up, e.g. https://support.cumulusnetworks.com/hc/ … lus-Linux).

Does it work? And if so, why is it not the default in Arch then?
Due to the level of network understanding I don't see this question in the Newbie's Corner.

I really appreciate your answers.

Kind regards,
Thomas

Last edited by koppts (2016-04-15 20:45:27)


#2 2016-04-15 20:22:28

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: [Solved] Measures vs. ARP poisoning (net.ipv4.conf.default.arp_accept)

I don't understand. From the kernel documentation:

/usr/lib/modules/4.5.0-1-ARCH/build/Documentation/networking/ip-sysctl.txt wrote:

arp_accept - BOOLEAN
        Define behavior for gratuitous ARP frames whose IP is not
        already present in the ARP table:
        0 - don't create new entries in the ARP table
        1 - create new entries in the ARP table

        Both replies and requests type gratuitous arp will trigger the
        ARP table to be updated, if this setting is on.

        If the ARP table already contains the IP address of the
        gratuitous arp frame, the arp table will be updated regardless
        if this setting is on or off.

And

: cat /proc/sys/net/ipv4/conf/default/arp_accept 
0

So, what's the point?


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#3 2016-04-15 20:43:29

koppts
Member
Registered: 2013-04-22
Posts: 6

Re: [Solved] Measures vs. ARP poisoning (net.ipv4.conf.default.arp_accept)

Okay, I got it. This param should in any case be 0, and for the attack vector of updating an existing IP address by a gratuitous ARP reply packet I am just screwed as long as I don't use static MAC-IP pairs (which might be a problem in some scenarios). The only measure could be a lookup at the router (which is pointless if the poisoned MAC is for this IP) of which MAC is stored there for the IP.

Guess I mark this as solved and wait for another solution.
And obviously write that guy a mail.

Greets

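The two rules quoted from ip-sysctl.txt in post #2, and the "only static entries help" conclusion of post #3, can be checked against a small model. The following is an added example, not code from the thread or from the kernel: it builds constructed Ethernet/ARP frames, parses them, and runs them through a simulated neighbour table that applies exactly the two documented rules (a gratuitous frame for an unknown IP creates an entry only when arp_accept=1; a frame for an IP already in the table updates it regardless) plus a set of pinned entries standing in for static MAC-IP pairs. Frame handling for non-gratuitous frames to unknown IPs is deliberately not modelled, since the quoted text says nothing about it. The addresses, MACs and helper names (build_arp, NeighTable, poison_frame, run_scenarios) are assumptions made for the demonstration.

```python
"""Model of the arp_accept rules from ip-sysctl.txt against a gratuitous-ARP poisoner.
Added example; constructed frames and addresses, not kernel code."""
from __future__ import annotations

import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

# Constructed test addresses (RFC 5737 range, locally administered MACs).
GW_IP, GW_MAC = "192.0.2.1", bytes.fromhex("021122334455")
EVIL_MAC = bytes.fromhex("02deadbeef01")


@dataclass
class ArpFrame:
    op: int
    sha: bytes   # sender hardware address
    spa: str     # sender protocol (IPv4) address
    tha: bytes   # target hardware address
    tpa: str     # target protocol address

    @property
    def gratuitous(self) -> bool:
        # Gratuitous ARP: the sender announces its own IP (sender IP == target IP).
        return self.spa == self.tpa


def build_arp(op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Ethernet II + ARP (RFC 826) frame for Ethernet/IPv4; hypothetical helper."""
    dst = BROADCAST if op == ARP_REQUEST or tha == BROADCAST else tha
    eth = struct.pack("!6s6sH", dst, sha, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      sha, socket.inet_aton(spa), tha, socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame: bytes) -> ArpFrame:
    """Parse an Ethernet/IPv4 ARP frame, rejecting anything else."""
    if len(frame) < 42:
        raise ValueError("short frame")
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(op, sha, socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa))


class NeighTable:
    """Neighbour cache applying only the two arp_accept rules quoted in the thread."""

    def __init__(self, arp_accept: int = 0, known: dict | None = None,
                 static: dict | None = None):
        self.arp_accept = arp_accept
        self.table: dict[str, bytes] = {**(known or {}), **(static or {})}
        self.static = set(static or {})   # pinned, like `ip neigh ... nud permanent`
        self.alerts: list[str] = []

    def process(self, frame: bytes) -> None:
        a = parse_arp(frame)
        ip, mac = a.spa, a.sha
        if ip in self.static:
            # A static entry is never overwritten by anything seen on the wire.
            if self.table[ip] != mac:
                self.alerts.append(f"{ip}: rejected change to {mac.hex(':')} (static entry)")
            return
        if ip in self.table:
            # Rule 2: an IP already in the table is updated regardless of arp_accept.
            if self.table[ip] != mac:
                self.alerts.append(f"{ip}: {self.table[ip].hex(':')} -> {mac.hex(':')} (possible poisoning)")
                self.table[ip] = mac
            return
        # Rule 1: a gratuitous frame for an unknown IP creates an entry only if arp_accept=1.
        if a.gratuitous and self.arp_accept:
            self.table[ip] = mac


def poison_frame(ip: str) -> bytes:
    # Constructed attacker frame: broadcast gratuitous ARP reply claiming `ip` for EVIL_MAC.
    return build_arp(ARP_REPLY, EVIL_MAC, ip, BROADCAST, ip)


def run_scenarios() -> dict:
    out = {}
    # 1: arp_accept=0 (the default) with the gateway already cached: still overwritten.
    t = NeighTable(arp_accept=0, known={GW_IP: GW_MAC})
    t.process(poison_frame(GW_IP))
    out["existing_overwritten_with_arp_accept_0"] = t.table[GW_IP] == EVIL_MAC
    # 2: unknown IP, arp_accept=0 versus arp_accept=1.
    t0 = NeighTable(arp_accept=0)
    t0.process(poison_frame("192.0.2.99"))
    t1 = NeighTable(arp_accept=1)
    t1.process(poison_frame("192.0.2.99"))
    out["new_entry_created"] = ("192.0.2.99" in t0.table, "192.0.2.99" in t1.table)
    # 3: a static entry for the gateway survives the same frame.
    ts = NeighTable(arp_accept=0, static={GW_IP: GW_MAC})
    ts.process(poison_frame(GW_IP))
    out["static_survives"] = ts.table[GW_IP] == GW_MAC
    out["alerts"] = t.alerts + ts.alerts
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

Scenario 1 is the point of the thread: with the default arp_accept=0 the cached gateway entry is still replaced, so the setting is not a defence against poisoning of an address the host already talks to; it only decides whether an unsolicited announcement for a previously unseen IP is admitted at all. Scenario 3 is the static-pair approach from post #3; on a real host the counterpart of the pinned entry is an iproute2 permanent neighbour entry such as `ip neigh replace 192.0.2.1 lladdr 02:11:22:33:44:55 nud permanent dev eth0`, and the alert list is the kind of signal an arpwatch-style monitor would raise.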
