
Re: colliding ip detection!

To: "Michael H. Warfield" <mhw@xxxxxxxxxxxx>
Subject: Re: colliding ip detection!
From: Greg Simpson <gws@xxxxxxxxxxxxxxxxxxx>
Date: Fri, 10 Nov 2000 14:31:38 -0500 (EST)
Cc: netdev@xxxxxxxxxxx
In-reply-to: <20001110145414.A4310@xxxxxxxxxxxxxxxxxxx>
Sender: owner-netdev@xxxxxxxxxxx
[Pardon for the lengthy reply. I just finished composing it, and scrolled
up to see how much babble had found its way into the body.. =)]

>       M$ farts out prodigious numbers of broadcast packets and expects
> to see prodigious numbers of broadcast packets.  It spots the fact that
> someone else sends out a packet with your IP address in the src address.

It seems like if we see a packet src'd from our own ip, but not from us,
we should report it though, doesn't it? It's either a spoof [bad] or a
conflict [bad]. Either way, bad|bad = bad -> I want to know about it :)

> (at least that's one way they detect it).  Amusing random acts of terrorism
> can result including some spectacular denial of service attacks (think
> about it for a second).

Been there, done that. Laughed hard, ran fast. =) [wouldn't recommend
trying it unless you can 'create' a temporary mac address :)]

It made me question the wisdom of automagically ifconfig'ing the int
down.. but I still want to know when this happens :)

> > linux does not seem to indicate if anyone else answers arp requests for
> > its own ip's (correct me if i am wrong); how does one tell if the ip is in
> > use [short of unplugging the box or querying someone else's arp tables :)
> > :)]?
> 
>       Detecting the arp replies would not work on a switched network.

Yeah, but consider this. I am not asking to know for sure if the ip is NOT
in use (you assume that when you ifconfig the int with an ip!). I am
asking to know under *some* conditions that it IS in use..
Those people with winblows boxen =) DO feel they have as much of a right
to use the network as you, and their magically disabled boxen point
fingers back at your linux box :) 

Say there is a switched network, and the switch gets confused, and only
keeps the most recent arp entry. Somebody doesn't work, and it has to be
tracked down. Say one of the boxes is a winbox, sending out broadcasts.
In that case, we would realize from our syslog/etc that we are hearing the
other machine's broadcasts, and maybe the operator should be notified.

So, I guess ip collision detection wouldn't work if:
 - the machines are separated by a switch
AND
 - both are not sending out broadcast [both non-ms, no samba]

Wouldn't you say that in most cases it WOULD work, though?

> You generally need to see another system (one with a MAC address you
> don't own) claiming to be an IP address which you claim.  On a switched
> network, this generally must be a broadcast packet and you examine the
> source IP and source MAC (consider the case where YOU have two network
> cards on the same cable - this can be a non-trivial exercise with
> unexpected surprises).

Well.. ok, so we have to walk down a list and try to match against our own
MAC's. Big performance hit per every packet we tx that we also rx. Well,
does every packet we tx come back into rx? I thought that would only
happen if you have ipaliases setup.. maybe vlans..

>       Keying off of arp replies or broadcast packet source addresses
> opens up some nasty DoS attacks.  I could just flood the network with
> fake packets claiming to be different MAC addresses and IP addresses of
> systems I want to shut down.  Do it with Windows named datagrams (UDP port
> 137) and older windows systems just fall over very nicely and hit the floor.
> It's tougher to do with newer Windows systems and there are much more fun
> games you can play with the name caches instead.

Yeah, but this isn't about creating a DoS. This is about detecting a
possible DoS (that we either created unintentionally by using the same ip
as someone else, or that someone else created by using our ip), detecting
a real DoS (someone on a network sourcing packets to net_broadcast using
every ip in the subnet, as you indicated), or just helping save the
forehead of some sysadmin (like my friend) that can't figure out why his
box is acting wacky :)

I also wouldn't suggest ifconfig'ing the int down upon receipt of a
flagged packet, but like I said.. see next line :)

> > I would think a syslog entry would be most helpful to a lot of people on
> > dhcp-run networks!
> 
>       Dhcpd (at least the ISC one) attempts to ping the address before
> assigning a lease.  If it gets a ping response, the address is flagged
> as "abandoned" in the leases file.  Hijacked addresses are thus avoided
> and not leased out.  Then, when you find your leases file full of abandoned
> entries, you get to track down the guilty parties and deliver a rubber hose
> IP release datagram to them.  Repeatedly.  :-)

Yeah, but on a college network, you can't expect to win an argument, even
if you are right. Not everyone has the luxury of power, or ISC dhcpd :)
[How many embedded/network appliances have built-in dhcp servers now?]

-g
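The check the thread is circling around, as an added example that is not part of the original mail or of any kernel code: parse the source MAC and the claimed source IP out of ARP and IPv4 frames, flag a claim on our IP from a MAC we do not own (checking against all of our own NICs, so our own echoes are not reported), and cap alerts per claimant so a flood of spoofed claims cannot bury syslog. The sample frames, addresses and the CollisionDetector class are constructed for this demonstration.

```python
import struct
from collections import defaultdict

ETH_ARP, ETH_IP, BCAST = 0x0806, 0x0800, b"\xff" * 6
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def sender_of(frame):
    """(src_mac, claimed source IP, is_broadcast) for an ARP or IPv4 frame, else None."""
    if len(frame) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype == ETH_ARP and len(frame) >= 42:   # ARP sender protocol address: body offset 14
        return mac_str(src), ip_str(frame[28:32]), dst == BCAST
    if etype == ETH_IP and len(frame) >= 34:    # IPv4 source address: header offset 12
        return mac_str(src), ip_str(frame[26:30]), dst == BCAST
    return None

class CollisionDetector:
    def __init__(self, my_ip, my_macs, max_alerts_per_mac=3):
        self.my_ip, self.my_macs = my_ip, {m.lower() for m in my_macs}  # all of our own NICs
        self.max, self.alerts = max_alerts_per_mac, defaultdict(int)

    def check(self, frame):
        """Alert string if a MAC we do not own claims our IP, else None."""
        info = sender_of(frame)
        if info is None:
            return None
        src_mac, ip, bcast = info
        if ip != self.my_ip or src_mac in self.my_macs:  # not our IP, or our own echo
            return None
        self.alerts[src_mac] += 1
        if self.alerts[src_mac] > self.max:  # cap per claimant so a spoof flood cannot bury syslog
            return None
        return f"IP {ip} also claimed by {src_mac} ({'broadcast' if bcast else 'unicast'})"

# Constructed sample frames (not captured traffic): two NICs of our own, one foreign host.
OURS, OURS2, FOREIGN = b"\x00\x11\x22\x33\x44\x55", b"\x00\x11\x22\x33\x44\x66", b"\xaa\xbb\xcc\xdd\xee\xff"
MY_IP, OTHER_IP = b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x09"
def arp_frame(src_mac, src_ip, dst_mac=BCAST):  # ARP request, sender = src_mac/src_ip
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, src_mac, src_ip, b"\0" * 6, src_ip)
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_ARP) + body
def ip_frame(src_mac, src_ip, dst_mac):  # bare IPv4 header, no payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0, src_ip, b"\x0a\x00\x00\xff")
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_IP) + hdr

def demo():
    det = CollisionDetector("10.0.0.5", ["00:11:22:33:44:55", "00:11:22:33:44:66"])
    frames = [arp_frame(OURS2, MY_IP), arp_frame(FOREIGN, MY_IP),
              ip_frame(FOREIGN, MY_IP, OURS), arp_frame(FOREIGN, OTHER_IP)]
    return [det.check(f) for f in frames]
```

Our second NIC's ARP and the foreign host's claim on a different IP produce nothing; the foreign host's broadcast ARP and unicast IPv4 packet claiming our IP are both reported once.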
