Quote:
Originally Posted by Linux.tar.gz
At this time, i had no clear idea what arp is.
Anyway, i always wonder if it's possible to "firewall" these .
|
Look at your arp table:
Then look at the volume of arp request flowing through that interface. I'm guessing it has _zero_ effect on the arp entries you see.
That interface you're monitoring will only answer for arp requests for whatever IP addresses are assigned to it. Otherwise, it just doesn't matter. In order for someone to start poking around that interface, they'll have to have access to something within the broadcast domain assigned to that network.
In reality, all that entity would have to do is put their interface in promiscuous mode, sniff traffic, and wait. They'll see your arp request flowing through at one point or another.
That interface looks like a WAN interface on a firewall. Here is the capture of just a few seconds on my firewall on the WAN:
Code:
thalna:~# tcpdump -nni eth1 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:54:59.382512 ARP, Request who-has 97.88.251.146 tell 97.88.251.145, length 46
20:54:59.552278 ARP, Request who-has 10.255.75.123 tell 10.255.75.113, length 46
20:54:59.743093 ARP, Request who-has 24.241.226.214 tell 24.241.224.1, length 46
20:54:59.862786 ARP, Request who-has 71.82.217.103 tell 71.82.217.1, length 46
20:55:00.476806 ARP, Request who-has 96.42.47.122 tell 96.42.44.1, length 46
20:55:00.613009 ARP, Request who-has 71.87.113.192 tell 71.87.112.1, length 46
20:55:00.789301 ARP, Request who-has 10.115.183.106 tell 10.115.180.1, length 46
20:55:00.965593 ARP, Request who-has 24.241.227.254 tell 24.241.224.1, length 46
20:55:01.114349 ARP, Request who-has 68.190.88.109 tell 68.190.88.1, length 46
20:55:01.554561 ARP, Request who-has 24.241.225.29 tell 24.241.224.1, length 46
20:55:01.560553 ARP, Request who-has 24.241.225.36 tell 24.241.224.1, length 46
20:55:01.616645 ARP, Request who-has 68.190.126.44 tell 68.190.126.1, length 46
20:55:01.965243 ARP, Request who-has 10.115.183.59 tell 10.115.180.1, length 46
^C
13 packets captured
13 packets received by filter
0 packets dropped by kernel
That doesn't concern me in the least.
Code:
thalna:~# arp -n
Address HWtype HWaddress Flags Mask Iface
10.178.23.111 ether 00:90:96:00:00:01 C eth0
23.233.126.1 ether 00:1b:d5:fe:c9:d9 C eth1
192.168.1.100 ether 00:1b:d5:fe:c9:d9 C eth1
192.168.23.20 ether 00:06:28:fa:32:e0 C eth3
That's been sanitized for my protection. Odd seeing the entry for the 192.168.1.100 host in there, that's on a IPSEC VPN tunnel. Guess I never really looked all that closely to the arp table.
Anyhow, there are considerably more important things to be concerned with. You could isolate accepted arp entries to the known gateway if you have a static IP and you never expect the network config to change, but that seems overboard. I'm paranoid. I don't like offering anything up via public services, because I've worked in the security sector, and know what can come of publicly available services.
But, to your credit, there are ways to poison arp entries, so there is some merit. I haven't looked at that vector in a while, but it is possible to inject bogus arp entries and set up a 'man in the middle' attack.
I dunno. I work now in a NOC that monitors a huge number of networks, and have seen the passwords on publicly accessible devices. They're not exactly challenging to guess. I'd be ashamed of the user/password combinations I've seen. For one of our clients, I'd say 50% of them are easily accessed. Nothing new, trust me, as those mindless practices have been around forever. Those devices would be a good platform from which one could devise a method, I suppose. Those devices are limited in their ability to capture traffic, but someone resourceful might be able to come up with something that would work. Might be able to devise a method of flashing a more capable firmware to do the job.
Hell. Yeah, definitely some merit.
But I'm paranoid. Big time.
Unfortunately, my paranoia isn't more common.
Oh, and something I thought I would add is that even though you see those arp request flowing in on that interface, the only ones your system will be the arp requests for your particular IP(s). It isn't responding to the rest of them. Also, even if you were filtering them, you will still see them coming in on the interface. There really isn't a way to stop them, well, if you don't have control over the upstream device. All the traffic I filter on my firewall inbound on the WAN still gets to it, it just drops it. That's just how they work.