>From: <bert_raccoon@freemail.ru>
>Date: 3 Dec 2003 13:43:30 -0000
> Attached is a patch to check the old MAC address before changing
> an arp entry, by sending a unicast arp request to this MAC. If the old MAC
> replies, no changes to the arp table are made and the attack is logged.

I feel this patch may be harmful when two hosts are misconfigured so that they have the same IP address.

Host X is a patched FreeBSD, and hosts Y and Z have the same IP address. At first, only X and Y are connected to the LAN, so X's arp entry records that Y has the IP address.

When Z is connected to the LAN, it sends an arp reply to the LAN. X receives it and broadcasts an arp request to the LAN (according to the above explanation, the checking arp request will be sent as unicast, but actually it will be sent as broadcast by this patch). Y and Z receive the broadcast arp request and each send an arp reply.

If Z's reply reaches X first, it will be accepted as the valid one, and X records that Z has the IP address. Later Y's reply will be treated as a poisoned one, and X will send a checking arp request. This may be an infinite loop of arp request/reply.

If Y's reply reaches X first, X marks Y's entry as static and neglects Z's reply. The loop will not occur. But if the network administrator changes Y's IP address to fix the system, X and Z cannot communicate until the static Y entry in X is deleted manually.

Regards,
Ryota Hirose
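The race described in this reply, as an added simulation that is not the patch's own code: host X applies the quoted rule (a reply that would change an entry triggers a check request; if the old MAC answers, the entry is kept and marked static), hosts Y and Z both claim one IP, and which answer to each check arrives first decides whether X locks to a static entry or keeps re-checking. The host names, IP, MAC values and the reply ordering are constructed.

```python
from collections import deque

IP = "192.0.2.10"                                        # constructed: shared by Y and Z
MAC_Y, MAC_Z = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs


class PatchedHost:
    """Host X applying the quoted rule: a reply that would change an entry
    triggers a check request; the old MAC answering keeps (and locks) the entry."""

    def __init__(self):
        self.table = {}          # ip -> {"mac": str, "static": bool}
        self.verifying = None    # (old_mac, candidate_mac) while a check is open
        self.checks_sent = 0
        self.log = []

    def arp_reply(self, ip, mac):
        entry = self.table.get(ip)
        if entry is None:                          # first time this IP is seen
            self.table[ip] = {"mac": mac, "static": False}
            return "learned"
        if self.verifying:                         # an answer to the check request
            old, candidate = self.verifying
            self.verifying = None
            if mac == old:                         # old MAC is alive: keep and lock it
                entry["static"] = True
                self.log.append(f"attack logged: {candidate} claimed {ip}")
                return "kept-static"
            entry["mac"] = mac                     # candidate answered first: accepted
            return "changed"
        if entry["static"] or entry["mac"] == mac:
            return "ignored"
        self.verifying = (entry["mac"], mac)       # mismatch: check before changing
        self.checks_sent += 1                      # the reply notes this goes out as broadcast
        return "check-sent"


def simulate(first_responder, rounds=20):
    """first_responder(n) gives the MAC whose answer to the n-th check arrives first.
    Returns (host, looped); looped is True if checks have not stopped after 'rounds'."""
    x = PatchedHost()
    x.arp_reply(IP, MAC_Y)                 # only X and Y on the LAN at first
    pending = deque([MAC_Z])               # Z joins and announces the same IP
    n = 0
    while pending and n < rounds:
        if x.arp_reply(IP, pending.popleft()) == "check-sent":
            first = first_responder(n)
            n += 1
            x.arp_reply(IP, first)                              # fast answer to the check
            pending.append(MAC_Y if first == MAC_Z else MAC_Z)  # slow answer lands later
    return x, bool(pending)
```

With Y always answering first the table locks to a static Y entry after one check and Z stays ignored even after Y is renumbered, until the entry is deleted by hand; when the newest claimant keeps winning each race, the checks never stop.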