
Re: [cobalt-security] DANGER WILL ROBINSON!!! A tool for MIM/c*apfilt and poisoning listed on /.



Quoting cronus <cronus@xxxxxx>:

> If you are careful when using ssh you can avoid falling victim
> to this monkey-in-the-middle attack. Simply issue that command
> as follows:
> 
> ssh -l cronus -2 66.70.14.70
> 
> Rather than...
> 
> ssh -l cronus -2 www.whitedust.net
> 
> ARP poisoning can be made useless by using IP addresses over
> hostnames whenever possible. If I am wrong - someone please
> tell me.

Sorry, but ARP poisoning is independent of whether you use the
host name or not.  It happens at a lower layer, i.e., L2 of
the ISO 7-layer model.  When you resolve a name, you end up
with one or more IP addresses anyway -- and if the ARP cache
is poisoned, there's not much you can do about it.

To see your ARP cache, type in arp -a from the command line 
interface.  Note that every router also has an ARP cache,
which could also be the point of attack.  There's a nice
utility called arpwatch, which keeps track of the ARP cache,
and e-mails you whenever something changes (like a new
address found).

For those who are still reading, ARP means Address Resolution
Protocol.  Basically, what happens is that when your host
tries to reach an IP address which isn't already in your local
ARP cache, then it does a broadcast on your local subnet, 
asking for someone to give it the correct MAC (machine)
address for a given IP address.  If the IP address you 
request is in a different subnet, then the default gateway
(usually your router or firewall) will respond with its 
own MAC address.  This means that different ARP caches will
have different MAC<->IP mappings, depending upon where they
are in your network.


*********************************
        Paul Gillingwater
        Managing Director
 CSO Lanifex Unternehmensberatung 
 & Softwareentwicklung G.m.b.H.
      NEW BUSINESS CONCEPTS

E-mail:  paul@xxxxxxxxxxx
Teleph:  +43/1/2198222
Mobile:  +43/699/1922 3085
Webhome: http://www.lanifex.com/
Address: Praterstrasse 60/1/2 
         A-1020 Vienna, Austria
*********************************
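
The ARP-cache change tracking described in the message above, as an added example that is not part of the original post and is not arpwatch's own code. It compares two snapshots of `arp -a` output; the sample addresses are constructed, and `parse_arp` and `diff_arp` are hypothetical names.

```python
import re

# Matches Linux/BSD "? (10.0.0.1) at 0:11:22:33:44:55 ..." and Windows "10.0.0.1  00-11-22-33-44-55  dynamic".
_ENTRY = re.compile(
    r"\(?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b"
)

# Constructed sample snapshots (not captured from a real network).
BEFORE = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.20) at 66:77:88:99:aa:bb [ether] on eth0
"""
AFTER = """\
? (192.168.1.1) at 66:77:88:99:aa:bb [ether] on eth0
? (192.168.1.20) at 66:77:88:99:aa:bb [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0
"""

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output, skipping incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            octets = re.split(r"[:-]", m.group("mac").lower())
            table[m.group("ip")] = ":".join(o.zfill(2) for o in octets)
    return table

def diff_arp(before, after):
    """Return sorted (kind, key, detail) events between two parsed caches."""
    events = []
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
        if ip not in before:
            events.append(("new", ip, mac))
        elif before[ip] != mac:
            events.append(("changed", ip, f"{before[ip]} -> {mac}"))
    # One MAC answering for several IPs can be legitimate (proxy ARP,
    # multi-homed host) but is also what a poisoned cache looks like.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            events.append(("shared-mac", mac, ",".join(sorted(ips))))
    return sorted(events)

if __name__ == "__main__":
    for event in diff_arp(parse_arp(BEFORE), parse_arp(AFTER)):
        print(*event)
```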