Howto: add static ARP table entry automatically (Ethernet, DHCP-configured interface)



aleph
1st May 2014, 06:40 AM
This is a guide about how you can add static entries to your ARP table once a network interface is up using DHCP under Fedora 20.

ARP stands for Address Resolution Protocol, which is the protocol responsible for mapping Network-layer (e.g. IP) addresses into Link-layer (e.g. Ethernet) ones. ARP spoofing (https://en.wikipedia.org/wiki/ARP_spoofing) is a security exploit that enables an attacker to misdirect traffic over the LAN. This is usually done by sending spurious ARP packets over the datalink, faking the address of the LAN gateway. In this way the attacker could intercept or manipulate Internet traffic of LAN users.

If you use DHCP to connect to the LAN, and ARP spoofing is a concern, you can write the ARP entry for your LAN gateway in a file, typically /etc/ethers, like this


00:11:22:33:aa:bb 10.0.1.1
Here, the `00:11:22:33:aa:bb` part is the MAC (hardware) address of your LAN gateway, and the `10.0.1.1` part is its IP address. The two parts are separated by an arbitrary number of space or tab characters.

We assume that the gateway's MAC and IP addresses are not subject to frequent change. If that is not the case, automatically setting static ARP could prove troublesome.

The MAC address of the gateway can be obtained from your LAN administrator; it is crucial to use the right address. If you are sure that the current LAN is safe, you can query it from the command line using the arping tool:

$ arping -I em1 -c 4 10.0.1.1
Again, 10.0.1.1 should be substituted by your real gateway address, and the `em1` part should be your real interface name (check the output of `ifconfig` for a list of interfaces). The `-c` option sets the number of pings you will send (if omitted, the program loops infinitely until you Ctrl-C).

To set the record as "permanent" in your ARP cache, use the command

# arp -f /etc/ethers
as root.

To automatically source the /etc/ethers file on interface up (assuming DHCP), go to the /etc/dhcp directory as root and create the file `dhclient-{IFNAME}-up-hooks`, where `{IFNAME}` should be substituted by the real interface name (e.g. em1). Copy the following code into this file

#!/bin/sh
# dhclient runs this hook after the interface comes up; reload the static entries.
/sbin/arp -f /etc/ethers
Save it and set the executable permission:

# chmod +x dhclient-{IFNAME}-up-hooks

Next time the interface comes up, the static ARP table will be loaded automatically. To check the effect, run the command

$ arp
The output should look like this:


Address HWtype HWaddress Flags Mask Iface
10.0.1.1 ether 00:11:22:33:aa:bb CM em1
Notice the `M` flag in the `Flags Mask` column indicating the permanent status of this record.
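A slightly more defensive version of the hook, as an added example that is not part of the original post: it validates each line of /etc/ethers before loading it, and compares the expected gateway MAC with what the dynamic ARP cache currently holds, so a disagreement is logged at the moment the static entry is installed. It assumes the `arp -n` output layout shown above (IP, `ether`, HW address, flags, interface) and that `logger` is available; the `--apply` switch and the function names are this example's own.

```shell
#!/bin/sh
# Added example: validate /etc/ethers entries and cross-check them against the
# live ARP cache before making them permanent. Not the original post's hook.

# Return 0 if "$1" is a colon-separated MAC address.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Return 0 if "$1" is a dotted-quad IPv4 address.
valid_ip() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Read an ethers-style file from stdin. Print "mac ip" (MAC lower-cased) for
# every valid line, report malformed lines on stderr, return 1 if any were bad.
parse_ethers() {
    rc=0
    while read -r mac ip rest; do
        case "$mac" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if valid_mac "$mac" && valid_ip "$ip"; then
            printf '%s %s\n' "$(echo "$mac" | tr 'A-F' 'a-f')" "$ip"
        else
            echo "skipping malformed line: $mac $ip $rest" >&2
            rc=1
        fi
    done
    return $rc
}

# Compare one expected entry ($1 = mac, $2 = ip) with the text of "arp -n"
# passed as $3. Returns 0 on agreement, 1 on mismatch, 2 if the IP is not cached.
check_cache() {
    mac=$1; ip=$2; cache=$3
    seen=$(printf '%s\n' "$cache" | awk -v ip="$ip" '$1 == ip && $2 == "ether" { print tolower($3) }')
    if [ -z "$seen" ]; then
        echo "$ip: not in ARP cache yet"
        return 2
    elif [ "$seen" = "$mac" ]; then
        echo "$ip: cache agrees with /etc/ethers ($mac)"
        return 0
    else
        echo "$ip: MISMATCH, cache says $seen, /etc/ethers says $mac"
        return 1
    fi
}

# Load the validated entries permanently, logging any disagreement with the
# dynamically learned cache first. Needs root; only runs when given --apply.
apply_ethers() {
    cache=$(arp -n)
    parse_ethers < "$1" | while read -r mac ip; do
        check_cache "$mac" "$ip" "$cache" || logger -t static-arp "ARP check for $ip returned $?"
        arp -s "$ip" "$mac"
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_ethers "${2:-/etc/ethers}"
fi
```

Installed as `dhclient-{IFNAME}-up-hooks` it would be invoked by dhclient without arguments, so the `--apply` guard would have to be dropped (or the last three lines replaced by a plain `apply_ethers /etc/ethers`); the guard is only there so the functions can be sourced and exercised on constructed input without touching the real cache. A mismatch logged here does not by itself prove spoofing (a replaced gateway NIC produces the same message), but it is exactly the moment a static entry silently overrides what the LAN is advertising, so it deserves a log line.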

flyingfsck
1st May 2014, 07:12 AM
Howdy,

ARP spoofing is useful for network debugging through a switch. This can be done with ettercap. The above guidance will provide protection against ettercap only if you don't have a switch between your server and the gateway.

ARP cache updates are useful when you have redundant servers and need to do a graceful fail over. This can be done with arping.

A guide for these is available here: http://www.aeronetworks.ca/2013/09/arp-mystery-protocol-that-makes-lan-work.html