The OpenNET Project
 


Incorrect Linux ARP behavior


Date: Fri, 18 Sep 1998 20:14:28 -0400
From: Seth McGann <smm@WPI.EDU>
To: BUGTRAQ@netspace.org
Subject: Incorrect Linux ARP behavior

After further investigation it appears neped.c (the Linux sniffer detector
by savage@apostols.org) operates due to a problem in
/linux/net/ipv4/arp.c.  The function arp_rcv() controls when to send ARP
responses.  The criteria for sending these responses is flawed, in that it
will respond to ARP requests regardless of the destination MAC address.
Normally only frames with a station's MAC address are processed so this is
not a problem.  In promiscuous mode, all frames are processed, and without
checking the destination MAC address there is no way to discern if the
packet was really bound for the listening station.  To fix this problem all
that needs to be done is add the following check (pseudo code):

if(ether_header_destination != device_hardware_address) return;


Seth M. McGann / smm@wpi.edu        "Security is making it
http://www.wpi.edu/~smm              to the bathroom in time."
KeyID: 2048/1024/E2501C80
Fingerprint 3344 DFA2 8E4A 977B 63A7  19E3 6AF7 4AE7 E250 1C80
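
The behaviour described in the message above, modelled in user space as an added example (not code from the post or from the kernel's arp.c): it compares the reply decision with and without a destination-MAC check for a normal and a promiscuous interface. All names, MAC addresses and IP addresses are constructed, and accepting the broadcast address alongside the station's own MAC is an assumption of this example, since ordinary ARP requests are sent to ff:ff:ff:ff:ff:ff.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
enum dst_kind { DST_OWN, DST_BROADCAST, DST_OTHER };

/* Simplified model of a received ARP request (constructed, not kernel structures). */
struct arp_frame { uint8_t eth_dst[ETH_ALEN]; uint8_t target_ip[4]; };
struct netdev    { uint8_t mac[ETH_ALEN]; uint8_t ip[4]; int promisc; };

static const uint8_t BCAST[ETH_ALEN] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

static int dst_is_ours(const struct netdev *d, const struct arp_frame *f) {
    return !memcmp(f->eth_dst, d->mac, ETH_ALEN) || !memcmp(f->eth_dst, BCAST, ETH_ALEN);
}

/* Hardware filter: a promiscuous interface passes every frame up the stack. */
static int nic_delivers(const struct netdev *d, const struct arp_frame *f) {
    return d->promisc || dst_is_ours(d, f);
}

/* Behaviour described in the post: only the ARP target IP is examined. */
int arp_reply_unchecked(const struct netdev *d, const struct arp_frame *f) {
    return nic_delivers(d, f) && !memcmp(f->target_ip, d->ip, 4);
}

/* Same decision with the destination-MAC check applied first. */
int arp_reply_checked(const struct netdev *d, const struct arp_frame *f) {
    if (!dst_is_ours(d, f)) return 0;
    return arp_reply_unchecked(d, f);
}

/* Build a constructed request for the station's IP and return the reply decision. */
int decide(int promisc, enum dst_kind kind, int checked) {
    struct netdev d = {{0x02, 0, 0, 0, 0, 0x01}, {192, 0, 2, 10}, promisc};
    struct arp_frame f = {{0x02, 0, 0, 0, 0, 0x99}, {192, 0, 2, 10}};
    if (kind == DST_OWN) memcpy(f.eth_dst, d.mac, ETH_ALEN);
    if (kind == DST_BROADCAST) memcpy(f.eth_dst, BCAST, ETH_ALEN);
    return checked ? arp_reply_checked(&d, &f) : arp_reply_unchecked(&d, &f);
}

int main(void) {
    for (int p = 0; p <= 1; p++)
        for (int k = DST_OWN; k <= DST_OTHER; k++)
            printf("promisc=%d dst=%d unchecked=%d checked=%d\n",
                   p, k, decide(p, k, 0), decide(p, k, 1));
    return 0;
}
```

The only row where the two columns differ is the promiscuous interface receiving a request addressed to a foreign MAC, which is the reply a sniffer detector can observe.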
