TekMason
Hi Guys,
I have a relatively simple question that I have not been able to find an
answer to yet.
How can you prevent Windows from accepting gratuitous ARPs and adding them
to its ARP cache table?
This seems like it would be a very simple solution to prevent
man-in-the-middle attacks that use ARP cache poisoning. I am baffled as to
why the bright engineers at MS would make this a default, let alone not give
users/admins the ability to disable it. I can't imagine it being that
difficult to implement in the TCP/IP stack.
The only downsides that I can think of are:
1) Duplicate IP address detection on PC bootup.
Not an issue, because the stack could listen only for its own MAC and
respond back accordingly.
2) Clustering and HA systems where gratuitous ARP is used to notify clients
of updates to failed-over hosts.
In this case MS stack engineers could build a mechanism that allows
gratuitous ARP acceptance for specific IPs.
The way that MS handles gratuitous ARP brings this analogy to mind:
Some guy you have never seen before (cracker) knocks at your door (NIC),
unsolicited (gratuitous), and gives you a card with a "new" phone number
(MAC) for the bank. And then you (Windows IP stack) update your phone
directory with that number.
Thx,
TekMason
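The behaviour the post asks for (pin an IP-to-MAC binding to the first MAC seen, reject unsolicited rebinding, but allow it for a short list of failover addresses) can be checked passively from the wire even where the OS will not do it for you. The following Python is an added example written for this page, not code from the poster or from Microsoft: it parses raw Ethernet/ARP frames, tracks sender bindings the way a host's ARP cache would, and raises an alert when a gratuitous ARP (or any ARP) tries to move an already-known IP to a different MAC. All MAC and IP addresses, the `failover_ips` allow-list and the replayed frames are constructed for the demo; in practice the frames would come from a packet capture on the segment being watched.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Optional

# Ethernet II / ARP constants (RFC 826 wire format).
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass(frozen=True)
class ArpFrame:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        # A gratuitous ARP is one where the sender announces its own IP:
        # sender protocol address == target protocol address.
        return self.sender_ip == self.target_ip


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Parse an Ethernet II frame; return the ARP payload, or None for non-ARP/IPv4."""
    if len(frame) < 14 + 28:  # Ethernet header + minimal IPv4-over-Ethernet ARP body
        return None
    (eth_type,) = struct.unpack("!H", frame[12:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled here
    body = frame[22:42]
    sha, spa, tha, tpa = body[0:6], body[6:10], body[10:16], body[16:20]
    return ArpFrame(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a constructed Ethernet II + ARP frame for the demo (test input only)."""
    dst = BROADCAST if op == ARP_REQUEST or sender_ip == target_ip else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


class ArpWatcher:
    """Passive ARP monitor that pins each IP to the first MAC seen for it.

    IPs listed in `failover_ips` (a hypothetical allow-list for cluster/HA
    addresses, mirroring the exception the post proposes) may rebind freely;
    any other rebinding attempt is reported and the cached entry is kept.
    """

    def __init__(self, failover_ips=()):
        self.table: dict[str, str] = {}
        self.failover_ips = set(failover_ips)
        self.alerts: list[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None or arp.op not in (ARP_REQUEST, ARP_REPLY):
            return None
        known = self.table.get(arp.sender_ip)
        if known is None:
            self.table[arp.sender_ip] = arp.sender_mac  # first sighting: learn it
            return None
        if known == arp.sender_mac:
            return None  # consistent with the cached binding
        if arp.sender_ip in self.failover_ips:
            self.table[arp.sender_ip] = arp.sender_mac  # permitted failover rebind
            return None
        kind = ("gratuitous ARP" if arp.gratuitous
                else "ARP reply" if arp.op == ARP_REPLY else "ARP request")
        alert = (f"ALERT {kind}: {arp.sender_ip} changed {known} -> "
                 f"{arp.sender_mac}; keeping cached entry")
        self.alerts.append(alert)
        return alert


def run_demo():
    """Replay constructed frames through the watcher; returns (alerts, final table)."""
    gw, host, vip = "192.0.2.1", "192.0.2.10", "192.0.2.50"  # constructed addresses
    watcher = ArpWatcher(failover_ips={vip})
    frames = [
        build_arp(ARP_REPLY, "02:00:00:00:00:01", gw, "02:00:00:00:00:10", host),   # gateway answers host
        build_arp(ARP_REQUEST, "02:00:00:00:00:10", host, "00:00:00:00:00:00", gw),  # host looks up gateway
        build_arp(ARP_REPLY, "02:00:00:00:00:50", vip, "02:00:00:00:00:10", host),  # cluster VIP on node A
        build_arp(ARP_REQUEST, "02:00:00:00:00:51", vip, "00:00:00:00:00:00", vip),  # node B announces VIP
        build_arp(ARP_REQUEST, "02:00:00:00:00:bb", gw, "00:00:00:00:00:00", gw),    # unsolicited claim on gateway IP
        mac_bytes("02:00:00:00:00:10") + mac_bytes("02:00:00:00:00:01")
        + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 40,                         # plain IPv4 frame, ignored
    ]
    for f in frames:
        watcher.observe(f)
    return watcher.alerts, dict(watcher.table)


if __name__ == "__main__":
    alerts, table = run_demo()
    print(table)
    for a in alerts:
        print(a)
```

The watcher never overwrites a pinned binding on an alert, which is exactly the "don't accept the new phone number from a stranger" policy the post describes; the VIP's move from node A to node B goes through silently because it is on the allow-list. For the hosts that matter most on a Windows client (typically the default gateway), the same pinning is available without any monitoring code: a static neighbor entry added with `netsh interface ipv4 add neighbors` is not replaced by a received ARP, at the cost of having to maintain it by hand.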