
I'm experimenting with a spoofed IP connection, as described in section 7 of this article (IP SPOOFING with BSD RAW SOCKETS INTERFACE). Indeed, when a SYN is sent with no regard for ARP, there's no response. One of the two solutions presented in the article (which should be the simpler one) is to add a static ARP entry to the client host. My host is configured as 10.1.1.10 and I want the spoofed IP address to be 10.1.1.20.

To add the new entry, I ran:

# arp -i enp4s2 -Ds 10.1.1.20 enp4s2 pub

and when I run arp -n, it shows:

10.1.1.20     *      *          MP            enp4s2

From the server, I tried to arping 10.1.1.20 and there is no reply from the client host (with the published ARP entry).

Probably I didn't understand how ARP publishing works. Literature on the net seems to be very simplified on this matter.

My distro is openSUSE and the kernel version is 3.16.7-21-desktop #1 SMP PREEMPT.


1 Answer


I don't know whether that command still works on *BSD, but it seems to have been broken on Linux for over a decade. These days arp_req_set_public() punts to arp_req_set_proxy(), which triggers the kernel proxy_arp mechanism. I gather that ARP publishing was intended as a means of implementing proxy ARP, later rendered obsolete by an easier, less accident-prone, and more capable implementation.

It's a shame though. ARP publishing would have had other uses - a convenient way to handle dedicated NAT pools, for one. If you really need the semantics that are promised by the arp manual, you could try a userland ARP daemon like honeynet arpd (a.k.a. farpd) or choparpd.
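For readers who want to see what a userland ARP daemon such as farpd actually does for the "published entry" semantics the question is after, here is an added example (not from the question, the answer, or any of the tools named above). It listens on a raw AF_PACKET socket for ARP who-has requests naming the spoofed address and answers with the interface's own MAC, so the peer's SYN-ACKs for 10.1.1.20 land on this host's NIC where a raw-socket sniffer can pick them up. The interface name enp4s2 and the address 10.1.1.20 are taken from the question; the sample request frame at the bottom is constructed here so the parse/build logic can be exercised without root or a network.

```python
"""Minimal userland ARP responder (the job farpd/choparp do), added example.

Answers ARP requests for one published IPv4 address with the MAC of the
interface it is bound to. The packet parse/build helpers are pure functions;
only serve() touches the network and needs CAP_NET_RAW.
"""
import socket
import struct
import sys

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_HDR = struct.Struct("!6s6sH")            # dst mac, src mac, ethertype (14 bytes)
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")     # IPv4-over-Ethernet ARP body (28 bytes)


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": src, "op": op, "sha": sha, "spa": socket.inet_ntoa(spa),
            "tha": tha, "tpa": socket.inet_ntoa(tpa)}


def build_arp_reply(request: dict, our_mac: bytes) -> bytes:
    """Build an Ethernet+ARP 'is-at' reply claiming our_mac for the requested address."""
    spa = socket.inet_aton(request["tpa"])     # we answer as the address that was asked for
    tpa = socket.inet_aton(request["spa"])     # ... back to whoever asked
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, our_mac, spa, request["sha"], tpa)
    eth = ETH_HDR.pack(request["sha"], our_mac, ETH_P_ARP)   # unicast to the requester
    return eth + arp


def reply_for(frame: bytes, published_ip: str, our_mac: bytes):
    """Return a reply frame if `frame` is an ARP request for published_ip, else None."""
    req = parse_arp(frame)
    if req is None or req["op"] != ARP_REQUEST or req["tpa"] != published_ip:
        return None
    if req["spa"] == published_ip:
        return None   # gratuitous ARP / probe from the address itself: do not fight it
    return build_arp_reply(req, our_mac)


def serve(iface: str, published_ip: str):
    """Answer ARP requests for published_ip on iface. Needs CAP_NET_RAW; runs until killed."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ARP))
    sock.bind((iface, 0))
    our_mac = sock.getsockname()[4]           # hardware address of the bound interface
    while True:
        reply = reply_for(sock.recv(2048), published_ip, our_mac)
        if reply is not None:
            sock.send(reply)


# Constructed sample: the server (10.1.1.1, MAC 00:11:22:33:44:55) broadcasts
# "who-has 10.1.1.20 tell 10.1.1.1". Our assumed MAC is aa:bb:cc:dd:ee:ff.
SERVER_MAC = bytes.fromhex("001122334455")
OUR_MAC = bytes.fromhex("aabbccddeeff")
SAMPLE_REQUEST = (
    ETH_HDR.pack(b"\xff" * 6, SERVER_MAC, ETH_P_ARP)
    + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST, SERVER_MAC, bytes([10, 1, 1, 1]),
                   b"\x00" * 6, bytes([10, 1, 1, 20]))
)


def demo():
    """Run the responder logic over the constructed request and return the parsed reply."""
    reply = reply_for(SAMPLE_REQUEST, "10.1.1.20", OUR_MAC)
    return None if reply is None else parse_arp(reply)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        serve(sys.argv[1], sys.argv[2])        # e.g. python3 arp_publish.py enp4s2 10.1.1.20
    else:
        print(demo())
```

Because the reply carries the NIC's real MAC, the peer's frames for 10.1.1.20 reach this host; the kernel will not treat that address as local, so a raw-socket spoofer still has to sniff the SYN-ACK itself, exactly as the article's raw-socket approach assumes. Run it without arguments to see the parsed reply for the constructed request; with an interface and address it binds the raw socket and serves.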