These tools form the heart of UNIX routing configuration and observation. However, they provide far more features than can be discussed in this text. For details and operating system variations beyond the most important facilities, consult the manual pages. We will heavily rely on these tools and introduce features as we proceed.
Linux provides a newer, unified approach to network administration through the iproute2 package (see Example 7-10). The command itself is called ip. You can get help for the ip tool by typing ip help; this also works at the sublevels (for example, ip route help or ip neigh help). Example 7-10 prints the address configuration (the equivalent of ifconfig), the per-link statistics, the routing table, and the neighbor cache, that is, the IP-to-MAC mappings the kernel currently holds.
Example 7-10. Linux ip Facility
[root@callisto:~#] ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
where OBJECT := { link | addr | route | rule | neigh | tunnel |
maddr | mroute | monitor }
OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] |
-f[amily] { inet | inet6 | ipx | dnet | link } | -o[neline] }
[root@callisto:~#] ip -s addr
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0:
link/ether 00:10:5a:d7:93:60 brd ff:ff:ff:ff:ff:ff
inet 192.168.14.1/24 brd 192.168.14.255 scope global eth0
3: eth1:
link/ether 52:54:05:e3:51:87 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
[root@callisto:~#] ip -s link
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
RX: bytes packets errors dropped overrun mcast
4834 66 0 0 0 0
TX: bytes packets errors dropped carrier collsns
4834 66 0 0 0 0
2: eth0:
link/ether 00:10:5a:d7:93:60 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
21850 265 0 0 0 0
3: eth1:
link/ether 52:54:05:e3:51:87 brd ff:ff:ff:ff:ff:ff
RX: bytes packets errors dropped overrun mcast
3246131 5550 0 0 0 151
TX: bytes packets errors dropped carrier collsns
609700 5029 0 0 0 78
[root@callisto:~#] ip -s route
192.168.1.0/24 dev eth1 scope link
192.168.14.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.1.254 dev eth1
[root@callisto:~#] ip -s neigh
192.168.1.2 dev eth1 lladdr 08:00:46:64:74:1b ref 1 used 19/0/18 nud reachable
192.168.1.254 dev eth1 lladdr 48:54:e8:8c:0a:3f ref 13 used 193/220/325 nud stale
Example 7-11 shows several ways to print the same Linux routing table with netstat and route. Examples 7-11 through 7-18 present further netstat and route output from Linux, OpenBSD, and FreeBSD and explain the flag abbreviations used in the UNIX routing tables (collected from the respective man pages). As usual, consult the command's manual pages for further details.
Example 7-11. Linux netstat and route in Action
[root@callisto:~#] netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1
192.168.14.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 192.168.1.254 0.0.0.0 UG 40 0 0 eth1
[root@callisto:~#] route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.14.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1
[root@callisto:~#] route -een
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 40 0 0
192.168.14.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 40 0 0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 40 0 0
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1 40 0 0
Example 7-12. Possible Routing Table Flags (Linux)
U (route is up)
H (target is a host)
G (use gateway)
R (reinstate route for dynamic routing)
D (dynamically installed by daemon or redirect)
M (modified from routing daemon or redirect)
A (installed by addrconf)
C (cache entry)
! (reject route)
Example 7-13. Possible Routing Table Flags (FreeBSD)
1 RTF_PROTO1 Protocol specific routing flag #1
2 RTF_PROTO2 Protocol specific routing flag #2
3 RTF_PROTO3 Protocol specific routing flag #3
B RTF_BLACKHOLE Just discard pkts (during updates)
b RTF_BROADCAST The route represents a broadcast address
C RTF_CLONING Generate new routes on use
c RTF_PRCLONING Protocol-specified generate new routes on use
D RTF_DYNAMIC Created dynamically (by redirect)
G RTF_GATEWAY Destination requires forwarding by intermediary
H RTF_HOST Host entry (net otherwise)
L RTF_LLINFO Valid protocol to link address translation
M RTF_MODIFIED Modified dynamically (by redirect)
R RTF_REJECT Host or net unreachable
S RTF_STATIC Manually added
U RTF_UP Route usable
W RTF_WASCLONED Route was generated as a result of cloning
X RTF_XRESOLVE External daemon translates proto to link address
Example 7-14. Possible Routing Table Flags (OpenBSD)
1 RTF_PROTO1 Protocol specific routing flag #1.
2 RTF_PROTO2 Protocol specific routing flag #2.
3 RTF_PROTO3 Protocol specific routing flag #3.
B RTF_BLACKHOLE Just discard pkts (during updates).
C RTF_CLONING Generate new routes on use.
D RTF_DYNAMIC Created dynamically (by redirect).
G RTF_GATEWAY Destination requires forwarding by intermediary.
H RTF_HOST Host entry (net otherwise).
L RTF_LLINFO Valid protocol to link address translation.
M RTF_MODIFIED Modified dynamically (by redirect).
R RTF_REJECT Host or net unreachable.
S RTF_STATIC Manually added.
U RTF_UP Route usable.
X RTF_XRESOLVE External daemon translates proto to link address.
Example 7-15. OpenBSD route in Action
[root@ganymed:~#] route -nv show
Routing tables
Internet:
Destination Gateway Flags
default 111.11.117.1 UG
127.0.0.0 127.0.0.1 UG
127.0.0.1 127.0.0.1 UH
192.168.1.0 link#1 U
192.168.1.1 52:54:5:e3:51:87 UH
192.168.1.2 8:0:46:64:74:1b UH
192.168.2.0 link#2 U
192.168.2.7 0:10:5a:c4:2c:4 UH
192.168.44.1 192.168.44.1 UH
192.168.45.0 link#1 U
111.11.117.0 link#3 U
111.11.117.1 0:5:9a:5b:23:fc UH
111.11.117.206 127.0.0.1 UGH
Example 7-16. OpenBSD netstat
[root@ganymed:~#] netstat -rn -f inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default 111.11.117.1 UGS 3 7564 1500 ne5
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 2 0 33224 lo0
192.168.1/24 link#1 UC 0 0 1500 ne3
192.168.1.1 52:54:5:e3:51:87 UHL 0 5450 1500 ne3
192.168.1.2 8:0:46:64:74:1b UHL 1 2840 1500 ne3
192.168.2/24 link#2 UC 0 0 1500 ne4
192.168.2.7 0:10:5a:c4:2c:4 UHL 0 652 1500 ne4
192.168.44.1 192.168.44.1 UH 0 0 33224 lo1
192.168.45/24 link#1 UC 0 0 1500 ne3
111.11.117/24 link#3 UC 0 0 1500 ne5
111.11.117.1 0:5:9a:5b:23:fc UHL 1 0 1500 ne5
111.11.117.206 127.0.0.1 UGHS 0 0 33224 lo0
Example 7-17. FreeBSD netstat
[root@castor:~#] netstat -rn -f inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 192.168.2.254 UGSc 4 1064 xl0
127.0.0.1 127.0.0.1 UH 0 0 lo0
192.168.2 link#1 UC 1 0 xl0
192.168.2.254 52:54:05:e3:e4:2f UHLW 5 27 xl0 603
192.168.7 link#2 UC 1 0 ed0
192.168.7.254 00:00:0c:1a:a9:a8 UHLW 1 28 ed0 396
Example 7-18. Effect of Interfaces/Line Protocols Going Down
[root@callisto:~#] ifconfig eth0 down
[root@callisto:~#] route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth1
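The following is an added example, not code from the book: a small parser for the Linux route -n, route -een and netstat -rn layouts of Example 7-11 that decodes the flag letters of Example 7-12, does a longest-prefix lookup the way the kernel does, diffs two snapshots (the "before" and "after" of Example 7-18), and singles out routes carrying the D or M flags, which the kernel marks when a routing daemon or an ICMP redirect, rather than the administrator, installed or changed them. The two embedded snapshots are constructed: the first is the route -n output of Example 7-11, the second is the post-ifconfig-down table of Example 7-18 plus one hypothetical redirect-installed host route to 10.0.0.5.

```python
"""Parse Linux route -n / netstat -rn output, decode the flags of Example 7-12,
diff two snapshots and do a longest-prefix lookup.  Added example; the two
snapshots below are constructed from Examples 7-11 and 7-18 plus one
hypothetical redirect-installed host route (10.0.0.5)."""
import ipaddress
from dataclasses import dataclass

# Flag letters as documented in route(8) and listed in Example 7-12.
ROUTE_FLAGS = {
    "U": "up", "H": "host", "G": "gateway", "R": "reinstate",
    "D": "dynamic (installed by daemon or ICMP redirect)",
    "M": "modified (by daemon or ICMP redirect)",
    "A": "addrconf", "C": "cache", "!": "reject",
}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    iface: str


def parse_route_table(text):
    """Accepts route -n, route -een and netstat -rn output: in all three
    layouts Destination, Gateway, Genmask and Flags are the first four columns
    and the interface name is the eighth."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # skips the "Kernel IP routing table" banner and the header
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gw, flags, iface))
    return routes


def decode_flags(flags):
    """Expand a flag string such as 'UGH' into the descriptions of Example 7-12."""
    return [ROUTE_FLAGS.get(f, f"unknown({f})") for f in flags]


def longest_match(routes, ip):
    """Kernel-style selection: the most specific matching prefix wins
    (metrics are ignored here, which is fine for tables without duplicates)."""
    addr = ipaddress.IPv4Address(ip)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def diff_routes(before, after):
    """Return (removed, added) between two snapshots, e.g. around ifconfig eth0 down."""
    return set(before) - set(after), set(after) - set(before)


def suspicious_routes(routes):
    """Routes the administrator did not configure statically: D or M means a
    routing daemon or an ICMP redirect installed or changed them."""
    return [r for r in routes if "D" in r.flags or "M" in r.flags]


# Constructed snapshot: route -n from Example 7-11.
BEFORE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.14.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1
"""

# Constructed snapshot: Example 7-18 after eth0 went down, plus one hypothetical
# host route that an ICMP redirect from 192.168.1.2 could have installed.
AFTER = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
10.0.0.5        192.168.1.2     255.255.255.255 UGHD  0      0        0 eth1
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1
"""

if __name__ == "__main__":
    before, after = parse_route_table(BEFORE), parse_route_table(AFTER)
    removed, added = diff_routes(before, after)
    for r in removed:
        print("gone:", r.network, "dev", r.iface, decode_flags(r.flags))
    for r in added:
        print("new: ", r.network, "via", r.gateway, decode_flags(r.flags))
    for r in suspicious_routes(after):
        print("not statically configured:", r.network, "via", r.gateway)
    print("192.168.14.9 now goes via", longest_match(after, "192.168.14.9").gateway)
```

Run against two saved copies of route -n, the diff shows that taking eth0 down silently pushes 192.168.14.0/24 traffic onto the default route via 192.168.1.254, which is exactly the kind of change a host-based check should report. Two caveats: Linux kernels of this era keep redirect-learned next hops in the routing cache (route -Cn, ip route show cache) rather than in the main table, so hunt for redirects there as well, and the BSD layouts of Examples 7-16 and 7-17 use different columns and the flag letters of Examples 7-13 and 7-14, so they need their own table and parser.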
ARP-Related Tools
ARP is an important protocol from both a networking and a security point of view. In practice, it often becomes an issue when network adapters are replaced (the old MAC address lingers in the caches of neighbors), when the virtual MAC address of HSRP (Hot Standby Router Protocol) or VRRP (Virtual Router Redundancy Protocol) moves between routers, and when a firewall has to answer ARP for the addresses of its static NAT entries. Modern ARP sniffers and spoofing utilities can cause havoc even in switched environments. Because ARP carries no authentication, a host has no way to verify who sent a reply; most implementations accept replies and update their caches without hesitation (details such as whether an unsolicited reply may create a new entry vary by operating system).
Among the most interesting tools are iptraf (see Figure 7-1) and ettercap (Figure 7-2). iptraf includes a LAN station (MAC) monitor, traffic statistics, and helpful statistics about protocol families (TCP/UDP/IP/ICMP) and packet sizes. ettercap is a versatile tool in switched and nonswitched environments. You can use it for ARP poisoning, man-in-the-middle attacks, OS fingerprinting, sniffing, and other tasks.
Other useful command-line utilities are listed next and demonstrated in Example 7-19.
arpwatch/arpmonitor
arpoison
arpspoof (part of the dsniff package)
arping
arp-sk
For details, consult the man pages. Example 7-19 presents the arping tool, which combines the well-known ping behavior with ARP information: it sends ARP requests for an address and reports which MAC address answers and how quickly. arp-sk is a flexible tool for crafting arbitrary ARP requests and replies, optionally with randomized or spoofed link-layer and ARP addresses, which makes it useful for simulating ARP traffic; note in the example that, given only an interface and no mode or target, it falls back to broadcasting a reply for its own address. Finally, arpwatch and arpmonitor turn your workstation into a monitoring station for ARP traffic; arpwatch keeps a database of IP-to-MAC pairings and reports new stations and changed addresses by mail, as the "new station" message in Example 7-19 shows.
Example 7-19. Some Examples of ARP Monitoring
[root@callisto:~#] arping
Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination
-f : quit on first reply
-q : be quiet
-b : keep broadcasting, don't go unicast
-D : duplicate address detection mode
-U : Unsolicited ARP mode, update your neighbours
-A : ARP answer mode, update your neighbours
-V : print version and exit
-c count : how many packets to send
-w timeout : how long to wait for a reply
-I device : which ethernet device to use (eth0)
-s source : source ip address
destination : ask for what ip address
[root@callisto:~#] arping -I eth1 192.168.1.254
ARPING 192.168.1.254 from 192.168.1.1 eth1
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.941ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.871ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.882ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.889ms
Unicast reply from 192.168.1.254 [48:54:E8:8C:0A:3F] 0.877ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)
[root@callisto:~#] arp-sk
arp-sk version 0.0.15 (Sun Dec 1 18:35:24 CET 2002)
Author: Frederic Raynal
Usage: arp-sk
-w --who-has send a ARP Who-has
-r --reply send a ARP Reply
-p --arping (bad) RARP emulation (NOT YET IMPLEMANTED)
-m --arpmim Man in the Middle (NOT YET IMPLEMANTED)
-d --dst dst in link layer (
-s --src dst in link layer (
--rand-hwa set random addresses in link header
--rand-hwa-dst set random dst in link header
--rand-hwa-src set random src in link header
-D --arp-dst dst in ARP message ([hostname | hostip][:MAC])
-S --arp-src dst in ARP message ([hostname | hostip][:MAC])
--rand-arp set random addresses in ARP message
--rand-arp-dst set random dst addresses in ARP message
--rand-arp-src set random src addresses in ARP message
--rand-arp-hwa-dst set random dst MAC address in ARP message
--rand-arp-log-dst set random dst IP address in ARP message
--rand-arp-hwa-src set random src MAC address in ARP message
--rand-arp-log-src set random src IP address in ARP message
-i --interface specify interface (eth0)
-c --count # of packets to send (infinity)
-t --time wait the specified number of seconds between sending \
each packet (or X micro seconds with -t uX)
--rand-time randomize the sending period of the packets
--beep beeps for each packet sent
-a --addr-spaces addresses to use in the ARP packet (eth/ip)
-n --network broadcast address to use for icmp-timestamp
--use-ts an icmp-timestamp is sent to resolve MAC to IP
-N --call-dns force address resolution in outputs (default is off)
-V --version print version and exit
-h --help this help :)
[root@callisto:~#] arp-sk -i eth1 192.168.1.254
- Warning: no mode given, using default.
+ Running mode "reply"
+ Ifname: eth1
+ Source MAC: 52:54:05:e3:51:87
+ Source ARP MAC: 52:54:05:e3:51:87
+ Source ARP IP : 192.168.1.1
+ Target MAC: ff:ff:ff:ff:ff:ff
+ Target ARP MAC: ff:ff:ff:ff:ff:ff
+ Target ARP IP : 255.255.255.255
--- Start classical sending ---
TS: 18:48:45.447550
To: ff:ff:ff:ff:ff:ff From: 52:54:05:e3:51:87 0x0806
ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff):
192.168.1.1 is at 52:54:05:e3:51:87
TS: 18:48:50.445497
To: ff:ff:ff:ff:ff:ff From: 52:54:05:e3:51:87 0x0806
ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff):
192.168.1.1 is at 52:54:05:e3:51:87
--- 255.255.255.255 (ff:ff:ff:ff:ff:ff) statistic ---
To: ff:ff:ff:ff:ff:ff From: 52:54:05:e3:51:87 0x0806
ARP For 255.255.255.255 (ff:ff:ff:ff:ff:ff):
192.168.1.1 is at 52:54:05:e3:51:87
Total time: 10 sec
[root@callisto:~#] arpwatch -?
Version 2.1a11
usage: arpwatch [-dN] [-f datafile] [-i interface] [-n net[/width]] [-r file]
###### arpwatch running in debug mode without detaching from terminal ######
[root@callisto:~#] arpwatch -i eth1 -d
From: arpwatch (Arpwatch)
To: root
Subject: new station (callisto)
hostname: callisto
ip address: 192.168.1.1
ethernet address: 52:54:5:e3:51:87
ethernet vendor:
timestamp: Saturday, January 31, 2004 19:02:40 +0100
[root@callisto:~#] arpmonitor
-i ????
Usage mode:
./arpmonitor -i
-i
-s or -e , output:
-p setup promisc mode (auto clean on ctrl-C) - default: no promisc mode
[root@callisto:~#] arpmonitor -i eth1 -e
eth1ArpMonitor: Initializing...
ArpMonitor: HW address: 52:54:05:E3:51:87
ArpMonitor: IP address: 192.168.1.1
ArpMonitor: Netmask : 255.255.255.0
ArpMonitor: Broadcast : 192.168.1.255
ArpMonitor: received SIGINT, giving up
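As an added example (not part of the book's tool output above), the following is a minimal arpwatch-style monitor that works from the kernel's neighbor cache instead of sniffing: it parses ip neigh output as shown in Example 7-10, normalizes MAC addresses (the BSD tools and arpwatch print 52:54:5:e3:51:87 where ip prints 52:54:05:e3:51:87), remembers which MAC each IP last had, and raises the three indicators a defender cares about: an IP whose MAC changed, a pinned address (typically the default gateway) that no longer matches its expected MAC, and one MAC that answers for several IPs. The two embedded snapshots are constructed: the first is the neighbor table of Example 7-10, the second is a hypothetical later snapshot in which 192.168.1.254 resolves to the MAC of 192.168.1.2, the picture an ARP cache poisoning attempt against the gateway entry would leave behind.

```python
"""ARP-cache monitor in the spirit of arpwatch, fed with `ip neigh` output.
Added example; the snapshots are constructed (first from Example 7-10, second
hypothetical) and the pinned gateway MAC is taken from Example 7-10."""
from collections import defaultdict


def normalize_mac(mac):
    """Zero-pad and lowercase so 52:54:5:E3:51:87 and 52:54:05:e3:51:87 compare equal."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_ip_neigh(text):
    """Return {ip: (mac, dev, state)} from `ip neigh` / `ip -s neigh` output.
    Handles the older 'nud reachable' wording and the newer trailing 'REACHABLE';
    entries without lladdr (INCOMPLETE, FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok or "lladdr" not in tok:
            continue
        ip = tok[0]
        dev = tok[tok.index("dev") + 1] if "dev" in tok else "?"
        mac = normalize_mac(tok[tok.index("lladdr") + 1])
        state = tok[tok.index("nud") + 1] if "nud" in tok else tok[-1]
        table[ip] = (mac, dev, state.lower())
    return table


class ArpMonitor:
    """Keeps the last MAC seen per IP and compares each new snapshot against it."""

    def __init__(self, pinned=None):
        # pinned: {ip: expected_mac} for addresses that must never move (gateways)
        self.pinned = {ip: normalize_mac(m) for ip, m in (pinned or {}).items()}
        self.known = {}  # ip -> mac most recently seen

    def observe(self, snapshot_text):
        """Return a list of (kind, subject, detail) alerts for one snapshot."""
        alerts = []
        table = parse_ip_neigh(snapshot_text)
        by_mac = defaultdict(set)
        for ip, (mac, dev, state) in table.items():
            by_mac[mac].add(ip)
            prev = self.known.get(ip)
            if prev is None:
                alerts.append(("new station", ip, f"{mac} on {dev} ({state})"))
            elif prev != mac:
                alerts.append(("changed ethernet address", ip, f"{prev} -> {mac}"))
            self.known[ip] = mac
            if ip in self.pinned and self.pinned[ip] != mac:
                alerts.append(("pinned address mismatch", ip,
                               f"expected {self.pinned[ip]}, cache has {mac}"))
        for mac, ips in by_mac.items():
            if len(ips) > 1:
                alerts.append(("one MAC answers for several IPs", mac, ",".join(sorted(ips))))
        return alerts


# Constructed snapshot: the neighbor table of Example 7-10.
SNAPSHOT_BEFORE = """\
192.168.1.2 dev eth1 lladdr 08:00:46:64:74:1b ref 1 used 19/0/18 nud reachable
192.168.1.254 dev eth1 lladdr 48:54:e8:8c:0a:3f ref 13 used 193/220/325 nud stale
"""

# Constructed (hypothetical) later snapshot: the gateway entry now carries the
# MAC of 192.168.1.2, as after a successful poisoning of the gateway entry.
SNAPSHOT_AFTER = """\
192.168.1.2 dev eth1 lladdr 08:00:46:64:74:1b ref 1 used 3/0/2 nud reachable
192.168.1.254 dev eth1 lladdr 08:00:46:64:74:1b ref 13 used 1/0/1 nud reachable
"""

if __name__ == "__main__":
    monitor = ArpMonitor(pinned={"192.168.1.254": "48:54:E8:8C:0A:3F"})
    for snapshot in (SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        for kind, subject, detail in monitor.observe(snapshot):
            print(f"{kind}: {subject} {detail}")
```

On a live host, feed it the output of ip neigh (or ip -s neigh) at intervals; it only sees what the kernel currently caches, so pair it with arpwatch when you need to see the ARP replies themselves, including ones for addresses the host never asked about. Treat the "one MAC answers for several IPs" indicator as a hint rather than proof: a proxy ARP router and an HSRP/VRRP virtual address legitimately produce exactly that pattern, which is why the lab below asks you to study your system's proxy ARP behavior. For the gateway itself, the cache entry can be made immune to replies altogether with a permanent entry, for example ip neigh replace 192.168.1.254 lladdr 48:54:e8:8c:0a:3f nud permanent dev eth1, at the price of having to update it by hand whenever the router's hardware changes.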
Lab 7-1: ARP Security Issues
This lab's task is to experiment with the networking and security issues of the various manifestations of the ARP protocol. As already mentioned, this book largely excludes security discussions and has a different focus. However, every aspect of networking and systems administration has related security aspects as well. Equipped with tools such as ettercap, arping, arp-sk, and the toolbox of Chapter 6, try to get a feeling for how easy or difficult it is to do the following:
MAC spoofing
ARP spoofing
ARP cache poisoning
MAC-based DoS (denial of service)
Man-in-the-middle attacks
Proxying and hijacking
Study networking aspects such as the proxy ARP behavior of your operating system and derive a security policy to cope with the threats and weaknesses originating from the ARP suite of protocols. For hints, inspiration, and guidance, look at the sources mentioned in the "Recommended Reading" section at the end of this chapter.