[ovs-discuss] Q. about IP-, MAC-, arp-spoofing

Oliver Francke Oliver.Francke at filoo.de
Thu Jul 26 17:31:09 UTC 2012


We are not yet in sync ;) …

Am 26.07.2012 um 19:21 schrieb Jesse Gross <jesse at nicira.com>:

> On Thu, Jul 26, 2012 at 9:40 AM, Oliver Francke <Oliver.Francke at filoo.de> wrote:
>> Hi,
>> 
>> Am 26.07.2012 um 18:07 schrieb Jesse Gross <jesse at nicira.com>:
>> 
>>> On Thu, Jul 26, 2012 at 8:30 AM, Oliver Francke <Oliver.Francke at filoo.de> wrote:
>>>> Hi Jesse,
>>>> 
>>>> Am 26.07.2012 um 17:17 schrieb Jesse Gross <jesse at nicira.com>:
>>>> 
>>>>> On Thu, Jul 26, 2012 at 2:38 AM, Oliver Francke <Oliver.Francke at filoo.de> wrote:
>>>>>> Hi *,
>>>>>> 
>>>>>> as there are many guys around here with OVS and qemu-virtualization I think
>>>>>> it's the right place to ask ;)
>>>>>> 
>>>>>> Currently I have some basic rulesets ala:
>>>>>> 
>>>>>> # --- 8-< ---
>>>>>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0
>>>>>> nw_dst=224.0.0.0/24 priority=40000 action=drop"
>>>>>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 dl_src=${MAC}
>>>>>> nw_src=${IP} priority=39000 action=resubmit("${PORT}",1)"
>>>>>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" ip idle_timeout=0 priority=100
>>>>>> action=drop"
>>>>>> 
>>>>>> ovs-ofctl add-flow vmbr0 "in_port="${PORT}" table=1 priority=100
>>>>>> action=normal"
>>>>>> # --- 8-< ---
>>>>>> 
>>>>>> that is: drop some broadcasts, allow the VM's configured MAC + IP to jump to the
>>>>>> next table, and there place some additional rules, if any.
>>>>>> 
>>>>>> This works: I see no more traffic if I change eth0's MAC address or
>>>>>> my VM's IP. Fine.
>>>>>> 
>>>>>> Now there are evil characters around :-\
>>>>>> My enemy is arp-poisoning via ettercap or arpspoof, programs that are
>>>>>> available as deb packages.
>>>>>> 
>>>>>> Well, what do you do against mangled payload:
>>>>>> 
>>>>>> # --- 8-< ---
>>>>>> Hardware type: Ethernet (0x0001)
>>>>>> Protocol type: IP (0x0800)
>>>>>> .
>>>>>> .
>>>>>> Sender MAC address: 00:f1:70:00:38:b0 (00:f1:70:00:38:b0)
>>>>>> Sender IP address: 192.168.1.30 (192.168.1.30)
>>>>>> # --- 8-< ---
>>>>>> 
>>>>>> whereas the sender's MAC is correct and the IP is faked; it's from the VM I
>>>>>> want to attack.
>>>>>> 
>>>>>> Is there any way in OVS to detect via offset/pattern/whatever such a mess?
>>>>>> 
>>>>>> Or administer a static table in OVS with valid MACs <-> IPs?
>>>>> 
>>>>> Well you can match on the IPs and MACs in the payload of ARP packets
>>>>> using flows and drop anything that doesn't hit.
>>>> 
>>>> Well sir, I cannot, at least I tried to go through the man-pages etc. My plan was to add a flow for all arp-packets, then handle all things in a second table. But I have no idea _how_, hence this mail ;)
>>>> If it's something obvious, excuse my blindness 8-)
>>> 
>>> ovs-ofctl add-flow BR
>>> priority=1,in_port=X,arp,dl_src=Y,nw_src=Z,arp_sha=Y,actions=resubmit(TABLE)
>> 
>> Yeah, done that already. Was my first thought; the problem continues, as the MAC address is correct (matches arp_sha), but the IP is "poisoned" (wireshark excerpt above); the evil wants to inject his MAC with the IP of the target to attack.
>> Or my thinking is wrong at this point…
> 
> To hit a flow you must match all fields so if you specify both MAC and
> IP and the IP is spoofed then the flow won't match.
> 

The snippet above is the payload. The packet's Ethernet MAC address is correct, and so is the packet's IP address (192.168.1.32). In the packet itself there is the wrong information (192.168.1.30).

Sorry for any confusion.


>> So, flow would match, if arp + dl_src + nw_src + arp_sha + arp_source_ip_address are matching, right?
>> Then action would be normal.
> 
> nw_src and arp_source_ip_address are the same thing.  There's only one
> IP source field in an ARP packet.
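As an added example (not code from the thread or from Open vSwitch), a POSIX shell script that generates the combined IP and ARP anti-spoofing ruleset Jesse describes, matching the ARP payload with the `arp_sha` and `arp_spa` fields alongside the Ethernet `dl_src`; the bridge name, port number, MAC and IP are caller-supplied assumptions, and the sample values reuse the MAC and IPs quoted in the thread.

```shell
#!/bin/sh
# Added example: emit per-port anti-spoofing flows for Open vSwitch.
# Assumed inputs: bridge, OpenFlow port number, and the MAC/IP the VM on
# that port is allowed to use. Table 1 is assumed to hold per-VM rules,
# as in the ruleset quoted in the thread.

# gen_antispoof_flows BRIDGE IN_PORT MAC IP  -> one add-flow command per line
gen_antispoof_flows() {
    br=$1; port=$2; mac=$3; ip=$4
    # IPv4 from the port must carry the configured Ethernet and IP source.
    printf 'ovs-ofctl add-flow %s "table=0,priority=39000,in_port=%s,ip,dl_src=%s,nw_src=%s,actions=resubmit(,1)"\n' \
        "$br" "$port" "$mac" "$ip"
    # ARP from the port must carry the configured MAC both in the Ethernet
    # header (dl_src) and in the ARP payload (arp_sha), and the configured
    # IP as the ARP sender protocol address (arp_spa). A poisoned reply that
    # keeps the attacker's own MAC but claims the victim's IP misses this flow ...
    printf 'ovs-ofctl add-flow %s "table=0,priority=39000,in_port=%s,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,actions=resubmit(,1)"\n' \
        "$br" "$port" "$mac" "$mac" "$ip"
    # ... and falls through to the low-priority catch-all drop for the port.
    printf 'ovs-ofctl add-flow %s "table=0,priority=100,in_port=%s,actions=drop"\n' \
        "$br" "$port"
    # Table 1: normal L2 forwarding for traffic that passed the checks.
    printf 'ovs-ofctl add-flow %s "table=1,priority=100,in_port=%s,actions=normal"\n' \
        "$br" "$port"
}

# arp_frame_passes MAC IP ETH_SRC ARP_SHA ARP_SPA
# Offline mirror of the ARP allow flow above: returns 0 when a frame with the
# given Ethernet source and ARP sender fields would hit it, 1 when it would
# fall to the drop. Lets the match logic be checked without a switch.
arp_frame_passes() {
    [ "$3" = "$1" ] && [ "$4" = "$1" ] && [ "$5" = "$2" ]
}

# Constructed sample from the thread: the VM owns 00:f1:70:00:38:b0 / 192.168.1.32.
VM_MAC=00:f1:70:00:38:b0
VM_IP=192.168.1.32
gen_antispoof_flows vmbr0 5 "$VM_MAC" "$VM_IP"
# Legitimate ARP from the VM passes; the poisoned payload (own MAC,
# victim's IP 192.168.1.30) is dropped.
arp_frame_passes "$VM_MAC" "$VM_IP" "$VM_MAC" "$VM_MAC" 192.168.1.32 && echo "legit: pass"
arp_frame_passes "$VM_MAC" "$VM_IP" "$VM_MAC" "$VM_MAC" 192.168.1.30 || echo "poisoned: drop"
```

ARP probes used for duplicate-address detection carry a sender IP of 0.0.0.0 and would also be dropped by this ruleset; add a matching allow flow for `arp_spa=0.0.0.0` if guests rely on them.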