Re: ARPOP_REQUEST with spoofed IP address (joe, turn it off!)

C. M. Heard wrote:
> How does one tell, in principle, that the source IP address (ar$spa) in
> an ARP packet is in fact spoofed?
Not without cryptographic authentication, in general.

But for this particular issue, not updating the local cache based on 
snooped ARP exchanges (i.e. what Linux does) may make sense. Also, under 
this particular misconfiguration, there'll very likely be two ARP 
responses for a lookup of the IP address in question, so maybe could be 
used as an indicator that there's a problem.
Lars
--
Lars Eggert <larse(_at_)isi(_dot_)edu>           USC Information Sciences 
Institute

smime.p7s
Description: S/MIME Cryptographic Signature