Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 29 Apr 2002 23:00:50 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 29 Apr 2002 23:00:49 -0400 Received: from bstnma1-ar1-4-64-205-250.bstnma1.elnk.dsl.genuity.net ([4.64.205.250]:28670 "EHLO mail.spoofed.org") by vger.kernel.org with ESMTP id ; Mon, 29 Apr 2002 23:00:48 -0400 Date: Mon, 29 Apr 2002 23:04:18 -0400 From: warchild@spoofed.org To: Andi Kleen Cc: linux-kernel@vger.kernel.org Subject: Re: remote memory reading using arp? Message-ID: <20020430030418.GB6179@spoofed.org> In-Reply-To: <20020429173144.A4044@wotan.suse.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.28i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Greetings again, I took the time today to gather as much arp traffic as my eyes could handle and enough to shed some valuable light on this issue. While it doesn't show who/what is at fault, it may possibly prove that I'm missing something entirely or the problem is more widespread that was thought. Anyway, here goes. For test 1, I gathered ~1.5M of arp traffic from a monitoring port that sustains 4-5Mb/s traffic in a mixed solaris/linux/win2k environment of approximately 400 machines in an educational setting. For test 2, I gathered ~.5M of arp traffic from a single interface of a RedHat machine located in a "Small Business" environment consisting of approximately 25 machines (linux/winXP). That much arp data is pretty unruly, so I used grep to see if anything stuck out. I grepped for our domain name (ccs.neu.edu) and found this string 15 times in test 1, and grepped for 'http' in test 2 and found that string 62 times. Upon digging into the traffic a bit further, I saw an interesting trends. All of the arp packets that contained interesting data contained it in the last 18 bytes of the 60 byte arp packet. After googling and browsing the rfcs, I've seen these last 18 bytes referred to as both 'trailers' and 'padding'. It is not clear to me what purpose they serve, but seems clear that they can contain some potentially sensitive data. I know this may be getting a bit off topic, but I figured I share my findings with the lists. If I am incorrect in any of my statements, please correct me. thanks, -jon - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/