ARP Reply checking

fuchsc wrote on Tuesday, August 13, 2019:


I’m using FreeRTOS+TCP for a TI TMS570LS3137 chip. It’s working very well.
At the moment I’m making some tests for the TCP/IP stack and MAC driver. One test is to send many ARP reply packets from a Win10 PC. I noticed that the data (MAC address and IP address) of these packets is taken into the ARP table without restrictions (except the subnet mask).
I’m not an expert on network stacks, but this can be dangerous because other UDP packets will then be sent to another node. (I learned that this is known as an ARP spoofing attack.)
I also do not know if this can be prevented by the FreeRTOS+TCP stack or if other stacks prevent this. Googling this attack shows that Linux, for example, ignores ARP reply packets without a preceding ARP request packet.
Can this also be done in the FreeRTOS+TCP stack?

Thanks and best regards

rtel wrote on Friday, September 13, 2019:

Bumping this up to the top as it was sat in moderation for a long time
(apologies - no posts are supposed to go into moderation).

heinbali01 wrote on Friday, September 13, 2019:

Sorry to see that your message stayed “in moderation” for such a long time.
From experience: when a post stays in moderation, it may help to wait one day and just send it again. The second one might get through.
I will come up with an answer within a day.

heinbali01 wrote on Monday, September 16, 2019:

Any message that is apparently aimed at “this device” will lead to an update of the ARP cache. There are two limitations though:

  1. UDP messages will only update the ARP cache if the target port is active.

  2. Once a TCP connection has started, it will not look up the IP address in the ARP table. The MAC address of the peer is stored in the Socket object.

We could store ARP addresses only when this device has sent a request. Sounds nice, but how do I reply to a peer that sends a UDP packet or a TCP SYN? Send an ARP request first? It is possible, but it may disturb existing applications and it will make things slower.

I asked around and got this answer: “one needs a stateful IPS/IDS (intrusion prevention/detection system) to catch ARP spoofing.
The best mitigation for an endpoint is defence-in-depth, i.e. use TLS.”
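
The request-gated behaviour discussed in this thread (only store a MAC address when this device has itself sent an ARP request for that IP, as Linux does), written out as an added example. This is not FreeRTOS+TCP code and does not use its API; the cache, the function names, the tick-based timeouts and the sample addresses are all hypothetical. It shows the two consequences raised above: an unsolicited reply, however many are sent, never touches the cache, and a lookup for a peer we have not asked about fails, so the stack must send a request before it can answer an incoming UDP packet or TCP SYN. It also returns a distinct result when a solicited reply changes a previously learned MAC, which is the one signal an endpoint can log without a stateful IDS.

```c
/* Stateful ARP reply filter: an added example, not FreeRTOS+TCP code.
 * Hypothetical names; IPv4 addresses are uint32_t in host order and
 * "now" is a millisecond tick supplied by the caller. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ARP_CACHE_SIZE     8
#define ARP_REQUEST_TTL_MS 1000u  /* accept a reply only this long after our request */
#define ARP_ENTRY_TTL_MS   60000u /* a learned entry expires after this */

typedef struct {
    uint32_t ip;
    uint8_t  mac[6];
    uint32_t requested_at; /* tick of our last request, valid while pending */
    uint32_t learned_at;   /* tick of the last accepted reply, valid while resolved */
    uint8_t  in_use, pending, resolved;
} arp_entry_t;

typedef struct { arp_entry_t entries[ARP_CACHE_SIZE]; } arp_cache_t;

typedef enum {
    ARP_REPLY_ACCEPTED = 0, /* solicited reply: new entry or unchanged MAC */
    ARP_REPLY_MAC_CHANGED,  /* solicited reply, but MAC differs from cache: log it */
    ARP_REPLY_UNSOLICITED,  /* we never asked for this IP: dropped */
    ARP_REPLY_STALE         /* our request is older than ARP_REQUEST_TTL_MS: dropped */
} arp_reply_result_t;

static arp_entry_t *arp_find(arp_cache_t *c, uint32_t ip)
{
    for (int i = 0; i < ARP_CACHE_SIZE; i++)
        if (c->entries[i].in_use && c->entries[i].ip == ip)
            return &c->entries[i];
    return NULL;
}

void arp_cache_init(arp_cache_t *c) { memset(c, 0, sizeof *c); }

/* Record that we just sent an ARP request for ip (the send itself is out of
 * scope). Returns 0, or -1 if the cache has no free slot. */
int arp_note_request_sent(arp_cache_t *c, uint32_t ip, uint32_t now)
{
    arp_entry_t *e = arp_find(c, ip);
    if (e == NULL) {
        for (int i = 0; i < ARP_CACHE_SIZE && e == NULL; i++)
            if (!c->entries[i].in_use) e = &c->entries[i];
        if (e == NULL) return -1;
        memset(e, 0, sizeof *e);
        e->in_use = 1;
        e->ip = ip;
    }
    e->pending = 1;
    e->requested_at = now;
    return 0;
}

/* Feed every ARP reply addressed to this device through here. Only a reply
 * answering a request we sent within ARP_REQUEST_TTL_MS may write the cache. */
arp_reply_result_t arp_handle_reply(arp_cache_t *c, uint32_t sender_ip,
                                    const uint8_t sender_mac[6], uint32_t now)
{
    arp_entry_t *e = arp_find(c, sender_ip);
    if (e == NULL || !e->pending)
        return ARP_REPLY_UNSOLICITED;
    e->pending = 0;                       /* one reply per request */
    if ((uint32_t)(now - e->requested_at) > ARP_REQUEST_TTL_MS)
        return ARP_REPLY_STALE;
    arp_reply_result_t r = ARP_REPLY_ACCEPTED;
    if (e->resolved && memcmp(e->mac, sender_mac, 6) != 0)
        r = ARP_REPLY_MAC_CHANGED;        /* accepted, but the caller should log it */
    memcpy(e->mac, sender_mac, 6);
    e->resolved = 1;
    e->learned_at = now;
    return r;
}

/* Resolve ip for an outgoing frame. Returns 1 and fills mac_out when a fresh
 * entry exists, 0 when the caller must first send a request. */
int arp_lookup(arp_cache_t *c, uint32_t ip, uint8_t mac_out[6], uint32_t now)
{
    arp_entry_t *e = arp_find(c, ip);
    if (e == NULL || !e->resolved) return 0;
    if ((uint32_t)(now - e->learned_at) > ARP_ENTRY_TTL_MS) {
        e->resolved = 0;                  /* expired: force a fresh request */
        return 0;
    }
    memcpy(mac_out, e->mac, 6);
    return 1;
}

int main(void)
{
    /* Constructed scenario: a spoofer at 02:00:00:00:00:02 floods replies for 192.168.1.5 */
    arp_cache_t c; arp_cache_init(&c);
    const uint8_t real[6] = {0x02,0,0,0,0,1}, spoof[6] = {0x02,0,0,0,0,2};
    uint32_t ip = 0xC0A80105u;
    printf("unsolicited reply -> %d (2 = dropped)\n", arp_handle_reply(&c, ip, spoof, 100));
    arp_note_request_sent(&c, ip, 200);
    printf("solicited reply   -> %d (0 = accepted)\n", arp_handle_reply(&c, ip, real, 300));
    printf("spoofed reply     -> %d (2 = dropped)\n", arp_handle_reply(&c, ip, spoof, 400));
    return 0;
}
```

The MAC_CHANGED case is still accepted, because a reply to our own request is as trustworthy as ARP ever gets; it is reported separately so the application can log a possible spoof. The price is the one heinbali01 names: a peer that has never been resolved cannot be answered until a request has gone out and come back, which adds a round trip to the first packet of every new conversation.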

fuchsc wrote on Friday, October 25, 2019:

Thank you for your answer.

Hi Fuchsc. How are you?
I see that you managed to use the FreeRTOS TCP stack with the TMS570LS3137. I am working with the same board, and I need to use this same stack. Could you provide me with your stack files, please? I would appreciate it very much, since I was trying to use it but without success, and I did not find a solution. I’m very sad about that. I hope you can help me. Thanks a lot!! And sorry for the inconvenience.