DaemonForums - Guides

Posted 6th May 2008 by J65nko (Administrator)
"The Ping Torture of Tantalus" - A Greek tragedy exposing ARP and DNS

"The Ping Torture of Tantalus" - A Greek tragedy exposing the treacherous roles of ARP and Oracle of Names in the suffering of Tantalus

The three leading actors:
  1. Zeno, the Torturer of Tantalus
    Code:
    Host     : zeno.utp.xnet
    Role     : client in 'utp.xnet' network
    OS       : OpenBSD
    NIC      : fxp0
    IP       : 192.168.222.44
    
    ifconfig fxp0:
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:08:c7:ca:ba:ad
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.222.44 netmask 0xffffff00 broadcast 192.168.222.255
            inet6 fe80::208:c7ff:feca:baad%fxp0 prefixlen 64 scopeid 0x1
    
    /etc/resolv.conf:
    nameserver  192.168.222.10
  2. Tantalus, the Victim of Zeno's Ping Tortures
    Code:
    Host     : tantalus.utp.xnet
    Function : client in 'utp.xnet' network
    OS       : OpenBSD
    NIC      : fxp0
    IP       : 192.168.222.210 and 192.168.222.211
    
    ifconfig fxp0
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:08:c7:72:45:55
            groups: egress
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet6 fe80::208:c7ff:fe72:4555%fxp0 prefixlen 64 scopeid 0x1
            inet 192.168.222.210 netmask 0xffffff00 broadcast 192.168.222.255
            inet 192.168.222.211 netmask 0xffffffff broadcast 192.168.222.211
  3. Parmenides, the Oracle of Names
    Code:
    Host     : parmenides.utp.xnet
    Function : nameserver for 'utp.xnet' network
    OS       : OpenBSD
    NIC      : fxp0
    IP       : 192.168.222.10 and 192.168.222.11
    
    ifconfig fxp0:
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:08:c7:72:40:d5
            media: Ethernet autoselect (100baseTX)
            status: active
            inet 192.168.222.10 netmask 0xffffff00 broadcast 192.168.222.255
            inet6 fe80::208:c7ff:fe72:40d5%fxp0 prefixlen 64 scopeid 0x1
            inet 192.168.222.11 netmask 0xffffffff broadcast 192.168.222.11

The actors are prepared and ready:
  1. The flags in their ifconfig output show 'UP'

  2. There is a communication link with their network hub/ switch: 'status: active'

  3. They all have an IP address and a netmask:
    Code:
    inet 192.168.222.44 netmask 0xffffff00 broadcast 192.168.222.255 (zeno)
    inet 192.168.222.210 netmask 0xffffff00 broadcast 192.168.222.255 (tantalus, the victim)
    inet 192.168.222.10 netmask 0xffffff00 broadcast 192.168.222.255 (parmenides)
  4. The actor 'zeno' has an "/etc/resolv.conf" file with a nameserver entry pointing at the Oracle of Names.

    Because the merciful goddess DHCP has given Tantalus a constantly changing address as a hiding place, Zeno the Torturer needs the service of the Oracle of Names to discover the current address of his victim.

Act I - Erasure of the Table of ARP and Placing the Tap

In one xterm on host 'zeno', delete the ARP (Address Resolution Protocol) table and run tcpdump to spy on the TCP/IP traffic.
The reason for this deletion will become clear at the end of this 'tragedy'.
Code:
# arp -dna
192.168.222.10 (192.168.222.10) deleted

# tcpdump -s 512 -eni fxp0
tcpdump: listening on fxp0
Explanation of the arp options:
Code:
-d  : delete
-n  : show the numerical IP addresses, don't use DNS to resolve to symbolic names
-a  : all entries
Explanation of the tcpdump options:
Code:
-s 512  : decode not only the header but also 512 bytes of data 
-e      : show the MAC, or linklevel, addresses
-n      : show the numerical IP addresses, don't use DNS to resolve to symbolic names
-i fxp0 : specify the interface 'fxp0'
Act II - The Ping Torture of Tantalus

On host 'zeno' run 'ping -c2 tantalus.utp.xnet'
Code:
] ping -c2 tantalus
PING tantalus.utp.xnet (192.168.222.210): 56 data bytes
64 bytes from 192.168.222.210: icmp_seq=0 ttl=255 time=0.387 ms
64 bytes from 192.168.222.210: icmp_seq=1 ttl=255 time=0.261 ms
--- tantalus.utp.xnet ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.261/0.324/0.387/0.063 ms
Act III: The Exposure of the Betrayers ARP and Oracle of Names

The complete wiretap/dump
Code:
root@zeno[/root] tcpdump -s 512 -eni fxp0
tcpdump: listening on fxp0
17:37:16.978337 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42:
   arp who-has 192.168.222.10 tell 192.168.222.44

17:37:16.978501 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0806 60:
   arp reply 192.168.222.10 is-at 0:8:c7:72:40:d5

17:37:16.978517 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77:
   192.168.222.44.4331 > 192.168.222.10.53:
  44527+ A? tantalus.utp.xnet. (35)

17:37:16.979954 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93:
  192.168.222.10.53 > 192.168.222.44.4331:
  44527 1/0/0 A 192.168.222.210 (51)

17:37:16.980405 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42:
   arp who-has 192.168.222.210 tell 192.168.222.44

17:37:16.980514 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0806 60:
   arp reply 192.168.222.210 is-at 0:8:c7:72:45:55

17:37:16.980528 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
   192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:16.980722 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
   192.168.222.210 > 192.168.222.44: icmp: echo reply

17:37:17.988741 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
   192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:17.988922 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
   192.168.222.210 > 192.168.222.44: icmp: echo reply
^C
10 packets received by filter
0 packets dropped by kernel
The command is "ping -c2 tantalus.utp.xnet". So the first task is to ask the Oracle of Names, the nameserver at 192.168.222.10, to translate the name 'tantalus.utp.xnet' to the IP address.

Code:
17:37:16.978337 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42:
  arp who-has 192.168.222.10 tell 192.168.222.44
Using ARP (the Address Resolution Protocol), the fxp0 NIC 0:8:c7:ca:ba:ad sends a frame to the Ethernet broadcast address ff:ff:ff:ff:ff:ff (the link-layer counterpart of IP's 255.255.255.255) asking: "User of the 192.168.222.10 address, what is your MAC address?"

The reply:
Code:
 17:37:16.978501 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0806 60:
   arp reply 192.168.222.10 is-at 0:8:c7:72:40:d5
"Hi, 0:8:c7:ca:ba:ad, this is 192.168.222.10. My MAC is 0:8:c7:72:40:d5"

With this information 'zeno' at 192.168.222.44 (0:8:c7:ca:ba:ad) is able to ask the Oracle, or nameserver, 192.168.222.10 (0:8:c7:72:40:d5) for the DNS A record of 'tantalus.utp.xnet'.
Code:
17:37:16.978517 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77:
  192.168.222.44.4331 > 192.168.222.10.53:
  44527+ A? tantalus.utp.xnet. (35)
The answer is an A record with IP 192.168.222.210:
Code:
17:37:16.979954 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93:
   192.168.222.10.53 > 192.168.222.44.4331:
  44527 1/0/0 A 192.168.222.210 (51)
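The '(35)' and '(51)' that tcpdump prints after the DNS query and answer are the sizes of the DNS messages themselves, and the frame lengths 77 and 93 on the header lines are those messages plus the 14-byte Ethernet, 20-byte IP and 8-byte UDP headers. The following Python script is an added example and not part of J65nko's post: it builds the same query and answer on the wire (name, transaction id and address taken from the dump above; the TTL and flag values are assumptions, since tcpdump's one-line summary does not show them), decodes the answer back into the '1/0/0' counts and the A record, and accounts for every frame length in the capture, including the ARP request (42 = 14 + 28), the ARP reply (60, because the replying NIC pads to the Ethernet minimum, whereas our own outgoing request is captured before padding) and the ping frames (98 = 14 + 20 + 8 + 56).

```python
import struct

# Values taken from the tcpdump capture in this thread
QNAME = "tantalus.utp.xnet"
TXID = 44527
ANSWER_IP = "192.168.222.210"

# Header sizes in bytes: Ethernet (no FCS), IPv4 (no options), UDP, ARP, ICMP
ETH, IP4, UDP, ARP, ICMP, PING_DATA = 14, 20, 8, 28, 8, 56   # 56 = ping's default data size
ETH_MIN_FRAME = 60   # minimum Ethernet frame length without FCS; the NIC pads shorter frames

def encode_name(name):
    """DNS wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(txid, name):
    """The 'A?' query: 12-byte header with RD set (the '+' tcpdump prints), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def build_answer(txid, name, ip, ttl=3600):
    """The reply: QR/RD/RA flags, the question echoed back, one A record.
    The TTL and flags are assumed values; tcpdump's summary line does not show them."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    # 0xC00C is a compression pointer to the name at offset 12 (start of the question)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr

def skip_name(msg, pos):
    """Advance past a name, which is either labels ending in 0 or a 2-byte pointer."""
    while True:
        n = msg[pos]
        if n & 0xC0 == 0xC0:
            return pos + 2
        if n == 0:
            return pos + 1
        pos += 1 + n

def parse_answer(msg):
    """Decode what tcpdump summarises as '<id> <an>/<ns>/<ar> A <ip> (<len>)'."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):                          # skip the question section
        pos = skip_name(msg, pos) + 4            # name, then QTYPE + QCLASS
    a_records = []
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            a_records.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return {"id": txid, "counts": (an, ns, ar), "a_records": a_records, "len": len(msg)}

def expected_frame_sizes():
    """Frame lengths that tcpdump -e prints on each header line, rebuilt from header sizes."""
    query = len(build_query(TXID, QNAME))
    answer = len(build_answer(TXID, QNAME, ANSWER_IP))
    return {
        "arp who-has (sent by us)": ETH + ARP,                     # 42, captured before NIC padding
        "arp reply (received)": max(ETH + ARP, ETH_MIN_FRAME),    # 60, padded by the sender's NIC
        "dns query": ETH + IP4 + UDP + query,                      # 77
        "dns answer": ETH + IP4 + UDP + answer,                    # 93
        "icmp echo": ETH + IP4 + ICMP + PING_DATA,                 # 98
    }

if __name__ == "__main__":
    print("DNS query bytes :", len(build_query(TXID, QNAME)))
    print("DNS answer      :", parse_answer(build_answer(TXID, QNAME, ANSWER_IP)))
    for kind, size in expected_frame_sizes().items():
        print(f"{kind:28} {size}")
```

The 'A?' query is 35 bytes because the name 'tantalus.utp.xnet.' costs 19 bytes on the wire (one length byte per label plus the terminating zero) on top of the 12-byte header and the 4-byte type/class pair; the answer adds a 16-byte resource record in which the name is a 2-byte pointer back into the question.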
Having obtained the IP address of 'tantalus', the assistance of ARP is needed once more, now to find out the MAC address of 192.168.222.210.
Code:
17:37:16.980405 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42:
   arp who-has 192.168.222.210 tell 192.168.222.44
17:37:16.980514 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0806 60:
   arp reply 192.168.222.210 is-at 0:8:c7:72:45:55
Finally after all this preparatory work, ping can perform the 'torture' by sending two ICMP requests and listening for replies.
Code:
17:37:16.980528 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
   192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:16.980722 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
   192.168.222.210 > 192.168.222.44: icmp: echo reply

17:37:17.988741 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
   192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:17.988922 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
   192.168.222.210 > 192.168.222.44: icmp: echo reply
To end tcpdump we press Control-C
Code:
 ^C
10 packets received by filter
0 packets dropped by kernel
The answers to the ARP queries are cached in a table for possible reuse. We can see this table with the following command:
Code:
#  arp -an
? (192.168.222.10) at 00:08:c7:72:40:d5 on fxp0
? (192.168.222.210) at 00:08:c7:72:45:55 on fxp0
If we leave out the "-n" option the DNS names will be shown too.
Code:
# arp -a
parmenides.utp.xnet (192.168.222.10) at 00:08:c7:72:40:d5 on fxp0
tantalus.utp.xnet (192.168.222.210) at 00:08:c7:72:45:55 on fxp0
If 'zeno' had had previous TCP/IP communication with 'tantalus' and the nameserver 'parmenides', we wouldn't have seen the ARP traffic. An ARP request is only sent when a host cannot find an IP<->MAC address mapping in its ARP table.

A tcpdump of another ping from zeno to tantalus, with a filled ARP table, shows no ARP traffic:
Code:
19:10:29.695485 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77:
  192.168.222.44.17885 > 192.168.222.10.53:  49880+ A? tantalus.utp.xnet. (35)

19:10:29.697044 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93:
  192.168.222.10.53 > 192.168.222.44.17885:
   49880 1/0/0 A 192.168.222.210 (51)

19:10:29.697480 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
  192.168.222.44 > 192.168.222.210: icmp: echo request
19:10:29.697688 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
  192.168.222.210 > 192.168.222.44: icmp: echo reply

19:10:30.702854 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
  192.168.222.44 > 192.168.222.210: icmp: echo request
19:10:30.703030 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
  192.168.222.210 > 192.168.222.44: icmp: echo reply
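To turn the captures above into the table that 'arp -an' shows, and to check the rule just stated (no ARP traffic when the mapping is already cached, and every IP frame we send goes to the MAC the cache holds for its destination), here is an added Python script that is not part of the post. It parses tcpdump -e output copied from Act III and from the second capture (the second ping pair of the first capture is left out to keep the input short), rebuilds zeno's ARP cache from the 'is-at' replies, and flags two things a defender reading such a capture would want to notice: a reply for an address nobody asked about, and an address whose MAC changes between replies. The MAC normalisation (00:08 instead of 0:8) is there so that the rebuilt table reads exactly like the 'arp -an' output.

```python
import re

# Constructed input: excerpts of the two tcpdump captures from this thread.
FIRST_DUMP = """\
17:37:16.978337 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42:
   arp who-has 192.168.222.10 tell 192.168.222.44
17:37:16.978501 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0806 60:
   arp reply 192.168.222.10 is-at 0:8:c7:72:40:d5
17:37:16.978517 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77:
   192.168.222.44.4331 > 192.168.222.10.53:
  44527+ A? tantalus.utp.xnet. (35)
17:37:16.979954 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93:
  192.168.222.10.53 > 192.168.222.44.4331:
  44527 1/0/0 A 192.168.222.210 (51)
17:37:16.980405 0:8:c7:ca:ba:ad ff:ff:ff:ff:ff:ff 0806 42:
   arp who-has 192.168.222.210 tell 192.168.222.44
17:37:16.980514 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0806 60:
   arp reply 192.168.222.210 is-at 0:8:c7:72:45:55
17:37:16.980528 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
   192.168.222.44 > 192.168.222.210: icmp: echo request
17:37:16.980722 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
   192.168.222.210 > 192.168.222.44: icmp: echo reply
"""

SECOND_DUMP = """\
19:10:29.695485 0:8:c7:ca:ba:ad 0:8:c7:72:40:d5 0800 77:
  192.168.222.44.17885 > 192.168.222.10.53:  49880+ A? tantalus.utp.xnet. (35)
19:10:29.697044 0:8:c7:72:40:d5 0:8:c7:ca:ba:ad 0800 93:
  192.168.222.10.53 > 192.168.222.44.17885:
   49880 1/0/0 A 192.168.222.210 (51)
19:10:29.697480 0:8:c7:ca:ba:ad 0:8:c7:72:45:55 0800 98:
  192.168.222.44 > 192.168.222.210: icmp: echo request
19:10:29.697688 0:8:c7:72:45:55 0:8:c7:ca:ba:ad 0800 98:
  192.168.222.210 > 192.168.222.44: icmp: echo reply
"""

# tcpdump -e header line: time, src MAC, dst MAC, ethertype, frame length, optional rest
HEADER = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (\S+) (\S+) ([0-9a-f]{4}) (\d+):\s*(.*)$")
WHO_HAS = re.compile(r"arp who-has (\S+) tell (\S+)")
IS_AT = re.compile(r"arp reply (\S+) is-at (\S+)")

def norm_mac(mac):
    """tcpdump prints 0:8:c7:..; arp -an prints 00:08:c7:.. - use the latter form."""
    return ":".join(part.zfill(2) for part in mac.split(":"))

def parse_tcpdump(text):
    """One dict per frame; indented continuation lines are folded into 'detail'."""
    frames = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, src, dst, etype, length, rest = m.groups()
            frames.append({"ts": ts, "src": norm_mac(src), "dst": norm_mac(dst),
                           "etype": etype, "len": int(length), "detail": rest.strip()})
        elif frames and line.strip():
            frames[-1]["detail"] = (frames[-1]["detail"] + " " + line.strip()).strip()
    return frames

def ip_pair(detail):
    """Source and destination IP of an IP frame; tcpdump appends the port as a 5th octet."""
    src, rest = detail.split(" > ", 1)
    dst = rest.split(":", 1)[0]
    return ".".join(src.split(".")[:4]), ".".join(dst.split(".")[:4])

def learn_arp_cache(frames):
    """Rebuild the ARP table zeno ends up with, and note anything that looks off."""
    pending, cache, findings = set(), {}, []
    for f in frames:
        if f["etype"] != "0806":
            continue
        if (m := WHO_HAS.search(f["detail"])):
            pending.add(m.group(1))
        elif (m := IS_AT.search(f["detail"])):
            ip, mac = m.group(1), norm_mac(m.group(2))
            if ip not in pending:
                findings.append(f"{f['ts']}: unsolicited ARP reply for {ip}")
            if ip in cache and cache[ip] != mac:
                findings.append(f"{f['ts']}: {ip} changed from {cache[ip]} to {mac}")
            cache[ip] = mac
    return cache, findings

def check_ip_frames(frames, cache, our_mac):
    """Every IP frame we send must go to the MAC the cache holds for its destination IP."""
    problems = []
    for f in frames:
        if f["etype"] == "0800" and f["src"] == our_mac:
            _, dst_ip = ip_pair(f["detail"])
            if cache.get(dst_ip) != f["dst"]:
                problems.append(f"{f['ts']}: {dst_ip} sent to {f['dst']}, cache has {cache.get(dst_ip)}")
    return problems

def arp_frame_count(frames):
    return sum(1 for f in frames if f["etype"] == "0806")

if __name__ == "__main__":
    first = parse_tcpdump(FIRST_DUMP)
    cache, findings = learn_arp_cache(first)
    for ip, mac in cache.items():
        print(f"? ({ip}) at {mac} on fxp0")          # same shape as the 'arp -an' output
    print("findings:", findings or "none")
    second = parse_tcpdump(SECOND_DUMP)
    print("ARP frames in second capture:", arp_frame_count(second))
    print("cache mismatches:", check_ip_frames(second, cache, "00:08:c7:ca:ba:ad") or "none")
```

Run against the first capture the script prints the two 'arp -an' lines from above; run against the second it reports zero ARP frames and no mismatch, which is the cached-table case the post describes. The same parser works on any 'tcpdump -eni' output of this shape, so it can be pointed at a longer capture from a busier segment.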
Epilogue

Each BSD OS is equipped with all the tools to diagnose a TCP/IP problem. A program like 'ifconfig' allows you to check the configuration of your NIC. And 'tcpdump' shows exactly the exchange of packets.

We have seen what should happen in a well-configured network during a 'ping -c2 hostname'.