Ever heard of ARP Stuffing? Me neither.
Posted: November 1, 2011 Filed under: Tid-bits | Tags: access, access APC, access PDU, APC, arp, arp -s, arp stuffing, assign, assign IP address, configure apc, configure pdu, distribution, how to configure apc pdu, PDU, ping -l, power, power distribution unit, rack mount pdu, rack mounted apc pdu, unit 7 CommentsSo I’m looking at a metered APC PDU, model 7811, that I need to access. It’s fully racked and stacked, boxes on top of and below it. I don’t have the RJ-11 to serial cable that came with it and I don’t feel like making one. There’s currently not a DHCP scope on the subnet it will belong to so it will likely assign itself an APIPA address assuming it’s set to DHCP by default. It’s essentially an out-of-the-box config – which is nothing. What’s the easiest way to gain access to it?
The serial cable would be easiest, but it’s long been lost or thrown out by those who installed the PDU. Reading the documentation, I come across a section that mentions I can use an ARP command to assign an IP address. Did I read that right? Is it saying I can use ARP to ASSIGN an IP address? Re-reading the manual, it indeed says this – or something close to it, anyways.
Specifically, it says run the following commands from a Windows box on the same subnet:
arp -s
ping -l 113
What is going on here? I hit the googlizer with “arp -s.” The link that I click on brings me to a page for a digital camara, explaining how to do the same thing the PDU documentation wants me to do – use arp -s and a non-default sized ping packet. That’s not a lot of help.
In any young IT guy’s journey, he’ll no doubt learn the intricacies, okay not the intricacies, but at least the purpose and usefulness of the ARP protocol: resolve IP addresses to MAC addresses. But I’ve never heard of ARP assigning IP addresses – that’s both cool and a bit scary. I mean, what’s stopping someone up to no good from wreaking havoc by re-assigning, possibly bad, IP addresses to devices on the network?
So by this time I think I’m missing something. Maybe I only skimmed those chapters on the ARP protocol in college. So I hit up Wikipedia. At the very bottom of the page, the last entry lists something called ARP Stuffing. You can find it here.
Turns out that I wasn’t missing much, if anything. I just hadn’t seen everything yet. There are some devices out there, such as networked camaras, power distribution units, and uninterruptible power supplies that have the ability to accept non-default sized ping packets and assign themselves the address it finds inside the packet. This functionality needs to be built into the device into the first place. The ARP in ARP Stuffing comes from the user “stuffing” a static ARP entry into his local computer’s ARP cache with the desired IP address of the device you wish to configure.
So for instance, I’ve got a bunch of APC PDUs racked and in production. Nobody’s ever bothered to configure them, so here I am left trying to do it. All I have to do is find the MAC addresses. Turns out that they’re on a sticker on the bottom of the PDU. What makes this a pain is that, since the racks are full of equipment, I have to wriggle around on the floor, under the racks, and sometimes take the PDU out of the rack part of the way to see the sticker. But! Once you have the MAC addresses, you’re in bid-ness.
I already had some switch ports provisioned for the correct VLAN, so I plugged in the PDU and plugged in my laptop to the same VLAN. I assigned my laptop an IP address in the proper range for the subnet and then input the two commands above, shown again here.
arp -s 192.168.50.146 00-C0-34-4D-A5-9C
Checking my ARP table with arp -a I see this:
Interface: 192.168.50.131 — 0x2
Internet Address Physical Address Type
192.168.50.36 5c-26-0a-41-b5-93 dynamic
192.168.50.80 f4-ce-46-39-e9-49 dynamic
192.168.50.146 00-c0-34-4d-a5-9c static
I see my static, or “stuffed” entry there, good.
And now the ping: ping 192.168.50.146 -l 113
Pinging 192.168.50.146 with 113 bytes of data:
Reply from 192.168.50.146: bytes=113 time<1ms TTL=128
Reply from 192.168.50.146: bytes=113 time<1ms TTL=128
Reply from 192.168.50.146: bytes=113 time<1ms TTL=128
Reply from 192.168.50.146: bytes=113 time<1ms TTL=128
Ping statistics for 192.168.50.146:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
So you see the only real difference here is that it pings with a packet size of 113 bytes instead of the standard 32. You can see that right away, the device responds with a ping reply.
Now, many of the devices that have this feature built into them will also have some sort of configuration interface – once they have a proper IP address. Now that it has one, you can try and access it. For the APC PDUs, they have web interfaces, ssh/telnet, etc. I fire up a browser and input the IP address I assigned and it pulls up the page. That was pretty easy, eh?
[…] enough to reset the IP address for me. Otherwise I could refer to a certain Michael Brown’s posting regarding these bad boys. Share this:TwitterFacebookLike this:LikeBe the first to like this post. […]
Yep, came in handy as one of the PDU’s had such a low code revision (1.1.6 from 2003!) that after doing a jump to 2 (before moving to 3.7.3) it wigged out pretty significantly. Was able to stuff it’s arp and bam, came back to life.
That’s a beer to you sir when you return to this great country of ours!
[…] If they come with an IP address already, and you know it, then it will be easy to connect to them. The login/password is apc/apc. If you do not know the IP address, you can ARP STUFF them to re-ip them. I’m too lazy to type how, and would rather direct you to this friendly post from Michael Brown. […]
Hi Mike, I found this article when looking for instruction on how to use this method to configure APC rails but from a Cisco device. The reason being, the APC devices are in a remote DC, and I don’t have a PC or server on that subnet to do it “locally”. I finally worked it out, so thought your readers might like instructions on how to do it. Turns out from a cisco device it needs a ping size of 141 bytes (as opposed to the 113 bytes from a windows machine).
So say you want to give the device with MAC address aaaa.bbbb.cccc an IP address of 10.10.1.5, do the following from a Cisco device on that subnet:
router#configure terminal
router (config)#arp 10.10.1.5 aaaa.bbbb.cccc ARPA
router (config)#end
router#ping 10.10.1.5 size 141
The first few pings will fail, then it will start answering. If you have proxy-arp enabled on the subnet, then you will be able to web browse to http://10.10.1.5, put in the default username/password (apc/apc), and then update the network settings with the correct subnet mask and default gateway.
One last step would be to remove the static arp entry from the Cisco device:
router#configure terminal
router (config)#no arp 10.10.1.5 aaaa.bbbb.cccc ARPA
Hope this helps someone out there!
For those curious, the size option of the ping command in Cisco IOS sets the size of the entire IP packet (IP Header, 20 bytes, ICMP Fields, 8 Bytes, Data Payload, 113). Total is 141 bytes.
On Windows, Mac and Linux, the -l or -s options set the size of the payload only (113), hence the difference in the typed commands.
You can hold down the button on the front of those PDU’s for five seconds and the LEDs will read out the IP one digit at a time. So if it’s 169.254.x.x it should give it to you (in theory)… (yes APCs are a pain but I still love ’em)
[…] VirtuallyMikeBrown – Ever herd of ARP stuffing? […]