ARP Address Resolu,on Protocol

Size: px

Start display at page:

Download "ARP Address Resolu,on Protocol"

Arnold Walker
6 years ago
Views:

1 ARP Address Resolu,on Protocol Security João Paulo Barraca 1

2 Networking Basics Communica,on in packet networks rely on several layers, with different iden,fiers: Applica,ons use TCP/UDP ports Hosts use IP addresses Interface Cards use MAC addresses Communica,on is typically made between applica,ons using touples <IP_Address:Port> and a protocol (e.g. TCP or UDP). João Paulo Barraca <jpbarraca@ua.pt> 2

3 Networking Basics When a packet is to be routed, two situa,ons may occur: The packet is sent to the des,na,on host, which is in the same IP network. The packet must be sent to a next hop (gateway), un,l it reaches the des,na,on IP network. In both cases, packet is transmiyed between physical interfaces João Paulo Barraca <jpbarraca@ua.pt> 3

4 Networking Basics Applica,on Applica,on HLP HLP HLP HLP IP SRC: IP_A DST: IP_C IP SRC: IP_A DST: IP_C IP SRC: IP_A DST: IP_C IP SRC: IP_A DST: IP_C MAC SRC: MAC_A DST: MAC_B MAC SRC: MAC_A DST: MAC_B MAC SRC: MAC_B DST: MAC_C MAC SRC: MAC_B DST: MAC_C Phy Phy Phy Phy João Paulo Barraca 4

5 Networking Basics IP addresses do not change between source and des,na,on MAC addresses are valid for a single network segment When packet is routed, MAC address of next hop must be found João Paulo Barraca <jpbarraca@ua.pt> 5

6 IP to MAC mapping Sta,c configura,on MAC entries of all hosts configured sta,cally All hosts know the MAC address of all interfaces of all other hosts Does not scale! Changing a single interface requires upda,ng all other hosts Dynamic configura,on: ARP João Paulo Barraca <jpbarraca@ua.pt> 6

7 Address Resolu,on Protocol RFC 826 ARP: find MAC address of an Interface which is in a host with IP address RARP: find IP address of host having an interface with the given MAC 32bit IPv4 Addresses ARP 48bit Ethernet Addresses João Paulo Barraca <jpbarraca@ua.pt> 7

8 Address Resolu,on Protocol Who has ? Send ARP Request using broadcast. João Paulo Barraca 8

9 Address Resolu,on Protocol Not me! Me! 00:11:22:33:44:55 Reply using ARP Response using unicast João Paulo Barraca 9

10 Address Resolu,on Protocol Every packet sent requires two MAC address Source Address is known Des,na,on Address must be determined ARP Cache increases performance Caches both known and unknown entries Avoid repea,ng the discovery process per packet Entries have a large life,me (2 minutes) João Paulo Barraca <jpbarraca@ua.pt> 10

11 ARP Cache arp -a! fog.av.it.pt ( ) at 00:1e:8c:3e:6a:a6 [ether] on eth0! atnog.av.it.pt ( ) at 00:15:17:e6:6f:67 [ether] on eth0! guarani.av.it.pt ( ) at 00:0c:6e:da:19:87 [ether] on eth0! aeolus.av.it.pt ( ) at bc:ae:c5:1d:c6:53 [ether] on eth0! João Paulo Barraca 11

12 ARP Spoofing MAC addresses can be modified ifconfig eth0 hw ether 00:11:22:33:44:55! Using a colliding MAC address will allow recep,on of network traffic for other hosts Some switches limit MAC addresses to single ports Sending ARP packets with spoofed addressed may poison the cache of other sta,ons ARP Poisoning João Paulo Barraca <jpbarraca@ua.pt> 12

13 ARP Poisoning Hosts cache informa,on directly from ARP packets No other verifica,on is done New informa,on will replace exis,ng entries Great for allowing network dynamism Very bad for security Possible to send specially cramed packets to create specific entries in remote hosts João Paulo Barraca 13

ARP Poisoning When receiving an ARP Request: 10.0.0.2 will send an ARP Reply But 10.0.0.2 will also learn that 10.

14 ARP Poisoning When receiving an ARP Request: will send an ARP Reply But will also learn that is at e0:f8:47:1b:1f:42 João Paulo Barraca 14

15 ARP Poisoning When receiving an ARP Reply will learn that is at 90:f6:52:f2:77:62. even if no matching request as made João Paulo Barraca 15

16 ARP Poisoning: Consequences Hosts can be isolated from the network Create fake entries for all other hosts Eve :11:11:11:11:11 Alice :22:22:22:22:22 Bob :33:33:33:33:33 ARP Request Who has ? I am , 44:44:44:44:44:44 GW :11:22:33:44:55 Alice will use 44:44:44:44:44:44 when talking to Bob João Paulo Barraca <jpbarraca@ua.pt> 16

17 ARP Poisoning: Consequences Hosts can be denied communica,on with the outside world Eve :11:11:11:11:11 Alice :22:22:22:22:22 Bob :33:33:33:33:33 ARP Request Who has ? I am , 44:44:44:44:44:44 ARP Request Who has ? I am , 44:44:44:44:44:44 GW :11:22:33:44:55 João Paulo Barraca <jpbarraca@ua.pt> 17

18 ARP Poisoning: Consequences Traffic between two hosts can be intercepted (MitM) Eve :11:11:11:11:11 Alice :22:22:22:22:22 Bob :33:33:33:33:33 ARP Request Who has ? I am , 11:11:11:11:11:11 ARP Request Who has ? I am , 11:11:11:11:11:11 Then Eve will forward traffic GW :11:22:33:44:55 João Paulo Barraca <jpbarraca@ua.pt> 18

19 ARP Poisoning: Avoidance Use sta,c entries No resolu,on process is triggered Colliding Informa,on from ARP packets is discarded Behaviour detec,on Detect ARP Replies without Request Detect repeated Requests from same host. João Paulo Barraca 19

20 ARP Poisoning: Avoidance Use monitoring somware Somware watches for MAC changes Network administrator is no,fied ARP Poison is not actually avoided! Port based packet filtering at switch ingress Spoofed ARP packets are dropped Only possible in sta,c scenarios João Paulo Barraca 20

Basic elements of IP and its interac2on with Ethernet

Basic elements of IP and its interac2on with Ethernet IP addressing, Forwarding, ARP, ARP poisoning Marco Bonola, Lorenzo Bracciale Corso di Fondamen2 di Re2 e Segnali Prof. Giuseppe Bianchi A.A. 2010