Network Security
Dr. Ihsan Ullah
Department of Computer Science & IT, University of Balochistan, Quetta, Pakistan
June 18, 2015
1 / 19
ARP (Address Resolution Protocol) poisoning
- ARP is used to resolve 32-bit IP addresses (e.g., 55.91.56.21) into 48-bit local MAC addresses (e.g., 01-1C-23-0E-1D-41)
- Hosts on the same network must know each other's MAC addresses before they can send and receive packets using IP addresses
- Hosts build ARP tables by sending ARP requests and replies to each other
Normal ARP operation
- Every host on a network builds an ARP table
(Figure: entry of 10.0.0.1 into the ARP table at the gateway router)
Normal ARP operation
- Suppose the gateway (router) receives a packet addressed to an internal host (10.0.0.1)
- It sends an ARP request to every host on the LAN asking which of them has that IP address
- Only the host that has the requested IP address responds; all other hosts ignore the request
- Here, host A responds with an ARP reply that contains its physical/MAC address (A1-A1-A1-A1-A1-A1)
- The switch records the MAC addresses of the gateway and host A, as well as their respective port numbers
- The gateway receives the ARP reply and records host A's IP address and corresponding MAC address
Normal ARP operation
- After adding the MAC address entry for host A to its ARP table, the gateway can forward all packets addressed to 10.0.0.1
- The switch looks only at the MAC address as the packet is passed from the gateway to host A
- Other hosts on the LAN cannot see any packets addressed to host A
ARP spoofing
- ARP requests and replies do not require authentication or verification
- All hosts trust all ARP replies
- ARP spoofing uses false ARP replies to map any IP address to any MAC address
- Spoofed ARP replies are broadcast to other hosts on the LAN
- This allows an attacker to manipulate the ARP tables on all LAN hosts
ARP poisoning
- ARP poisoning can be used to reroute traffic for a MITM (Man-in-the-Middle) attack
- The attacker begins the attack by sending a continuous stream of unsolicited ARP replies to all hosts on the LAN except the gateway
- The replies tell the other hosts on the LAN that the gateway (10.0.0.4) is now at C3-C3-C3-C3-C3-C3
- Hosts on the LAN record the false ARP reply in their ARP tables
- Any packets they wish to send to the gateway will be addressed to 10.0.0.4 at C3-C3-C3-C3-C3-C3
- Since the switch only looks at MAC addresses, it cannot identify the incorrect ARP resolution being pushed out to all other hosts
- After intercepting the message, the attacker reroutes the traffic to the gateway
(Figure: ARP poisoning of the internal hosts)
ARP poisoning
- To poison the gateway, the attacker sends a continuous stream of spoofed ARP replies to the gateway telling it that all other internal hosts are at C3-C3-C3-C3-C3-C3
- The gateway records all internal IP addresses (10.0.0.1, 10.0.0.2, and 10.0.0.3) with the same MAC address (C3-C3-C3-C3-C3-C3) in its ARP table
- Any packet the gateway receives for an internal host is forwarded to the attacker
- The attacker redirects the traffic it intercepts
- To launch this attack, the attacker must have access to the local network and must keep sending a continuous stream of spoofed ARP replies to prevent the other hosts' ARP tables from self-correcting
ARP DoS attack
- A minor modification of the attack stops all traffic on the local network
- The attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies saying that the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5
- Hosts record the gateway's IP address with the nonexistent MAC address
- Packets addressed to E5-E5-E5-E5-E5-E5 are dropped by the switch since the MAC address does not exist
(Figure: ARP DoS attack)
Preventing ARP poisoning
Static tables
- ARP poisoning can be prevented by using static IP tables and static ARP tables
- Static ARP tables are set manually and cannot be updated dynamically through ARP
- Difficult to manage
Limit local access
- Another way of preventing ARP poisoning is to limit access to the local network
- Controlling network access
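Added example, not part of the lecture slides: a small monitor that replays captured ARP replies against a static ARP table (the prevention idea above) and flags the MITM and DoS patterns from the earlier slides, namely a reply contradicting a pinned binding, a dynamic binding that silently changes, and one MAC claiming many IP addresses (the gateway-poisoning signature). The replies and the gateway MAC 44-44-44-44-44-44 are constructed for the example; the other addresses are the ones used in the slides.

```python
from collections import defaultdict

# Constructed: bindings an administrator would pin in a static ARP table.
# The gateway MAC is assumed; the other values come from the slides.
STATIC_ARP = {
    "10.0.0.4": "44-44-44-44-44-44",  # gateway (MAC assumed)
    "10.0.0.1": "A1-A1-A1-A1-A1-A1",  # host A
}

# Constructed ARP replies as (sender_ip, sender_mac, target_ip), in the
# order a sniffer on the LAN would see them. Hosts .2 and .3 are unpinned.
SAMPLE_REPLIES = [
    ("10.0.0.1", "A1-A1-A1-A1-A1-A1", "10.0.0.4"),  # legitimate reply from host A
    ("10.0.0.2", "B2-B2-B2-B2-B2-B2", "10.0.0.4"),  # legitimate reply from host B
    ("10.0.0.4", "C3-C3-C3-C3-C3-C3", "10.0.0.1"),  # MITM: gateway IP claimed by attacker MAC
    ("10.0.0.4", "C3-C3-C3-C3-C3-C3", "10.0.0.2"),  # ...repeated to every host
    ("10.0.0.1", "C3-C3-C3-C3-C3-C3", "10.0.0.4"),  # MITM: poisoning the gateway's table
    ("10.0.0.2", "C3-C3-C3-C3-C3-C3", "10.0.0.4"),
    ("10.0.0.3", "C3-C3-C3-C3-C3-C3", "10.0.0.4"),
    ("10.0.0.4", "E5-E5-E5-E5-E5-E5", "10.0.0.3"),  # DoS: gateway mapped to a nonexistent MAC
]

def analyse_replies(replies, static_table=STATIC_ARP, max_ips_per_mac=1):
    """Replay ARP replies; return (alerts, learned) where alerts is a
    deduplicated list of (kind, ip, mac) and learned is the IP-to-MAC
    table an unprotected host's ARP cache would end up holding."""
    learned = {}
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed to own
    alerts, seen = [], set()
    def alert(kind, ip, mac):
        if (kind, ip, mac) not in seen:      # report each pattern once
            seen.add((kind, ip, mac))
            alerts.append((kind, ip, mac))
    for sender_ip, sender_mac, _target_ip in replies:
        mac = sender_mac.upper()
        pinned = static_table.get(sender_ip)
        if pinned is not None and pinned.upper() != mac:
            alert("static_mismatch", sender_ip, mac)   # contradicts the static table
        elif learned.get(sender_ip, mac) != mac:
            alert("binding_changed", sender_ip, mac)   # dynamic binding silently replaced
        learned[sender_ip] = mac          # an unprotected cache accepts it anyway
        ips_by_mac[mac].add(sender_ip)
    # Gateway-poisoning pattern: one MAC answering for the whole subnet.
    for mac, ips in ips_by_mac.items():
        if len(ips) > max_ips_per_mac:
            alert("mac_claims_many_ips", ",".join(sorted(ips)), mac)
    return alerts, learned
```

On a real LAN the replies would come from a sniffer rather than a constructed list; the static table is what makes the first alert kind possible, which is why the slides recommend it despite the management cost.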
Network access control
- LANs can be wired or wireless; most often, wireless LANs are connected to wired LANs
- The wireless client communicates by radio with a wireless access point, which in turn connects via 4-pair UTP to an Ethernet switch
(Figure: network access control)
Access control threats
- Traditionally, Ethernet LANs offered no access control security
- Any intruder who entered a corporate building could walk up to any wall jack and plug in a notebook computer
- The intruder would then have unrestricted access to the LAN's computers, bypassing the site's border firewall
- A complete breakdown in access control
- Even deeper access threats in wireless LANs
- Once intruders gain access, they can use a packet sniffer to intercept and read legitimate traffic
Ethernet security
802.1X security
- 802.1X makes the Ethernet workgroup switch the gateway to the network
- The user's computer connects to a specific port on the workgroup switch
- That port is the real point of access control
- The name of the 802.1X standard is Port-Based Access Control
(Figure: 802.1X security)
802.1X security
- When the computer first connects, the port is in an unauthorized state
- It will not permit the user to communicate over the network
- The port remains unauthorized until the computer authenticates itself
- After authentication, the port changes to the authorized state and the computer gets access to the network
- To avoid burdening the switch, switches rely on a central authentication server
- This server holds the authentication data needed to check credentials and has the processing power to do so
RADIUS and EAP
- Remote Authentication Dial In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect to and use a network service
- 802.1X relies on the Extensible Authentication Protocol (EAP) to govern the specifics of the authentication interactions
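Added example, not from the slides and not an implementation of the real 802.1X or RADIUS protocols: a simplified model of port-based access control as the last three slides describe it. A port starts unauthorized and lets only EAPOL frames (EtherType 0x888E, the EAP-over-LAN carrier) reach the authenticator, the switch delegates the credential check to a central server object standing in for RADIUS, and the port only forwards ordinary traffic after a successful check. The user database, the hash-based credential check and the frame representation are constructed for the example.

```python
import hashlib
import hmac

EAPOL = 0x888E  # EtherType of EAP-over-LAN frames
IPV4 = 0x0800   # ordinary traffic, used here to probe the port state

class AuthServer:
    """Stands in for the central (RADIUS) server that checks credentials."""
    def __init__(self, users):
        # Constructed user database: identity -> SHA-256 of the secret.
        self._db = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}

    def check(self, identity, secret):
        expected = self._db.get(identity)
        presented = hashlib.sha256(secret.encode()).digest()
        # constant-time compare; unknown identities are rejected
        return expected is not None and hmac.compare_digest(expected, presented)

class SwitchPort:
    """One port on the workgroup switch acting as the 802.1X authenticator."""
    def __init__(self, server):
        self.server = server
        self.authorized = False   # every port starts unauthorized
        self.identity = None

    def receive(self, ethertype, payload):
        """EAPOL frames always reach the authenticator (the uncontrolled
        port); all other frames are dropped until the port is authorized."""
        if ethertype == EAPOL:
            return self._authenticate(payload)
        return "forwarded" if self.authorized else "dropped"

    def _authenticate(self, payload):
        # payload models the EAP identity/credential exchange, simplified
        identity, secret = payload
        if self.server.check(identity, secret):
            self.authorized, self.identity = True, identity
            return "authorized"
        self.authorized, self.identity = False, None   # failed (re)authentication revokes access
        return "rejected"

    def link_down(self):
        # unplugging the cable returns the port to the unauthorized state
        self.authorized, self.identity = False, None
```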