AN INTRODUCTION TO ARP SPOOFING

Similar documents
CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

ICS 451: Today's plan

Switched environments security... A fairy tale.

To see how ARP (Address Resolution Protocol) works. ARP is an essential glue protocol that is used to join Ethernet and IP.

Towards Layer 2 Authentication: Preventing Attacks based on Address Resolution Protocol Spoofing

Switching & ARP Week 3

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

DESIGN DETECTION OF MULTIPLE SPOOFING ATTACKERS USING ARP J.Deny* 1, J.Densi 2, J. Darwin 3

ELEC5616 COMPUTER & NETWORK SECURITY

Example: Configuring DHCP Snooping, DAI, and MAC Limiting on an EX Series Switch with Access to a DHCP Server Through a Second Switch

A Framework for Optimizing IP over Ethernet Naming System

Example: Configuring DHCP Snooping and DAI to Protect the Switch from ARP Spoofing Attacks

Muhammad Farooq-i-Azam CHASE-2006 Lahore

Lab Using Wireshark to Examine Ethernet Frames

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Ref: A. Leon Garcia and I. Widjaja, Communication Networks, 2 nd Ed. McGraw Hill, 2006 Latest update of this lecture was on

20-CS Cyber Defense Overview Fall, Network Basics

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Lab Using Wireshark to Examine Ethernet Frames

Computer Forensics: Investigating Network Intrusions and Cybercrime, 2nd Edition. Chapter 2 Investigating Network Traffic

Material for the Networking lab in EITF25 & EITF45

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

ARP Inspection and the MAC Address Table

Network Security. The Art of War in The LAN Land. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, September 27th, 2018

Address Resolution Protocol (ARP), RFC 826

GenCyber Networking. ARP Poisoning

CIT 380: Securing Computer Systems. Network Security Concepts

Cache poisoning in S-ARP and Modifications

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

19: Networking. Networking Hardware. Mark Handley

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

NETWORK SECURITY. Ch. 3: Network Attacks

CSc 466/566. Computer Security. 18 : Network Security Introduction

Network Security. Network Vulnerabilities

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

IP: Addressing, ARP, Routing

ARP SPOOFING Attack in Real Time Environment

CS 458 Internet Engineering Spring First Exam

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. June 18, 2015

Packet Sniffing and Spoofing

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

CIS 5373 Systems Security

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

Configuring Dynamic ARP Inspection

CSE 565 Computer Security Fall 2018

DDoS Testing with XM-2G. Step by Step Guide

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Introduction to Computer Networks. CS 166: Introduction to Computer Systems Security

Keywords: ARP Protocol; ARP Cache; ARP Spoofing Attack; Reverse ARP Poisoning, Active IP Probing

CCNA 1 Chapter 5 v5.0 Exam Answers 2013

Lab1. Definition of Sniffing: Passive Sniffing: Active Sniffing: How Does ARP Spoofing (Poisoning) Work?

Detecting Sniffers on Your Network

2. What is a characteristic of a contention-based access method?

CCNP Switch Questions/Answers Securing Campus Infrastructure

Internetwork Expert s CCNA Security Bootcamp. Mitigating Layer 2 Attacks. Layer 2 Mitigation Overview

CSC 574 Computer and Network Security. TCP/IP Security

Computer Networks Security: intro. CS Computer Systems Security

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Network Security. Thierry Sans

Computer Network Routing Challenges Associated to Tackle Resolution Protocol

Scribe Notes -- October 31st, 2017

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

Configuring Dynamic ARP Inspection

DELVING INTO SECURITY

Chapter 5 Reading Organizer After completion of this chapter, you should be able to:

CSCI 680: Computer & Network Security

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

Welcome to PHOENIX CONTACT Routing

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Auxiliary Protocols

in-the-middle attack

Configuring Flood Protection

SDN-based Defending against ARP Poisoning Attack

1 TABLE OF CONTENTS UNCLASSIFIED//LES

Lab 9.8.1: Address Resolution Protocol (ARP)

Chapter 2 - Part 1. The TCP/IP Protocol: The Language of the Internet

Good day. Today we will be talking about Local Internetworking What is Internetworking? Internetworking is the connection of different networks.

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Man in the middle. Bởi: Hung Tran

CS Paul Krzyzanowski

Enhance the Security and Performance of IP over Ethernet Networks by Reduction the Naming System Design

To make a difference between logical address (IP address), which is used at the network layer, and physical address (MAC address),which is used at

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Denial of Service, Traceback and Anonymity

CIS 551 / TCOM 401 Computer and Network Security

Lecture 17 Overview. Last Lecture. Wide Area Networking (2) This Lecture. Internet Protocol (1) Source: chapters 2.2, 2.3,18.4, 19.1, 9.

Troubleshooting High CPU Utilization Due to the IP Input Process

Wireless Network Security Spring 2016

ACCURATE STUDY GUIDES, HIGH PASSING RATE! Question & Answer. Dump Step. provides update free of charge in one year!

Securing ARP and DHCP for mitigating link layer attacks

9. Wireshark I: Protocol Stack and Ethernet

2. Network Infrastructure Security -- Switching

VLAN Hopping, ARP Poisoning, and Man-In-TheMiddle Attacks in Virtualized Environments

Configuring ARP CHAPTER4

Cisco CCNA Basic IP Routing Part I

Network Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:

Chapter 8 roadmap. Network Security

Transcription:

AN INTRODUCTION TO ARP SPOOFING April, 2001 Sean Whalen Sophie Engle Dominic Romeo

GENERAL INFORMATION Introduction to ARP Spoofing (April 2001) Current Revision: 1.8 Available: http://chocobospore.org http://packetstorm.securify.com http://securityportal.com An Introduction to ARP Spoofing Slide 2

PURPOSE Audience Basic networking experience TCP/IP Reference Model Switched vs. non-switched networks Topic: ARP Spoofing Introduction - Defenses Operation - Conclusion Attacks An Introduction to ARP Spoofing Slide 3

INTRODUCTION A computer connected to an IP/Ethernet LAN has two addresses: MAC/Ethernet Address Address of the network card In theory, unique & unchangeable Virtual address Assigned via software An Introduction to ARP Spoofing Slide 4

INTRODUCTION MAC/Ethernet Address Necessary for Ethernet to send data Independent of application protocols Divides data into 1500 byte frames Each frame has a header containing the MAC address of the source and destination computer An Introduction to ARP Spoofing Slide 5

INTRODUCTION Used by applications Independent of whatever network technology operates underneath it Each computer on a network must have an unique IP address to communicate An Introduction to ARP Spoofing Slide 6

INTRODUCTION IP & Ethernet must work together! Source Application Destination IP When the source needs to send something out on the network, it sends a packet of data with the IP address to the Ethernet layer. Data Ethernet An Introduction to ARP Spoofing Slide 7

INTRODUCTION IP & Ethernet must work together! Source Application Destination IP Data Destination IP Ethernet ARP Destination MAC Ethernet then takes the IP, and uses ARP to get the corresponding MAC Address. An Introduction to ARP Spoofing Slide 8

INTRODUCTION IP & Ethernet must work together! Source Application Destination IP ARP Destination IP Data Ethernet Destination MAC Destination MAC Destination IP Then, Ethernet adds the MAC to the frame and sends it out into the network, where it will eventually arrive at the destination. Data Network Destination An Introduction to ARP Spoofing Slide 9

OPERATION ARP Request Does anyone have IP 10.0.0.3? If so, tell me your MAC address! <<10.0.0.1 (IP) 00:00:00:00:00:01 (MAC) 10.0.0.2 (IP) 00:00:00:00:00:02 (MAC) <<10.0.0.3 (IP) 00:00:00:00:00:03 (MAC) ARP 10.0.0.4 (IP) 00:00:00:00:00:04 (MAC) First, ARP sends a request into the network asking for the MAC matching the given IP. network An Introduction to ARP Spoofing Slide 10

OPERATION ARP Reply <<10.0.0.1 (IP) 00:00:00:00:00:01 (MAC) I do!! My MAC address is 00:00:00:00:00:03 10.0.0.2 (IP) 00:00:00:00:00:02 (MAC) <<10.0.0.3 (IP) 00:00:00:00:00:03 (MAC) ARP 10.0.0.4 (IP) 00:00:00:00:00:04 (MAC) Everyone on the network listens for these requests, and sends back it s MAC address if it s IP matches the request. network An Introduction to ARP Spoofing Slide 11

OPERATION ARP Cache Kept locally to minimize the number of ARP requests being broadcast Updates the cache with the new IP/MAC associations for each reply Stateless protocol Most operating systems will update the cache if a reply is received, regardless of whether they sent out an actual request An Introduction to ARP Spoofing Slide 12

OPERATION ARP Spoofing Involves constructing forged ARP replies Takes advantage of the ARP cache Process of corrupting cache is Poisoning An Introduction to ARP Spoofing Slide 13

OPERATION ARP Spoofing <- 10.0.0.3 10.0.0.1 10.0.0.2 10.0.0.3 ARP Cache MAC Address 00:00:00:00:00:01 00:00:00:00:00:02 ARP Request ARP Response The computer needs to know what MAC address matches with 10.0.0.3, so it sends out an ARP request. An Introduction to ARP Spoofing Slide 14

OPERATION ARP Spoofing 00:00:00:00:00:03 -> 10.0.0.1 10.0.0.2 10.0.0.3 ARP Cache MAC Address 00:00:00:00:00:01 00:00:00:00:00:02 00:00:00:00:00:03 ARP Request ARP Response The computer gets back an ARP Response with the MAC address of 00:00:00:00:00:03. Then, the computer updates the ARP cache with the new IP/MAC Association. An Introduction to ARP Spoofing Slide 15

OPERATION ARP Spoofing ff:ff:ff:ff:ff:ff -> 10.0.0.1 10.0.0.2 10.0.0.3 ARP Cache MAC Address 00:00:00:00:00:01 00:00:00:00:00:02 00:00:00:00:00:03 ff:ff:ff:ff:ff:ff ARP Request ARP Response The computer need not send out an ARP Request to received an ARP Response. Thus, if a spoofed response were to arrive, the computer would update the cache as usual. An Introduction to ARP Spoofing Slide 16

OPERATION ARP Spoofing 10.0.0.1 10.0.0.2 10.0.0.3 ARP Cache MAC Address 00:00:00:00:00:01 00:00:00:00:00:02 ff:ff:ff:ff:ff:ff ARP Request ARP Response Now, when the computer sends data to 10.0.0.3, it will go to the computer with MAC address ff:ff:ff:ff:ff:ff instead of 00:00:00:00:00:03 like it should. An Introduction to ARP Spoofing Slide 17

ATTACKS - SNIFFING Promiscuous mode Allows network cards to examine frames that are destined for MAC addresses other than their own Switches Routes frames to a single port, based on a table of MAC/port associations Prevents traditional sniffing An Introduction to ARP Spoofing Slide 18

ATTACKS - SNIFFING Man-in-the-Middle Attack (MiM) A malicious user: Inserts his computer between the communications path of two target computers Forwards frames between the two target computers so communications are not interrupted All Internet traffic could be intercepted if this was performed between the target and router An Introduction to ARP Spoofing Slide 19

ATTACKS - SNIFFING Man-in-the-Middle Attack (MiM) 10.0.0.1 00:00:00:00:00:01 A 10.0.0.2 00:00:00:00:00:02 B MAC Address MAC Address 10.0.0.2 00:00:00:00:00:02 10.0.0.1 00:00:00:00:00:01 Computer A & B are communicating on a switched network. (For illustration purposes, switch left out of picture.) An Introduction to ARP Spoofing Slide 20

ATTACKS - SNIFFING Man-in-the-Middle Attack (MiM) 10.0.0.1 00:00:00:00:00:01 xx.xx.xx.xx xx:xx:xx:xx:xx:xx 10.0.0.2 00:00:00:00:00:02 A <- ARP Reply X B MAC Address MAC Address 10.0.0.2 xx:xx:xx:xx:xx:xx 00:00:00:00:00:02 10.0.0.1 00:00:00:00:00:01 To intercept communications, computer X first sends a spoofed ARP reply to computer A. This reply replaces the IP address of B with the MAC of X. An Introduction to ARP Spoofing Slide 21

ATTACKS - SNIFFING Man-in-the-Middle Attack (MiM) 10.0.0.1 00:00:00:00:00:01 xx.xx.xx.xx xx:xx:xx:xx:xx:xx 10.0.0.2 00:00:00:00:00:02 A X ARP Reply -> B MAC Address MAC Address 10.0.0.2 xx:xx:xx:xx:xx:xx 10.0.0.1 xx:xx:xx:xx:xx:xx 00:00:00:00:00:01 Computer X then sends a spoofed ARP reply to computer B. This reply replaces the IP address of A with the MAC of X. An Introduction to ARP Spoofing Slide 22

ATTACKS - SNIFFING Man-in-the-Middle Attack (MiM) 10.0.0.1 00:00:00:00:00:01 A xx.xx.xx.xx xx:xx:xx:xx:xx:xx X 10.0.0.2 00:00:00:00:00:02 B MAC Address MAC Address 10.0.0.2 xx:xx:xx:xx:xx:xx 10.0.0.1 xx:xx:xx:xx:xx:xx Now, when computer A wants to talk to B, it sends the data to X. Likewise, computer B sends its data to X when it wants to talk to A. An Introduction to ARP Spoofing Slide 23

ATTACKS - SNIFFING Man-in-the-Middle Attack (MiM) 10.0.0.1 00:00:00:00:00:01 A xx.xx.xx.xx xx:xx:xx:xx:xx:xx X 10.0.0.2 00:00:00:00:00:02 B MAC Address MAC Address 10.0.0.2 xx:xx:xx:xx:xx:xx 10.0.0.1 xx:xx:xx:xx:xx:xx Computer X needs to do one more thing to prevent disrupting the communication Between A and B. It must forward the packets A sends to B on, and visa versa. An Introduction to ARP Spoofing Slide 24

ATTACKS - SNIFFING MAC Flooding Send spoofed ARP replies to a switch at an extremely rapid rate Switch s port/mac table will overflow Results vary Some switches will revert into broadcast mode, allowing sniffing to then be performed An Introduction to ARP Spoofing Slide 25

ATTACKS - BROADCASTING Sniffing Set the MAC address of the network gateway to the broadcast MAC Storms Enables sniffing of non-internal communications Poisoning caches with the broadcast address could cripple large networks An Introduction to ARP Spoofing Slide 26

ATTACKS DOS Denial of Service Update ARP caches with non-existent MAC addresses Causes frames to be dropped Could be sent out in a sweeping fashion to DoS all clients on a network Possible side affect of post-mim attacks An Introduction to ARP Spoofing Slide 27

ATTACKS - DOS DoS due to Post-MiM Attack 10.0.0.1 00:00:00:00:00:01 A xx.xx.xx.xx xx:xx:xx:xx:xx:xx X 10.0.0.2 00:00:00:00:00:02 B MAC Address MAC Address 10.0.0.2 xx:xx:xx:xx:xx:xx 10.0.0.1 xx:xx:xx:xx:xx:xx Computer X is currently using the MiM attack. An Introduction to ARP Spoofing Slide 28

ATTACKS - DOS DoS due to Post-MiM Attack 10.0.0.1 00:00:00:00:00:01 A 10.0.0.2 00:00:00:00:00:02 B MAC Address MAC Address 10.0.0.2 xx:xx:xx:xx:xx:xx 10.0.0.1 xx:xx:xx:xx:xx:xx Even when X leaves the network, A & B still have each other s IP address assigned to the MAC of X. Since X is no longer on the network, the frames go nowhere. An Introduction to ARP Spoofing Slide 29

ATTACKS - HIJACKING Connection Hijacking Allows an attacker to take control of a connection between two computers Can result in any type of session being transferred An Introduction to ARP Spoofing Slide 30

ATTACKS - CLONING MAC Address Cloning MAC addresses intended to be globally-unique and unchangeable Today, MAC addresses can be easily changed An attacker could DoS a target computer, clone the target s MAC address, and receive all frames intended for the target An Introduction to ARP Spoofing Slide 31

DEFENSES Defenses No universal defense Static (non-changing) ARP entries Port security (or Port Binding, MAC Binding) Detection ARPWatch Reverse ARP (RARP) An Introduction to ARP Spoofing Slide 32

DEFENSES STATIC ROUTES Static Routes ARP caches have static (non-changing) entries Spoofed ARP replies are ignored Creates lots of overhead Each ARP cache must have a static entry for every computer on the network Not practical for most LANs Results can also vary depending on operating system An Introduction to ARP Spoofing Slide 33

DEFENSES MAC BINDING MAC Binding Feature found on high-quality switches Does not allow the MAC address associated with a port to change once it has been set Legitimate changes can be performed by the network administrator Does not prevent ARP spoofing, but does prevent MAC cloning & spoofing An Introduction to ARP Spoofing Slide 34

Detection DETECTION ARPWatch (Free UNIX Program) Listens for ARP replies on a network and builds a table of IP/MAC associations When IP/MAC associations change (flip-flop), an email is sent to an administrator Reverse ARP (RARP) Requests the IP of a known MAC address Can be used to detect MAC cloning Promiscuous Mode Sniffing Many methods exist for detecting machines in promiscuous mode, and can be found in the Sniffing FAQ at http://www.robertgraham.com/pubs/sniffing-faq.html An Introduction to ARP Spoofing Slide 35

DETECTION The exact behavior of ARP varies with: Different operating systems Different operating system versions Different network hardware An Introduction to ARP Spoofing Slide 36

CONCLUSION ARP Spoofing is one of several vulnerabilities which exist in modern networking protocols. IP Spoofing TCP sequence prediction ICMP-based attacks It is unlikely that these problems will be addressed until abused on a wide enough scale to force a change in the status quo. An Introduction to ARP Spoofing Slide 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback