ARP Spoofing Attacks
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi
What is ARP?
Address Resolution Protocol maps IP address to MAC address
Purpose of ARP: resolve a 32-bit Internet (IP) address to a 48-bit Ethernet (MAC) address
ARP cache: IP – MAC bindings
IP          MAC                 TYPE
10.0.0.2    00:00:00:00:00:02   dynamic
How ARP Works?
ARP Request is Broadcast to all the hosts in LAN
[Figure: LAN with hosts 10.0.0.1 (00:00:00:00:00:01), 10.0.0.2 (00:00:00:00:00:02) and 10.0.0.3 (00:00:00:00:00:03); 10.0.0.1 broadcasts an ARP Request: "Who has IP 10.0.0.2? Tell your MAC address"]
How ARP Works?
Unicast Reply from concerned host
[Figure: 10.0.0.2 (00:00:00:00:00:02) sends a unicast ARP Reply to 10.0.0.1: "I have IP 10.0.0.2, my MAC is 00:00:00:00:00:02"]
ARP Cache Stores IP-MAC Pairs
[Figure: after receiving the ARP Reply from 10.0.0.2, host 10.0.0.1 updates its ARP cache]
ARP cache: updated
IP          MAC                 TYPE
10.0.0.2    00:00:00:00:00:02   dynamic
Why is ARP Vulnerable?
ARP is a stateless protocol
Hosts cache all ARP replies sent to them, even if they have not sent an explicit ARP request for them
No mechanism to authenticate their peer
Known Attacks Against ARP
ARP Spoofing
Man-in-the-Middle Attack
Denial-of-Service Attack
MAC Flooding (on Switch)
DoS by spurious ARP packets
ARP Spoofing Attack
Attacker sends forged ARP packets to the victim
[Figure: Attacker 10.0.0.2 (00:00:00:00:00:02) sends an ARP Reply to Victim 10.0.0.1 (00:00:00:00:00:01): "I have IP 10.0.0.3, my MAC is 00:00:00:00:00:02"; the Target is 10.0.0.3 (00:00:00:00:00:03). The victim's cache now holds:]
IP          MAC                 TYPE
10.0.0.3    00:00:00:00:00:02   dynamic
Spoofing Results in Redirection of Traffic
[Figure: packets from 10.0.0.1 (00:00:00:00:00:01) destined for 10.0.0.3 (00:00:00:00:00:03) are delivered to the attacker 10.0.0.2 (00:00:00:00:00:02) instead]
Man-in-the-Middle Attack Allows Third Party to Read Private Data
[Figure: Attacker 10.0.0.1 (00:00:00:00:00:01) sends forged ARP Replies to both 10.0.0.2 (00:00:00:00:00:02) and 10.0.0.3 (00:00:00:00:00:03)]
ARP cache of 10.0.0.2:
IP          MAC                 TYPE
10.0.0.3    00:00:00:00:00:01   dynamic
ARP cache of 10.0.0.3:
IP          MAC                 TYPE
10.0.0.2    00:00:00:00:00:01   dynamic
Man-in-the-Middle Attack
[Figure: with both caches poisoned, packets from 10.0.0.2 "To 10.0.0.3" and from 10.0.0.3 "To 10.0.0.2" both pass through the Attacker 10.0.0.1 (00:00:00:00:00:01)]
ARP cache of 10.0.0.2:
IP          MAC                 TYPE
10.0.0.3    00:00:00:00:00:01   dynamic
ARP cache of 10.0.0.3:
IP          MAC                 TYPE
10.0.0.2    00:00:00:00:00:01   dynamic
Denial of Service Stops Legitimate Communication
A malicious entry with a non-existent MAC address can lead to a DoS attack
[Figure: Attacker 10.0.0.2 (00:00:00:00:00:02) sends an ARP Reply to Victim 10.0.0.1 (00:00:00:00:00:01): "I have IP 10.0.0.3, my MAC is XX:XX:XX:XX:XX:XX"; the Target is 10.0.0.3 (00:00:00:00:00:03). The victim's cache now holds:]
IP          MAC                 TYPE
10.0.0.3    XX:XX:XX:XX:XX:XX   dynamic
Denial of Service Stops Legitimate Communication
Victim unable to reach the IP for which the forged packet was sent by the attacker
[Figure: Victim 10.0.0.1 (00:00:00:00:00:01) holds the entry 10.0.0.3 → XX:XX:XX:XX:XX:XX (dynamic) planted by Attacker 10.0.0.2 (00:00:00:00:00:02)]
PING 10.0.0.3 Request timed out.
MAC Flooding Degrades Network Performance
Attacker bombards the switch with numerous forged ARP packets at an extremely rapid rate such that its CAM table overflows
[Figure: switch CAM table filling up; Attacker 10.0.0.1 (00:00:00:00:00:01) is attached to the switch]
PORT   MAC
1      00:00:01:01:01:01
2      00:00:02:02:02:02
…      …
DoS by Spurious ARP Packets
Attacker sends numerous spurious ARP packets at the victim such that it gets engaged in processing these packets
Makes the victim busy and might lead to Denial of Service
[Figure: Attacker 10.0.0.1 (00:00:00:00:00:01) sends spurious ARP packets to the Victim, which is busy processing them]
Detection and Mitigation Techniques
Static ARP cache entries – fixed IP-MAC pairs
ARPWATCH / Colasoft Capsa / ARP-Guard – maintain a database of IP-MAC mappings; any change detected is reported to the administrator
Count the imbalance in the number of requests and responses (can be evaded)
Cryptographic techniques:
Secure ARP – uses cryptographic algorithms to authenticate
TARP – ticket based
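The following Python detector is an added example, not part of the lecture and not the code of ARPWATCH or any other tool named above. It parses raw Ethernet/ARP frames and applies two of the detection ideas from the slide: it keeps an IP-MAC mapping database and reports any change (the ARPWATCH approach), and it counts the request/reply imbalance; it also flags replies that answer no outstanding request, which is how the spoofed replies in the earlier slides reach a victim's cache. The sample traffic is constructed here from the addresses used in the slides.

```python
import struct
from collections import Counter

def arp_frame(op, smac, sip, tmac, tip):
    """Ethernet II + ARP (op 1=request, 2=reply); used only to build sample traffic."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    dst = b"\xff" * 6 if op == 1 else mac(tmac)           # requests are broadcast
    return (dst + mac(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(smac) + ip(sip) + mac(tmac) + ip(tip))

def parse_arp(frame):
    """Parse an Ethernet/IPv4 ARP frame into its opcode and sender/target fields."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP variant")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "smac": mac(frame[22:28]), "sip": ip(frame[28:32]), "tip": ip(frame[38:42])}

class ArpWatch:
    """Learns IP-MAC bindings from replies; alerts on binding changes and unsolicited
    replies, and tracks the reply/request imbalance."""
    def __init__(self):
        self.bindings, self.pending = {}, set()    # IP->MAC, IPs with an open request
        self.counts, self.alerts = Counter(), []
    def observe(self, frame):
        p = parse_arp(frame)
        self.counts[p["op"]] += 1
        if p["op"] == 1:                           # request: remember who was asked for
            self.pending.add(p["tip"])
        elif p["op"] == 2:                         # reply: should answer an open request
            if p["sip"] not in self.pending:
                self.alerts.append(f"unsolicited reply: {p['sip']} is-at {p['smac']}")
            self.pending.discard(p["sip"])
            old = self.bindings.get(p["sip"])
            if old and old != p["smac"]:           # IP has moved to a different MAC
                self.alerts.append(f"binding change: {p['sip']} {old} -> {p['smac']}")
            self.bindings[p["sip"]] = p["smac"]
    def imbalance(self):
        """Replies minus requests; a growing positive value suggests injected replies."""
        return self.counts[2] - self.counts[1]

# Constructed sample traffic with the slides' addresses: a legitimate request/reply
# for 10.0.0.3, then a reply claiming 10.0.0.3 is at host 10.0.0.2's MAC.
H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
SAMPLE = [arp_frame(1, H1, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.3"),
          arp_frame(2, H3, "10.0.0.3", H1, "10.0.0.1"),
          arp_frame(2, H2, "10.0.0.3", H1, "10.0.0.1")]
```

Feeding SAMPLE to an ArpWatch instance produces one "unsolicited reply" alert and one "binding change" alert for 10.0.0.3, with an imbalance of 1; a burst of spurious or non-existent-MAC replies such as those in the DoS slides raises the same alerts and drives the imbalance up.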