ARP Caching Christopher Avilla
What is ARP all about? • Background • Packet Structure • Probe • Announcement • Inverse and Reverse • Proxy • Tools • Poisoning • MAC Flooding
ARP Refresher • Determines a MAC when only IP address is known • Implemented in many types of networks • Most frequently used to translate IPv4 addresses into Ethernet MAC addresses • In the next generation Internet Protocol, IPv6, ARP's functionality is provided by the Neighbor Discovery Protocol (NDP).
Packet Structure • Simple message format • Carries one address resolution request or response • Operation code for request (1) and reply (2) • Four addresses: the hardware and protocol addresses of the sender and of the target (receiver)
Probe • An ARP request constructed with an all-zero sender IP address • Defined by the IPv4 Address Conflict Detection specification (RFC 5227) • A host first tests whether the address is already in use by broadcasting ARP probe packets
Announcements • Gratuitous ARP message • Updates other hosts' mappings of a hardware address when the sender's IP address or MAC address has changed • Broadcast as an ARP request containing the sender's protocol address (SPA) in the target field (TPA=SPA), with the target hardware address (THA) set to zero • An alternative is to broadcast an ARP reply with the sender's hardware and protocol addresses (SHA and SPA) duplicated in the target fields (TPA=SPA, THA=SHA)
Announcements Cont. • Not intended to solicit a reply • Updates any cached entries in the ARP tables of other hosts that receive the packet. • Many operating systems perform gratuitous ARP during startup • Load balancing for incoming traffic • In a team of network cards, used to announce a different MAC address within the team that should receive incoming packets.
Inverse ARP • Protocol used for obtaining IP addresses from MAC addresses • Used in Frame Relay and ATM networks • As ARP translates Layer 3 addresses to Layer 2 addresses, InARP may be described as its inverse • Implemented as a protocol extension to ARP • Uses the same packet format as ARP with different operation codes
Reverse ARP • Translates Layer 2 MAC addresses to Layer 3 IP addresses • Used to obtain the IP address of the requesting station itself for address configuration purposes • RARP is now obsolete. It was replaced by BOOTP, which was later superseded by the Dynamic Host Configuration Protocol (DHCP).
Proxy • Device on a given network answers the ARP queries for an IP address not on that network • The ARP Proxy is aware of the location of the traffic's destination • Offers its own MAC address in reply • "send it to me, and I'll get it to where it needs to go." • The "captured" traffic is routed by the Proxy to the intended destination via another interface or tunnel • Sometimes referred to as 'publishing'.
Tools • ARPwatch • Generates a log of observed pairings of IP addresses with MAC addresses, along with a timestamp for when each pairing appeared on the network • ARPing • Tests whether a given IP address is in use on the local network, and can get additional information about the device using that address • Cain & Abel
Cache Poisoning • Hosts update their cache whenever an ARP request OR!!! reply is received • If the MAC address for the given IP has changed, the old value is overwritten • ARP replies are unicast • Used to set up man-in-the-middle attacks • Allows an attacker to monitor, intercept, and modify sessions
MAC Flooding • ARP cache poisoning technique • Targets network switches • When certain switches are overloaded they often drop into a "hub" mode • The switch is too busy to enforce its port security features and just broadcasts all network traffic • Flood a switch's ARP table with a ton of spoofed ARP replies, then sniff packets
Why do we care? • Network Design • Security • Device Configuration • Advanced Devices • Nortel • Cisco • Allied Telesis
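As an added example (not part of this presentation), the Python below packs and unpacks the 28-byte ARP body from the Packet Structure slide, classifies probes and gratuitous announcements by the rules given on the Probe and Announcements slides, and runs an ARPwatch-style monitor that reports a changed IP-to-MAC pairing instead of silently overwriting it the way a host cache does. All function names, MAC addresses and sample packets are constructed for the example.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp(oper, sha, spa, tha, tpa):  # 28-byte body: opcode + four addresses
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

def parse_arp(payload):  # unpack into a dict; accept only Ethernet/IPv4 ARP
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}

def classify(a):  # name the message using the Probe / Announcement slide rules
    if a["oper"] == REQUEST and a["spa"] == "0.0.0.0":
        return "probe"                      # RFC 5227: all-zero sender IP
    if a["spa"] == a["tpa"] and a["tha"] in (ZERO_MAC, a["sha"]):
        return "announcement"               # gratuitous ARP: TPA=SPA
    return "request" if a["oper"] == REQUEST else "reply"

class ArpWatch:
    # A host cache silently overwrites a changed pairing; a monitor reports it.
    def __init__(self):
        self.table = {}
    def observe(self, a):
        if a["spa"] == "0.0.0.0":           # probes carry no usable pairing
            return None
        old = self.table.get(a["spa"])
        self.table[a["spa"]] = a["sha"]
        return f"{a['spa']} moved from {old} to {a['sha']}" if old not in (None, a["sha"]) else None

# Constructed sample: probe, announcement, gateway reply, then a reply re-binding the gateway IP.
SAMPLE = [
    build_arp(REQUEST, "aa:aa:aa:aa:aa:01", "0.0.0.0", ZERO_MAC, "10.0.0.5"),
    build_arp(REQUEST, "aa:aa:aa:aa:aa:01", "10.0.0.5", ZERO_MAC, "10.0.0.5"),
    build_arp(REPLY, "aa:aa:aa:aa:aa:fe", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    build_arp(REPLY, "bb:bb:bb:bb:bb:bb", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
]

def run(packets=SAMPLE):  # (classification, alert-or-None) for every packet
    watch = ArpWatch()
    return [(classify(a), watch.observe(a)) for a in map(parse_arp, packets)]
```

The last packet is the pattern a poisoned cache accepts without complaint; the monitor surfaces it as a pairing change, which is the signal ARPwatch logs.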
Conclusion • Packet Structure • Probes and Announcements • Extensions of the protocol • Tools • Threats
Resources • http://www.packetnexus.com/docs/arppoison.pdf • http://en.wikipedia.org/wiki/Address_Resolution_Protocol • http://www.watchguard.com/infocenter/editorial/135324.asp