Man In The Middle Attack
Outline
• Introduction about MITM attack scenarios
• ARP poisoning
  • Quick refresh on ARP
  • ARP methods and defenses
• DNS poisoning
  • Quick refresh on DNS
  • DNS security goals
  • DNS poisoning by out-of-bailiwick glue RR
  • DNS poisoning by spoofed responses
MITM attack scenarios
Different attacks in different scenarios:
LOCAL AREA NETWORK:
- ARP poisoning
- DNS spoofing
- STP mangling
- Port stealing
FROM LOCAL TO REMOTE (through a gateway):
- ARP poisoning
- DNS spoofing
- DHCP spoofing
- ICMP redirection
- IRDP spoofing
- Route mangling
REMOTE:
- DNS poisoning
- Traffic tunneling
- Route mangling
Addresses in Data Link Layer
32-bit IP address:
• Network-layer address
• Used to route to destination network
LAN (or MAC or physical or Ethernet) address:
• To identify source & destination on same network
• Known to the adapter (e.g. in PROM)
• Most LANs: 48 bits, global address space
• Few LANs: configurable, e.g. as function of IP addr
• Special broadcast address – send to all nodes
• Used for address resolution (ARP)…
Address Resolution Table
• Each host maintains its own address resolution table
• Each entry correlates between IP address and MAC address
• In an entry there is a field that marks the way the entry was created (Static or Dynamic)
Example:
IP Address    MAC Address          TTL
1.1.24.1      00:30:7b:91:bd:6c    8:00
1.1.24.65     00:60:e1:00:9c:70    ---
1.1.24.223    00:60:e1:00:07:91    8:03
ARP Mechanism
(Diagram: hosts A, B, C and D on one segment.)
Broadcast Request: Sender IP, Sender MAC, Target IP
• C learns A's IP, MAC
• B, D could also learn, but usually don't (since they may not send to A)
Unicast Response
• A learns C's IP, MAC
ARP protocol (RFC 826)
• A wants to send datagram to B, knows B's IP address.
• B on same subnet… but her MAC addr not in A's table
• A broadcasts ARP query packet, with B's IP address
• All machines on subnet receive ARP query
• B receives ARP query, replies to A with its (B's) MAC address
• Sent to A's MAC address (unicast)
• A caches <IP,MAC> in ARP table
ARP Poisoning Attack
• The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including
  • Denial of Service
  • Man in the Middle
  • MAC Flooding
ARP Poisoning Attack
• Attackers are often on isolated segments
• How to intercept traffic from Alice to Bob?
• Trick Alice into sending to Eve's MAC address
• ARP poisoning attack:
  • Alice uses ARP broadcast to find Bob
  • Eve answers → Alice uses Eve's link address
  • Eve can forward to Bob → becomes MITM
(Diagram: Alice, Bob and Eve attached to the same switch.)
ARP Poisoning Methods
• Unsolicited
  • Send ARP request with false sender's IP; (some) hosts use it to update their ARP tables
  • Send ARP response with incorrect mapping; (some) hosts update their ARP table even if they didn't make a request
  • Solution: ignore unsolicited mappings
• Response to ARP request
  • Mapping to attacker's MAC address
  • Send upon hearing / expecting request
  • Improve chances by loading destination's segment/host
ARP Poisoning Example
• Assume router's IP is 10.1.1.0
• Host's IP is 10.1.1.1
• Malicious host with IP 10.1.1.2 spoofs 10.1.1.1 and replies to requests from 10.1.1.0 with its MAC address
• From this point on all packets meant for 10.1.1.1 are routed to 10.1.1.2, because the router has the MAC address of 10.1.1.2 in its routing table
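The 10.1.1.x scenario above, replayed in an added example (not from the slides) that implements the "ignore unsolicited mappings" defense from the previous slide and flags a mapping change when the attacker answers a later request first. The host, router and MAC values are the slides' own; the monitor logic, the helper names and the packet format (ARP payload only, no Ethernet header) are assumptions.

```python
"""Added example (not from the slides): an ARP monitor for one host that applies the
'ignore unsolicited mappings' defense and flags IP->MAC changes. Frames are
constructed 28-byte ARP payloads (Ethernet header omitted)."""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa

def build_arp(oper, sha, spa, tha, tpa):
    """Pack an Ethernet/IPv4 ARP packet from 'aa:bb:..' MAC and dotted IP strings."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def parse_arp(pkt):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip) as strings."""
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return oper, mac(sha), str(IPv4Address(spa)), mac(tha), str(IPv4Address(tpa))

class ArpMonitor:
    def __init__(self, my_ip):
        self.my_ip, self.pending, self.table, self.alerts = my_ip, set(), {}, []

    def process(self, pkt):
        oper, sha, spa, _, tpa = parse_arp(pkt)
        if oper == ARP_REQUEST and spa == self.my_ip:
            self.pending.add(tpa)            # we asked: a reply for tpa is now expected
        elif oper == ARP_REPLY and tpa == self.my_ip:
            if spa not in self.pending:      # defense: drop unsolicited mappings
                self.alerts.append(f"unsolicited reply {spa} is-at {sha} ignored")
                return
            old = self.table.get(spa)
            if old and old != sha:           # same IP, new MAC: possible poisoning
                self.alerts.append(f"mapping change {spa}: {old} -> {sha}")
            self.table[spa] = sha
            self.pending.discard(spa)

def demo():
    """Constructed replay of the slides' 10.1.1.x example as seen by host 10.1.1.1."""
    host, router, h_mac = "10.1.1.1", "10.1.1.0", "00:30:7b:91:bd:6c"
    r_mac, e_mac, zero = "00:60:e1:00:9c:70", "00:60:e1:00:07:91", "00:00:00:00:00:00"
    mon = ArpMonitor(host)
    mon.process(build_arp(ARP_REQUEST, h_mac, host, zero, router))
    mon.process(build_arp(ARP_REPLY, r_mac, router, h_mac, host))    # genuine, solicited
    mon.process(build_arp(ARP_REPLY, e_mac, router, h_mac, host))    # Eve, unsolicited
    mon.process(build_arp(ARP_REQUEST, h_mac, host, zero, router))   # entry expired, re-ask
    mon.process(build_arp(ARP_REPLY, e_mac, router, h_mac, host))    # Eve answers first
    return mon.table, mon.alerts
```

The unsolicited reply is dropped, but the race on the re-request still succeeds, which is why the monitor also reports the mapping change rather than relying on the first check alone.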
ARP Poisoning Tools
• ARPoison
• Ettercap
• Parasite
Port Security Mechanisms
(Diagram: a switch connecting Alice (IP: …, MAC: …), Bob, Eve, the gateway and a DHCP server.)
Outline
• Introduction about MITM attack scenarios
• ARP poisoning
  • Quick refresh on ARP
  • ARP methods and defenses
• DNS poisoning
  • Quick refresh on DNS
  • DNS security goals
  • DNS poisoning by out-of-bailiwick glue RR
  • DNS poisoning by spoofed responses
DNS Resolution Process
(Diagram: Client, Local Server, Root Server, .com TLD Server at 132.3.3.4, Authoritative ns.bob.com Server at 156.4.5.6.)
1. Client → Local Server: Resolve `A` www.bob.com
2. Local Server → Root Server: Resolve `NS` com; reply: `NS` 132.3.3.4
3. Local Server → .com TLD Server (132.3.3.4): Resolve `A` www.bob.com; reply: `NS` ns.bob.com, `A` 156.4.5.6
4. Local Server → Authoritative ns.bob.com Server (156.4.5.6): Resolve `A` www.bob.com; reply: `A` 156.6.6.6
5. Local Server → Client: `A` 156.6.6.6 (IP of www.bob.com)
6. Client → 156.6.6.6: Request to www.bob.com
Domain Names and IP Addresses
• IP packets contain source, dest IP addresses
  • 32 bits, e.g. 128.33.44.223
• Routers use IP Addresses
  • To deliver packets to their destinations
• Users use Domain Names, e.g. www.foo.edu
• Domain Names are hierarchical, and:
  • Meaningful: *.edu: university, www.*: web server
  • Easier to manage, remember and use
• DNS – Map domain names to IP addresses
  • Fixed IP, current IP, best IP (e.g. proximity)
DNS Caching
• Caching is critical for DNS performance
• All DNS modules perform caching
  • Client DNS Cache
  • Local DNS Server Cache
    • DNS server used only to cache records
    • Clients always access this server
    • May be nested (… → DNS.foo.edu → ISP DNS)
• Caching is of DNS Resource Records (RR)
Reverse DNS
• `Reverse` DNS query: IP → name
• How? PTR query to in-addr.arpa domain
• E.g., rDNS for IP=1.2.3.4: DNS query for PTR record for address 4.3.2.1.in-addr.arpa
  • Note reverse order of address bytes (why?)
  • 4.3.2.1.in-addr.arpa controlled by ISP/owner
• Use for security:
  • Servers should have rDNS to domain name
  • Use rDNS to identify (dial-in, DSL,…) clients
DNS Messages
• DNS protocol: send request, receive reply
• Single format for requests & replies
Message layout (diagram):
Header: ID (16 bits), Flags, Number of questions, Number of answers, Number of authority, Number of other
Questions: Name, Type of RR
Answers / Authority / Other, each an RR (Resource Record): Name, Type of RR, TTL in seconds, Value
DNS Security: Goals
• Authenticity
  • Owners should control mappings (name → IP)
  • DNS-Security: cryptographically-signed DNS RR
    • To ensure security against MITM attacker
    • Although MITM attacker can forge IP addresses anyway
    • See few extra foils after conclusions
• Availability
  • Prevent Denial of Service (DoS) attacks
• Non-Goal: Confidentiality
  • Protocol allows any server to query any other
    • Servers may restrict distribution
    • Encrypt records if needed (non-standard)
  • No support for hiding requests
  • Undesirable: allowing `what's there?` query
MITM via DNS Poisoning
• Allows blind attacker to become MITM
  • Web spoofing / phishing attacks
  • Spoof blacklist responses,…
(Diagram: client, DNS server, Bob.com at 129.4.4.5, attacker at 6.6.6.6.)
0. Poison: bob.com → 6.6.6.6 (placed in the DNS server's cache)
1. DNS request: bob.com
2. Response: bob.com → 6.6.6.6
3. DstIP=6.6.6.6: "Dear Bob, …" (delivered to 6.6.6.6 instead of 129.4.4.5)
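An added example (not from the slides) of the resolver-side checks that counter the two poisoning routes named in the outline: a response is accepted only if its ID and question match an outstanding query (so a blind attacker's guessed reply is dropped), and records outside the answering server's bailiwick, such as foreign glue, are never cached. Names and addresses are the slides' own (bob.com, ns.bob.com, 156.4.5.6, 6.6.6.6, www.foo.edu); the Resolver class, the simplified message tuples in place of the wire format, and the `server_zone` parameter are assumptions.

```python
"""Added example (not from the slides): the two resolver-side acceptance checks
that block the poisoning routes the outline names, spoofed responses and
out-of-bailiwick glue. Messages are simplified tuples, not DNS wire format."""
from collections import namedtuple

RR = namedtuple("RR", "name rtype value")                  # one resource record
Response = namedtuple("Response", "txid qname qtype rrs")  # rrs: answer+authority+additional

def in_bailiwick(name, zone):
    """True if name is at or below zone; zone '' is the root and covers all names."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return zone == "" or name == zone or name.endswith("." + zone)

class Resolver:
    def __init__(self):
        self.pending = {}    # txid -> (qname, qtype, zone served by the queried server)
        self.cache = {}      # (name, rtype) -> value
        self.rejected = []   # reasons for dropped responses / records

    def send_query(self, txid, qname, qtype, server_zone):
        self.pending[txid] = (qname.lower(), qtype, server_zone)

    def receive(self, resp):
        """Spoof check: ID and question must match an outstanding query.
        Bailiwick check: cache only RRs inside the answering server's zone."""
        key = self.pending.get(resp.txid)
        if key is None or key[:2] != (resp.qname.lower(), resp.qtype):
            self.rejected.append(f"spoofed? txid={resp.txid} {resp.qname}/{resp.qtype}")
            return False
        zone = self.pending.pop(resp.txid)[2]
        for rr in resp.rrs:
            if in_bailiwick(rr.name, zone):
                self.cache[(rr.name.lower(), rr.rtype)] = rr.value
            else:
                self.rejected.append(f"out-of-bailiwick {rr.name} {rr.rtype} from '{zone}' server")
        return True

def demo():
    """Constructed scenario using the names and addresses from the slides."""
    r = Resolver()
    r.send_query(0x1234, "www.bob.com", "A", "com")      # referral query to the .com server
    # Blind attacker guesses the wrong ID: dropped before any record is looked at
    r.receive(Response(0x4321, "www.bob.com", "A", [RR("bob.com", "A", "6.6.6.6")]))
    # Genuine referral carries in-bailiwick glue plus one foreign record that must not be cached
    r.receive(Response(0x1234, "www.bob.com", "A", [
        RR("bob.com", "NS", "ns.bob.com"), RR("ns.bob.com", "A", "156.4.5.6"),
        RR("www.foo.edu", "A", "6.6.6.6")]))
    return r.cache, r.rejected
```

A real resolver also checks the source address and port of the reply and randomizes the query port; the ID check alone only narrows, not eliminates, the blind attacker's guessing space.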