Fundamentals of Computer Security
Network Hack: ARP Poisoning
CSCI 379 Fundamentals of Computer Security

Network Technology
[Figure labels: ports, Network Interface Card (NIC), Host Computer, Hub]
A hub establishes connections from one to many ports.

Network Technology
[Figure labels: ports, Network Interface Card (NIC), Host Computer, Switch]
A switch is able to establish port-to-port connections.

Addressing
NIC MAC Address: a unique, six-byte hex number assigned by the manufacturer. Each networked device has its own MAC address. Example: 00:4E:3F:12:2A:00
[Figure labels: NIC, Host Computer]
MAC Address (six-byte): Fixed. Used internally in the local network; not routable. Recognized only by lower-level protocols.
IP Address (four-byte): Assignable by the administrator. Used in the global Internet; routable. Recognized by Internet protocols.
Mapping between the two?

The Address Resolution Protocol (ARP)
This protocol constructs on the fly a mapping between the MAC addresses and the IP addresses in a local network.
Basic Elements:
• ARP Cache (or table)
• ARP Request messages
• ARP Reply messages
Example:
Host A: who has IP address x? (broadcast)
Host B: <silence>
Host C: <silence>
Host D: hey, that’s me and my MAC address is y, btw. (point to point)
Host A: (add to its ARP cache the pair {IP(x),MAC(y)})
Subsequently, host A’s messages to IP(x) on the network are addressed to MAC(y).

Vulnerability
ARP Request messages are sent to the broadcast MAC address FF:FF:FF:FF:FF:FF. ARP Reply messages are sent back to the MAC address of the requester.
There is no guarantee that whoever replies to an ARP Request is really who it says it is. There is no authentication.

Threats

Denial of Service
By faking ARP Replies, one can associate an important IP address with a false MAC address, for instance, a MAC address that does not exist. If that important IP address happens to correspond to the router, the network can be effectively disconnected: it can’t see the outside world and the outside world can’t see the local network.

Man-in-the-Middle (MITM)
[Figure labels: Router, to the Internet]
Example:
Host A: who has IP address 192.168.0.1 (router)?
Host B: <silence>
Host C: <silence>
Host D: hey, that’s me and my MAC address is y, btw.
Host A: (add to its ARP cache the pair {IP(192.168.0.1),MAC(y)})
Host D becomes “the router”: all traffic goes through D now, but D should be smart enough to allow outside traffic to go outside.
What kind of bad things can D do? Sneak-and-peek, filter traffic, respond to requests sent to outside servers, etc.
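
Added example (not part of the original slides): because ARP Replies carry no authentication, a defender can only watch for the forged replies described in the Denial of Service and Man-in-the-Middle slides, which this Python monitor does by flagging replies nobody asked for and IP addresses that change MAC. The names ArpMonitor, sample_arp and run_sample, the host MACs other than the slide's example address, and the three sample frames are constructed for illustration.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # RFC 826 layout for Ethernet + IPv4 (28 bytes)
REQUEST, REPLY = 1, 2

def mac(b):
    return ":".join(f"{x:02X}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def sample_arp(op, sha, spa, tpa):
    """Pack a constructed ARP payload (sample input only; target MAC zeroed)."""
    to_ip = lambda s: bytes(int(p) for p in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha.replace(":", "")), to_ip(spa), bytes(6), to_ip(tpa))

class ArpMonitor:
    """Tracks IP-to-MAC bindings and flags replies that look like poisoning."""
    def __init__(self):
        self.bindings = {}    # IP -> first MAC seen answering for it
        self.pending = set()  # IPs with an outstanding ARP Request

    def observe(self, payload):
        if len(payload) < 28:
            return ["truncated ARP payload"]
        htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
            ARP_FMT, payload[:28])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return ["not Ethernet/IPv4 ARP"]
        if op == REQUEST:
            self.pending.add(ip(tpa))       # remember "who has tpa?"
        if op != REPLY:
            return []
        alerts, addr, hw = [], ip(spa), mac(sha)
        if addr not in self.pending:        # nobody asked for this answer
            alerts.append(f"unsolicited reply for {addr} from {hw}")
        self.pending.discard(addr)
        known = self.bindings.setdefault(addr, hw)
        if known != hw:                     # same IP, different MAC
            alerts.append(f"{addr} moved from {known} to {hw}")
        return alerts

def run_sample():
    a, router, d = "00:4E:3F:12:2A:0A", "00:4E:3F:12:2A:00", "00:4E:3F:12:2A:0D"
    frames = [sample_arp(REQUEST, a, "192.168.0.10", "192.168.0.1"),  # A asks
              sample_arp(REPLY, router, "192.168.0.1", "192.168.0.10"),  # router answers
              sample_arp(REPLY, d, "192.168.0.1", "192.168.0.10")]  # D claims the router IP
    monitor = ArpMonitor()
    return [monitor.observe(f) for f in frames]
```

Legitimate gratuitous ARP (for example after a failover or an address change) triggers the same alerts, so the output is a signal to investigate rather than proof of poisoning.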

MAC Flooding
[Figure labels: Switch, to the Internet]
This is an ARP Cache Poisoning technique that aims at overloading the switch. When certain switches are overloaded, they drop into “hub mode”: all network traffic gets broadcast to all the computers on the network. When this happens, sniffing packets becomes possible.
The trick is to spoof many, many ARP replies hoping to overload the switch’s ARP table.
How can one carry out this kind of attack?

Incident Reporting Statistics
Source: http://www.cert.org