
Protecting Your Network from ARP Spoofing-Based Attacks

By : Global Knowledge
INFORMATION
Published : Dec 20, 2005
Length : 6
Type : White Paper
 
Overview :
Think that your encrypted HTTP connection to your remote server is secure? Guess again. ARP spoofing attacks are a highly effective method employed by hackers today to intercept information such as usernames, passwords and data. Understand this attack method and what you can do to protect your sensitive information. Download this white paper to learn more.
It's 4:45 on a Friday afternoon and you've got to finish that report for your team and make it to your 5:30 dinner reservation. You sit down at your desk and log onto the corporate Web e-mail system. You ensure that you are using an encrypted HTTP connection to the remote server because the report contains highly sensitive strategic information. When you connect to the e-mail Web server you get a strange error message, something about a mismatched SSL key. Whatever. IT must be messing around again, you think. You click "OK" and enter your username and password, log on to the system, and send your report, all in time to make it to your dinner reservation.

There's just one small problem. You've just been a victim of an ARP spoofing attack. Your username, password, and the report you sent were all intercepted by a hacker. "But I was using an encrypted and secure connection!" you protest. "My network is all switched, so you can't watch any of my traffic!" you insist.

These are just some of the assumptions that make ARP spoofing attacks so highly effective.

Understanding MAC and ARP

In order to understand how you can protect yourself from ARP spoofing-based attacks, you must understand some fundamentals about how systems on Ethernet-based networks communicate. The level of interconnection where ARP spoofing attacks occur is known as Layer 2, or the data link layer in the OSI network model.

The first component of Layer 2 communication is the MAC address. Every network interface in an Ethernet network is assigned a MAC, or Medium Access Control address, at the time the device is manufactured. The MAC address is used to uniquely identify every interface connected to an Ethernet network. Every Ethernet card manufactured has a unique address so that cards from any vendor can be interconnected on an Ethernet-based network without having to worry about address conflicts. MAC addresses are used by network equipment such as switches to route information to the correct port on which a destination machine resides. This MAC address-based routing eliminates the need to broadcast traffic on all ports, as a hub does.

Devices with connected interfaces on an Ethernet LAN use two methods for discovering other connected interfaces on the LAN: Address Resolution Protocol and Reverse Address Resolution Protocol, or ARP and RARP respectively. Without these protocols to perform this interface discovery, it would be necessary to manually input the MAC addresses and associated IP addresses into every machine for every interface on a LAN! This would be a daunting task considering the size and dynamic nature of most modern networks. ARP and RARP automate this process through a series of Ethernet frame broadcasts to detect other locally connected machines. This information is then stored so that traffic sent between systems on the LAN can be properly routed by interconnecting network devices.

How Do ARP Spoofing-Based Attacks Work?

The key to ARP spoofing attacks lies in modifying the cached MAC and IP address pair information maintained by each system. The technique utilized to perform an ARP spoofing attack is sending false ARP broadcast notifications to devices on the local network. These false ARP spoofing messages trick network devices into delivering network data to incorrect switch ports, allowing the attacker to have information destined for a victim system on the LAN sent to the attacker's port on the network device.

There are a variety of ways ARP spoofing can attack a network. One of the most effective and dangerous is the Man-in-the-Middle, or MITM, attack. A MITM attack places the attacking system between the victim's system and the local gateway for egress traffic, allowing the attacking system to "sniff" everything the victim sends and receives.

First the attacker tricks the victim's system into incorrectly addressing Ethernet frames of its packets, and tricks the switch into sending the victim's data to the attacker's switch port. The attacker does this with a series of spoofed ARP messages, after which it is possible for the attacker to monitor the victim's egress connections. However, because the victim's system will not be receiving any data in response to its connection attempts, all outbound network communications made by the victim system will fail.
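
As an added illustration (not part of the white paper), the Python sketch below takes the defender's view of the cache modification described above: it parses ARP payloads and reports when an IP address, such as the gateway's, is announced with a different MAC address than the one already recorded. The `ArpWatch` class, the helper names and the sample addresses are assumptions made for this example.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload: 28 bytes, sender MAC/IP then target MAC/IP.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)

def parse_arp(payload):
    """Return (sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), socket.inet_ntoa(spa)

def build_arp(mac, ip, target_ip, oper=2):
    """Build a constructed sample ARP payload (oper 2 = reply)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(mac.replace(":", "")), socket.inet_aton(ip),
                       b"\x00" * 6, socket.inet_aton(target_ip))

class ArpWatch:
    """Tracks IP-to-MAC pairs and reports when an IP shows up with a new MAC."""
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})  # known-good pairs, e.g. the gateway
        self.pinned = set(self.bindings)

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        mac, ip = parsed
        known = self.bindings.get(ip)
        if ip not in self.pinned:
            self.bindings[ip] = mac  # learn or follow the change, as a host cache does
        if known is None or known == mac:
            return None
        return f"{ip} claimed by {mac}, expected {known}"

def demo():
    watch = ArpWatch(pinned={"192.0.2.1": "00:00:5e:00:53:01"})
    frames = [  # constructed traffic using documentation addresses
        build_arp("00:00:5e:00:53:01", "192.0.2.1", "192.0.2.10"),  # gateway
        build_arp("00:00:5e:00:53:aa", "192.0.2.10", "192.0.2.1"),  # new host
        build_arp("00:00:5e:00:53:66", "192.0.2.1", "192.0.2.10"),  # conflicting claim
    ]
    return [alert for alert in map(watch.observe, frames) if alert]
```

A change reported for an unpinned address can also be a legitimate re-addressing, such as a replaced network card, so those alerts need review rather than automatic blocking.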