150 likes | 376 Vues
ARP Poisoning. Rushad Shaikh CSCI 5931 Web Security Spring 2004. ARP Poisoning Attacks. Topics Logical Address Physical Address Mapping ARP ARP Cache Table ARP Poisoning Prevent ARP Poisoning. Logical address. Internetwork address Unique universally In TCP/IP its called IP Address
E N D
ARP Poisoning Rushad Shaikh CSCI 5931 Web Security Spring 2004
ARP Poisoning Attacks • Topics • Logical Address • Physical Address • Mapping • ARP • ARP Cache Table • ARP Poisoning • Prevent ARP Poisoning
Logical address • Internetwork address • Unique universally • In TCP/IP its called IP Address • 32 bits long Physical Address • Local address • Unique locally
Mapping • Delivery of a packet requires two levels of addressing • Logical • Physical • Mapping a logical address to its physical address • Static Mapping • Table to store information • Updating of tables • Dynamic Mapping • ARP • Logical Address to Physical Address • RARP • Physical Address to Logical Address
ARP • ARP request • Computer A asks the network, "Who has this IP address?“
ARP(2) • ARP reply • Computer B tells Computer A, "I have that IP. My Physical Address is [whatever it is].“
CacheTable • A short-term memory of all the IP addresses and Physical addresses • Ensures that the device doesn't have to repeat ARP Requests for devices it has already communicated with • Implemented as an array of entries • Entries are updated
Cache Table State Queue Attempt Time-out IP Address Physical Address R5900180.3.6.1ACAE32457342 P22129.34.4.8 P145201.11.56.7 R8450114.5.7.89457342ACAE32 P121220.55.5.7 F R 9 60 19.1.7.82 4573E3242ACA P 18 3 188.11.8.71
ARP Poisoning • Simplicity also leads to major insecurity • No Authentication • ARP provides no way to verify that the responding device is really who it says it is • Stateless protocol • Updating ARP Cache table • Attacks • DOS • Hacker can easily associate an operationally significant IP address to a false MAC address • Man-in-the-Middle • Intercept network traffic between two devices in your network
Prevent Arp Poisoning • For Small Network • Static Arp Cache table • For Large Network • Arpwatch • As an administrator, check for multiple Physical addresses responding to a given IP address
References: • www.watchguard.com/infocenter/editorial/135324.asp • www.l0t3k.org/security/docs/arp/