ARP attacks

Layer 2 Attacks

Why should we secure layer 2?

No matter how secure you make the TCP/IP fortress, if a hacker can get into any of the layers, he can rule the system. If the attacker can puncture the stack at layer 2, he can control all the above traffic.
The Data Link layer is as vulnerable as any other layer and can be subjected to a variety of attacks which the switch must be configured to protect against.

What layer 2 is/does?

Basic purpose of link layer in TCP/IP protocol suite is to send/ receive:
1) IP datagrams for the IP module
2) ARP requests and replies for teh ARP module
3) RARP requests and replies for teh RARP module

What are the possible attacks in layer 2?

The majority of attacks at layer 2 exploit the inability of a device to track the
attacker who can therefore perform undetected malicious actions on the forwarding
path to alter it and then exploit teh change.
Some of the common layer 2 attacs are listed below.
. ARP-based attacks
. MAC Duplicating
. DHCP Starvation attack
. DHCP Rogue attack
. CAM Overflow/ MAC flooding
. VLAN Hopping attack
. Spanning Tree attack
. Virtual Trunk Protocol attack
. VMPS attack ( VLAN Management Policy Server)
. 802.1Q and ISL Tagging attack
. Double-Encapsulated 802.1Q/ Nested VLAN attack
. Private VLAN attack
. Multicast Brute Force attack
. Random Frame Stress attack

A detailed desciption of ARP Attacks follows.

Address Resolution Protocol

Address Resolution Protocol is used to resolve the MAC address of a host given its IP address. When a host wants to send data to destination, the information available to it is the IP address. However, in order to deliver the packet, the source needs to construct a frame now. Since it doesnt have the MAC address of the destination,
it broadcasts an ARP request packet on the network. The concerned host replies back with its MAC address in an ARP reply packet if it is on the same LAN segment, otherwise, the next hop gateway will respond.

The ARP Packet format



ARP caching

Each device on the network maintains an ARP cache where all the address mappings learnt from the network or configured by the administrator are kept. The ARP cache takes the form of a table containing matched sets of hardware and IP addresses. There are two different ways that cache entries can be put into the ARP cache :
Static and Dynamic. Static ARP cache entries are address resolutions that are manually added (by the administrator) to the cache table for a device and are kept in the cache on a permanent basis. Dynamic ARP cache entries are hardware/IP address pairs that are added to the cache by the software itself as a result of successfully-completed past ARP resolutions. They are kept in the cache only for a
period of time and are then removed.

ARP Spoofing

CVE Vulnerability ID: CVE-1999-0667

ARP is a stateless protocol that doesn’t require authentication, so a simple ARP reply packet sent to an host can force an update in its ARP cache. Even if a previously unexpired dynamic ARP entry is there in the ARP cache, it will be overwritten by a newer ARP reply packet on most operating systems. This is the root problem, which leads to ARP spoofing.

ARP spoofing is the process of forging ARP packets to be able to impersonate another host in the network. The principle of ARP spoofing is to send fake, or “spoofed”, ARP messages to the victim periodically. The period between the spoofed ARP responses is much lesser than the ARP cache entry timeout period for the operating
system running on the victim host. This will ensure that the the victim host would never make an ARP request for teh host whose address the attacker is impersonating. Generally, the aim is to associate the attacker’s MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address
would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC ! address to the IP address of the victim’s default gateway.

Attack symptoms on the Network

When the tcpdump is analysed, it can be detected that lots of ARP reply packets from a particular host are sent.

Attack Detection Mechanism

Passive Detection

In Passive Detection, we sniff the ARP requests/ responses on the network and construct a MAC addresss to IP address mapping database. If we notica a change in any of these mappings in future ARP traffic then we raise an alarm and conclude that an ARP spoofing attack is underway. The most popular tool in this category is
ARPWATCH. The main drawback of this passive method is the time lag between learning the address mappings and subsequent attack detection.

Active Detection
In [1], an active detection technique for ARP spoofing was proposed. Here, we inject ARP request and TCP SYN packets into the network to probe for inconsistencies. This can also additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy in the event of an actual attack.

Attack Mitigation Techniques

Static ARP Table
Here we use static ARP table entries to combat ARP spoofing. When a static ARP entry is in the table, the kernel will ignore all ARP responses for the specific address used in the entry and use the specified MAC address instead. The command used for
this simple: arp -s ipaddr macaddr . The arp command can also take a file as input (say, a perl script) and use it to create a static ARp table entries using -f. This could make it faster, but still, this is not a scalable solution at all and managing all these entries is a full time
job by itself. This can also fail miserably if mobile hosts such as laptops are periodically introduced into the network.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s