ARP Cache Poison detection
Use of ARP Cache in a network device
Most network devices keep an ARP cache: a table of IP addresses and the corresponding
MAC addresses of devices the host has already communicated with. The ARP table stores
this information for a short period of time so that subsequent communication is faster.
Use case 1: - Consider PC1 with IP address 172.10.3.82, which wants to communicate with
another host, PC2, with IP address 172.10.3.78 in the same network. PC1 needs the MAC
address of PC2 in order to send traffic to it, so PC1 sends an ARP request packet (see
screen shot 1) to the network. An ARP request packet is a broadcast packet.
(Screen shot 1)
The outer Ethernet header of an ARP request packet carries PC1's MAC address as the
Source MAC address and the Ethernet broadcast MAC address as the Destination MAC
address.
The inner ARP request header carries PC1's MAC address as the Sender MAC address, PC1's
IP address as the Sender IP address, all zeros as the Target MAC address and PC2's IP
address as the Target IP address.
Once this ARP request packet, with the Target IP address set to 172.10.3.78, reaches PC2,
PC2 sends an ARP reply packet to PC1. This is a unicast packet to PC1, shown in
screen shot 2.
The outer Ethernet header of the ARP reply packet carries PC2's MAC address as the
Source MAC address and PC1's MAC address as the Destination MAC address. This is a
unicast packet destined for PC1.
The inner ARP reply header carries PC2's MAC address as the Sender MAC address, PC2's
IP address as the Sender IP address, PC1's MAC address as the Target MAC address and
PC1's IP address as the Target IP address.
PC1 trusts the ARP reply from PC2 and stores PC2's IP address and MAC address in its ARP
table. From the next packet onwards PC1 does not ask for the MAC address of PC2 again;
it uses the entry from the ARP cache.
Note: - An ARP request is an Ethernet broadcast packet. Inside the ARP header it asks for
the MAC address of the particular device whose IP is in the Target IP address field, and
the Target MAC address field is all zeros.
ARP Cache Poisoning or ARP Spoofing
ARP cache poisoning or ARP spoofing is an attack in which an attacker, using a device in
your network, sends fake ARP replies to corrupt (poison) the ARP cache of your network
device. Most operating systems are designed so that whenever an ARP reply packet arrives
at the device, the ARP cache is updated from it. These ARP entries get updated even for
unsolicited ARP replies. This behaviour stems from the implicit trust placed in ARP reply
packets, which carry no authentication.
Use case 2: - Consider PC1 with IP address 172.10.3.82 and MAC address "00-90-4b-63-7d-fe",
which wants to communicate with another host, PC2, with IP address "172.10.3.78", whose MAC
address is unknown to PC1. PC1 sends a broadcast ARP request packet.
PC3, with IP address "172.10.3.20" and MAC address "00-11-22-22-22-22", is the attacker in
the same network. Both PC2 and PC3 receive the ARP request packet.
Normally PC2 responds with an ARP reply packet carrying the values "sender MAC
address == 00-40-96-b1-5e-c6", "sender IP address == 172.10.3.78", "target MAC
address == 00-90-4b-63-7d-fe" and "target IP address == 172.10.3.82".
PC1 now updates its ARP cache from the ARP response sent by PC2, so the ARP cache of PC1
looks as shown in screen shot 3.
At the same time attacker will be sending the spoofed ARP reply packet with values
“sender MAC address == 00-11-22-22-22-22”, “sender IP address == 172.10.3.78” and
“target MAC address == 00-90-4b-63-7d-fe”, “target IP address == 172.10.3.82”.
Screen shot 4 shows the spoofed ARP reply packet.
Once PC1 receives the spoofed ARP response packet from PC3, it updates its ARP cache from
that response as well. PC1 therefore overwrites the entry for PC2 with the spoofed MAC
address in place of PC2's actual MAC address.
PC2's entry in PC1's ARP cache is now poisoned.
All further communication from PC1 to PC2 is sent to the MAC address of PC3.
The corrupted ARP cache of PC1 is shown in screen shot 5.
Here the MAC address 00-11-22-22-22-22 is not the actual MAC address of PC2; it is the
actual MAC address of PC3.
Note: - In the above case the attacker can do the following things:
• Read all the packets from PC1 to PC2.
• Read all the packets from PC1 to PC2, modify them and send them on to the actual
destination. This is a man-in-the-middle attack.
Pictorial representation of use case 2:-
To avoid the problems described above, Motorola wireless switches include an ARP cache
poisoning detection mechanism and log spoofed ARP packets.
DHCP snoop table and its use
A DHCP snoop table is created by snooping on the DHCP ACK packets arriving via DHCP
trusted ports. The DHCP trusted port configuration can be modified by the user. By
default all GE and SA ports are DHCP trusted and the WLAN ports are untrusted.
Only DHCP ACK packets arriving via a DHCP trusted port are considered when building the
DHCP snoop table.
The wireless switch does not flood DHCP discover packets to non-DHCP-trusted ports, so
DHCP discover packets flow only via DHCP trusted ports in the wireless switch. DHCP
servers sitting behind the DHCP trusted ports receive the discover packet and send the
DHCP offer packet to the mobile units. The wireless switch snoops the DHCP ACK packets
arriving via DHCP trusted ports and writes the entries into the snoop table. In the
wireless switch, the user is also given an option to configure trust for the ARP packets
in their network on a per-port basis. By default this is disabled.
From here on, network devices are referred to as mobile units (MUs).
After snooping the actual IP address and MAC address, the switch writes them into the
DHCP snoop table. The switch now knows the correct IP address and MAC address of each
mobile unit. If any other device claims that IP address or sends a fake ARP reply for it,
the switch detects it as an attempt to poison the cache and drops the packet. This is how
the Motorola wireless switch identifies fake ARP replies.
Note: - The Motorola wireless switch gives ARP cache protection to the DHCP clients,
routers and the DHCP server.
Creation of DHCP Snoop table
When a mobile unit receives a DHCP ACK packet from the DHCP server, the wireless switch
snoops the DHCP ACK packet and learns the following information:
• Actual IP address and MAC address of the mobile unit.
• Actual IP address and MAC address of the DHCP server.
• Actual IP address of the default gateway.
It writes all this information as entries in the DHCP snoop table. The next time an ARP
packet reaches the wireless switch, the switch compares the ARP packet's sender IP and
sender MAC with the entry present in the DHCP snoop table; if it finds a mismatch, it
drops the packet and writes a corresponding log message.
Use case 3: - Consider three MUs in the network. MU1 and MU2 are the genuine MUs
connected to the WLAN, and they obtain their IP addresses from the onboard DHCP server.
When the DHCP ACK packet goes to MU1 via the wireless switch, the switch snoops the
packet and creates the DHCP snoop table entries shown in screen shot 6.
The wireless switch collects the information from the DHCP ACK packet and writes the
following entries into the DHCP snoop table:
• Type DHCP client, IP address 172.10.3.78 and MAC address 00-40-96-b1-5e-c6
• Type DHCP server, IP address 172.10.1.3 and MAC address 00-1c-0e-52-3e-c1
• Type Router, IP address 172.10.1.100 and MAC address all zeros.
The actual MAC address of the router is filled in only when an ARP packet arrives from
the router.
From now on MU1, the DHCP server and the router are protected against ARP poisoning
attacks.
When the DHCP ACK packet goes to MU2 via the wireless switch, the switch snoops the
packet and creates the DHCP snoop table entries shown in screen shot 7.
The wireless switch snoops the DHCP ACK packet and creates the following entries in the
DHCP snoop table:
• Type DHCP client, IP address 172.10.3.82 and MAC address 00-90-4b-63-7d-fe
• Type DHCP server, IP address 172.10.1.3 and MAC address 00-1c-0e-52-3e-c1
• Type Router, IP address 172.10.1.100 and MAC address all zeros.
The actual MAC address of the router is filled in only when an ARP packet arrives from
the router.
From now on MU2, the DHCP server and the router are protected against ARP poisoning
attacks.
Note: - DHCP client entries remain in the snoop table for the duration of the lease. After
the lease expires, the entries are deleted automatically.
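The snoop-table check described in use case 3, replayed against the ARP replies of use case 2, as an added example that models the behaviour in plain Python. This is not the switch's own code: the SnoopTable class, its method names and the router MAC 00-aa-bb-cc-dd-ee are assumptions; all other addresses come from the text above.

```python
ZERO_MAC = "00-00-00-00-00-00"   # router placeholder until its first ARP packet is seen


class SnoopTable:
    """Hypothetical model of the switch's DHCP snoop table, keyed by IP address."""

    def __init__(self):
        self.entries = {}   # ip -> {"type": ..., "mac": ...}
        self.log = []

    def learn_dhcp_ack(self, client_ip, client_mac, server_ip, server_mac, router_ip):
        # One DHCP ACK yields three entries; the router MAC starts as all zeros.
        self.entries[client_ip] = {"type": "DHCP client", "mac": client_mac}
        self.entries[server_ip] = {"type": "DHCP server", "mac": server_mac}
        self.entries.setdefault(router_ip, {"type": "Router", "mac": ZERO_MAC})

    def check_arp(self, sender_ip, sender_mac):
        """Compare an ARP packet's sender IP/MAC with the table; False means drop."""
        entry = self.entries.get(sender_ip)
        if entry is None:
            return True   # IP not learned from any DHCP ACK: nothing to compare against
        if entry["mac"] == ZERO_MAC:
            entry["mac"] = sender_mac   # first ARP from the router fills in its real MAC
            return True
        if entry["mac"] != sender_mac:
            self.log.append(f"ARP poison attempt dropped: {sender_ip} claimed by "
                            f"{sender_mac}, snoop table has {entry['mac']} ({entry['type']})")
            return False
        return True


def run_use_cases():
    """Replay use cases 2 and 3 with the addresses from the text (constructed input)."""
    table = SnoopTable()
    # DHCP ACKs to MU1 (PC2) and MU2 (PC1), as in screen shots 6 and 7.
    table.learn_dhcp_ack("172.10.3.78", "00-40-96-b1-5e-c6",
                         "172.10.1.3", "00-1c-0e-52-3e-c1", "172.10.1.100")
    table.learn_dhcp_ack("172.10.3.82", "00-90-4b-63-7d-fe",
                         "172.10.1.3", "00-1c-0e-52-3e-c1", "172.10.1.100")
    genuine = table.check_arp("172.10.3.78", "00-40-96-b1-5e-c6")  # PC2's own reply
    spoofed = table.check_arp("172.10.3.78", "00-11-22-22-22-22")  # PC3 claiming PC2's IP
    router = table.check_arp("172.10.1.100", "00-aa-bb-cc-dd-ee")  # assumed router MAC
    return genuine, spoofed, router, table.entries["172.10.1.100"]["mac"], table.log


if __name__ == "__main__":
    print(run_use_cases())
```

Lease expiry from the note above is not modelled; a complete table would also remove the client entry when its lease ends, after which the IP is no longer protected until a new DHCP ACK is snooped.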