An Introduction To ARP Spoofing & Other Attacks: Presenting: Philip Yakubovsky & Ohad Benita

This document provides an introduction to ARP spoofing and other network attacks. It explains that computers connected to an IP network have both an IP address and a MAC address. The ARP protocol is used to map IP addresses to MAC addresses within a local network. ARP spoofing involves constructing forged ARP replies to corrupt a target's ARP cache and redirect traffic. This allows an attacker to perform man-in-the-middle attacks, packet sniffing, denial of service attacks and connection hijacking. Defenses include static ARP entries, MAC binding, and detection tools like ARPWatch that monitor for suspicious ARP behavior. ARP spoofing is difficult to fully defend against due to vulnerabilities in basic networking protocols.

An Introduction To ARP

Spoofing & Other Attacks


Presenting: Philip Yakubovsky & Ohad Benita
INTRODUCTION
A computer connected to an IP/Ethernet LAN has two addresses

IP Address
• Virtual address
• Assigned via software

MAC/Ethernet Address
• Address of the network card
• In theory, unique & unchangeable
INTRODUCTION
A computer connected to an IP/Ethernet LAN has two addresses

IP Address
• Used by applications
• Independent of whatever network technology operates underneath it
• Each computer on a network must have a unique IP address to communicate

MAC/Ethernet Address
• Necessary for Ethernet to send data
• Independent of application protocols
• Data is divided into frames carrying at most 1500 bytes of payload each
• Each frame has a header containing the MAC addresses of the source and destination computers
INTRODUCTION
IP & Ethernet must work together!
OPERATION
ARP Request

[Figure: four hosts on one Ethernet segment: 10.0.0.1 (MAC 00:00:00:00:00:01), 10.0.0.2 (00:00:00:00:00:02), 10.0.0.3 (00:00:00:00:00:03) and 10.0.0.4 (00:00:00:00:00:04). 10.0.0.1 broadcasts an ARP request: "Does anyone have IP 10.0.0.3? If so, tell me your MAC address!"]
OPERATION
ARP Reply

[Figure: the same four hosts. 10.0.0.3 answers 10.0.0.1 directly, not by broadcast: "I do!!! My MAC address is 00:00:00:00:00:03"]
OPERATION
ARP Cache

• Kept locally to minimize the number of ARP requests being broadcast
• The cache is updated with the new IP/MAC association for each reply
• Stateless protocol
  - Most operating systems will update the cache if a reply is received, regardless of whether they sent out an actual request
  - Exactly which unsolicited replies are accepted (only those for entries already present, or any at all) differs between operating systems and versions
OPERATION
ARP Spoofing

• Involves constructing forged ARP replies
• Takes advantage of the ARP cache
• The process of corrupting a cache is called "poisoning"
OPERATION
ARP Spoofing

[Figures: a four-step sequence. First a legitimate ARP request and the resulting entry in the ARP cache, then three forged ARP responses, each one overwriting the same entry in the victim's ARP cache.]
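The request/reply exchange and the poisoning sequence shown in the slides above, as an added example that is not part of the original deck: it builds and parses raw Ethernet/ARP frames with `struct`, then replays a legitimate exchange and one forged, unsolicited reply through a deliberately naive ARP cache. The hosts, IP addresses and MAC addresses are the constructed 10.0.0.x / 00:00:00:00:00:0x values from the slides; the `NaiveHost` class is a model written for this example, not any real operating system's stack.

```python
"""Added example (not part of the original slides): build and parse raw
Ethernet/ARP frames and replay them through a deliberately naive ARP cache
to show why a forged, unsolicited reply poisons it.  The 10.0.0.x hosts
and 00:00:00:00:00:0x MACs are the constructed values from the slides."""
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return a 42-byte Ethernet frame carrying an RFC 826 ARP packet.
    Requests go to the broadcast MAC; replies go straight to the target."""
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; raise ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "op": op,
        "eth_src": mac_str(frame[6:12]),
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class NaiveHost:
    """A host whose ARP cache accepts any reply addressed to it, whether or
    not it ever asked (the 'stateless' behaviour described on the slide).
    This is a model for the example, not a real operating system's stack."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def request(self, ip):
        return build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip)

    def receive(self, frame):
        """Process one frame; return a reply frame if one is owed."""
        p = parse_arp(frame)
        if p["target_ip"] != self.ip:
            return None
        if p["op"] == ARP_REPLY:
            self.cache[p["sender_ip"]] = p["sender_mac"]  # no "did I ask?" check
        elif p["op"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        return None


def demo():
    """Legitimate request/reply, then one forged reply from 10.0.0.4."""
    victim = NaiveHost("10.0.0.1", "00:00:00:00:00:01")
    host3 = NaiveHost("10.0.0.3", "00:00:00:00:00:03")
    victim.receive(host3.receive(victim.request("10.0.0.3")))
    before = dict(victim.cache)
    # attacker at ...:04 claims to be 10.0.0.3; the victim never sent a request
    forged = build_arp(ARP_REPLY, "00:00:00:00:00:04", "10.0.0.3", victim.mac, victim.ip)
    victim.receive(forged)
    return before, dict(victim.cache)


if __name__ == "__main__":
    print(demo())
```

Note that the forged frame is byte-for-byte a well-formed ARP reply; nothing in the packet distinguishes it from the genuine one except that the sender MAC belongs to the wrong host, which is why the defenses later in the deck work on the cache (static entries) or on observing changes (ARPWatch) rather than on the packet itself. Real stacks differ in how readily they accept unsolicited replies, which is the reason poisoning tools typically resend the forged reply at a steady interval.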
Attacks – Sniffing

Promiscuous mode
- Allows network cards to examine frames that are destined for MAC addresses other than their own

Switches
- Forward each frame only to the port on which the destination MAC address was learned
- A card in promiscuous mode on a switched LAN therefore sees only its own traffic and broadcasts; the attacker must first redirect the victim's frames to his own port, which is what ARP spoofing provides
Attacks - Sniffing

 Man-in-the-Middle Attack (MiM)

• A malicious user:
  – Inserts his computer into the communications path between two target computers
  – Forwards frames between the two target computers so communications are not interrupted

• All Internet traffic could be intercepted if this were performed between the target and the router
Attacks – Sniffing
MAC Flooding
• Send frames (e.g. spoofed ARP replies) with random source MAC addresses to a switch at an extremely rapid rate
• The switch's port/MAC table will overflow
• Results vary
  – Some switches revert to broadcasting frames for destinations they no longer know (hub-like behaviour), allowing sniffing to then be performed
  – Others simply stop learning new addresses, or shut the offending port down

Storms
 Poisoning caches with the broadcast address could cripple large networks
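The "revert into broadcast mode" outcome of MAC flooding, as an added example that is not part of the original slides: a small model of a learning switch with a fixed-size port/MAC table and entry aging. It shows the mechanism behind the slide's claim: once the table is full of bogus source addresses, a legitimate station whose entry has aged out cannot be re-learned, so frames to it are flooded out of every port and an attacker on any port can read them. The port numbers, MAC addresses, table capacity and aging time are all constructed for the demo, and the no-eviction policy is an assumption of the model (real switches differ, which is the "results vary" point above).

```python
"""Added example, not from the original slides: a model of a learning switch
with a fixed-size port/MAC table and entry aging, used to reproduce the
MAC flooding outcome the slide describes.  Ports, MACs, capacity and the
aging time are constructed for the demo."""

AGE_SECONDS = 300  # assumed aging time for learned entries


class LearningSwitch:
    def __init__(self, ports, capacity):
        self.ports = set(ports)
        self.capacity = capacity
        self.table = {}  # mac -> (port, last_seen)

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > AGE_SECONDS]
        for m in stale:
            del self.table[m]

    def forward(self, now, in_port, src_mac, dst_mac):
        """Learn the source, then return the set of ports the frame goes out of."""
        self._expire(now)
        if src_mac in self.table or len(self.table) < self.capacity:
            self.table[src_mac] = (in_port, now)
        # else: table full; this model never evicts, so the source stays unknown
        if dst_mac in self.table:
            return {self.table[dst_mac][0]} - {in_port}
        return self.ports - {in_port}  # unknown destination: flood like a hub


def bogus_mac(i):
    """Deterministic locally-administered MAC for the i-th flood frame."""
    return "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)


def demo(capacity=1000):
    """Return (ports reached before the flood, ports reached after, table size)."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=capacity)
    victim, gateway = "00:00:00:00:00:01", "00:00:00:00:00:02"
    sw.forward(0, 1, victim, gateway)  # both stations learned normally
    sw.forward(0, 2, gateway, victim)
    before = sw.forward(1, 1, victim, gateway)  # unicast: port 2 only
    # attacker on port 3 sends frames from `capacity` fake sources and repeats
    # the burst every half aging period so the bogus entries never expire
    t = 2
    while t < 2 * AGE_SECONDS:
        for i in range(capacity):
            sw.forward(t, 3, bogus_mac(i), gateway)
        t += AGE_SECONDS // 2
    # the real stations went quiet, aged out, and now cannot be re-learned
    sw.forward(t, 2, gateway, victim)
    after = sw.forward(t + 1, 1, victim, gateway)  # flooded to ports 2 and 3
    return before, after, len(sw.table)


if __name__ == "__main__":
    print(demo())
```

The attacker never has to displace an existing entry: keeping the table full and waiting for the victims' entries to age out is enough, which is why real flooding tools run continuously rather than as a single burst.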
Attacks - DoS

Denial of Service
 Update ARP caches with non-existent MAC addresses
  • Causes frames to be dropped, since no card on the segment accepts them
  • Could be sent out in a sweeping fashion to DoS all clients in the network

 Possible side effect after a MiM attack: if the attacker stops forwarding without restoring the victims' caches, their entries still point at the attacker's MAC and traffic is black-holed
DoS - SYN Attack

The SYN attack is a common denial of service (DoS) technique characterized by the following pattern:
 Using a spoofed IP address, an attacker sends multiple SYN packets to the target machine.
 For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address.
DoS – SYN Attack

 The target machine doesn't receive a response from the attacking machine, so it attempts to resend the SYN-ACK five times, at 3, 6, 12, 24 and 48 sec. intervals, before de-allocating the resources 96 seconds after attempting the last retry.
 If you add it all together (3 + 6 + 12 + 24 + 48 + 96 = 189 seconds), you can see that the target machine allocates resources for more than 3 minutes in response to just one spoofed SYN.
 These timer values are the ones Microsoft documented for Windows; other TCP stacks use different retransmission schedules, and a stack using SYN cookies allocates nothing until the handshake completes.
Attacks - Hijacking

Connection Hijacking
 Allows an attacker to take control of a connection between two computers
 Can result in any type of session being transferred
Attacks - Cloning

MAC Address Cloning
 MAC addresses were intended to be globally unique and unchangeable
 Today, MAC addresses can be easily changed in software
 An attacker could DoS a target computer, clone the target's MAC address, and receive all frames intended for the target
DEFENSES

No universal defense
Static (non-changing) ARP entries
Port security (or Port Binding, MAC Binding)
Detection: • ARPWatch • Reverse ARP (RARP)
Defenses – Static ARP Entries
Static ARP Entries
 ARP caches hold static (non-changing) entries
 Spoofed ARP replies are ignored
 Creates lots of overhead
  • Each ARP cache must have a static entry for every computer on the network
  • Not practical for most LANs
 Results can also vary depending on the operating system (some older versions were reported to overwrite even a static entry when a reply arrived)
Defenses – MAC Binding

MAC Binding
 Feature found on managed switches (often called port security)
 Does not allow the MAC address associated with a port to change once it has been set
 Legitimate changes can be performed by the network administrator
 Does not prevent ARP spoofing (a forged reply still carries the attacker's own source MAC, so the binding holds), but does prevent MAC cloning & spoofing
Detection
 ARPWatch (Free UNIX Program)
  • Listens for ARP replies on the network and builds a table of IP/MAC associations
  • When an IP/MAC association changes (flip-flop), an email is sent to the administrator
 Reverse ARP (RARP)
  • Requests the IP of a known MAC address
  • Can be used to detect MAC cloning: two different IPs answering for the same MAC
 Promiscuous Mode Sniffing
  • Many methods exist for detecting machines in promiscuous mode
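The ARPWatch-style detection described above, as an added example that is neither part of the slides nor the real arpwatch code: a monitor that consumes ARP replies, keeps an IP-to-MAC table and logs "new station", "changed ethernet address" and "flip flop" events, borrowing arpwatch's vocabulary for them. It goes one step beyond arpwatch (and overlaps the RARP idea above) by also flagging a single MAC that answers for more than one IP, which is what a man-in-the-middle host looks like on the wire. `SAMPLE_REPLIES` is a constructed trace of (seconds, sender_ip, sender_mac) tuples standing in for replies seen on the segment.

```python
"""Added example, not part of the slides and not the real arpwatch code: an
arpwatch-style monitor over ARP replies.  SAMPLE_REPLIES is a constructed
trace in which host 10.0.0.4 (MAC ...:04) starts poisoning at t=5."""
from collections import defaultdict


class ArpMonitor:
    def __init__(self):
        self.current = {}                # ip -> mac believed to own it now
        self.history = defaultdict(set)  # ip -> every mac ever seen claiming it
        self.log = []                    # (time, kind, ip, mac, old)

    def observe(self, t, ip, mac):
        """Record one reply; return the list of alerts it produced."""
        mac = mac.lower()
        old = self.current.get(ip)
        alerts = []
        if old is None:
            alerts.append((t, "new station", ip, mac, None))
        elif old != mac:
            # a return to a MAC seen earlier is a flip-flop: typical of a victim
            # and an attacker answering for the same IP in turn
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            alerts.append((t, kind, ip, mac, old))
        self.current[ip] = mac
        self.history[ip].add(mac)
        # beyond arpwatch: one MAC currently answering for several IPs
        others = sorted(i for i, m in self.current.items() if m == mac and i != ip)
        if alerts and others:
            alerts.append((t, "mac claims multiple ips", ip, mac, ",".join(others)))
        self.log.extend(alerts)
        return alerts


SAMPLE_REPLIES = [  # constructed trace: (seconds, sender_ip, sender_mac)
    (0, "10.0.0.2", "00:00:00:00:00:02"),
    (1, "10.0.0.3", "00:00:00:00:00:03"),
    (2, "10.0.0.4", "00:00:00:00:00:04"),
    (3, "10.0.0.3", "00:00:00:00:00:03"),   # repeat, nothing to report
    (5, "10.0.0.3", "00:00:00:00:00:04"),   # ...:04 now claims 10.0.0.3
    (9, "10.0.0.3", "00:00:00:00:00:03"),   # real host answers again
    (12, "10.0.0.3", "00:00:00:00:00:04"),  # attacker re-poisons
]


def run(replies=SAMPLE_REPLIES):
    """Feed a trace through the monitor; return the alert kinds in order."""
    mon = ArpMonitor()
    for t, ip, mac in replies:
        mon.observe(t, ip, mac)
    return [entry[1] for entry in mon.log]


if __name__ == "__main__":
    for entry in ArpMonitor().log or run() and []:
        pass
    mon = ArpMonitor()
    for t, ip, mac in SAMPLE_REPLIES:
        for alert in mon.observe(t, ip, mac):
            print(alert)
```

The detector only sees what is broadcast or addressed to its own interface, so on a switched network it must run on a port that mirrors the segment (or on the gateway itself); otherwise a unicast forged reply to a victim never reaches it. That limitation, plus the fact that a single "changed ethernet address" is also what a legitimate NIC replacement looks like, is why arpwatch reports rather than blocks.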
DETECTION

The exact behavior of ARP varies with
• Different operating systems
• Different operating system versions
• Different network hardware
CONCLUSION
ARP Spoofing is one of several vulnerabilities which exist in modern networking protocols.
- IP Spoofing
- TCP sequence prediction
- ICMP-based attacks

It is unlikely that these problems will be addressed until they are abused on a wide enough scale to force a change in the status quo.
