Wednesday, September 2, 2015

ARP Cache Poisoning.

To understand this attack better, let me give you a situation to imagine.

Let us assume that my IQ is 0 and I have a best friend, 'Pradeep', with whom I share everything, let's say my credentials too.

Now one day a man comes to me and says, "I am Pradeep, give me all your credentials", and as my IQ is 0, I hand him all of them.

The same thing happens with systems. And as we all know, the IQ of a computer is zero.

But here something changes, because in this modern world a computer will not give up credentials so easily.

Now here is where ARP poisoning comes into view. ARP cache poisoning forces and manipulates our system by telling it, "I am the router, send me all your data and I will forward it to the destination." And as our PC has zero IQ, it will send all its traffic, credentials included, to the attacker's PC, because our system's job is simply to hand packets to the router on their way to the destination.

ARP Poisoning Concept

The ARP protocol was designed to be simple and efficient, but a major flaw in the protocol is its lack of authentication. No authentication was built into its implementation, and as a result there is no way to verify the IP-to-MAC address mapping carried in an ARP reply. Further, the host does not even check whether it ever sent an ARP request for the ARP reply it is receiving.
In our language: if computer 'A' has sent an ARP request and gets an ARP reply, the ARP protocol has no way to check whether the IP-to-MAC mapping in that reply is correct. Also, even if a host did not send an ARP request and still receives an ARP reply, it trusts the information in the reply and updates its ARP cache. This is known as ARP cache poisoning.

ARP Cache Poisoning Consequences

Once a hacker sees a possibility of ARP cache poisoning, the attacker can use various attack techniques to harm the victim's machine or gain control of it. Let's discuss some of them here:

1) Denial of service

A hacker can send an ARP reply mapping an IP address on the network to a wrong or non-existent MAC address. For example, a fake ARP reply mapping the network's router IP to a non-existent MAC will bring down the connectivity of the whole network with the outside world, since any packet sent to the router's IP will now be delivered to a MAC address that does not exist.

2) Man in the Middle

As the name suggests, the hacker can make his machine sit right in the middle of the communication between your system and any other system on the network. This way the hacker can sniff all the traffic to and from both machines.
To achieve this, suppose your machine is host 'A' and your network router is host 'B'. 'A' has IP-A and MAC-A, while 'B' has IP-B and MAC-B as its IP address and MAC address respectively. Now, the hacker sends an ARP reply to the router mapping your IP (IP-A) to his machine's MAC address, and another ARP reply to your machine mapping the router's IP (IP-B) to his machine's MAC address. From then on, any message sent by your machine to the router, or from the router to your machine, reaches the hacker's machine instead. The hacker can now switch on the 'IP forwarding' feature on his machine, which lets it forward all the traffic back and forth between your machine and the router. This way the hacker's machine sits right in the middle and can sniff or block the traffic.

3) MAC Flooding

For switches on the network, MAC flooding is the ARP cache poisoning technique that is used. Many network switches, when overloaded, start acting like a hub and broadcast all the network traffic to every host connected to the network. So a hacker can flood a switch with fake ARP replies and make the switch start behaving like a hub. In this state the switch's 'port security' feature is not in effect, so it broadcasts all the network traffic, and taking advantage of this, the hacker can sniff packets on the network.

ARP Cache Poisoning Mitigation Techniques

Poisoning an ARP cache remotely is a bit difficult, as it requires either physical access to the network or control of one of the machines on it. Since that is not always easy, ARP attacks are not heard of very often. Anyway, taking precautions is better than taking medicine. Network administrators should take care that these types of attacks do not take place. Here are a few mitigation points:
  • For small networks, static ARP entries can be maintained. Static means unchanging, so as the name suggests these entries cannot be changed, and any attempt by a hacker to change the mapping fails. This is good for small networks but not for big ones, as the mapping for every new device added to the network has to be entered manually.
  • For a large network, the port security features of network switches can be explored. Some of these features, when turned on, force the switch to allow only one MAC address per physical port. This makes sure that machines cannot change their MAC address and cannot map more than one MAC to a single port, hence preventing attacks like 'man in the middle'.
  • In general, a monitoring tool like ARPwatch can be deployed to get alerts when some malicious ARP activity takes place on your network.
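As an added example (this is not code from the original post, nor ARPwatch's own code), here is a small ARPwatch-style passive monitor in Python that applies the checks discussed above to a constructed trace of ARP messages: it flags replies that answer no request it saw (the "unsolicited reply" weakness described in the concept section), a binding that changes from what was learned earlier, a mismatch against a pinned table of trusted bindings (which plays the role of the static ARP entries from the first bullet), and one MAC answering for several IPs, which is the footprint of the man-in-the-middle setup from consequence 2. The `ArpMessage` record format, the `ArpMonitor` class and the alert kinds are assumptions of this example rather than any real tool's API; the IP addresses (192.0.2.0/24) and MAC addresses (00:00:5e:00:53:xx) are constructed sample values from documentation ranges. A production version would feed `observe()` from a packet capture instead of a hand-built list.

```python
# Added example (not from the original post): an ARPwatch-style passive
# monitor that applies the mitigation checks above to a constructed trace.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ArpMessage:           # hypothetical record format, not real packet bytes
    op: str                 # "request" or "reply"
    sender_ip: str          # protocol address of the sender
    sender_mac: str         # hardware address the sender claims to have
    target_ip: str          # request: address asked for; reply: host answered


@dataclass
class Alert:
    index: int              # position of the offending message in the trace
    kind: str
    ip: str
    mac: str


@dataclass
class ArpMonitor:
    # Pinned IP -> MAC bindings (e.g. the router), standing in for static ARP entries
    trusted: Dict[str, str]
    cache: Dict[str, str] = field(default_factory=dict)
    # (requester_ip, requested_ip) pairs seen on the wire and not yet answered
    pending: Set[Tuple[str, str]] = field(default_factory=set)

    def observe(self, index: int, msg: ArpMessage) -> List[Alert]:
        alerts: List[Alert] = []
        mac = msg.sender_mac.lower()
        if msg.op == "request":
            self.pending.add((msg.sender_ip, msg.target_ip))
        elif msg.op == "reply":
            key = (msg.target_ip, msg.sender_ip)
            if key in self.pending:
                self.pending.discard(key)       # answers a request we saw
            elif msg.sender_ip == msg.target_ip:
                pass                            # gratuitous ARP announcement, normal
            else:
                alerts.append(Alert(index, "unsolicited_reply", msg.sender_ip, mac))
        # Requests and replies both carry the sender's binding: learn and check it
        alerts.extend(self._check_binding(index, msg.sender_ip, mac))
        return alerts

    def _check_binding(self, index: int, ip: str, mac: str) -> List[Alert]:
        alerts: List[Alert] = []
        expected = self.trusted.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(Alert(index, "trusted_mismatch", ip, mac))
        previous = self.cache.get(ip)
        if previous is not None and previous != mac:
            alerts.append(Alert(index, "mapping_changed", ip, mac))
        # One MAC answering for several IPs (router and victim) is the man-in-the-
        # middle footprint; hosts that legitimately own several IPs also trip
        # this, so treat it as an indicator to review rather than proof.
        if any(m == mac and i != ip for i, m in self.cache.items()):
            alerts.append(Alert(index, "mac_claims_multiple_ips", ip, mac))
        self.cache[ip] = mac
        return alerts


def run_monitor(trace: List[ArpMessage], trusted: Dict[str, str]) -> List[Alert]:
    """Replay a trace through a fresh monitor and return every alert raised."""
    monitor = ArpMonitor(trusted=dict(trusted))
    alerts: List[Alert] = []
    for index, msg in enumerate(trace):
        alerts.extend(monitor.observe(index, msg))
    return alerts


# Constructed sample values: 192.0.2.0/24 and 00:00:5e:00:53:xx are
# documentation ranges, not real hosts.
ROUTER_IP, ROUTER_MAC = "192.0.2.1", "00:00:5e:00:53:01"
HOST_A_IP, HOST_A_MAC = "192.0.2.10", "00:00:5e:00:53:0a"
HOST_B_IP, HOST_B_MAC = "192.0.2.20", "00:00:5e:00:53:0b"
ATTACKER_MAC = "00:00:5e:00:53:66"

TRUSTED = {ROUTER_IP: ROUTER_MAC}

SAMPLE_TRACE = [
    # 0: host B announces itself with a gratuitous ARP, which is normal
    ArpMessage("reply", HOST_B_IP, HOST_B_MAC, HOST_B_IP),
    # 1-2: host A asks for the router and the router answers
    ArpMessage("request", HOST_A_IP, HOST_A_MAC, ROUTER_IP),
    ArpMessage("reply", ROUTER_IP, ROUTER_MAC, HOST_A_IP),
    # 3: forged reply telling host A that the router is at the attacker's MAC
    ArpMessage("reply", ROUTER_IP, ATTACKER_MAC, HOST_A_IP),
    # 4: forged reply telling the router that host A is at the attacker's MAC
    ArpMessage("reply", HOST_A_IP, ATTACKER_MAC, ROUTER_IP),
]

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRACE, TRUSTED):
        print(f"msg {alert.index}: {alert.kind} {alert.ip} -> {alert.mac}")
```

The first three messages of the trace produce no alerts, which is the point of remembering outstanding requests: the router's genuine answer is solicited and its binding matches the pinned table. Messages 3 and 4 each raise three alerts, and the last of them, `mac_claims_multiple_ips`, only appears once the same MAC has been seen claiming both the router's and the host's IP, exactly the pair of forged replies the man-in-the-middle description above relies on. The denial-of-service variant from consequence 1 (router IP mapped to a non-existent MAC) is caught by the same `trusted_mismatch` and `mapping_changed` checks.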
