ARP Protocols

(1) Ethernet Address

v      Ethernet Hardware Addresses

Ø      48-bit unique number.

Ø      An address can be unicast, broadcast (all 1s), or multicast address.

v      Ethernet Frame Format

Ø      Link-level connection among machines

Ø      Octet:

t         Why not byte (byte refers to a hardware-dependent character size)

t         Octet refers to an 8-bit quantity on all computers.

Ø      Preamble and CRC: added to the Ethernet frame when the frame is put on the wire. It will be removed by the hardware before the frame is stored into computerts memory. You wontt be able to see them using sniffers.

Ø      Frame Type: For example, 0806 for ARP (on an Ethernet)

Ø      Maximum size: 1500 octets.

v      An example

Ø      Destination is 02 07 01 00 27 ba

Ø      Source is 08 00 2b 0d 44 a7

Ø      Frame type is 08 00 (IP)

ARP Protocols

v      Motivation

Ø      What address can Ethernet interface card recognize?

t         Ethernet address (48-bit address, usually hardcoded in the hardware)

Ø      Computer addresses other computers using IP address, which is created to make Internet routing convenient.

Ø      Once the packet reached a LAN, physical address (such as Ethernet address) must be used. How to find out the Ethernet address? Senders usually have no idea about the physical address of the receivers. They dontt need to know that.

v      ARP Protocol

Ø      Machine A wants to send a packet to B, but A only knows Bts IP address

Ø      Machine A broadcasts ARP request with Bts IP address

Ø      All machines on the local network receive the broadcast

Ø      Machine B replies with its physical address

Ø      Machine A adds Bts address information to its table

Ø      Machine A delivers packet directly to B

v      ARP Encapsulation

Ø      In Ethernet, the Frame Type for ARP is 0806

Ethernet Format

ARP Encapsulation

v      ARP Packet Format

Ø      The format is general enough to allow it to be used with arbitrary physical addresses and arbitrary protocol addresses.

Ø      Hardware Type (2): 1 for Ethernet

Ø      Protocol Type (2): the type of high-level protocol address, e.g. 0800 for IP protocol.

Ø      HLEN (1): length of the hardware address

Ø      PLEN (1): length of the high-level protocol address (e.g. IP)

Ø      Operation (2): ARP request=1, ARP reply=2, RARP request=3, RARP response=4

Ø      SENDER HA(6)

Ø      SENDER IP(4)

Ø      TARGET HA(6)

Ø      TARGET IP(4)

v      ARP Caching

Ø      To reduce communication cost, computers that use ARP maintain a cache of recently acquired IP-to-physical address bindings.

Ø      Each entry has a timer (usual timeout period is 20 minutes)

Ø      The senderts IP-to-address binding is included in every ARP broadcast; receivers update the IP-to-physical address binding information in their cache before processing an ARP packet.

Ø      ARP is stateless, and most of operating systems update their cache when receiving an ARP reply, regardless of whether they have actually sent out a request or not.

Ø      Gratuitous message (src IP = dest IP, operation code = 2:reply)

t         The same IP address is used for both source IP and dest IP. This is used during the initialization of IP stack to find out whether the IP address is used by other host. Whoever has the same IP replies (this message is a broadcast). Otherwise, every host updates its cache.

ARP Cache Poisoning

v      Question: Given how ARP cache works, how do you attack?

Ø      First, how do you modify a target machinets ARP cache?

Ø      Second, if you can achieve ARP cache poisoning, how can you use this technique to compromise the security of your victim? 

v      ARP Cache Poisoning

Ø      By sending forged ARP replies, a target system could be convinced to send frames destined for a computer to another computer.

Ø      There are various ways to conduct cache poisoning: ARP twho ist broadcast , ARP reply, gratuitous ARP message, etc.

Ø      According to the tests on Windows 9x, NT, 2000, XP, Solaris 8, Linux kernel 2.2 and 2.4, Cisco IOS 12, Nokia IPSO 3.5 operating systems, there were always at least one kind of ARP message to poison the cache.

Ø      Moreover, on Windows systems (9x/NT/2K), static ARP entry can always be overwritten using a fake ARP message.

v      Man-in-the-middle attack

Ø      Some servers use IP addresses for authentication. This is the case for many application like Apache ACL, r-commands, NFS, TCP Wrapper, restricted administration tools, etc t

Ø      Goal: the server trusts Tts IP address; evil host E wants to connect to the server.

Ø      How: let the server believe the evil host (E) has the legitimate IP.

t         Setting: evil host E, trusted host T, and server S.

t         E: ARP cache poisoning

t         E: Forward existing server-to-T traffic

t         E: use T's IP to communicate with S.

Ø      Problem: T might broadcast new ARPs, which can correct S's ARP cache. S then sends TCP replies to T, who will send back TCP reset to S (because such TCP connection does not exist between S and T). This will end the evil host's connection with S.

Ø      How to prevent this from happening? ---> Discussion

t         Shutdown T (denial of service)

t         Flood S with forged ARP message

t         Prevent T from sending ARP broadcast: how? give T everything before it needs them.

v      Other attacks: any IP-based authentication

Ø      Bypassing Firewalls: many firewalls only allow outgoing traffic from a few identified computers. The evil host (E) can bypass this rule using cache poisoning.

v      How to protect against ARP cache poisoning attacks?

Ø      Use intrusion detection tools: detect fake ARP messages and maintain consistency of the ARP table. Available on many UNIX platforms, arpwatch maintains a database of Ethernet MAC addresses seen on the network, with their associated IP pairs. Alerts the system administrator via e-mail if any change happens.

Ø      Use strong authentication rather than source IP address. VPN protocols like SSH, SSL or IPSec can greatly improve security by achieving authentication, integrity and confidentiality.