1 ARP Protocol (cont.)
ARP Request & Reply Operation – steps involved:
1) The sender knows the IP address of the target.
2) IP asks ARP to create an ARP request message, filling in the sender physical and IP address and the target IP address. The target physical address is set to all 0-s!
3) The message is passed to the data link layer, where it is encapsulated in a frame using the physical address of the sender as the source address and the physical broadcast address as the destination address.
4) Every host and router receives the frame. As the frame contains a broadcast destination address, all stations remove the message and pass it to their ARP. All machines except the one targeted drop the packet.
5) The target machine replies with an ARP reply message that contains its physical address.
6) The sender receives the reply message. It knows the physical address of the target machine and is able to send the original IP datagram …
[Figure: Ethernet frame carrying ARP] Preamble and SFD (8 bytes) | Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data | CRC (4 bytes)
Type: 0x0806
2 ARP Protocol (cont.)
Example [ ARP operation ]
A host with IP address 130.23.43.20 and MAC address B2:34:55:10:22:10 has a packet for another host with IP address 130.23.43.25 (and MAC address A4:6E:F4:59:83:AB, which is unknown to the first host). The two hosts are on the same Ethernet network. Show the ARP request and reply packets encapsulated in Ethernet frames.
[Figure: ARP request and reply between the two hosts]
FF:FF:FF:FF:FF:FF – 48 1-s, the Ethernet broadcast address
Host 1 – IP: 130.23.43.20, MAC: B2:34:55:10:22:10. Knows only the target’s IP address: 130.23.43.25.
Host 2 – IP: 130.23.43.25, MAC: A4:6E:F4:59:83:AB
Target MAC field of the request: ??? – the place where the requested MAC address can be found!
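As an added walk-through of the request/reply steps and of this example (example code written for this page, not taken from the slides), the following Python builds the two frames: the ARP request with an all-zero target MAC inside an Ethernet frame addressed to FF:FF:FF:FF:FF:FF, and the unicast reply, and then decodes them back into their fields. Field sizes follow RFC 826 and the frame layout shown on the previous slide; the function and constant names are my own.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def arp_packet(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    # Header: hardware type 1 (Ethernet), protocol 0x0800 (IPv4), hlen 6, plen 4, op (1 request / 2 reply)
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (header + mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + IPv4Address(target_ip).packed)

def ethernet_frame(dst_mac, src_mac, payload) -> bytes:
    # Preamble/SFD, padding to 46 data bytes and the CRC are added by the NIC; only dst, src, type, data here
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + payload

def arp_request_frame(sender_mac, sender_ip, target_ip) -> bytes:
    # Target MAC is unknown: the ARP field is all zeros and the frame goes to the broadcast address
    pkt = arp_packet(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)
    return ethernet_frame(BROADCAST_MAC, sender_mac, pkt)

def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    # The target learned the requester's MAC from the request, so the reply is unicast back to it
    pkt = arp_packet(ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)
    return ethernet_frame(target_mac, sender_mac, pkt)

def parse_arp_frame(frame: bytes) -> dict:
    # Decode an Ethernet frame carrying ARP into named fields (MACs as lowercase strings)
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: type 0x{etype:04x}")
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    body = frame[22:]
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(body[0:hlen]),
            "sender_ip": str(IPv4Address(body[hlen:hlen + plen])),
            "target_mac": mac_str(body[hlen + plen:2 * hlen + plen]),
            "target_ip": str(IPv4Address(body[2 * hlen + plen:2 * hlen + 2 * plen]))}

# The two hosts of the slide's example; each frame is 14 + 28 = 42 bytes before NIC padding
HOST_A_MAC, HOST_A_IP = "B2:34:55:10:22:10", "130.23.43.20"
HOST_B_MAC, HOST_B_IP = "A4:6E:F4:59:83:AB", "130.23.43.25"
REQUEST = arp_request_frame(HOST_A_MAC, HOST_A_IP, HOST_B_IP)   # broadcast, target MAC 00:..:00
REPLY = arp_reply_frame(HOST_B_MAC, HOST_B_IP, HOST_A_MAC, HOST_A_IP)  # unicast to B2:34:55:10:22:10
```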
3 ARP Protocol (cont.)
Example [ ARP operation ]
If the source needs to send an IP datagram to the destination now, it makes sense that the destination will probably need to send a response to the source at some point soon. (After all, most communication on a network is bidirectional.) As an optimization, then, the destination device will add an entry to its own ARP cache containing the hardware and IP addresses of the source that sent the ARP Request. This saves the destination from needing to do an unnecessary resolution cycle later on.
http://www.tcpipguide.com/free/t_ARPAddressSpecificationandGeneralOperation-2.htm
4 ARP Protocol (cont.)
ARP Animations:
http://cyberdig.blogspot.ca/2012/05/understand-arp-through-animation.html
5 ARP Protocol (cont.)
https://www.practicalnetworking.net/series/arp/traditional-arp/
6 ARP Protocol (cont.)
Gratuitous ARP – an ARP Response that was not prompted by an ARP Request
• Gratuitous ARP is sent as a broadcast message and is a way for a node to announce or update its IP to MAC mapping to the entire network
Example: two Routers share the IP address 10.0.0.1. The hosts use this shared IP address as their default gateway. When one of the routers experiences a failure, the other router sends a Gratuitous ARP.
https://www.practicalnetworking.net/series/arp/gratuitous-arp/
7 ARP Protocol (cont.)
Gratuitous ARP (cont.) – how to recognize if an ARP packet is ‘gratuitous’
• operation code: 2 (reply)
• source IP = destination IP
• target MAC = ff:ff:ff:ff:ff:ff
8 ARP Protocol (cont.)
https://www.geeksforgeeks.org/computer-network-arp-reverse-arprarp-inverse-arpinarp-proxy-arp-gratuitous-arp/
9 ARP Vulnerabilities
Vulnerabilities of ARP
1) since ARP does not authenticate requests or replies, ARP Requests & Replies can be forged
2) ARP is stateless – ARP Replies can be sent without a corresponding ARP Request
3) according to the ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields
ARP Attacks
1) ARP-based Flooding / DDoS → attacker floods victim with unsolicited and/or forged ARP packets (requests or replies) with various sender IP addresses ⇒ consumes system resources + causes an overflow of ARP tables (size of ARP tables is generally restricted)
2) ARP Spoofing / ARP Poisoning → attacker sends bogus ARP packets to target devices causing these devices to modify their ARP entries – as a result: a) devices cannot communicate with one another and/or b) devices send their data to the attacker
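An added defender-side example (written for this page, not from the slides) that covers both the gratuitous-ARP recognition rule given earlier and the two attack classes listed above: a passive, arpwatch-style monitor that learns IP-to-MAC bindings from the sender fields of observed ARP packets and raises an alert on a gratuitous reply, on an IP whose MAC changes, and on a burst of distinct sender IPs from a single MAC. The gateway and host MACs (A0:A0:A0:A0:A0:A0, 11:11:11:11:11:11) and the gateway IP 10.0.0.1 come from the slides; the attacker MAC de:ad:be:ef:00:01, the capture timestamps and the thresholds are constructed for the demo.

```python
from collections import defaultdict, namedtuple

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
# One ARP packet as seen on the wire: capture time, opcode (1 request / 2 reply) and the four ARP fields
ArpObs = namedtuple("ArpObs", "t op sender_mac sender_ip target_mac target_ip")

def is_gratuitous(o: ArpObs) -> bool:
    # The slide's three-part test: opcode reply, sender IP == target IP, target MAC broadcast
    return o.op == 2 and o.sender_ip == o.target_ip and o.target_mac.lower() == BROADCAST_MAC

class ArpMonitor:
    # Passive arpwatch-style observer: remembers IP->MAC bindings from sender fields and raises alerts
    def __init__(self, flood_window=1.0, flood_threshold=20):
        self.bindings = {}                 # IP -> MAC, what a cache that follows the spec would hold
        self.history = defaultdict(list)   # source MAC -> [(time, sender IP)] for flood scoring
        self.flood_window, self.flood_threshold = flood_window, flood_threshold
        self.alerts = []

    def observe(self, o: ArpObs) -> None:
        ip, mac = o.sender_ip, o.sender_mac.lower()
        if is_gratuitous(o):
            self.alerts.append(("gratuitous", ip, mac))
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            # An IP now claimed by a different MAC: the symptom of poisoning (or of a genuine failover)
            self.alerts.append(("binding_change", ip, f"{old}->{mac}"))
        self.bindings[ip] = mac
        hist = self.history[mac]
        hist.append((o.t, ip))
        recent = {sip for ts, sip in hist if o.t - ts <= self.flood_window}
        if len(recent) >= self.flood_threshold:
            # Many distinct sender IPs from one MAC in a short window: ARP table flooding
            self.alerts.append(("flood", mac, len(recent)))
            hist.clear()

# Constructed capture: the gateway and host MACs from the slides plus a hypothetical attacker MAC
GATEWAY, HOST_B, ATTACKER = "a0:a0:a0:a0:a0:a0", "11:11:11:11:11:11", "de:ad:be:ef:00:01"

def demo_alerts(threshold: int = 5) -> list:
    mon = ArpMonitor(flood_threshold=threshold)
    obs = [ArpObs(0.0, 2, GATEWAY, "10.0.0.1", HOST_B, "10.0.0.5"),          # genuine reply from the gateway
           ArpObs(1.0, 2, ATTACKER, "10.0.0.1", HOST_B, "10.0.0.5"),         # forged reply: gateway spoofing
           ArpObs(2.0, 2, ATTACKER, "10.0.0.1", BROADCAST_MAC, "10.0.0.1")]  # gratuitous form, hits the whole LAN
    obs += [ArpObs(5.0 + i / 10, 1, ATTACKER, f"10.0.0.{100 + i}", "00:00:00:00:00:00", "10.0.0.5")
            for i in range(threshold)]                                        # flood with varying sender IPs
    for o in obs:
        mon.observe(o)
    return mon.alerts
```

A genuine router failover announced by gratuitous ARP produces exactly the same binding_change alert, so the monitor can only flag a change for an operator or a DHCP/inventory cross-check, not decide on its own.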
10 ARP Vulnerabilities (cont.)
Defense Against ARP Flood Attacks
https://support.huawei.com/enterprise/en/doc/EDOC1100041419?section=j07g&topicName=overview-of-arp-security
11 ARP Vulnerabilities (cont.)
ARP Spoofing – attack in which a malicious actor sends falsified ARP messages over a LAN – allows the malicious actor to intercept or stop data in-transit …
• can only occur on LANs that utilize ARP protocol
• 3 main flavours: Gateway Spoofing & User Spoofing & User-User Spoofing
[Figure: LAN with stations MAC 11:11:11:11:11:11 and MAC A0:A0:A0:A0:A0:A0; annotation: combination of gateway and user spoofing]
12 ARP Vulnerabilities (cont.)
Example [ Gateway ARP Spoofing ]
ARP packet sent from the attacker (A) deceives Host B into adding a false IP-to-MAC binding of the gateway. After that, normal communication between Host B and the gateway is interrupted. If an ARP packet with the forged gateway MAC address is broadcast to the LAN, all communication within the LAN may fail!!!
Could be a gratuitous message to poison the entire network at once!!!
13 ARP Vulnerabilities (cont.)
Example [ User ARP Spoofing ]
ARP packet sent from the attacker (A) deceives the gateway into adding a false IP-to-MAC address binding of Host B. After that, normal communications between the gateway and Host B are interrupted.
14 ARP Vulnerabilities (cont.)
Example [ User-User ARP Spoofing ]
ARP packet sent from the attacker (A) deceives Host C into adding a false IP-to-MAC address mapping of Host B. After that, normal communications between Host C and Host B are interrupted.
15 ARP Vulnerabilities (cont.)
Defense Against ARP Spoofing – Basic Techniques
https://support.huawei.com/enterprise/en/doc/EDOC1100041419?section=j07g&topicName=overview-of-arp-security
16 ARP Vulnerabilities (cont.)
Defense Against ARP Spoofing – Advanced Solutions
https://www.ionos.com/digitalguide/server/security/arp-spoofing-attacks-from-the-internal-network/
17 ARP Attacks in 2018
Optional Reading:
https://www.ptsecurity.com/ww-en/analytics/banks-attacks-2018/
18 ARP Attacks in 2018 (cont.)
Optional Reading:
https://www.tomsguide.com/us/circle-disney-shmoocon-wyatt,news-26489.html