ARP Poisoning

From Hakipedia
Figure: An intruder performing an ARP poisoning (man-in-the-middle) attack, causing data sent from 172.16.1.4 to the gateway to be routed through the intruder's system.

ARP Poisoning, also known as ARP Poison Routing, is a local network attack that exploits the unauthenticated mapping of Layer 3 (IP) addresses to Layer 2 (MAC) addresses performed by ARP.

Severity

High.

Exploit Likeliness

High.

Description

ARP (Address Resolution Protocol) operates by broadcasting a request across the local network segment to determine the Layer 2 address (MAC address) of the host that holds a given Layer 3 address (IP address). The host that owns the destination IP address sends a reply containing its MAC address. Once this exchange is complete, the originating device caches the answer in its ARP table and uses the learned MAC address in the Layer 2 header of every packet it subsequently sends to that IP address. Nothing in the protocol authenticates the reply: any host on the segment can answer, and most implementations also accept replies they never asked for.

An ARP Spoofing attack is the sending of unsolicited ARP replies. These replies contain the IP address of a network resource, such as the default gateway or a DNS server, but pair it with the attacker's own MAC address instead of the resource's real one. Network devices, by design, overwrite the existing ARP cache entry for that IP address with the new, counterfeit mapping. The attacker then takes the role of man in the middle: any traffic destined for the legitimate resource is delivered to the attacking system, which can inspect or modify it and forward it on to the real destination. Because the attack occurs at the lower layers of the OSI model, nothing changes from the end-user's point of view and they remain oblivious to it.

ARP Poisoning is also capable of producing a Denial of Service (DoS). Instead of posing as the gateway and forwarding traffic as a man in the middle, the attacking system can simply drop the packets it receives, cutting the clients off from the attacked network resource. Either way, the spoofing of ARP messages is the underlying principle of ARP Poisoning.
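The following is an added example, not code from the Hakipedia article or from any tool it mentions. It builds raw ARP frames in the RFC 826 wire format, replays a legitimate request/reply exchange followed by one unsolicited reply from an attacker, and shows two things side by side: a naive ARP cache that overwrites the gateway entry exactly as the text describes, and an arpwatch/DAI-style monitor that flags the unsolicited reply, the changed IP-to-MAC binding, and (if present) a mismatch between the Ethernet source and the ARP sender MAC. All addresses (172.16.1.1, 172.16.1.4 and the 00:11:22:33:44:xx MACs) are constructed for the demonstration; nothing is sent on a real network.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed addresses for the demonstration (not from the article).
VICTIM_IP, VICTIM_MAC = "172.16.1.4", "00:11:22:33:44:04"
GW_IP, GW_MAC = "172.16.1.1", "00:11:22:33:44:01"
ATTACKER_MAC = "00:11:22:33:44:66"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(o) for o in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826).
    Requests are broadcast; replies are unicast to the target MAC."""
    dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(frame[6:12]), "op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


class NaiveCache:
    """Models the behaviour the article describes: any reply addressed to us overwrites the entry."""
    def __init__(self, my_ip):
        self.my_ip, self.table = my_ip, {}

    def observe(self, frame):
        p = parse_arp(frame)
        if p and p["op"] == ARP_REPLY and p["target_ip"] == self.my_ip:
            self.table[p["sender_ip"]] = p["sender_mac"]


class ArpMonitor:
    """Passive arpwatch/DAI-style checks. known_bindings (ip -> mac) plays the role of the
    DHCP snooping binding table; without it the monitor trusts the first mapping it sees."""
    def __init__(self, known_bindings=None):
        self.bindings = dict(known_bindings or {})
        self.pending = set()   # (answerer_ip, asker_ip) for requests not yet answered

    def observe(self, frame):
        p = parse_arp(frame)
        if p is None:
            return []
        alerts = []
        if p["eth_src"] != p["sender_mac"]:   # what DAI 'validate src-mac' checks
            alerts.append(f"src-mac mismatch for {p['sender_ip']}: {p['eth_src']} vs {p['sender_mac']}")
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["target_ip"], p["sender_ip"]))
        elif p["op"] == ARP_REPLY:
            key = (p["sender_ip"], p["target_ip"])
            if key in self.pending:
                self.pending.discard(key)
            else:
                alerts.append(f"unsolicited reply: {p['sender_ip']} is-at {p['sender_mac']} to {p['target_ip']}")
        known = self.bindings.setdefault(p["sender_ip"], p["sender_mac"])
        if known != p["sender_mac"]:
            alerts.append(f"binding change: {p['sender_ip']} was {known}, now {p['sender_mac']}")
        return alerts


def simulate():
    """Legitimate exchange, then one spoofed reply. Returns (victim ARP table, monitor alerts)."""
    traffic = [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),  # who-has 172.16.1.1?
        build_arp(ARP_REPLY, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),                  # gateway: is-at GW_MAC
        build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),            # attacker: gateway is-at me
    ]
    victim, monitor, alerts = NaiveCache(VICTIM_IP), ArpMonitor(), []
    for frame in traffic:
        victim.observe(frame)
        alerts += monitor.observe(frame)
    return victim.table, alerts


if __name__ == "__main__":
    table, alerts = simulate()
    print("victim now sends gateway traffic to", table[GW_IP])
    for a in alerts:
        print("ALERT:", a)
```

Note that the attacker's frame is well formed: the Ethernet source and ARP sender MAC agree, so only the unsolicited-reply and binding-change checks catch it. A real tool must also cope with legitimate binding changes (DHCP lease moves, NIC replacement), which is why production deployments prefer an authoritative source such as the DHCP snooping table over first-seen learning.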

Attack Vector

Ettercap passively sniffing packets in a network environment.

Ettercap is a suite for man in the middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis. In its ARP poisoning mode it sends spoofed replies to both the victim and the gateway at regular intervals, so traffic in both directions passes through the attacker, and it forwards the packets onward so that the victim's connections keep working while they are being intercepted.

Mitigation

Mitigation of ARP Poisoning on Cisco IOS switches is performed with DAI (Dynamic ARP Inspection). DAI intercepts ARP packets arriving on untrusted ports and drops any whose sender IP/MAC pair does not match the DHCP Snooping binding table, so DHCP Snooping must be enabled first. Hosts with static addresses have no snooping binding and need an ARP access list, or must be connected to a trusted port, otherwise their ARP traffic is dropped. Independent of the switch, static ARP entries for critical hosts such as the default gateway, and passive monitoring with a tool like arpwatch that alerts when an IP-to-MAC binding changes, also limit the attack.

Enable DHCP snooping

switch(config)# ip dhcp snooping
!Enable DHCP Snooping globally!
switch(config)# ip dhcp snooping vlan vlan_id {, vlan_id}
!Enable DHCP Snooping for specific VLANs!
switch(config)# interface <port facing the DHCP server or upstream switch>
switch(config-if)# ip dhcp snooping trust
!Only ports facing the DHCP server or upstream switches are trusted; access ports stay untrusted so rogue DHCP offers are dropped!
switch(config-if)# ip dhcp snooping limit rate rate
!Set the DHCP packets-per-second rate limit for an untrusted port!

Enable DAI

switch(config)# ip arp inspection vlan <Vlan ID>
!Enable DAI for the VLAN; ARP on untrusted ports is now checked against the snooping bindings!
switch(config)# interface <uplink port>
switch(config-if)# ip arp inspection trust
!Trust uplinks to other switches, otherwise ARP arriving from them is dropped!
switch(config)# ip arp inspection validate src-mac dst-mac ip
!Optional: additionally drop ARP packets whose Ethernet addresses disagree with the ARP body!