ARP Spoofing Attacks
Dr. Neminath Hubballi
IIT Indore © Neminath Hubballi

What is ARP?
Address Resolution Protocol maps IP address to MAC address.
Purpose of ARP: 32-bit Internet address to 48-bit Ethernet address.
ARP cache: IP-MAC bindings.
[Table: ARP cache with columns IP, MAC, TYPE; one entry of type dynamic.]

How ARP Works?
ARP Request is broadcast to all the hosts in the LAN.
[Figure: hosts 00:00:00:00:00:01, 00:00:00:00:00:02 and 00:00:00:00:00:03 on a LAN; the ARP Request asks who has a given IP and tells that host to report its MAC address.]

How ARP Works?
Unicast reply from the concerned host.
[Figure: the host that has the requested IP sends an ARP Reply giving its MAC, 00:00:00:00:00:02.]

ARP Cache Stores IP-MAC Pairs
[Figure: after the ARP Reply, the ARP cache (columns IP, MAC, TYPE) is updated with a dynamic entry for MAC 00:00:00:00:00:02.]

Why is ARP Vulnerable?
ARP is a stateless protocol.
Hosts cache all ARP replies sent to them even if they had not sent an explicit ARP request for it.
No mechanism to authenticate their peer.

Known Attacks Against ARP
ARP Spoofing
Man-in-the-Middle Attack
Denial-of-Service Attack
MAC Flooding (on Switch)
DoS by spurious ARP packets

ARP Spoofing Attack
Attacker sends forged ARP packets to the victim.
[Figure: Attacker, Target and Victim hosts; a forged ARP Reply announcing MAC 00:00:00:00:00:02 for an IP results in a dynamic ARP cache entry (columns IP, MAC, TYPE) with that MAC.]

Spoofing Results in Redirection of Traffic
[Figure: packets addressed to the spoofed IP are redirected.]

Man-in-the-Middle Attack Allows Third Party to Read Private Data
[Figure: ARP Replies from the attacker leave the ARP caches of two hosts each holding a dynamic entry with MAC 00:00:00:00:00:01.]

Man-in-the-Middle Attack
[Figure: with both ARP caches holding dynamic entries for MAC 00:00:00:00:00:01, packets sent between the two hosts pass through the attacker.]

Denial of Service Stops Legitimate Communication
A malicious entry with a non-existent MAC address can lead to a DoS attack.
[Figure: the attacker sends the victim an ARP Reply announcing MAC XX:XX:XX:XX:XX:XX for the target's IP; the victim's ARP cache stores it as a dynamic entry.]

Denial of Service Stops Legitimate Communication
Victim unable to reach the IP for which the forged packet was sent by the attacker.
[Figure: the victim's ARP cache holds the dynamic entry with MAC XX:XX:XX:XX:XX:XX; its PING fails with "Request timed out."]

MAC Flooding Degrades Network Performance
Attacker bombards the switch with numerous forged ARP packets at an extremely rapid rate such that its CAM table overflows.

PORT    MAC
1       00:00:01:01:01:01
2       00:00:02:02:02:02
…       …

DoS by Spurious ARP Packets
Attacker sends numerous spurious ARP packets at the victim such that it gets engaged in processing these packets.
Makes the victim busy and might lead to Denial of Service.
[Figure: attacker sends spurious ARP packets; victim is busy processing them.]

Detection and Mitigation Techniques
Static ARP cache entries: fixed IP-MAC pairs.
ARPWATCH / COLASOFT CAPSA / ARP-Guard: maintains a database with IP-MAC mappings, and any change detected is reported to the administrator.
Count the imbalance in the number of requests and responses (evaded).
Cryptographic techniques:
Secure ARP: uses cryptographic algorithms to authenticate.
TARP: ticket-based.
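
The two checks that follow from the slides above (replies cached without a matching request, and an IP-MAC database that reports changes) can be combined in a small passive monitor. This is an added example, not part of the original slides or of ARPWATCH; `ArpMonitor`, the helper names and the 192.0.2.x addresses are assumptions constructed for illustration, and the MAC addresses reuse those shown in the slide diagrams.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 fields for Ethernet/IPv4, 28 bytes

def build_arp(op, smac, sip, tmac, tip):
    """Build an ARP payload (used here only to construct sample traffic)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw(smac),
                       socket.inet_aton(sip), raw(tmac), socket.inet_aton(tip))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip); ValueError if malformed."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # IP -> first MAC seen for it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        """Process one ARP payload; return a list of alert strings."""
        op, smac, sip, tip = parse_arp(payload)
        alerts = []
        if op == 1:                                    # request: remember it
            self.pending.add((sip, tip))
        elif op == 2 and (tip, sip) in self.pending:   # solicited reply
            self.pending.discard((tip, sip))
        elif op == 2:                                  # reply nobody asked for
            alerts.append(f"unsolicited reply: {sip} is-at {smac}")
        known = self.bindings.setdefault(sip, smac)
        if known != smac:                  # keep first binding, report the change
            alerts.append(f"binding change: {sip} {known} -> {smac}")
        return alerts

def demo():
    """Constructed sample traffic (assumed addresses): normal exchange, then a forged reply."""
    m1, m2, m3, unset = (f"00:00:00:00:00:0{i}" for i in (1, 2, 3, 0))
    mon = ArpMonitor()
    return [mon.observe(p) for p in (
        build_arp(1, m1, "192.0.2.1", unset, "192.0.2.2"),  # .1 asks for .2
        build_arp(2, m2, "192.0.2.2", m1, "192.0.2.1"),     # .2 answers
        build_arp(2, m3, "192.0.2.2", m1, "192.0.2.1"),     # forged reply for .2
    )]
```

Calling `demo()` returns one alert list per packet; only the third packet raises alerts. Pending requests never expire here and gratuitous ARP announcements would be flagged as unsolicited, so a deployed monitor needs a timeout and an allow-list for legitimate changes.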