ARP-Spoofing

ARP spoofing (from the English "to spoof": to fool, to hoax) or ARP request poisoning refers to the sending of forged ARP packets. It is used to alter the ARP tables in a network so that the traffic between two (or more) systems can then be monitored or manipulated. It is one way of carrying out a man-in-the-middle attack on the local network.

The goal of such an attack may be, for example, to eavesdrop on telephone calls made over IP telephony.

Despite its notoriety and age, popular operating systems offer no protection against ARP spoofing; as a rule, this has to be retrofitted.

Operation

To eavesdrop on the traffic between host A and host B, the attacker sends host A a manipulated ARP message for the assignment of a particular IP address. This message contains the attacker's own MAC address instead of that of host B, so that host A from then on sends packets actually destined for host B to the attacker. The same is done with host B, so that it too now unknowingly sends its packets to the attacker instead of directly to A. The attacker must then forward the packets received from A and B to their intended recipients so that a connection that can be eavesdropped on is established. Once this is done, the attacker acts unnoticed as a proxy; this is called a man-in-the-middle attack. The attacker can of course also discard the network traffic in order to make communication between specific hosts impossible.

While pure interception of network traffic with a sniffer works only in unswitched networks, this attack also succeeds in switched networks. Software that implements this proxy function is available free of charge on the internet for all major operating systems and is relatively easy to use (see Ettercap, Wireshark).

Consequences

An attacker thus has almost a free hand to read and manipulate unprotected connections, such as those used when sending e-mail or viewing web pages. Encrypted and authenticated connections are generally considered safe; they often use strong cryptographic algorithms and digital certificates to authenticate the peer.

If an attacker hooks into an HTTPS connection, for example in order to manipulate online banking, the user is alerted by a warning message from the browser about an invalid certificate. In practical scenarios, however, an attacker can prevent users from establishing TLS connections at all by replacing the requested HTTPS connections with HTTP connections. This makes it possible to intercept data that would otherwise have been sent encrypted.

SSH connections can be classified as safe (SSH version 1 cannot) when a changed fingerprint leads to termination of the connection. Often, after being notified of the changed fingerprint, the user is prompted to decide whether to continue the connection.

Detecting ARP spoofing

Detecting or preventing ARP spoofing is not easy. There are several possibilities. One of them is to dispense with ARP altogether and work with static tables that map IP addresses to hardware addresses. This option is not very efficient because the tables have to be updated constantly. It is best to address the basic problem: every ARP reply, whether requested or not, whether plausible or not, is accepted by almost all operating systems. Here it can help to leave the processing of ARP replies to programs with greater intelligence. These monitor who sends the replies, when, and what information the replies contain. Obviously forged ARP packets can thus be identified and discarded. By connecting to an intrusion detection system, a warning can be issued to the system administrator.

ARP spoofing is most clearly visible when one looks at the ARP tables. In the following example, the computer with the MAC address c5:cb:df:56:b5:f2 carries out an ARP spoofing attack in which it tells all hosts on the network that it has every other IP address: it gives its own MAC address for every IP (so that it receives the network traffic of all hosts). It forwards the traffic transparently, however, so the attack is practically unnoticeable for all other hosts (although of course any traffic could be discarded, which would create a complete blockage of all traffic). Shown is the ARP table of a victim computer in the network. It is not clear who the attacker is; to find out, the administrator would have to check all MAC addresses. This could in turn be thwarted by MAC spoofing.

Address      HWType  HWAddress           Flags Mask  Iface
192.168.1.6  ether   c5:cb:df:56:b5:f2   C           eth0
192.168.1.8  ether   c5:cb:df:56:b5:f2   C           eth0   <- the attacker!
192.168.1.1  ether   c5:cb:df:56:b5:f2   C           eth0
192.168.1.9  ether   c5:cb:df:56:b5:f2   C           eth0

In the following example the attacker is more modest: it captures only the traffic to and from the Internet (192.168.1.1 is the gateway).

Address      HWType  HWAddress           Flags Mask  Iface
192.168.1.6  ether   12:15:af:43:90:de   C           eth0
192.168.1.8  ether   c5:cb:df:56:b5:f2   C           eth0   <- the attacker!
192.168.1.1  ether   c5:cb:df:56:b5:f2   C           eth0   <- actually a router, but replaced by the attacker's forged MAC address
192.168.1.9  ether   a8:7b:39:dc:78:a3   C           eth0

192.168.1.1 is the gateway of the network; the attacker (.8) thus also reads the traffic to the Internet.

On the same victim host, a traceroute to a neighboring computer would look like this:

traceroute to 192.168.1.9 (192.168.1.9), 30 hops max, 60 byte packets
 1  192.168.1.8 (192.168.1.8)  2.629 ms  2.615 ms  2.604 ms      <- the attacker forwards all packets!
 2  192.168.1.9 (192.168.1.9)  77.776 ms  78.261 ms  79.246 ms   <- the target computer

Without ARP spoofing, the output should look like this:

traceroute to 192.168.1.9 (192.168.1.9), 30 hops max, 60 byte packets
 1  192.168.1.9 (192.168.1.9)  134.356 ms  134.824 ms  135.314 ms

At the beginning of the attack, the attacker's packet traffic looks like this (captured with tcpdump):

13:17:27.376957 ARP, Reply 192.168.1.9 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.387128 ARP, Reply 192.168.1.8 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.387432 ARP, Reply 192.168.1.7 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.388654 ARP, Reply 192.168.1.6 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.388995 ARP, Reply 192.168.1.5 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28

The traceroute method is of course useless if the attacker does not forward the traffic but discards (drops) it, so that all network traffic is blocked. Looking at the ARP table is usually helpful, since several IP addresses are not supposed to share one MAC address.
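As an added example (not part of the original article), the two detection checks described above, the shared-MAC check on the ARP table and the monitoring of ARP replies against a trusted IP-to-MAC baseline, implemented in Python over input constructed from the second ARP table and the tcpdump capture shown above; the baseline mapping is an assumption of the example.

```python
import re
from collections import defaultdict

# Sample ARP table, constructed from the second example table above (output of "arp -n")
ARP_TABLE = """\
Address      HWType  HWAddress           Flags Mask  Iface
192.168.1.6  ether   12:15:af:43:90:de   C           eth0
192.168.1.8  ether   c5:cb:df:56:b5:f2   C           eth0
192.168.1.1  ether   c5:cb:df:56:b5:f2   C           eth0
192.168.1.9  ether   a8:7b:39:dc:78:a3   C           eth0
"""
# Sample tcpdump output, constructed after the capture shown above
TCPDUMP_LINES = """\
13:17:27.376957 ARP, Reply 192.168.1.9 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.387128 ARP, Reply 192.168.1.8 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.388654 ARP, Reply 192.168.1.6 is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
"""
ARP_ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+([0-9a-f:]{17})\b", re.I)
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I)

def shared_macs(arp_table: str) -> dict:
    """Return {mac: [ip, ...]} for every MAC address that the table lists for more than one IP."""
    by_mac = defaultdict(list)
    for line in arp_table.splitlines():
        m = ARP_ROW.match(line)
        if m:
            by_mac[m.group(2).lower()].append(m.group(1))
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def changed_bindings(known: dict, tcpdump_output: str) -> list:
    """Check each ARP reply against a trusted IP->MAC baseline and return
    (ip, old_mac, new_mac) for every reply that would rebind an IP to another MAC."""
    alerts = []
    for line in tcpdump_output.splitlines():
        m = ARP_REPLY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        old = known.get(ip)
        if old is not None and old != mac:
            alerts.append((ip, old, mac))
    return alerts

# Assumed trusted baseline: the bindings of the two untouched hosts in the table above
BASELINE = {"192.168.1.6": "12:15:af:43:90:de", "192.168.1.9": "a8:7b:39:dc:78:a3"}

if __name__ == "__main__":
    print("MAC address claimed by several IPs:", shared_macs(ARP_TABLE))
    print("ARP replies that rebind a known IP:", changed_bindings(BASELINE, TCPDUMP_LINES))
```

In practice the baseline would be recorded while the network is known to be clean, and either alert would be passed to the intrusion detection system mentioned above.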

Legitimate application

In Linux-based high-availability clusters, targeted manipulation of ARP packets is used to avoid losing data packets if the primary server fails and to redirect them immediately to the new "contact" in the cluster. The secondary server must then take over the shared IP address of the cluster.
