1. Introduction
This article introduces the OSI model of internet communication
and describes ARP spoofing, which is used to attack hosts in a Local Area Network
(LAN). Passive and active sniffing are described. Finally, the mitigation of
ARP spoofing is briefly discussed.
2. The OSI model
This model describes the structure of internet communication.
The idea was to prepare a reference model in order to allow different
manufacturers to create networking solutions that can cooperate with each
other. The OSI model consists of seven layers:
Layer 7: Application
Layer 6: Presentation
Layer 5: Session
Layer 4: Transport
Layer 3: Network
Layer 2: Data link
Layer 1: Physical
I’ll discuss how data goes from the sender to the receiver. From
the sender’s perspective, the data goes from layer 7 to layer 1. From the
receiver’s perspective, the data goes from layer 1 to layer 7.
I’ll explain what happens when data goes from layer 7 to layer
1. At each stage (from layer 7 to layer 6, from layer 6 to layer 5, and so on)
the data of the upper layer is included in the data of the lower layer
(encapsulation). On the receiver’s side, the reverse process occurs and is
called decapsulation. That’s how the different OSI layers interact. In reality,
it’s more complicated – for example, the data of the application layer might be
segmented at the transport layer (before it is passed to the network layer), and
fragmented at the network layer (before it is passed to the data link layer).
Finally, let’s see the classification of network devices with
reference to the layers of OSI model:
Layer 1 devices: repeater, hub
Layer 2 devices: bridge, switch
Layer 3 device: router
ARP spoofing is related to the ARP protocol (described in the
next section of the article), which is used to bind IP and MAC addresses (from
the network and data link layers of the OSI model; Ethernet is commonly used at
data link layer.)
3. ARP protocol
Let’s assume that two computers, COMP1 and COMP2, are in the
same LAN and want to communicate. COMP1 knows the IP address of COMP2 (denoted
by COMP2_IP in the article), but what is actually needed in order to send the
message to COMP2 is the MAC address of COMP2 (denoted by COMP2_MAC). Here, the
ARP protocol is used. COMP1 sends an ARP request to everyone in the LAN
(broadcasting). That request can be understood as something like this: “Hi,
COMP2_IP, would you tell me your MAC address (COMP2_MAC)?” What happens
next is the ARP reply message carrying COMP2_MAC. Now, COMP1 can send the message
to COMP2, because it knows COMP2_MAC. That’s how it should work.
However, there may be an attacker spoofing ARP’s reply messages. Let’s see how
that works in this case.
4. ARP protocol – spoofing ARP reply
Let’s continue the story from the previous section and denote
the computer of the attacker with COMP_ATTACKER, the IP address of
COMP_ATTACKER with COMP_ATTACKER_IP, and the MAC of COMP_ATTACKER by
COMP_ATTACKER_MAC.
Now let’s recall the description of the ARP protocol from the
previous section of the article, and change one thing – when the ARP request is
sent, the COMP_ATTACKER replies (ARP reply) with their own MAC address
(COMP_ATTACKER_MAC). Then, COMP1 thinks that they’re sending the message to
COMP2, but they’re actually sending it to COMP_ATTACKER, because they’ve
received COMP_ATTACKER_MAC in the ARP reply. In addition, COMP_ATTACKER sends
the ARP request to everyone in the LAN to learn the COMP2_MAC. At that point,
COMP_ATTACKER knows the COMP2_MAC and can forward the message (received from
COMP1) to COMP2. Before forwarding the message, COMP_ATTACKER can read and/or
modify the message if it’s not protected. That’s how ARP spoofing works. As we
can see, that attack can lead to serious problems.
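The following is an added example, not code from the article: it parses the 28-byte Ethernet/IPv4 ARP payload described above and watches replies for the sign of the attack just described, a second MAC address claiming an IP address that was already answered by another MAC. The hosts (COMP1, COMP2, COMP_ATTACKER) and their addresses are constructed sample values.

```python
import struct

# RFC 826 ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed sample addresses (names follow the article; values are made up)
COMP1_IP, COMP1_MAC = "192.0.2.10", "02:00:00:00:00:01"
COMP2_IP, COMP2_MAC = "192.0.2.20", "02:00:00:00:00:02"
COMP_ATTACKER_MAC = "02:00:00:00:00:aa"

def build_arp(oper, sha, spa, tha, tpa):
    """Build an ARP payload; used here only to construct sample traffic offline."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Decode an ARP payload into a dict; reject anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"oper": oper, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

class ArpWatch:
    """Remember the first MAC seen answering for each IP and report any later disagreement."""
    def __init__(self):
        self.bindings = {}   # IP -> MAC learned from the first reply
        self.alerts = []

    def observe(self, payload):
        pkt = parse_arp(payload)
        if pkt["oper"] != ARP_REPLY:
            return None          # requests carry no binding we trust
        known = self.bindings.setdefault(pkt["spa"], pkt["sha"])
        if known != pkt["sha"]:
            alert = f"ARP conflict: {pkt['spa']} answered by {known}, now claimed by {pkt['sha']}"
            self.alerts.append(alert)
            return alert
        return None

def run_demo():
    """Replay the exchange from the article: request, genuine reply, then the spoofed reply."""
    w = ArpWatch()
    w.observe(build_arp(ARP_REQUEST, COMP1_MAC, COMP1_IP, "00:00:00:00:00:00", COMP2_IP))
    w.observe(build_arp(ARP_REPLY, COMP2_MAC, COMP2_IP, COMP1_MAC, COMP1_IP))
    w.observe(build_arp(ARP_REPLY, COMP_ATTACKER_MAC, COMP2_IP, COMP1_MAC, COMP1_IP))
    return w.alerts

if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The watcher deliberately keeps the first binding it saw, so if the spoofed reply arrives first it is the genuine host that triggers the alert; either way the conflict is visible to the defender.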
5. Passive and active sniffing
Switches know the MAC addresses attached to their ports and send
the messages only to the port, where the destination host is attached. That
way, other hosts cannot see the messages or sniff the traffic. As we’ve already
seen, ARP spoofing can be used to overcome that problem from the attacker’s
point of view. ARP spoofing is an active attack, because sending the spoofed
ARP reply is involved.
Now let’s go back to the old days and discuss hubs. Those
devices work at Layer 1 of the OSI model. The message received by the hub is sent to all its ports.
Normally, a host reads only the messages addressed to it. However, the host
can be put in promiscuous mode to read all the messages it sees. That’s how passive
sniffing works: the attacker is just listening to the traffic, without sending anything.
6. Mitigation of ARP spoofing
Normally, the entries in the ARP table of the host are dynamic.
These entries could be predefined (static) to solve the problem with ARP
spoofing. However, this approach has an administrative overhead.
Another idea is delegating the problem to the upper layers of
the OSI model and using cryptography to provide authentication (digital
certificates), data confidentiality (symmetric encryption), and data integrity
(HMAC). SSL/TLS can be used here (it works between application and transport
layers of the OSI model.) That way, we can detect if something wrong has
happened with the message, and prevent reading it.
7. Summary
The OSI model of internet communication was
introduced. Then the ARP protocol and ARP spoofing were discussed. The
difference between active and passive sniffing was presented. Finally, the mitigation
of ARP spoofing was briefly analyzed.