OSI stack security: Layer 4 - understanding the role of ARP

Source: Internet
Author: User

In this topic, we discuss network security from the perspective of the OSI hierarchy, studying the OSI stack in depth from the physical layer up to the application layer. Starting from an analysis of the vulnerabilities at each layer, this article considers how those vulnerabilities could be exploited and discusses the defensive measures available at each network layer. After covering the technical aspects, we do not forget the impact of people on network security; we therefore extend the seven-layer OSI model with an additional "human layer".

Layer 3 of the OSI model is the data link layer, which provides the data transmission mechanism between network nodes. This layer matters because it is responsible for dividing data into frames for transmission. There are many insecurities worth exploring at the data link layer, but the most important of them is the handling of the Address Resolution Protocol (ARP).

ARP was designed for trusted networks. It resolves a known IP address to an unknown MAC address. As a packet is passed down the stack, the data link layer splits it into frames. Where the network layer supplies an IP address, the data link layer must supply a physical address; that is ARP's job. When two hosts need to communicate, the sender must be able to obtain the physical address of the target device. If the destination is not on the local network, ARP must resolve the MAC address of the gateway so that the frame can be addressed correctly.

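As an added illustration (not code from the original article), the following Python model walks through the resolution step just described: the 28-byte ARP body is encoded and decoded, the sender decides whether to resolve the destination itself or the gateway, and the reply populates the sender's ARP cache. All MAC and IP addresses are constructed for the example, and the `Host` class is a deliberately minimal stand-in for a real IP stack.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def _bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def encode_arp(pkt: ArpPacket) -> bytes:
    """Serialize the 28-byte Ethernet/IPv4 ARP body (RFC 826 layout: htype, ptype, hlen, plen, opcode, addresses)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, pkt.opcode)
    return (header
            + _mac_to_bytes(pkt.sender_mac) + ipaddress.IPv4Address(pkt.sender_ip).packed
            + _mac_to_bytes(pkt.target_mac) + ipaddress.IPv4Address(pkt.target_ip).packed)


def decode_arp(raw: bytes) -> ArpPacket:
    """Parse an ARP body, rejecting anything that is not Ethernet/IPv4 ARP."""
    if len(raw) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return ArpPacket(opcode,
                     _bytes_to_mac(raw[8:14]), str(ipaddress.IPv4Address(raw[14:18])),
                     _bytes_to_mac(raw[18:24]), str(ipaddress.IPv4Address(raw[24:28])))


def next_hop(dst_ip: str, local_iface: str, gateway_ip: str) -> str:
    """Which IP must be resolved: the destination itself when it is on-link, otherwise the gateway."""
    iface = ipaddress.ip_interface(local_iface)
    return dst_ip if ipaddress.ip_address(dst_ip) in iface.network else gateway_ip


class Host:
    """Minimal host model: sends requests, answers requests for its own IP, learns from replies sent to it."""

    def __init__(self, mac: str, ip_with_prefix: str, gateway_ip: str) -> None:
        self.mac = mac
        self.iface = ipaddress.ip_interface(ip_with_prefix)
        self.gateway_ip = gateway_ip
        self.cache: Dict[str, str] = {}  # ip -> mac, the ARP cache

    @property
    def ip(self) -> str:
        return str(self.iface.ip)

    def make_request(self, dst_ip: str) -> ArpPacket:
        target = next_hop(dst_ip, str(self.iface), self.gateway_ip)
        return ArpPacket(ARP_REQUEST, self.mac, self.ip, "00:00:00:00:00:00", target)

    def handle(self, raw: bytes) -> Optional[ArpPacket]:
        pkt = decode_arp(raw)
        if pkt.opcode == ARP_REQUEST and pkt.target_ip == self.ip:
            return ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip)
        if pkt.opcode == ARP_REPLY and pkt.target_ip == self.ip:
            # The mapping is accepted purely on trust: ARP carries no proof that the sender owns sender_ip.
            self.cache[pkt.sender_ip] = pkt.sender_mac
        return None


def resolve_demo() -> Dict[str, str]:
    """Host 192.168.1.10 wants to reach 8.8.8.8 (off-link), so it must resolve the gateway's MAC. Constructed addresses."""
    host = Host("aa:bb:cc:00:00:10", "192.168.1.10/24", "192.168.1.1")
    gateway = Host("aa:bb:cc:00:00:01", "192.168.1.1/24", "192.168.1.1")
    request = host.make_request("8.8.8.8")
    reply = gateway.handle(encode_arp(request))  # the broadcast request reaches the gateway, which answers
    assert reply is not None
    host.handle(encode_arp(reply))  # the unicast reply populates the host's cache
    return dict(host.cache)
```

The `handle` method is where the trust problem of the following paragraphs lives: a host that receives a reply addressed to it simply stores the sender's IP-to-MAC mapping, with nothing in the protocol to verify that the sender actually owns that IP.
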
Since ARP is a trust-based protocol, why should network or software security engineers pay attention to it? While hubs were in widespread use, attackers paid little attention to ARP. To intercept traffic on a LAN, an attacker only had to start a sniffer such as Wireshark. This is so-called passive sniffing: a hub forwards all traffic to all ports, so the attacker only needed to put his network card into promiscuous mode.

Switches changed this dynamic, and most networks today use switches. Passive sniffing now yields only a small amount of information for the attacker: the only traffic he sees is unicast traffic addressed to his own interface or broadcast traffic sent to all ports. This means attackers are forced to manipulate ARP. If an attacker wants to see other users' traffic, he must sniff actively. In short, active sniffing means the attacker injects packets into the network so that traffic he would not normally receive is redirected to his system.

Attackers can perform active sniffing in several ways. The first is ARP poisoning. This involves deceiving a host into believing that the attacker's MAC address belongs to the IP address of another host on the network. It is usually done by sending gratuitous ARP replies, which corrupt the switch's content addressable memory (CAM) and the ARP caches of other local systems. The most common ARP poisoning target is the gateway: if an attacker can observe all traffic sent to the gateway, passwords, RTP, Telnet, e-commerce and other sensitive packets can be sniffed.

By spoofing the IP address of the gateway, the attacker causes all hosts on the subnet to route their traffic through his system. This works well, but it is not very stealthy, because the attacker has to poison the ARP cache of every host on the subnet. It is much stealthier for an attacker to poison the ARP cache of only a single host. Several free tools exist to help attackers carry out such attacks, including:

Cain
Ettercap
WinARPAttacker

The second method of active sniffing is ARP flooding, an attempt to bypass the switch's function. Here the attacker sends a large number of packets carrying different MAC addresses. The aim is to overwhelm the switch's CAM table. Some switches, when overloaded, fall back into a hub-like mode in which they broadcast all traffic to all ports.

Either method may bypass the security mechanisms of the switch. It is important for engineers to be aware of this and to develop effective countermeasures. Encryption, secure protocols and active monitoring of changes on the network all help defend against this type of attack. The switch itself can also play a larger role: many modern switches provide inspection features such as Dynamic ARP Inspection (DAI). DAI examines ARP packets and checks their validity, letting network engineers intercept, log and discard ARP packets that carry invalid MAC addresses. These simple measures significantly reduce an attacker's ability to mount successful attacks on the data link layer.

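The defensive side of the two attacks above, as an added example written for this page (not code from the article or from any switch vendor): a Python model of a switch that applies a port-security MAC limit against CAM exhaustion and a DAI-style check of ARP packets against a binding table, plus a host-side watcher that reports when a known IP suddenly changes MAC. The binding table, port names, MAC addresses and the frames fed through it are all constructed, and the `max_macs_per_port` limit of 3 is an illustrative value.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Frame:
    """One frame as the switch sees it; ARP fields are None for non-ARP traffic. (Constructed model.)"""
    port: str
    src_mac: str
    arp_sender_mac: Optional[str] = None
    arp_sender_ip: Optional[str] = None


@dataclass
class SwitchPolicy:
    trusted_ports: Set[str]       # DAI does not inspect ARP arriving on trusted (uplink) ports
    bindings: Dict[str, str]      # ip -> mac, as a DHCP-snooping binding table would hold
    max_macs_per_port: int = 3    # port-security limit; stops one port from filling the CAM table


class Switch:
    def __init__(self, policy: SwitchPolicy) -> None:
        self.policy = policy
        self.cam: Dict[str, Set[str]] = defaultdict(set)  # port -> MACs learned on it
        self.err_disabled: Set[str] = set()
        self.log: List[str] = []

    def _port_security(self, f: Frame) -> bool:
        """Limit MACs learned per port; a flood of new MACs shuts the port instead of exhausting the CAM."""
        if f.port in self.err_disabled:
            return False
        learned = self.cam[f.port]
        if f.src_mac not in learned and len(learned) >= self.policy.max_macs_per_port:
            self.err_disabled.add(f.port)
            self.log.append(f"port-security: {f.port} exceeded {self.policy.max_macs_per_port} MACs, err-disabled")
            return False
        learned.add(f.src_mac)
        return True

    def _dai(self, f: Frame) -> bool:
        """DAI: ARP from an untrusted port must match the binding table and the frame's own source MAC."""
        if f.arp_sender_ip is None or f.port in self.policy.trusted_ports:
            return True
        expected = self.policy.bindings.get(f.arp_sender_ip)
        if expected != f.arp_sender_mac or f.arp_sender_mac != f.src_mac:
            self.log.append(f"DAI: dropped ARP on {f.port} claiming {f.arp_sender_ip} is at {f.arp_sender_mac}")
            return False
        return True

    def process(self, f: Frame) -> str:
        if not self._port_security(f) or not self._dai(f):
            return "drop"
        return "forward"


class ArpWatch:
    """Host-side monitor: remembers ip -> mac and reports when a known IP changes MAC."""

    def __init__(self) -> None:
        self.seen: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, ip: str, mac: str) -> None:
        old = self.seen.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.seen[ip] = mac


def run_demo() -> Tuple[List[str], List[str], List[str]]:
    """Feed constructed frames through the switch model and the watcher; returns (verdicts, switch log, alerts)."""
    policy = SwitchPolicy(
        trusted_ports={"Gi0/1"},
        bindings={"192.168.1.1": "aa:bb:cc:00:00:01",
                  "192.168.1.10": "aa:bb:cc:00:00:10",
                  "192.168.1.20": "aa:bb:cc:00:00:20"},
    )
    sw = Switch(policy)
    frames = [
        Frame("Gi0/2", "aa:bb:cc:00:00:10", "aa:bb:cc:00:00:10", "192.168.1.10"),  # legitimate host
        Frame("Gi0/3", "aa:bb:cc:00:00:20", "aa:bb:cc:00:00:20", "192.168.1.1"),   # host claiming the gateway's IP
        Frame("Gi0/1", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01", "192.168.1.1"),   # real gateway on the trusted uplink
    ] + [Frame("Gi0/4", f"02:00:00:00:00:{i:02x}") for i in range(1, 5)]           # many source MACs on one port
    results = [sw.process(f) for f in frames]
    watch = ArpWatch()
    watch.observe("192.168.1.1", "aa:bb:cc:00:00:01")  # first sighting of the gateway
    watch.observe("192.168.1.1", "aa:bb:cc:00:00:20")  # the same IP now answers from another MAC
    return results, sw.log, watch.alerts
```

Two design points worth noting: DAI needs a trusted port for the uplink to the gateway, since a real gateway's ARP replies cannot appear in a binding table learned from DHCP on access ports; and the source-MAC consistency check (Ethernet source versus ARP sender MAC) catches packets whose ARP body was crafted independently of the frame that carries it. The watcher is the cheap host-side counterpart for networks whose switches offer no DAI.
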
About the author:

Michael Gregg has 15 years of experience in IT and network security. He is the founder and CTO of Superior Solutions Inc., a risk assessment and security consulting company. He has developed high-level security courses and has written six books; the most recent is Hack the Stack: The Eight Layers of an Insecure Network.
