Network Security: Analysis of ARP cache infection attacks (I)

Source: Internet
Author: User


Deceiving people, the so-called "social engineering", is one set of techniques (the notorious hacker Kevin Mitnick practised it extensively); for example, you pretend to be an employee of a company so that real employees will share company secrets with you. Deceiving computers is a different matter, and there are many techniques for it. A common one is ARP cache poisoning, and it is the core of this article. On a LAN, ARP poisoning lets an attacker do great damage to the network. Because its effects are often described as "unrecoverable", every network administrator should understand how such an attack works.

ARP Review

The article "Computer Network Basics: What are NIC, MAC, and ARP?" (see the translator's article) explains how the Address Resolution Protocol (ARP) associates the MAC address of a network device with its IP address, so that devices on the same LAN can find each other. ARP is essentially a kind of name lookup for the network.

ARP is a simple protocol that consists of only four types of message:

1. ARP request. Computer A asks the whole LAN, "Who has this IP address?"

2. ARP reply. Computer B tells computer A, "I have that IP. My MAC address is [whatever it is]."

3. Reverse ARP request. Similar to an ARP request, but computer A asks, "Who has this MAC address?"

4. Reverse ARP reply. Computer B tells computer A, "I have that MAC. My IP address is [whatever it is]."

Every network device has an ARP table (the ARP cache), a small area of memory that stores the IP address and MAC address pairs the device has already resolved. The ARP table saves the device from repeatedly sending ARP requests for devices it has already communicated with.

Here is an example of normal ARP communication. Jessica, a receptionist, uses Word (Microsoft's document editor; translator's note) to print the latest corporate address book. It is her first print job of the day. Her computer (IP address 192.168.0.16) wants to send the job to the office's HP LaserJet printer (IP address 192.168.0.45). So Jessica's computer broadcasts an ARP request asking, "Who has the IP address 192.168.0.45?" (step 1).

Every device on the LAN ignores this ARP request except the HP LaserJet printer. The printer sees that the requested IP address is its own, so it sends an ARP reply: "Hey, my IP address is 192.168.0.45, and this is my MAC address: 00:90:7F:12:DE:7F" (step 2).

Now Jessica's computer knows the printer's MAC address and can send the print job to the correct device (the printer; translator's note). In its ARP table, the printer's MAC address 00:90:7F:12:DE:7F is now associated with its IP address 192.168.0.45.

Hey ARP, did you know that the device that lied to you is not in your dictionary?

The network designers made the ARP conversation this simple for the sake of efficiency. Unfortunately, this simplicity also brings a huge security risk. Did you notice that I did not mention any form of authentication in my brief description of ARP? That is because ARP has none at all.


ARP assumes that both parties to the communication are safe and trustworthy, which actually makes it an easy mark for a scam. When a device on the network broadcasts an ARP request, it simply believes that the ARP reply it receives really comes from the correct device (because, according to the protocol, only the device that owns the IP address should answer). ARP provides no way to verify that the replying device is who its packet says it is. In fact, many operating systems even accept ARP replies when no ARP request was sent.

Now imagine you are a malicious hacker. You have just learned that ARP has no way to authenticate ARP replies, and you know that many devices accept replies without having sent a request. So why not craft a perfectly valid but malicious ARP reply containing any IP address and MAC address you choose? Because the victim's computer blindly accepts the ARP reply and adds it to its ARP table, it can easily be tricked into associating any IP address you choose with any MAC address. Going further, you can broadcast your forged ARP replies across the victim's entire network and spoof every computer on it. Mwa ha ha!

Back to reality. Now you can see why this common technique is called ARP cache poisoning (or ARP poisoning): the attacker deceives the devices on your LAN, misleading or "poisoning" what they know about where the other devices are. This frighteningly simple attack lets an attacker do great harm to the network, as described below.

All your ARP packets are ours!

Being able to associate any IP address with any MAC address lets an attacker mount many attacks, including denial of service (DoS), man-in-the-middle (MitM), and MAC flooding.

Denial of Service

A hacker needs only a simple operation to bind an important IP address to a wrong MAC address. For example, a hacker can send your computer an ARP reply that binds the IP address of your network's router (the default gateway) to a nonexistent MAC address. Your computer then thinks it knows where the default gateway is, but in fact every packet it sends to a destination outside the local network segment is addressed to a MAC that does not exist on the LAN, so the packets vanish into the void (they are dropped once their lifetime expires). In this way a hacker can stop you from connecting to the Internet.
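The two weaknesses described above (a reply nobody asked for is accepted, and a reply can rebind an already known IP such as the gateway's to any MAC) are exactly what a passive ARP monitor watches for. The following Python is an added example, not code from the original article: it parses raw Ethernet/ARP frames and reports replies that answer no request it saw, or that contradict an IP-to-MAC pair it already learned; the printer's address is the one from the article, all other MAC addresses are constructed sample values.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(m): return bytes.fromhex(m.replace(":", ""))
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))

def build_arp(op, smac, sip, tmac, tip):
    """Ethernet II + ARP frame (IPv4 over Ethernet); a request is sent to broadcast."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(tmac)
    hdr = dst + mac_bytes(smac) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return hdr + mac_bytes(smac) + ip_bytes(sip) + mac_bytes(tmac) + ip_bytes(tip)

def parse_arp(frame):
    """ARP fields of a frame as a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02X}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    a = frame[22:42]
    return {"op": struct.unpack("!H", frame[20:22])[0], "smac": mac(a[:6]),
            "sip": ip(a[6:10]), "tmac": mac(a[10:16]), "tip": ip(a[16:])}

class ArpWatch:
    """Passive monitor: learns IP->MAC only from solicited, consistent replies; flags the rest."""
    def __init__(self):
        self.cache = {}       # ip -> mac, the equivalent of a host's ARP table
        self.pending = set()  # (asker ip, asked ip) of requests not yet answered

    def observe(self, frame):  # -> list of alert strings, empty when all is well
        p = parse_arp(frame)
        if p is None or p["op"] not in (ARP_REQUEST, ARP_REPLY):
            return []
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["sip"], p["tip"]))
            return []
        alerts = []
        key = (p["tip"], p["sip"])  # the request this reply claims to answer
        if key in self.pending:
            self.pending.discard(key)
        else:
            alerts.append(f"unsolicited reply: {p['sip']} is at {p['smac']}")
        known = self.cache.get(p["sip"])
        if known and known != p["smac"]:
            alerts.append(f"{p['sip']} moved from {known} to {p['smac']}")
        if not alerts:
            self.cache[p["sip"]] = p["smac"]  # only a solicited, consistent reply is learned
        return alerts
```

Feeding it Jessica's request, the printer's genuine reply and then an unsolicited reply claiming 192.168.0.45 from another MAC yields two alerts for the third frame while the cache keeps the printer's real address.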
