ARP Protocol (cont.)
ARP Request & Reply Operation – steps involved:
1) The sender knows the IP address of the target.
2) IP asks ARP to create an ARP request message, filling in the sender physical and IP addresses and the target IP address. The target physical address is set to all 0s.
3) The message is passed to the data link layer, where it is encapsulated in a frame using the physical address of the sender as the source address and the physical broadcast address as the destination address.
4) Every host and router receives the frame. As the frame contains a broadcast destination address, all stations remove the message and pass it to their ARP. All machines except the one targeted drop the packet.
5) The target machine replies with an ARP reply message that contains its physical address.
6) The sender receives the reply message. It now knows the physical address of the target machine and is able to send the original IP datagram …
Frame format: Preamble and SFD (8 bytes) | Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data | CRC (4 bytes)
Type: 0x0806
Example [ ARP operation ]
A host with IP address 130.23.43.20 and MAC address B2:34:55:10:22:10 has a packet for another host with IP address 130.23.43.25 (and MAC address A4:6E:F4:59:83:AB, which is unknown to the first host). The two hosts are on the same Ethernet network. Show the ARP request and reply packets encapsulated in Ethernet frames.
FF:FF:FF:FF:FF:FF (48 1s) – Ethernet broadcast address
Requesting host – IP: 130.23.43.20, MAC: B2:34:55:10:22:10. Knows only the target's IP address: 130.23.43.25.
Target host – IP: 130.23.43.25, MAC: A4:6E:F4:59:83:AB
Figure annotation: place where the requested MAC address can be found!
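The two frames asked for in this example, built byte by byte. This is an added illustration, not part of the original slides; the function names are chosen here, and it assumes the reply is sent unicast to the requester, as ARP normally does.

```python
import struct

def mac(text):
    """'B2:34:55:10:22:10' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def ip(text):
    """'130.23.43.20' -> 4 raw bytes."""
    return bytes(int(part) for part in text.split("."))

def arp_frame(oper, eth_dst, sender, target_mac, target_ip):
    """Ethernet header (destination, source, type) followed by the 28-byte ARP message.
    Preamble/SFD and CRC are added by the adapter and are not built here."""
    sender_mac, sender_ip = sender
    header = mac(eth_dst) + mac(sender_mac) + struct.pack("!H", 0x0806)
    # hardware type 1 (Ethernet), protocol type 0x0800 (IPv4),
    # hardware length 6, protocol length 4, operation (1 = request, 2 = reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return header + arp

# Addresses from the example on the slide
HOST_A = ("B2:34:55:10:22:10", "130.23.43.20")   # requester
HOST_B = ("A4:6E:F4:59:83:AB", "130.23.43.25")   # target

def build_request():
    # Broadcast frame; target physical address is all 0s because it is unknown
    return arp_frame(1, "FF:FF:FF:FF:FF:FF", HOST_A, "00:00:00:00:00:00", HOST_B[1])

def build_reply():
    # Assumption: unicast back to the requester. The sender hardware field
    # now carries the MAC address that Host A asked for.
    return arp_frame(2, HOST_A[0], HOST_B, HOST_A[0], HOST_A[1])

def describe(frame):
    """Split a frame built above back into labelled hex fields."""
    names = ["eth_dst", "eth_src", "type", "htype", "ptype", "hlen", "plen",
             "oper", "sender_mac", "sender_ip", "target_mac", "target_ip"]
    sizes = [6, 6, 2, 2, 2, 1, 1, 2, 6, 4, 6, 4]
    fields, pos = {}, 0
    for name, size in zip(names, sizes):
        fields[name] = frame[pos:pos + size].hex()
        pos += size
    return fields

if __name__ == "__main__":
    for label, frame in (("request", build_request()), ("reply", build_reply())):
        print(label, describe(frame))
```

Each frame is 42 bytes (14-byte header plus 28-byte ARP message); on the wire the data field is padded to the Ethernet minimum of 46 bytes.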
Example [ ARP operation ]
If the source needs to send an IP datagram to the destination now, it makes sense that the destination will probably need to send a response to the source at some point soon. (After all, most communication on a network is bidirectional.) As an optimization, then, the destination device will add an entry to its own ARP cache containing the hardware and IP addresses of the source that sent the ARP Request. This saves the destination from needing to do an unnecessary resolution cycle later on.
http://www.tcpipguide.com/free/t_ARPAddressSpecificationandGeneralOperation-2.htm
ARP Animations:
http://cyberdig.blogspot.ca/2012/05/understand-arp-through-animation.html
https://www.practicalnetworking.net/series/arp/traditional-arp/
Gratuitous ARP – an ARP Response that was not prompted by an ARP Request
• Gratuitous ARP is sent as a broadcast message and is a way for a node to announce or update its IP to MAC mapping to the entire network
Example: two routers share the IP address 10.0.0.1. The hosts use this shared IP address as their default gateway. When one of the routers experiences a failure, the other router sends a Gratuitous ARP.
https://www.practicalnetworking.net/series/arp/gratuitous-arp/
Gratuitous ARP (cont.) – how to recognize if an ARP packet is ‘gratuitous’
• operation code: 2 (reply)
• source IP = destination IP
• target MAC = ff:ff:ff:ff:ff:ff
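The three criteria above applied to raw frame bytes, as a monitoring tool would. This is an added example, not from the original slides; the router MAC addresses and the extra source-MAC consistency check are assumptions made here, and 10.0.0.1 is the shared gateway address from the failover example.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Return (eth_src, fields) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return frame[6:12], {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def classify(frame):
    """Apply the three slide criteria, plus one consistency check a monitor can add."""
    parsed = parse_arp(frame)
    if parsed is None:
        return {"arp": False, "gratuitous": False, "notes": []}
    eth_src, f = parsed
    gratuitous = (f["oper"] == 2                 # operation code: 2 (reply)
                  and f["spa"] == f["tpa"]       # source IP = destination IP
                  and f["tha"] == BROADCAST)     # target MAC = ff:ff:ff:ff:ff:ff
    notes = []
    if eth_src != f["sha"]:
        # Added check (not on the slide): frame source and ARP sender MAC disagree
        notes.append("ethernet source differs from ARP sender MAC")
    return {"arp": True, "gratuitous": gratuitous, "notes": notes}

def sample(oper, eth_src, sha, spa, tha, tpa):
    """Constructed broadcast test frame."""
    return (BROADCAST + eth_src + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa)

# Constructed sample data: the MAC values are made up for this example
ROUTER_2 = bytes.fromhex("020000000002")
OTHER = bytes.fromhex("020000000099")
GW = bytes([10, 0, 0, 1])
HOST = bytes([10, 0, 0, 20])

FAILOVER = sample(2, ROUTER_2, ROUTER_2, GW, BROADCAST, GW)   # router 2 takes over 10.0.0.1
REQUEST = sample(1, ROUTER_2, ROUTER_2, GW, bytes(6), HOST)   # ordinary ARP request
MISMATCH = sample(2, OTHER, ROUTER_2, GW, BROADCAST, GW)      # header and ARP sender disagree
```

Some stacks announce themselves with an ARP request (operation code 1) instead; `classify` follows the slide's definition and does not flag those as gratuitous.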
https://www.geeksforgeeks.org/computer-network-arp-reverse-arprarp-inverse-arpinarp-proxy-arp-gratuitous-arp/
ARP Vulnerabilities
Vulnerabilities of ARP
1) since ARP does not authenticate requests or replies, ARP Requests & Replies can be forged
2) ARP is stateless – ARP Replies can be sent without a corresponding ARP Request
3) according to the ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields
ARP Attacks
1) ARP-based Flooding / DDoS
→ attacker floods victim with unsolicited and/or forged ARP packets (requests or replies) with various sender IP addresses
⇒ consumes system resources + causes an overflow of ARP tables (size of ARP tables is generally restricted)
2) ARP Spoofing / ARP Poisoning
→ attacker sends bogus ARP packets to target devices, causing these devices to modify their ARP entries – as a result:
a) devices cannot communicate with one another and/or
b) devices send their data to the attacker
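How vulnerabilities 2) and 3) show up in a host's ARP cache, and what a host-side monitor can report. This is an added example, not from the original slides; the event format, the function names, and all addresses are constructed for illustration.

```python
def naive_cache(events, my_ip):
    """Behaviour described above: every ARP packet received overwrites
    the cache entry for its sender IP, solicited or not."""
    cache = {}
    for oper, sender_ip, sender_mac, target_ip in events:
        if sender_ip != my_ip:
            cache[sender_ip] = sender_mac
    return cache

def monitored_cache(events, my_ip):
    """Keep the first binding seen and report packets a poisoning attempt would produce."""
    cache, pending, alerts = {}, set(), []
    for index, (oper, sender_ip, sender_mac, target_ip) in enumerate(events):
        if sender_ip == my_ip:
            if oper == "request":
                pending.add(target_ip)       # remember what we asked for
            continue
        if oper == "reply":
            if sender_ip in pending:
                pending.discard(sender_ip)   # reply matches one of our requests
            else:
                alerts.append((index, "unsolicited reply"))
        known = cache.get(sender_ip)
        if known is None:
            cache[sender_ip] = sender_mac
        elif known != sender_mac:
            alerts.append((index, "binding change"))   # entry is not overwritten
    return cache, alerts

# Constructed events seen by host 10.0.0.20:
# (operation, sender IP, sender MAC, target IP)
GATEWAY = "02:00:00:00:00:01"
FORGED = "02:00:00:00:00:99"
HOST_B = "02:00:00:00:00:20"
HOST_C = "02:00:00:00:00:30"
EVENTS = [
    ("request", "10.0.0.20", HOST_B, "10.0.0.1"),    # our own request for the gateway
    ("reply",   "10.0.0.1",  GATEWAY, "10.0.0.20"),  # answer to that request
    ("reply",   "10.0.0.1",  FORGED, "10.0.0.20"),   # no request outstanding, different MAC
    ("request", "10.0.0.30", HOST_C, "10.0.0.20"),   # ordinary request from another host
]

if __name__ == "__main__":
    print("naive:    ", naive_cache(EVENTS, "10.0.0.20"))
    print("monitored:", monitored_cache(EVENTS, "10.0.0.20"))
```

A legitimate gateway failover announced by gratuitous ARP raises the same two alerts, so they are signals for review rather than proof of an attack.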
ARP Vulnerabilities (cont.)
Defense Against ARP Flood Attacks
https://support.huawei.com/enterprise/en/doc/EDOC1100041419?section=j07g&topicName=overview-of-arp-security
ARP Spoofing – attack in which a malicious actor sends falsified ARP messages over a LAN – allows the malicious actor to intercept or stop data in transit …
• can only occur on LANs that utilize the ARP protocol
• 3 main flavours: Gateway Spoofing, User Spoofing and User-User Spoofing
Figure labels: MAC 11:11:11:11:11:11; MAC A0:A0:A0:A0:A0:A0; combination of gateway and user spoofing
Example [ Gateway ARP Spoofing ]
ARP packet sent from the attacker (A) deceives Host B into adding a false IP-to-MAC binding of the gateway. After that, normal communication between Host B and the gateway is interrupted. If an ARP packet with the forged gateway MAC address is broadcast to the LAN, all communication within the LAN may fail!!!
Could be a gratuitous message to poison the entire network at once!!!
Example [ User ARP Spoofing ]
ARP packet sent from the attacker (A) deceives the gateway into adding a false IP-to-MAC address binding of Host B. After that, normal communications between the gateway and Host B are interrupted.
Example [ User-User ARP Spoofing ]
ARP packet sent from the attacker (A) deceives Host C into adding a false IP-to-MAC address mapping of Host B. After that, normal communications between Host C and Host B are interrupted.
Defense Against ARP Spoofing – Basic Techniques
https://support.huawei.com/enterprise/en/doc/EDOC1100041419?section=j07g&topicName=overview-of-arp-security
Defense Against ARP Spoofing – Advanced Solutions
https://www.ionos.com/digitalguide/server/security/arp-spoofing-attacks-from-the-internal-network/
ARP Attacks in 2018
Optional Reading:
https://www.ptsecurity.com/ww-en/analytics/banks-attacks-2018/
ARP Attacks in 2018 (cont.)
Optional Reading:
https://www.tomsguide.com/us/circle-disney-shmoocon-wyatt,news-26489.html