Preventing ARP Cache Poisoning Attacks


Learn about ARP cache poisoning, a type of man-in-the-middle attack, how hackers can exploit it, and ways to prevent it, such as using static IP/MAC lists and detection software integrated into your network infrastructure or devices.


Presentation Transcript


  1. Man-in-the-middle attacks: sniff, snoop, hijack

  2. High-level view
     [Diagram: User, Hacker, Target application]
     The man-in-the-middle attack allows the hacker to sit in between all communication between client and server. They sniff, manipulate and change or insert new data/commands without either side being aware.

  3. How can this happen?
     One of the more common methods is something called ARP cache poisoning.
     A little background on ARP (Address Resolution Protocol):
     • ARP is used by computers to find who has a particular IP address and then bind to that computer's MAC address
     • ARP is a broadcast protocol (a cry for help, if you will)
     • Attackers can send false replies to an ARP request, and insert their own computer as a fake network citizen
     • Once this happens, they can impersonate either the end point or the gateway (which allows snooping and inserting into all traffic)

  4. ARP Spoofing
     [Diagram: User, Target application and Hacker]
     • User asks: "Who has 200.21.22.23?"
     • Target application: IP 200.21.22.23, MAC aa:aa:aa:aa:aa:aa
     • Hacker: IP 200.21.22.23, MAC cc:cc:cc:cc:cc:cc
     • Hacker answers: "200.21.22.23 is cc:cc:cc:cc:cc:cc" [either reply or unsolicited]
     • ARP cache before: 200.21.22.20=bb:bb:bb:bb:bb:bb, 200.21.22.23=aa:aa:aa:aa:aa:aa
     • ARP cache after: 200.21.22.20=bb:bb:bb:bb:bb:bb, 200.21.22.23=cc:cc:cc:cc:cc:cc

  5. Sample Command: arp -a

  6. Notes
     • The attack can only be used on networks that use ARP, and requires the attacker to have direct access to the local network segment to be attacked.
     • Just about everyone uses ARP!
     • Since you need to have your attacking software on the local network segment for this to work, hackers are always looking for ways to infiltrate your environment.
     • Hence all the network discovery port scans!

  7. How can you prevent this?
     ARP cache poisoning is one of the hardest hacks to prevent, but some tools do exist:
     • Static IP/MAC lists [difficult to manage on large networks]
     • ARP spoofing detection software, which:
       • Can be integrated into the DHCP server
       • Can be part of the switch/router
       • Can be on the local PC
       • Can be within the OS

  8. IRL?
     Imagine that Alice and Barbara talk to one another on the phone in Lojban, which is an obscure language. Nancy is a secret agent who needs to listen in on their conversation but who cannot tap the phone line. Nancy is very clever and talented, so she does the following:
     1. Nancy observes Alice and Barbara for a while. She notices that Alice always calls Barbara, not the other way around.
     2. Nancy recognizes that Alice and Barbara are speaking in Lojban. She learns that language.
     3. Nancy slips a business card into Alice's purse. The card says "Barbara" but it has Nancy's phone number.
     4. When Alice calls this number, it is Nancy who receives the call. She answers in Lojban and imitates Barbara's voice.
     5. Nancy immediately calls Barbara on another phone. She imitates Alice's voice, saying hello in Lojban.
     6. Nancy continues both conversations, switching between them as needed.
     Now Alice and Barbara are both certain that they are talking to one another. In reality, they are talking to Nancy, who relays communication between them. Nancy knows all the secrets. She may also manipulate the information that Alice and Barbara are sharing with one another.

  9. In the network age
     In the world of computing, some of the most famous cases linked to MITM attacks were the following:
     • In 2013, information was leaked about the Quantum/FoxAcid MITM system employed by NSA to intercept TOR connections.
     • In 2014, Lenovo installed MITM (SSL hijacking) adware called Superfish on their Windows PCs.
     • In 2015, a British couple (the Luptons) lost £340,000 in an email eavesdropping / email hijacking MITM attack.
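
The detection idea from slide 7, applied to the `arp -a` output of slide 5, as an added example that is not part of the original presentation: it compares a known-good ARP table with a later one and reports the cache change shown on slide 4. The function names, the sample output and the address 200.21.22.99 are constructed for illustration.

```python
import re

# IPv4 address followed by a MAC. Covers Unix-style "? (ip) at aa:bb:..." lines
# and Windows-style "ip   aa-bb-..." lines; incomplete entries do not match.
ENTRY = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
                   r"((?:[0-9a-fA-F]{1,2}[:-]){5}[0-9a-fA-F]{1,2})")

def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` output, MACs lower-cased and zero-padded."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            ip, mac = m.groups()
            table[ip] = ":".join(p.zfill(2) for p in re.split("[:-]", mac.lower()))
    return table

def find_poisoning(baseline, current):
    """Compare a known-good table with a later one and list suspicious entries."""
    alerts = []
    # 1. An IP whose MAC differs from the baseline (the cache change on slide 4).
    for ip, mac in sorted(current.items()):
        if ip in baseline and baseline[ip] != mac:
            alerts.append(("changed", ip, baseline[ip], mac))
    # 2. One MAC answering for several IPs, as when a host impersonates another.
    owners = {}
    for ip, mac in current.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1 and mac != "ff:ff:ff:ff:ff:ff":  # broadcast is shared by design
            alerts.append(("shared", mac, sorted(ips)))
    return alerts

# Constructed sample output using the slide's addresses; 200.21.22.99 is made up.
BASELINE = """\
? (200.21.22.20) at bb:bb:bb:bb:bb:bb [ether] on eth0
? (200.21.22.23) at aa:aa:aa:aa:aa:aa [ether] on eth0
? (200.21.22.24) at <incomplete> on eth0
"""
CURRENT = """\
Interface: 200.21.22.10 --- 0x4
  200.21.22.20          bb-bb-bb-bb-bb-bb     dynamic
  200.21.22.23          cc-cc-cc-cc-cc-cc     dynamic
  200.21.22.99          cc-cc-cc-cc-cc-cc     dynamic
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    print(*find_poisoning(parse_arp_table(BASELINE), parse_arp_table(CURRENT)), sep="\n")
```

The baseline plays the role of the static IP/MAC list from slide 7, so it has to be captured while the segment is known to be clean.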
