
ARP Protocol (cont.)...ARP Protocol (cont.) 3 Example [ ARP operation] If the source needs to send an IP datagram to the destination now, it makes sense that the destination will probably

Apr 13, 2020


dariahiddleston
Transcript

1 ARP Protocol (cont.)

ARP Request & Reply Operation – steps involved:

1) The sender knows the IP address of the target.

2) IP asks ARP to create an ARP request message, filling in the sender physical and IP address, and the target IP address. The target physical address is set to 0-s!

3) The message is passed to the data link layer where it is encapsulated in a frame using the physical address of the sender as the source address and the physical broadcast address as the destination address.

4) Every host and router receives the frame. As the frame contains a broadcast destination address, all stations remove the message and pass it to their ARP. All machines except the one targeted drop the packet.

5) The target machine replies with an ARP reply message that contains its physical address.

6) The sender receives the reply message. It knows the physical address of the target machine and is able to send the original IP datagram …

Preamble and SFD (8 bytes) | Destination address (6 bytes) | Source address (6 bytes) | Type (2 bytes) | Data | CRC (4 bytes)

Type: 0x0806


2 ARP Protocol (cont.)

Example [ ARP operation ]
A host with IP address 130.23.43.20 and MAC address B2:34:55:10:22:10 has a packet for another host with IP address 130.23.43.25 (and MAC address A4:6E:F4:59:83:AB, which is unknown to the first host). The two hosts are on the same Ethernet network. Show the ARP request and reply packets encapsulated in Ethernet frames.

FF:FF:FF:FF:FF:FF – 48 1-s, Ethernet broadcast address

IP: 130.23.43.20, MAC: B2:34:55:10:22:10

IP: 130.23.43.25, MAC: A4:6E:F4:59:83:AB

Knows only target’s IP address: 130.23.43.25.

???

place where the requested MAC address can be found!
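The request and reply asked for in this exercise, built byte by byte as an added example (not part of the original slides). The ARP field order is the standard IPv4-over-Ethernet layout, which the slides do not spell out; the unicast reply and the zero padding are likewise standard behaviour, and the function names are hypothetical.

```python
import struct

ETHERTYPE_ARP = 0x0806                 # "Type: 0x0806" from the frame layout
BROADCAST = "FF:FF:FF:FF:FF:FF"        # 48 1-s
UNKNOWN = "00:00:00:00:00:00"          # target physical address "set to 0-s"

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ip(s):
    return bytes(int(part) for part in s.split("."))

def arp_message(op, sender_mac, sender_ip, target_mac, target_ip):
    # Fixed header for IPv4 over Ethernet: hardware type 1, protocol type 0x0800,
    # hardware length 6, protocol length 4, then operation (1 = request, 2 = reply).
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def ethernet_frame(dst, src, payload):
    # Preamble/SFD and CRC are added by the network interface, so they are not built here.
    # The 28-byte ARP message is zero-padded to Ethernet's 46-byte minimum payload.
    return mac(dst) + mac(src) + struct.pack("!H", ETHERTYPE_ARP) + payload.ljust(46, b"\x00")

def slide_example():
    a_ip, a_mac = "130.23.43.20", "B2:34:55:10:22:10"   # sender on the slide
    b_ip, b_mac = "130.23.43.25", "A4:6E:F4:59:83:AB"   # target on the slide
    # Request: broadcast frame, target physical address unknown.
    request = ethernet_frame(BROADCAST, a_mac,
                             arp_message(1, a_mac, a_ip, UNKNOWN, b_ip))
    # Reply: sent straight back to the requester; the sender hardware field
    # is the "place where the requested MAC address can be found".
    reply = ethernet_frame(a_mac, b_mac,
                           arp_message(2, b_mac, b_ip, a_mac, a_ip))
    return request, reply

if __name__ == "__main__":
    for name, frame in zip(("request", "reply"), slide_example()):
        print(name, frame.hex())
```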


3 ARP Protocol (cont.)

Example [ ARP operation ]

If the source needs to send an IP datagram to the destination now, it makes sense that the destination will probably need to send a response to the source at some point soon. (After all, most communication on a network is bidirectional.) As an optimization, then, the destination device will add an entry to its own ARP cache containing the hardware and IP addresses of the source that sent the ARP Request. This saves the destination from needing to do an unnecessary resolution cycle later on.

http://www.tcpipguide.com/free/t_ARPAddressSpecificationandGeneralOperation-2.htm


4 ARP Protocol (cont.)

ARP Animations:

http://cyberdig.blogspot.ca/2012/05/understand-arp-through-animation.html


5 ARP Protocol (cont.)

https://www.practicalnetworking.net/series/arp/traditional-arp/


6 ARP Protocol (cont.)

Gratuitous ARP – an ARP Response that was not prompted by an ARP Request
• Gratuitous ARP is sent as a broadcast message and is a way for a node to announce or update its IP to MAC mapping to the entire network

Example: two routers share the IP address 10.0.0.1. The hosts use this shared IP address as their default gateway. When one of the routers experiences a failure, the other router sends a Gratuitous ARP.

https://www.practicalnetworking.net/series/arp/gratuitous-arp/


7 ARP Protocol (cont.)

Gratuitous ARP (cont.) – how to recognize if an ARP packet is ‘gratuitous’
• operation code: 2 (reply)
• source IP = destination IP
• target MAC = ff:ff:ff:ff:ff:ff


8 ARP Protocol (cont.)

https://www.geeksforgeeks.org/computer-network-arp-reverse-arprarp-inverse-arpinarp-proxy-arp-gratuitous-arp/


9 ARP Vulnerabilities

Vulnerabilities of ARP
1) since ARP does not authenticate requests or replies, ARP Requests & Replies can be forged
2) ARP is stateless – ARP Replies can be sent without a corresponding ARP Request
3) according to ARP protocol specification, a node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields

ARP Attacks
1) ARP-based Flooding / DDoS
→ attacker floods victim with unsolicited and/or forged ARP packets (requests or replies) with various sender IP addresses
⇒ consumes system resources + causes an overflow of ARP tables (size of ARP tables is generally restricted)
2) ARP Spoofing / ARP Poisoning
→ attacker sends bogus ARP packets to target devices causing these devices to modify their ARP entries – as a result:
a) devices cannot communicate with one another and/or
b) devices send their data to the attacker


10 ARP Vulnerabilities (cont.)

Defense Against ARP Flood Attacks

https://support.huawei.com/enterprise/en/doc/EDOC1100041419?section=j07g&topicName=overview-of-arp-security


11 ARP Vulnerabilities (cont.)

ARP Spoofing – attack in which a malicious actor sends falsified ARP messages over a LAN – allows the malicious actor to intercept or stop data in-transit …
• can only occur on LANs that utilize ARP protocol
• 3 main flavours: Gateway Spoofing & User Spoofing & User-User Spoofing

[Figure labels: MAC 11:11:11:11:11:11; MAC A0:A0:A0:A0:A0:A0; combination of gateway and user spoofing]


12 ARP Vulnerabilities (cont.)

Example [ Gateway ARP Spoofing ]
ARP packet sent from the attacker (A) deceives Host B into adding a false IP-to-MAC binding of the gateway. After that, normal communication between Host B and the gateway is interrupted. If an ARP packet with the forged gateway MAC address is broadcast to the LAN, all communication within the LAN may fail!!!

Could be a gratuitous message to poison the entire network at once!!!


13 ARP Vulnerabilities (cont.)

Example [ User ARP Spoofing ]
ARP packet sent from the attacker (A) deceives the gateway into adding a false IP-to-MAC address binding of Host B. After that, normal communications between the gateway and Host B are interrupted.


14 ARP Vulnerabilities (cont.)

Example [ User-User ARP Spoofing ]
ARP packet sent from the attacker (A) deceives Host C into adding a false IP-to-MAC address mapping of Host B. After that, normal communications between Host C and Host B are interrupted.
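A passive monitor that applies the slides' gratuitous-ARP criteria and watches for the two weaknesses the spoofing examples rely on (replies with no matching request, and cache entries overwritten from the source fields). This is an added example, not part of the original slides; the function names and the sample capture, including its 02:00:00:… addresses, are constructed for illustration.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def parse_arp(frame):
    """ARP fields of an Ethernet frame (no preamble/CRC), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":      # EtherType 0x0806
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(frame[22:28]), "spa": ip(frame[28:32]),
            "tha": mac(frame[32:38]), "tpa": ip(frame[38:42])}

def is_gratuitous(a):
    # The three criteria listed on the slide: reply, source IP = destination IP, broadcast target MAC.
    return a["op"] == 2 and a["spa"] == a["tpa"] and a["tha"] == BROADCAST

def monitor(frames):
    """Alert on replies that answer no request and on IP-to-MAC bindings that change."""
    bindings, pending, alerts = {}, set(), []
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        grat = is_gratuitous(a)
        if a["op"] == 1:
            pending.add((a["spa"], a["tpa"]))               # (asker IP, IP asked for)
        elif a["op"] == 2 and not grat:
            if (a["tpa"], a["spa"]) in pending:
                pending.discard((a["tpa"], a["spa"]))       # solicited reply
            else:
                alerts.append(("unsolicited-reply", a["spa"], a["sha"]))
        old = bindings.get(a["spa"])
        if old is not None and old != a["sha"]:
            alerts.append(("binding-changed", a["spa"], old, a["sha"], grat))
        bindings[a["spa"]] = a["sha"]                       # mirror what a cache would learn
    return alerts

# Constructed capture (hex: Ethernet header + ARP); addresses invented for this example.
H = "0806" "0001" "0800" "0604"                             # EtherType + fixed ARP header
SAMPLE = [bytes.fromhex(h) for h in (
    "ffffffffffff02000000000b" + H + "0001" "02000000000b0a000005" "0000000000000a000001",
    "02000000000b020000000001" + H + "0002" "0200000000010a000001" "02000000000b0a000005",
    "02000000000b0200000000aa" + H + "0002" "0200000000aa0a000001" "02000000000b0a000005",
    "ffffffffffff020000000002" + H + "0002" "0200000000020a000001" "ffffffffffff0a000001",
)]
```

A `binding-changed` alert with the gratuitous flag set also fires for the legitimate router failover described earlier, so it needs to be checked against the known MAC addresses of the gateway pair before being treated as poisoning.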


15 ARP Vulnerabilities (cont.)

Defense Against ARP Spoofing – Basic Techniques

https://support.huawei.com/enterprise/en/doc/EDOC1100041419?section=j07g&topicName=overview-of-arp-security


16 ARP Vulnerabilities (cont.)

Defense Against ARP Spoofing – Advanced Solutions

https://www.ionos.com/digitalguide/server/security/arp-spoofing-attacks-from-the-internal-network/


17 ARP Attacks in 2018

Optional Reading:

https://www.ptsecurity.com/ww-en/analytics/banks-attacks-2018/


18 ARP Attacks in 2018 (cont.)

Optional Reading:

https://www.tomsguide.com/us/circle-disney-shmoocon-wyatt,news-26489.html