Arp security by_abdimuna_sep_28

Preview:

DESCRIPTION

...these are some slides for the talk I gave at our university conference! It's not an ultimate analysis, but you can grasp some ideas.


Analysis of ARP protocol security

A.H. Muna@abdimuna1

07.09.2013

Wednesday, December 4, 13

Contents:

• What is ARP?

• Logical Address

• Physical Address

• ARP structure

• Mapping

• ARP cache table

Contents cont.

• ARP employed

• Problems with ARP

• mARP

ARP

• ARP (Address Resolution Protocol) is a network protocol designed to translate IP addresses (network-layer addresses) into MAC addresses (link-layer addresses) in TCP/IP networks, i.e. to map IP addresses to Ethernet addresses.

Logical Address

• Unique string of numbers separated by periods that identifies each computer using the Internet Protocol to communicate over a network.

• e.g. 172.16.254.1

Physical Address

• A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment.

• It may also be known as an Ethernet hardware address (EHA), hardware address or physical address.

• This 48-bit address space contains potentially 2^48, or 281,474,976,710,656, possible MAC addresses.

ARP structure

• The root of the ARP data structures is the struct neigh_table, defined in include/net/neighbour.h. Collectively, the struct neigh_table and the structures to which it points are the internal realization of the ARP cache. Each network-layer protocol that uses ARP has an associated neigh_table.

ARP neighbor table

(diagram slides showing the neighbor table structure; not recoverable as text)

IPv4 neighbor table

The neighbor table for the IPv4 ARP protocol is statically declared as follows (declaration shown on the slide; not recoverable as text):

The entry_size field is set to 4 more than it "needs to be" because of the way struct neighbour, shown on the next page, is defined. Its last field, primary_key[0], is declared as an array of 0 bytes. The extra 4 bytes of entry_size ensure that when the structure is dynamically allocated, space for the actual size of primary_key[0] will be included.

The parms section defines some operational time-out triggers. In a standard x86 Linux system the clock ticks once every 10 msec and HZ is equal to 100, the number of ticks per second.

    #ifndef HZ
    #define HZ 100
    #endif

Thus HZ can be considered to mean seconds here: a time-out written as n * HZ ticks is n seconds.

This structure defines the contents of a single ARP cache element (struct shown on the slide; not recoverable as text).

Functions of the structure elements: (table shown on the slide; not recoverable as text)

Hardware cache

Hardware header cache elements contain the hardware header needed for the first hop made by an outgoing packet.

The function structure elements: (table shown on the slide; not recoverable as text)

The arp_init()

Defined in net/ipv4/arp.c, called by inet_init().

Responsibilities include:

• Setting up the ARP cache

• Registering the ARP packet type with the kernel

• Creating a proc entry, /proc/net/arp

Registering the ARP packet type

After setting up the ARP cache, arp_init() must register the ARP packet type with the link layer. This is done via a call to dev_add_pack():

    dev_add_pack(&arp_packet_type);

The arp_packet_type is statically declared as shown on the slide (declaration not recoverable as text).

Creating /proc/net/arp entry

After registering the ARP packet type, arp_init() creates a proc entry that displays the contents of the ARP cache via arp_get_info(). arp_get_info() displays entries in hash_buckets and phash_buckets.

In the following table, the last three entries are proxies: (table shown on the slide; not recoverable as text)

ARP structures summary

ARP employed

• For two hosts on the same network, when one wants to send a packet to the other, or for two hosts on different networks, where the sender must go through a gateway/router

• For a router that needs to forward a packet for one host through another router, or from one host to the destination host on the same network

(animated diagram, built up over a series of slides: host A talks to B1 ("hello"), then to B2, then to B3; the frames are not recoverable as text)

ARP Message format

    #define ETH_HW_ADDR_LEN 6
    #define IP_ADDR_LEN 4
    #define ARP_FRAME_TYPE 0x0806   /* EtherType of ARP */
    #define ETHER_HW_TYPE 1         /* hardware type: Ethernet */
    #define IP_PROTO_TYPE 0x0800    /* protocol type: IPv4 */
    #define OP_ARP_REQUEST 2        /* note: 2 is the ARP reply opcode in RFC 826; 1 is request */

    #define DEFAULT_DEVICE "eth0"
    #define WIFI_DEVICE "en1"

(the packet layout diagram on the following slide is not recoverable as text)
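The message format that the slide's constants describe, worked through as an added example (my code, not from the talk): it encodes and parses the 28-byte Ethernet/IPv4 ARP body in RFC 826 wire format and rejects truncated or non-Ethernet/IPv4 packets before anything could reach a cache. The struct and function names are mine, the addresses are constructed samples (172.16.254.1 is the slide's example), and the opcode constants follow RFC 826 (1 = request, 2 = reply) rather than the slide's `OP_ARP_REQUEST 2`.

```c
/* Added example, not from the slides: build and parse an Ethernet/IPv4 ARP
 * packet in RFC 826 wire format. Names and sample addresses are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ETH_HW_ADDR_LEN 6
#define IP_ADDR_LEN 4
#define ARP_FRAME_TYPE 0x0806
#define ETHER_HW_TYPE 1
#define IP_PROTO_TYPE 0x0800
#define OP_ARP_REQUEST 1    /* RFC 826 opcodes: 1 = request, 2 = reply */
#define OP_ARP_REPLY   2
#define ARP_PKT_LEN    28   /* fixed body size for Ethernet/IPv4 */

/* Host-order view of one ARP packet (Ethernet/IPv4 only). */
struct arp_pkt {
    uint16_t hw_type, proto_type;
    uint8_t  hw_len, proto_len;
    uint16_t opcode;
    uint8_t  sender_mac[ETH_HW_ADDR_LEN], sender_ip[IP_ADDR_LEN];
    uint8_t  target_mac[ETH_HW_ADDR_LEN], target_ip[IP_ADDR_LEN];
};

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Serialise to network byte order; returns the number of bytes written. */
size_t arp_encode(const struct arp_pkt *a, uint8_t out[ARP_PKT_LEN]) {
    put16(out, a->hw_type); put16(out + 2, a->proto_type);
    out[4] = a->hw_len; out[5] = a->proto_len;
    put16(out + 6, a->opcode);
    memcpy(out + 8,  a->sender_mac, 6); memcpy(out + 14, a->sender_ip, 4);
    memcpy(out + 18, a->target_mac, 6); memcpy(out + 24, a->target_ip, 4);
    return ARP_PKT_LEN;
}

/* Parse and validate. Returns 0 on success, a negative code otherwise. These
 * are the checks a receiver must make before it touches its cache: anything
 * truncated, non-Ethernet/IPv4, or with an unknown opcode is dropped. */
int arp_decode(const uint8_t *buf, size_t len, struct arp_pkt *a) {
    if (len < ARP_PKT_LEN) return -1;                       /* truncated */
    a->hw_type = get16(buf); a->proto_type = get16(buf + 2);
    a->hw_len = buf[4]; a->proto_len = buf[5];
    a->opcode = get16(buf + 6);
    if (a->hw_type != ETHER_HW_TYPE || a->proto_type != IP_PROTO_TYPE) return -2;
    if (a->hw_len != ETH_HW_ADDR_LEN || a->proto_len != IP_ADDR_LEN) return -3;
    if (a->opcode != OP_ARP_REQUEST && a->opcode != OP_ARP_REPLY) return -4;
    memcpy(a->sender_mac, buf + 8, 6); memcpy(a->sender_ip, buf + 14, 4);
    memcpy(a->target_mac, buf + 18, 6); memcpy(a->target_ip, buf + 24, 4);
    return 0;
}

/* Fill in a "who has target_ip, tell sender" request; target MAC is zeroed. */
void arp_make_request(struct arp_pkt *a, const uint8_t *smac,
                      const uint8_t *sip, const uint8_t *tip) {
    memset(a, 0, sizeof *a);
    a->hw_type = ETHER_HW_TYPE; a->proto_type = IP_PROTO_TYPE;
    a->hw_len = ETH_HW_ADDR_LEN; a->proto_len = IP_ADDR_LEN;
    a->opcode = OP_ARP_REQUEST;
    memcpy(a->sender_mac, smac, 6); memcpy(a->sender_ip, sip, 4);
    memcpy(a->target_ip, tip, 4);
}

/* Round trip on constructed sample addresses. Returns 1 if encode/decode are
 * consistent and a one-byte-short buffer is rejected, 0 otherwise. */
int arp_roundtrip_demo(void) {
    const uint8_t smac[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};  /* constructed */
    const uint8_t sip[4]  = {172, 16, 254, 1};                      /* slide's example IP */
    const uint8_t tip[4]  = {172, 16, 254, 2};                      /* constructed */
    struct arp_pkt req, back; uint8_t wire[ARP_PKT_LEN];
    arp_make_request(&req, smac, sip, tip);
    arp_encode(&req, wire);
    if (arp_decode(wire, sizeof wire, &back) != 0) return 0;
    return wire[7] == OP_ARP_REQUEST && memcmp(back.target_ip, tip, 4) == 0
        && arp_decode(wire, ARP_PKT_LEN - 1, &back) == -1;
}

/* An all-zero body has hardware type 0, so it must be rejected with -2. */
int arp_reject_demo(void) {
    uint8_t zero[ARP_PKT_LEN] = {0};
    struct arp_pkt p;
    return arp_decode(zero, sizeof zero, &p);
}

int main(void) {
    printf("round trip ok: %d, zero body rejected with %d\n",
           arp_roundtrip_demo(), arp_reject_demo());
    return 0;
}
```

The validation order matters: length first, then the type/length fields, then the opcode, so that no field is read from a buffer that cannot hold it.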

ARP problems

1. No Authentication

2. Mobile computer

3. DoS attack

4. MiTM attack

5. In some LANs, like LocalTalk, the physical address changes every time the computer is turned on.

ARP problems

1. No Authentication

ARP provides no way to verify that the responding device is really who it says it is. It is a stateless protocol, and replies update the ARP cache table.

ARP problems

2. Mobile computer

In mobile computing, where network devices change their physical location (offices), static ARP is painful: you have to register the hardware address each time a new device is introduced.

ARP problems

3. DoS attack

ARP is susceptible to denial-of-service attacks. An attacker can easily associate an operationally significant IP address with a false MAC address.

ARP problems

4. MiTM attack

(diagram slides illustrating the man-in-the-middle attack; not recoverable as text)
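Covering both the ARP cache table slides (entries that age out on a time-out expressed in seconds, i.e. HZ ticks) and the no-authentication, DoS and MiTM problems above, here is an added example (my code, not from the talk): a user-space model of an ARP cache that records sender IP/MAC pairs, expires stale entries, and returns an alert code when an already-known IP is suddenly announced with a different MAC. That change is the observable symptom of cache poisoning and is what monitors such as arpwatch log. The struct and function names, the 60-second time-out and the trace of observations are constructed.

```c
/* Added example, not from the slides: a small ARP cache model that ages its
 * entries and flags IP-to-MAC changes. All names and values are constructed. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CACHE_SIZE    64
#define STALE_TIMEOUT 60   /* seconds; constructed value, not the kernel's */

enum arp_event { ARP_NEW = 0, ARP_REFRESH = 1, ARP_CHANGED = 2, ARP_FULL = -1 };

struct arp_entry {
    uint32_t ip;         /* host-order IPv4 address */
    uint8_t  mac[6];
    long     last_seen;  /* seconds */
    int      used;
};

struct arp_cache { struct arp_entry e[CACHE_SIZE]; };

void arp_cache_init(struct arp_cache *c) { memset(c, 0, sizeof *c); }

/* Drop entries not refreshed within STALE_TIMEOUT; returns how many expired. */
int arp_cache_expire(struct arp_cache *c, long now) {
    int n = 0;
    for (int i = 0; i < CACHE_SIZE; i++)
        if (c->e[i].used && now - c->e[i].last_seen > STALE_TIMEOUT) { c->e[i].used = 0; n++; }
    return n;
}

/* Record an observed (sender IP, sender MAC) pair from an ARP packet. A plain
 * cache would silently overwrite the MAC, which is exactly why poisoning works;
 * this one still updates the entry (mirroring an unprotected host) but returns
 * ARP_CHANGED so a monitor can log the event. */
int arp_cache_observe(struct arp_cache *c, uint32_t ip, const uint8_t mac[6], long now) {
    struct arp_entry *slot = NULL;
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (c->e[i].used && c->e[i].ip == ip) {
            int changed = memcmp(c->e[i].mac, mac, 6) != 0;
            memcpy(c->e[i].mac, mac, 6);
            c->e[i].last_seen = now;
            return changed ? ARP_CHANGED : ARP_REFRESH;
        }
        if (!c->e[i].used && !slot) slot = &c->e[i];
    }
    if (!slot) return ARP_FULL;
    slot->used = 1; slot->ip = ip; memcpy(slot->mac, mac, 6); slot->last_seen = now;
    return ARP_NEW;
}

/* Constructed trace: the gateway 172.16.254.1 is seen from its real MAC twice,
 * then a reply for the same IP arrives from a different MAC. Returns the
 * number of ARP_CHANGED alerts raised (expected: 1). */
int arp_monitor_demo(void) {
    static const uint8_t gw_mac[6]  = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    static const uint8_t odd_mac[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x99};
    const uint32_t gw_ip = (172u << 24) | (16u << 16) | (254u << 8) | 1u;
    struct arp_cache c; int alerts = 0;
    arp_cache_init(&c);
    alerts += arp_cache_observe(&c, gw_ip, gw_mac, 0)   == ARP_CHANGED;
    alerts += arp_cache_observe(&c, gw_ip, gw_mac, 10)  == ARP_CHANGED;
    alerts += arp_cache_observe(&c, gw_ip, odd_mac, 20) == ARP_CHANGED;
    if (alerts)
        printf("alert: 172.16.254.1 moved from 02:00:00:00:00:01 to 02:00:00:00:00:99\n");
    return alerts;
}

/* Ageing: an entry seen at t=0 is gone after STALE_TIMEOUT+1 seconds, so the
 * same pair is treated as ARP_NEW again. Returns 1 if both hold. */
int arp_expire_demo(void) {
    static const uint8_t mac[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};
    const uint32_t ip = (172u << 24) | (16u << 16) | (254u << 8) | 2u;
    struct arp_cache c;
    arp_cache_init(&c);
    arp_cache_observe(&c, ip, mac, 0);
    int expired = arp_cache_expire(&c, STALE_TIMEOUT + 1);
    return expired == 1 && arp_cache_observe(&c, ip, mac, STALE_TIMEOUT + 2) == ARP_NEW;
}

int main(void) {
    printf("alerts: %d, expiry ok: %d\n", arp_monitor_demo(), arp_expire_demo());
    return 0;
}
```

The model deliberately keeps the kernel's overwrite behaviour so the reader sees why a single unsolicited reply is enough to redirect traffic; the defensive value is in the ARP_CHANGED signal, which a real monitor would tie to a log line or an alert rather than to a printf.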

Proposed solutions

(slide content not recoverable as text)

What am I going to do, overall?

(slide content not recoverable as text)

To be continued ...!

Thank you!

mARP

Proposing a modified ARP
