Mitigating Other ARP Vulnerabilities

During the ARP vulnerability analysis, we identified three vulnerabilities:

• No authentication. This leads to the ARP spoofing attack.

• Information leak. All ARP requests are sent as Ethernet broadcast, so every Layer 2 adjacent host can build a traffic map (for example, which IP address talks to which IP address).

• Availability. Even though ARP is a simple protocol, it cannot be implemented in hardware, and the switch central processor always runs it. An attacker might hit a host or a router with a flood of ARP requests; if this happens, CPU utilization reaches 100 percent and the CPU cannot process other vital functions of a switch (such as spanning tree or a routing protocol).

DAI is an effective fix for the no-authentication vulnerability of ARP.

There is no known way to mitigate the information leak vulnerability. Although the security impact of this vulnerability is small, paranoid network architects must produce a design in which the number of hosts per Ethernet segment is small (even to the point of having a single host plus its default gateway per segment). Hence, an attacker will only be able to learn that some hosts communicate with a router but will not discover the remote hosts' IP addresses.

Chapter 13, "Control Plane Policing," explains the availability vulnerability. It also describes mitigation techniques beyond DAI rate limiting.

Example 6-10 ARPwatch Alert for a Potential ARP Spoofing Attack

From: arpwatch@example.org (Arpwatch charly)

To: root@example.org

Subject: changed ethernet address (adsl) eth0

Date: Thu, 3 May 2007 13:31:15 +0200 (CEST)

hostname: adsl

ip address: 192.0.2.1

interface: eth0

ethernet address: 0:15:58:27:83:dc

ethernet vendor:

old ethernet address: 0:4:27:fd:52:40

old ethernet vendor: Cisco Systems, Inc.

timestamp: Thursday, May 3, 2007 13:31:14 +0200

previous timestamp: Thursday, May 3, 2007 13:29:23 +0200

delta: 1 minute
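Example 6-10 is the kind of mail ARPwatch sends when the MAC address behind an IP address changes; the interesting signal for a defender is that 192.0.2.1 moved from a Cisco Systems address (the router) to an address with no known vendor within about two minutes. The following parser is an added example and is not part of the book or of the ARPwatch project: it turns such an alert into a structured record, normalizes the unpadded MAC notation ARPwatch uses (0:4:27:... becomes 00:04:27:...), computes the real interval from the two timestamps instead of relying on the rounded "delta" line, and triages the alert. The sample mail is constructed from Example 6-10, and the set of gateway addresses is a hypothetical site-specific list.

```python
"""Parse and triage ARPwatch 'changed ethernet address' alerts (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional

# Constructed sample, modelled on Example 6-10 (mail headers, blank line, key/value body).
SAMPLE_ALERT = """\
From: arpwatch@example.org (Arpwatch charly)
To: root@example.org
Subject: changed ethernet address (adsl) eth0
Date: Thu, 3 May 2007 13:31:15 +0200 (CEST)

hostname: adsl
ip address: 192.0.2.1
interface: eth0
ethernet address: 0:15:58:27:83:dc
ethernet vendor:
old ethernet address: 0:4:27:fd:52:40
old ethernet vendor: Cisco Systems, Inc.
timestamp: Thursday, May 3, 2007 13:31:14 +0200
previous timestamp: Thursday, May 3, 2007 13:29:23 +0200
delta: 1 minute
"""

# Hypothetical site knowledge: IP addresses of default gateways on monitored segments.
GATEWAY_IPS = {"192.0.2.1"}

TS_FORMAT = "%A, %B %d, %Y %H:%M:%S %z"   # layout of the body timestamps


@dataclass
class ArpwatchAlert:
    kind: str                     # e.g. "changed ethernet address", "flip flop", "new station"
    hostname: str
    ip: str
    interface: str
    mac: str                      # zero-padded, lower-case
    old_mac: Optional[str]        # None for "new station" alerts
    old_vendor: str
    delta_seconds: Optional[int]  # computed from the two timestamps, not the rounded "delta" line


def normalize_mac(raw: str) -> str:
    """ARPwatch prints octets without leading zeros; pad each to two hex digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in raw.strip().split(":"))


def _parse_ts(value: Optional[str]) -> Optional[datetime]:
    return datetime.strptime(value, TS_FORMAT) if value else None


def parse_alert(text: str) -> ArpwatchAlert:
    headers, _, body = text.partition("\n\n")
    subject = next(l for l in headers.splitlines() if l.lower().startswith("subject:"))
    # Subject is "<kind> (<hostname>) <interface>"
    m = re.match(r"subject:\s*(.*?)\s*\((\S+)\)\s*(\S+)", subject, re.I)
    if not m:
        raise ValueError(f"unrecognised ARPwatch subject: {subject!r}")
    kind, host_from_subject, iface_from_subject = m.groups()

    fields: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")   # split on the FIRST colon only; MACs contain colons
        if sep:
            fields[key.strip().lower()] = value.strip()

    new_ts = _parse_ts(fields.get("timestamp"))
    old_ts = _parse_ts(fields.get("previous timestamp"))
    delta = int((new_ts - old_ts).total_seconds()) if new_ts and old_ts else None
    old_mac = fields.get("old ethernet address")

    return ArpwatchAlert(
        kind=kind.lower(),
        hostname=fields.get("hostname", host_from_subject),
        ip=fields["ip address"],
        interface=fields.get("interface", iface_from_subject),
        mac=normalize_mac(fields["ethernet address"]),
        old_mac=normalize_mac(old_mac) if old_mac else None,
        old_vendor=fields.get("old ethernet vendor", ""),
        delta_seconds=delta,
    )


def triage(alert: ArpwatchAlert) -> str:
    """Rank an alert: a gateway whose MAC changes is the classic ARP spoofing symptom."""
    if alert.kind in ("changed ethernet address", "flip flop"):
        if alert.ip in GATEWAY_IPS:
            return "high"
        if alert.delta_seconds is not None and alert.delta_seconds < 600:
            return "medium"      # rapid change on an ordinary host: worth a look
        return "low"             # slow change: often a legitimate NIC or DHCP lease change
    return "info"                # "new station" and similar inventory notices


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a)
    print("triage:", triage(a))
```

The "delta: 1 minute" line in the alert is ARPwatch's own rounding; the parser reports 111 seconds from the timestamps, which matters when you correlate several alerts for the same address. Feeding every alert through triage and only paging on "high" keeps the gateway case visible without drowning in lease-renewal noise.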

118 Chapter 6: Exploiting IPv4 ARP

Summary

IPv4 hosts use ARP to discover each other's Ethernet MAC addresses. Because ARP is not authenticated, an attacker can send ARP packets with spoofed content to victims. The victims update their ARP tables and start sending legitimate traffic to an incorrect MAC address. This allows the attacker to receive and sniff the traffic sent by victims, even in a switched environment where sniffing is commonly—but wrongly—believed impossible. This is called ARP spoofing (also known as ARP poisoning).

Cisco switches can leverage the binding table built by snooping DHCP traffic. This feature allows the switch to inspect all ARP packets and drop the packets that contain wrong information. This technique is called DAI, and it is sufficient to successfully prevent an ARP spoofing attack.
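The two sentences above, together with the earlier remark that DAI rate limiting is the first line of defence against ARP floods, describe a small decision procedure: trust the uplink, rate-limit untrusted ports, and otherwise permit an ARP packet only when its sender IP/MAC pair matches the DHCP snooping binding table. The model below is an added example written for this chapter; it is not Cisco code and does not reproduce IOS behaviour in detail. The port names, binding entries, the 15 packets-per-second limit and the spoofed packet are constructed to mirror Example 6-10 (the attacker claims the gateway 192.0.2.1 with the 00:15:58 address).

```python
"""Model of Dynamic ARP Inspection decisions on a switch (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    src_mac: str      # Ethernet source address
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address


class DaiSwitch:
    """Applies DAI to ARP packets arriving on untrusted ports."""

    def __init__(self, rate_limit_pps: int = 15):
        # (vlan, ip) -> mac. Entries come from DHCP snooping or are configured statically.
        self.bindings: Dict[Tuple[int, str], str] = {}
        self.trusted: Set[str] = set()          # ports where ARP is not inspected (uplinks)
        self.errdisabled: Set[str] = set()      # ports shut down after exceeding the rate limit
        self.rate_limit = rate_limit_pps
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)  # per-port arrival times

    def add_binding(self, vlan: int, ip: str, mac: str) -> None:
        self.bindings[(vlan, ip)] = mac.lower()

    def _over_rate_limit(self, port: str, now: float) -> bool:
        """Sliding one-second window: True once more than rate_limit ARP packets arrived."""
        window = self._recent[port]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window) > self.rate_limit

    def inspect(self, pkt: ArpPacket, now: float) -> str:
        """Return PERMIT, DROP or ERRDISABLE for one ARP packet."""
        if pkt.ingress_port in self.errdisabled:
            return "DROP"
        if pkt.ingress_port in self.trusted:
            return "PERMIT"                      # DAI does not inspect trusted ports
        if self._over_rate_limit(pkt.ingress_port, now):
            self.errdisabled.add(pkt.ingress_port)
            return "ERRDISABLE"                  # protects the CPU from ARP floods
        if pkt.src_mac.lower() != pkt.sender_mac.lower():
            return "DROP"                        # Ethernet source and ARP sender disagree
        expected = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if expected is None or expected != pkt.sender_mac.lower():
            return "DROP"                        # no binding, or binding names another MAC
        return "PERMIT"


def run_scenario() -> Dict[str, object]:
    """Constructed scenario: one legitimate host, one spoofer, one trusted uplink, one flood."""
    sw = DaiSwitch(rate_limit_pps=15)
    sw.trusted.add("Gi1/0/1")                                   # uplink towards router/DHCP server
    sw.add_binding(10, "192.0.2.1", "00:04:27:fd:52:40")        # gateway (static entry)
    sw.add_binding(10, "192.0.2.50", "00:11:22:33:44:55")       # DHCP client on Gi1/0/5

    legit = ArpPacket("Gi1/0/5", 10, "00:11:22:33:44:55", "00:11:22:33:44:55", "192.0.2.50")
    spoof = ArpPacket("Gi1/0/7", 10, "00:15:58:27:83:dc", "00:15:58:27:83:dc", "192.0.2.1")
    uplink = ArpPacket("Gi1/0/1", 10, "00:04:27:fd:52:40", "00:04:27:fd:52:40", "192.0.2.1")
    mismatch = ArpPacket("Gi1/0/5", 10, "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "192.0.2.50")

    flood = ArpPacket("Gi1/0/8", 10, "00:00:5e:00:53:01", "00:00:5e:00:53:01", "192.0.2.99")
    flood_results: List[str] = [sw.inspect(flood, now=1.0 + i * 0.01) for i in range(16)]

    return {
        "legit": sw.inspect(legit, now=0.0),
        "spoof": sw.inspect(spoof, now=0.0),
        "uplink": sw.inspect(uplink, now=0.0),
        "mismatch": sw.inspect(mismatch, now=0.1),
        "flood": flood_results,
        "errdisabled": sorted(sw.errdisabled),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The rate limit is applied before the binding check because the whole point of the limit is to keep the CPU from validating a flood; a real switch puts the port into err-disable, from which it must be recovered manually or by a recovery timer. The src-mac comparison models the optional additional validation that DAI can perform on top of the binding lookup.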

Chapter 7, "Exploiting IPv6 Neighbor Discovery and Router Advertisement," explains what the equivalent of ARP for IPv6 is and whether it can be secured.

References

1 Plummer, David C. RFC 826, "An Ethernet Address Resolution Protocol." November 1982.

2 Dugsong. dsniff. http://www.monkey.org/~dugsong/dsniff/.

3 Ornaghi, Alberto and Marco Valleri. ettercap. http://ettercap.sourceforge.net/.

4 Montoro, Massimiliano. cain. http://www.oxid.it/.

5 Carter, Earl. Cisco Secure Intrusion Detection System. Cisco Press, October 2001.

6 LBNL's Network Research Group. ARPwatch. ftp://ftp.ee.lbl.gov/arpwatch.tar.gz.