ARP protocol attacks and defenses
Camouflage and Skullduggery
ARP spoofing can be used to initiate denial-of-service attacks, network hijacking, and man-in-the-middle attacks on the Intranet. We look at how to prevent these incursions.
Companies spend huge amounts of money to protect themselves against attacks from the Internet, but intranet security is not very advanced in most small to medium-sized enterprises. The credo is often: internal users will not attack their own network. The reality is rather different, which is reason enough to take a look at one of the most common attacks on internal networks, and the options for defending against it: ARP spoofing.
On the intranet, unlike the Internet, addressing is not based on Layer 3 (IP) but on Layer 2 (Ethernet): a frame identifies its destination by MAC address. Resolution between IPv4 addresses and MAC addresses is handled by ARP (Address Resolution Protocol) or, in the other direction, by its counterpart RARP (Reverse ARP).
If computer A wants to communicate with computer B, A sends an ARP request to the broadcast address to discover the MAC address of B. Computer B responds with an ARP reply. In a tcpdump capture, this kind of conversation looks like Listing 1.
Listing 1: Intranet Communication
The result of the query is stored in the ARP cache. The number of seconds until a new ARP request is sent is defined on Linux by the value in /proc/sys/net/ipv4/neigh/default/gc_stale_time. You can also set the value per interface, for example in /proc/sys/net/ipv4/neigh/eth0/gc_stale_time.
Attacks on ARP
The simplest attack at the ARP level relies on the attacker continuously sending ARP reply packets to computer A that map the attacker's own MAC address to the IP address of computer B (Figure 1). If the attacker also sends ARP replies to computer B that register the attacker's MAC address for computer A, the attacker has a bidirectional man-in-the-middle position. This attack is also referred to as network hijacking. The attacker can now sniff and manipulate all traffic between the two computers.
This is not rocket science; in fact, it can be achieved with a short Python script (Listing 2) that uses the Scapy packet builder. Scapy can be installed with the operating system's package manager or with the Python pip tool:
pip install Scapy
Listing 2: ARP Attack with Scapy
The script takes as parameters the two endpoints of the connection the attacker wants to compromise. Lines 15 and 16 generate one ARP reply packet for each endpoint, mapping the attacker's own MAC address to the IP address of the opposite end; Scapy fills in the remaining addresses automatically. The loop that follows (lines 18-21) sends the two packets and then waits for interval seconds before sending them again.
This kind of ARP attack is not very elegant and is easy to detect; after all, reply packets are being sent for requests that were never made. Sometimes, however, it is the only way for an attacker to spoof the connection using ARP, for example when the two hosts have a faster link to one another than the attacker has to either of them.
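As an added example (not part of the article or its listings), the following stand-alone Python code decodes the request/reply exchange of Listing 1 and implements the detection idea just mentioned: a reply is suspicious if no matching request was seen on the wire. It uses only the standard library, so it runs without Scapy; the frames are constructed sample data with made-up addresses, and the names parse_arp_frame, UnsolicitedReplyDetector and scan are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet II frame carrying ARP over IPv4; return None for anything else."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet / IPv4 only
        return None
    body = frame[22:42]
    return ArpPacket(op, _mac(body[0:6]), _ip(body[6:10]),
                     _mac(body[10:16]), _ip(body[16:20]))


class UnsolicitedReplyDetector:
    """Flag ARP replies that answer no request seen on the wire (defender's view)."""

    def __init__(self) -> None:
        # (MAC that asked, IP it asked about) for every request not yet answered
        self._pending = set()

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return None
        if pkt.op == ARP_REQUEST:
            self._pending.add((pkt.sender_mac, pkt.target_ip))
            return None
        if pkt.op != ARP_REPLY:
            return None
        if pkt.sender_ip == pkt.target_ip:
            # Gratuitous ARP: hosts legitimately announce themselves on boot or failover,
            # so report it separately instead of treating it as an attack.
            return f"gratuitous ARP: {pkt.sender_ip} announces {pkt.sender_mac}"
        key = (pkt.target_mac, pkt.sender_ip)
        if key in self._pending:
            self._pending.discard(key)  # a second reply to the same request is flagged
            return None
        return f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac} sent to {pkt.target_mac}"


def scan(frames: List[bytes]) -> List[str]:
    """Run the detector over a frame sequence and return the alerts it produced."""
    detector = UnsolicitedReplyDetector()
    alerts = []
    for frame in frames:
        alert = detector.observe(frame)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample frames (made-up MACs 00:0c:29:aa/bb/cc:..., IPs 10.0.0.x).
REQUEST_A_FOR_B = bytes.fromhex(
    "ffffffffffff" "000c29aaaaaa" "0806"  # Ethernet: to broadcast, from A, type ARP
    "0001080006040001"                    # Ethernet/IPv4, 6/4 byte addresses, opcode 1
    "000c29aaaaaa" "0a000001"             # sender: A, 10.0.0.1
    "000000000000" "0a000002"             # target: unknown MAC, 10.0.0.2
)
REPLY_B_TO_A = bytes.fromhex(
    "000c29aaaaaa" "000c29bbbbbb" "0806"
    "0001080006040002"                    # opcode 2: reply
    "000c29bbbbbb" "0a000002"             # B says: 10.0.0.2 is-at B
    "000c29aaaaaa" "0a000001"
)
GRATUITOUS_B = bytes.fromhex(
    "ffffffffffff" "000c29bbbbbb" "0806"
    "0001080006040002"
    "000c29bbbbbb" "0a000002"             # sender IP == target IP: an announcement
    "ffffffffffff" "0a000002"
)
REPLY_X_CLAIMING_B = bytes.fromhex(
    "000c29aaaaaa" "000c29cccccc" "0806"
    "0001080006040002"
    "000c29cccccc" "0a000002"             # a third host claims 10.0.0.2, nobody asked
    "000c29aaaaaa" "0a000001"
)

if __name__ == "__main__":
    for line in scan([REQUEST_A_FOR_B, REPLY_B_TO_A, GRATUITOUS_B, REPLY_X_CLAIMING_B]):
        print(line)
```

Because a request is removed from the pending set as soon as it is answered, the race variant described next (two replies arriving for one request) also produces an alert for the second reply; a real monitor would feed observe() from a capture source such as Scapy's sniff() and would keep a list of hosts allowed to send gratuitous ARP.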
A more refined variant of this attack sniffs the network traffic and waits for an ARP request, which it answers with its own ARP reply in parallel with the host actually addressed. The attacker hopes that this packet reaches the requesting host before the genuine reply does. Listing 3 shows how the script can be extended to do this.
Listing 3: ARP Attack with Own Response Packet
Scapy not only generates new network packets but can also read traffic with its sniff() function and invoke a callback function for each captured packet. To avoid having to analyze every packet, the script sets the PCAP filter arp, which guarantees that only ARP packets are passed to the callback function. The function checks whether the packet is an ARP request, creates a reply by swapping the source and target addresses, and sends the result on Layer 2 using sendp().
Defense Against ARP Attacks
Man-in-the-middle attacks via ARP are easiest to spot on the client, but network devices such as switches can also detect them if the attack traffic passes through them. As shown above, an ARP request is sent within an internal network to discover the MAC address for an IPv4 address.
The attack relies on spoofing the reply to an ARP request so that the client enters the attacker's MAC address, instead of the correct one, for that IP address in its ARP cache. The easiest way to prevent this attack is not to use ARP to distribute MAC addresses at all; instead, the MAC addresses of all devices on the network are entered statically.
On Linux or Mac OS X, you can create a permanent ARP entry for a MAC address with the command:
arp -s 10.0.0.2 00:0c:29:c0:94:bf
On Windows, on the other hand, the command looks like this:
arp -s 10.0.0.2 00-0c-23-c0-94-bf
On OpenBSD, you need to add the permanent parameter because, otherwise, only an overridable static entry is created:
arp -s 10.0.0.2 00:0c:29:c0:94:bf permanent
If the network is too large and flexible for static MAC entries to be practical and the administrative overhead has to be kept down, there are still ways to at least detect this type of attack.
To begin, I'll take a closer look at the client. Normally, an attacker will not already be on the network when the client logs on for the first time, so the client very probably learns the correct MAC address of the computer it wants to communicate with. On most networks, MAC/IP address mappings rarely change, so you can write a script that checks whether a mapping has changed (Listing 4).
Listing 4: Checking the MAC/IP Address Mappings
In this way, the attack is not only detected but also prevented. The price is that assigning a new MAC address to an IP becomes harder, because the old mapping has to be deleted on the client side first. One way to regain some flexibility is to use a configuration management tool such as Puppet, which can add new static MAC entries to, or remove old ones from, the /etc/ethers file directly.
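The mapping check described above, and the static entries from the arp -s commands, can be combined in a host-side script like the following. This is an added example, not the article's Listing 4: it treats /etc/ethers as the known-good list, compares it with the kernel's current table in /proc/net/arp, and reports entries that have changed as well as entries that are correct but still dynamic (and therefore overridable). The two embedded samples are constructed with made-up addresses, and the helper names parse_ethers, parse_proc_arp, check_mappings and run_check are this example's own.

```python
import sys
from typing import Dict, List, Tuple

ETHERS_PATH = "/etc/ethers"      # known-good "MAC address" pairs, one per line
PROC_ARP_PATH = "/proc/net/arp"  # the kernel's current ARP table
ATF_COM, ATF_PERM = 0x2, 0x4     # flag bits in /proc/net/arp: complete / permanent

# Constructed sample data (made-up addresses); used unless run with --live.
SAMPLE_ETHERS = """\
# known-good mappings, maintained by hand or by a tool such as Puppet
00:0c:29:c0:94:bf   10.0.0.2
00:0c:29:11:22:33   10.0.0.3
00:0c:29:44:55:66   10.0.0.4
"""

SAMPLE_PROC_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.2         0x1         0x6         00:0c:29:c0:94:bf     *        eth0
10.0.0.3         0x1         0x2         00:0c:29:11:22:33     *        eth0
10.0.0.4         0x1         0x2         00:0c:29:de:ad:be     *        eth0
10.0.0.9         0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def normalize_mac(mac: str) -> str:
    """Accept 00-0C-29-.. (Windows style) or 0:c:29:.. (ethers style); return 00:0c:29:.."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.replace("-", ":").split(":"))


def parse_ethers(text: str) -> Dict[str, str]:
    """Map IP address -> expected MAC address from ethers(5)-style text."""
    known = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        mac, host = line.split(None, 1)       # ethers order: MAC first, then host/IP
        known[host.strip()] = normalize_mac(mac)
    return known


def parse_proc_arp(text: str) -> Dict[str, Tuple[str, bool]]:
    """Map IP address -> (MAC address, is_permanent) from /proc/net/arp text."""
    table = {}
    for line in text.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags_hex, mac, _mask, _device = fields[:6]
        flags = int(flags_hex, 16)
        if not flags & ATF_COM:               # incomplete entry: no address learned yet
            continue
        table[ip] = (normalize_mac(mac), bool(flags & ATF_PERM))
    return table


def check_mappings(known: Dict[str, str], current: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Report cache entries that contradict the known-good list or lack a static entry."""
    findings = []
    for ip, good_mac in sorted(known.items()):
        entry = current.get(ip)
        if entry is None:
            continue                          # nothing cached for this host yet
        mac, permanent = entry
        if mac != good_mac:
            findings.append(f"CHANGED {ip}: expected {good_mac}, cache has {mac}")
        elif not permanent:
            findings.append(f"DYNAMIC {ip}: mapping correct but overridable (no static entry)")
    return findings


def run_check(live: bool = False) -> List[str]:
    """Use the real files when live=True, otherwise the constructed samples."""
    if live:
        with open(ETHERS_PATH) as f:
            ethers_text = f.read()
        with open(PROC_ARP_PATH) as f:
            arp_text = f.read()
    else:
        ethers_text, arp_text = SAMPLE_ETHERS, SAMPLE_PROC_ARP
    return check_mappings(parse_ethers(ethers_text), parse_proc_arp(arp_text))


if __name__ == "__main__":
    for finding in run_check(live="--live" in sys.argv):
        print(finding)
```

Run from cron with --live, a CHANGED line is the detection half; the prevention half is loading the same file as static entries with net-tools' arp -f /etc/ethers, after which the DYNAMIC lines disappear because the kernel marks those entries permanent.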
Today, many network devices offer the option of learning and checking MAC addresses statically or dynamically. The relevant techniques include port security, DHCP snooping, private VLANs, AID, and implementation of the 802.1X standard.
Conclusions
It is not very difficult to protect yourself against the attack described here. As an administrator, you can rely either on a combination of static ARP entries and a configuration management tool or on a feature of the switches you deploy. ARP was standardized in 1982, when networks still seemed to consist only of friendly computers. Anyone who uses ARP should be aware that it is not a secure protocol and that appropriate precautions must be taken.