ARP Spoofing
One of the basic operations of the Ethernet protocol revolves around ARP
(Address Resolution Protocol) requests and replies. In general, when Node A
wants to communicate with Node C on the network, it sends an ARP request. Node
C will send an ARP reply which will include the MAC address. Even in a switched
environment, this initial ARP request is sent in a broadcast manner. It is
possible for Node B to craft and send an unsolicited, fake ARP reply to Node A.
This fake ARP reply will specify that Node B has the MAC address of Node C. Node
A will unwittingly send the traffic to Node B since it professes to have the
intended MAC address. Some available tools are specialized for sending fake ARP
replies to classes of machines (e.g., NFS servers, HTTP servers). One such
tool is dsniff [5], and it works well to sniff for specific types of traffic. Other
tools listen for the general ARP request and send the fake ARP reply at that time.
The parasite [4] program falls into this category, and it serves well to sniff the
entire network. For this type of attack to work, we need the ability to forward
on the frames we receive to their intended host. This is most commonly achieved
through some type of IP forwarding, either at the kernel or application level.
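The two signals a defender can watch for in the exchange described above are an ARP reply that no request asked for, and two different MAC addresses answering for the same IP address. The following passive monitor is an added example (not code from the original text, and not dsniff or parasite); it decodes raw IPv4-over-Ethernet ARP bodies and raises an alert on either signal. The MAC and IP addresses in `run_demo` are constructed for the Node A / Node B / Node C scenario.

```python
"""Passive ARP monitor (added example): flags unsolicited replies and binding conflicts."""
import struct
from dataclasses import dataclass

ARP_REQUEST = 1
ARP_REPLY = 2


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass(frozen=True)
class ArpPacket:
    oper: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(body: bytes) -> ArpPacket:
    """Decode the 28-byte IPv4-over-Ethernet ARP body (RFC 826 field layout)."""
    if len(body) < 28:
        raise ValueError("truncated ARP body")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", body[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return ArpPacket(oper, _mac_str(body[8:14]), _ip_str(body[14:18]),
                     _mac_str(body[18:24]), _ip_str(body[24:28]))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode an ARP body; used below only to construct sample traffic offline."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(target_ip))


class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # ip -> mac taken from the first reply seen for that ip
        self.pending = set()  # ips that were requested and not yet answered
        self.alerts = []      # (ip, claiming mac, reason)

    def observe(self, pkt: ArpPacket):
        if pkt.oper == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
            return None
        if pkt.oper != ARP_REPLY:
            return None
        reasons = []
        if pkt.sender_ip in self.pending:
            self.pending.discard(pkt.sender_ip)
        else:
            reasons.append("unsolicited reply")
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            reasons.append(f"binding conflict: known {known}, claimed {pkt.sender_mac}")
        if not reasons:
            return None
        alert = (pkt.sender_ip, pkt.sender_mac, "; ".join(reasons))
        self.alerts.append(alert)
        return alert


def run_demo() -> ArpMonitor:
    """Constructed sample traffic for the Node A / Node B / Node C scenario in the text."""
    mac_a, mac_b, mac_c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    ip_a, ip_c = "10.0.0.1", "10.0.0.3"   # constructed addresses
    zero = "00:00:00:00:00:00"
    frames = [
        build_arp(ARP_REQUEST, mac_a, ip_a, zero, ip_c),   # A asks who has C's IP
        build_arp(ARP_REPLY, mac_c, ip_c, mac_a, ip_a),    # C answers; binding learned
        build_arp(ARP_REPLY, mac_b, ip_c, mac_a, ip_a),    # B: unsolicited and conflicting
        build_arp(ARP_REQUEST, mac_a, ip_a, zero, ip_c),   # A asks again
        build_arp(ARP_REPLY, mac_b, ip_c, mac_a, ip_a),    # B answers first: conflict
        build_arp(ARP_REPLY, mac_c, ip_c, mac_a, ip_a),    # C's real reply arrives second
    ]
    mon = ArpMonitor()
    for body in frames:
        mon.observe(parse_arp(body))
    return mon


if __name__ == "__main__":
    for ip, mac, reason in run_demo().alerts:
        print(f"ALERT {ip} claimed by {mac}: {reason}")
```

The demo produces three alerts: the unsolicited forged reply, the forged reply that races the real one, and then the real reply itself, which arrives after the request has already been "answered". That last alert is not a false positive; any IP address answered by two MAC addresses is exactly the condition worth investigating, which is the same idea arpwatch implements by recording IP-to-MAC pairings and reporting changes. In production the packets would come from a capture interface rather than `build_arp`, and the monitor would age out old bindings so a legitimately replaced NIC does not alert forever.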
MAC Flooding
Since switches are responsible for setting up the virtual circuits from one node
to another, they must keep a translation table that tracks which addresses
(specifically, which MAC addresses) are on which physical port. The amount of
memory for this translation table is limited. This fact allows the switch to be
exploited for sniffing purposes. On some switches, it is possible to bombard the
switch with bogus MAC address data. The switch, not knowing how to handle the
excess data, will 'fail open'. That is, it will revert to a hub and will broadcast
all network frames to all ports. At this point, one of the more generic network
sniffers will work.
MAC Duplicating
It's not difficult to imagine that, since all frames on the network are routed
based on their MAC address, the ability to impersonate another host would
work to our advantage. That's just what MAC duplicating does. You reconfigure
Node B to have the same MAC address as the machine whose traffic you're trying
to sniff. This is easy to do on a Linux box if you have access to the 'ifconfig'
command. This differs from ARP Spoofing because, in ARP Spoofing, we are
'confusing' the host by poisoning its ARP cache. In a MAC Duplicating attack,
we actually confuse the switch itself into thinking two ports have the same MAC
address. Since the data will be forwarded to both ports, no IP forwarding is
necessary.
Protection
There are several methods to protect against these attacks. Some of these methods
are applicable to both non-switched and switched environments.
By enabling IP filtering on your switch, you directly specify which traffic
is allowed to flow to and from each port. This can be a monumental effort
to put in place and manage, especially if your environment is dynamic.
If your hub or switch has the ability to enable port security, this will
help to protect you from both the MAC Flood and MAC Spoofing attacks. This
feature effectively prevents the hub or switch from recognizing more than 1
MAC address on a physical port. This, like many security procedures, restricts
the environment and amplifies the need for a management process as well as an
auditing process.
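The MAC Flooding and MAC Duplicating sections above, and the port-security limit just described, all come down to how a switch's address table behaves. The following toy model is an added example (not vendor firmware and not code from the original text): a forwarding table with finite capacity, an optional per-port address limit, and an event log of what a monitoring process would want to see. The addresses and port numbers are constructed, and the model omits entry aging and VLANs.

```python
"""Toy switch forwarding-table model (added example, not vendor or page code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ingress_port: int   # physical port the frame arrived on
    src_mac: str
    dst_mac: str


class SwitchTable:
    def __init__(self, ports, capacity, max_macs_per_port=None):
        self.ports = set(ports)
        self.capacity = capacity               # finite table memory, as the text notes
        self.max_per_port = max_macs_per_port  # None: port security disabled
        self.table = {}                        # mac -> port
        self.per_port = defaultdict(set)       # port -> macs learned on it
        self.shut = set()                      # ports disabled by a violation
        self.events = []                       # what a monitoring process would log

    def _learn(self, frame):
        port, mac = frame.ingress_port, frame.src_mac
        on_port = self.per_port[port]
        if (self.max_per_port is not None and mac not in on_port
                and len(on_port) >= self.max_per_port):
            self.shut.add(port)
            self.events.append(("port-security-violation", port, mac))
            return
        prev = self.table.get(mac)
        if prev is not None and prev != port:
            # Same address now seen on a second port: the MAC duplicating signature.
            self.events.append(("mac-move", mac, prev, port))
            self.per_port[prev].discard(mac)
        elif prev is None and len(self.table) >= self.capacity:
            # Table exhausted by bogus addresses: the new address cannot be learned.
            self.events.append(("table-full", port, mac))
            return
        self.table[mac] = port
        on_port.add(mac)

    def handle(self, frame):
        """Learn the source address, then return the set of egress ports."""
        if frame.ingress_port in self.shut:
            return set()
        self._learn(frame)
        if frame.ingress_port in self.shut:      # shut by the frame just processed
            return set()
        out = self.table.get(frame.dst_mac)
        if out is None:
            # Unknown destination: flood to every other port, exactly as a hub would.
            return self.ports - {frame.ingress_port}
        return {out}


# Constructed addresses for the scenario in the text; B is the sniffing node.
MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
PORT_A, PORT_C, PORT_B = 1, 2, 3


def demo_flooding():
    sw = SwitchTable(ports=[1, 2, 3], capacity=8)
    sw.handle(Frame(PORT_A, MAC_A, MAC_C))             # A is learned on port 1
    for i in range(7):                                 # bogus sources from B fill the table
        sw.handle(Frame(PORT_B, f"02:00:00:00:00:{i:02x}", MAC_A))
    sw.handle(Frame(PORT_C, MAC_C, MAC_A))             # C's real address no longer fits
    egress = sw.handle(Frame(PORT_A, MAC_A, MAC_C))    # A -> C is now flooded, reaching B
    return egress, [e for e in sw.events if e[0] == "table-full"]


def demo_duplicating():
    sw = SwitchTable(ports=[1, 2, 3], capacity=64)
    sw.handle(Frame(PORT_C, MAC_C, MAC_A))             # legitimate C on port 2
    sw.handle(Frame(PORT_B, MAC_C, MAC_A))             # B transmits with C's address
    egress = sw.handle(Frame(PORT_A, MAC_A, MAC_C))    # table now points C's address at B
    return egress, [e for e in sw.events if e[0] == "mac-move"]


def demo_port_security():
    sw = SwitchTable(ports=[1, 2, 3], capacity=8, max_macs_per_port=1)
    sw.handle(Frame(PORT_B, MAC_B, MAC_A))             # first address on port 3 accepted
    sw.handle(Frame(PORT_B, "02:00:00:00:00:01", MAC_A))  # second one trips the limit
    egress = sw.handle(Frame(PORT_B, MAC_B, MAC_A))    # port is shut; nothing forwarded
    return egress, sw.shut, sw.events
```

Three things are worth noting from the runs. In `demo_flooding`, once the eight-entry table is full, the frame from A to C is delivered to every other port, including the flooding node's, which is the 'fail open' behaviour described above; the `table-full` event is the detection point. In `demo_duplicating`, the `mac-move` event is the signal: real switches typically log the same condition as a MAC address flapping between ports. In `demo_port_security`, the limit of one address per port shuts the port on the second address, so the bogus-address flood never fills the table, at which point the management and auditing processes the text mentions have to handle the shut port and decide whether the violation was an attack or a legitimate change.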