Attacking LAN hosts with ARP spoofing
1. Introduction
This article introduces the OSI model of internet communication and describes ARP spoofing, which is used to attack hosts in a Local Area Network (LAN). Passive and active sniffing are described. Finally, the mitigation of ARP spoofing is briefly discussed.
2. The OSI model
This model describes the structure of internet communication. The idea was to prepare a reference model in order to allow different manufacturers to create networking solutions that can cooperate with each other. The OSI model is comprised of seven layers:
Layer 7: Application
Layer 6: Presentation
Layer 5: Session
Layer 4: Transport
Layer 3: Network
Layer 2: Data link
Layer 1: Physical
I’ll discuss how data goes from the sender to the receiver. From the sender’s perspective, the data goes from layer 7 to layer 1. From the receiver’s perspective, the data goes from layer 1 to layer 7.
I’ll explain what happens when data goes from layer 7 to layer 1. At each stage (from layer 7 to layer 6, from layer 6 to layer 5, and so on), the data of the upper layer is included in the data of the lower layer (encapsulation). On the receiver’s side, the reverse process occurs and is called decapsulation. That’s how the different OSI layers interact. In reality, it’s more complicated: for example, the data of the application layer might be segmented at the transport layer (before being passed to the network layer) and fragmented at the network layer (before being passed to the data link layer).
Finally, let’s see the classification of network devices with reference to the layers of OSI model:
Layer 1 devices: repeater, hub
Layer 2 devices: bridge, switch
Layer 3 device: router
ARP spoofing is related to the ARP protocol (described in the next section of the article), which is used to bind IP and MAC addresses (from the network and data link layers of the OSI model, respectively; Ethernet is commonly used at the data link layer).
3. ARP protocol
Let’s assume that two computers, COMP1 and COMP2, are in the same LAN and want to communicate. COMP1 knows the IP address of COMP2 (denoted by COMP2_IP in the article), but what is actually needed in order to send the message to COMP2 is the MAC address of COMP2 (denoted by COMP2_MAC). Here, the ARP protocol is used. COMP1 sends an ARP request to everyone in the LAN (broadcasting). That request can be understood as something like this: “Hi, COMP2_IP, would you tell me your MAC address (COMP2_MAC)?” What happens next is the ARP reply message carrying COMP2_MAC. Now, COMP1 can send the message to COMP2, because it knows COMP2_MAC. That’s how it should work. However, there may be an attacker spoofing ARP reply messages. Let’s see how that works in this case.
4. ARP protocol – spoofing ARP reply
Let’s continue the story from the previous section and denote the computer of the attacker with COMP_ATTACKER, the IP address of COMP_ATTACKER with COMP_ATTACKER_IP, and the MAC of COMP_ATTACKER by COMP_ATTACKER_MAC.
Now let’s recall the description of the ARP protocol from the previous section of the article, and change one thing: when the ARP request is sent, COMP_ATTACKER replies (ARP reply) with its own MAC address (COMP_ATTACKER_MAC). Then, COMP1 thinks that it’s sending the message to COMP2, but it’s actually sending it to COMP_ATTACKER, because it received COMP_ATTACKER_MAC in the ARP reply. In addition, COMP_ATTACKER sends an ARP request to everyone in the LAN to learn COMP2_MAC. At that point, COMP_ATTACKER knows COMP2_MAC and can forward the message (received from COMP1) to COMP2. Before forwarding the message, COMP_ATTACKER can read and/or modify it if it’s not protected. That’s how ARP spoofing works. As we can see, this attack can lead to serious problems.
5. Passive and active sniffing
Switches know the MAC addresses attached to their ports and send messages only to the port where the destination host is attached. That way, other hosts cannot see the messages or sniff the traffic. As we’ve already seen, ARP spoofing can be used to overcome that obstacle from the attacker’s point of view. ARP spoofing is an active attack, because it involves sending spoofed ARP replies.
Now let’s go back to the old days and discuss hubs. Those devices work at Layer 1 of the OSI model. A message received by the hub is sent out on all its ports. Normally, a host reads only the messages that are addressed to it. However, the host can be put in promiscuous mode to see all the messages. That’s how passive sniffing works: the attacker only listens to the traffic and sends nothing.
6. Mitigation of ARP spoofing
Normally, the entries in the host’s ARP table are dynamic. These entries could be predefined (static) to solve the ARP spoofing problem. However, this approach has an administrative overhead.
Another idea is delegating the problem to the upper layers of the OSI model and using cryptography to provide authentication (digital certificates), data confidentiality (symmetric encryption), and data integrity (HMAC). SSL/TLS can be used here (it works between the application and transport layers of the OSI model). That way, we can detect if something has gone wrong with the message, and prevent it from being read.
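A third, detection-based approach is to watch the ARP replies on the wire and raise an alert when an IP address that was already bound to one MAC is suddenly claimed by another, which is exactly the situation from section 4. The Python below is an added example, not code from the original article: it parses raw Ethernet/ARP frames as described in section 3 and keeps a small IP-to-MAC table; the MAC and IP addresses and the frames are constructed test data, not captured traffic.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2  # ARP opcode for a reply (1 = request)


def _mac(s: str) -> bytes:  # "00:11:22:33:44:55" -> 6 raw bytes
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:   # "192.168.1.10" -> 4 raw bytes
    return bytes(int(o) for o in s.split("."))


def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying ARP; return (opcode, sender_ip, sender_mac).

    Returns None for anything that is not IPv4-over-Ethernet ARP (RFC 826 layout).
    """
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return oper, sender_ip, sender_mac


class ArpWatch:
    """Learn IP->MAC bindings from ARP replies and flag a binding that changes."""

    def __init__(self):
        self.table = {}   # ip -> mac seen in the first reply for that ip
        self.alerts = []  # human-readable conflict reports

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, ip, mac = parsed
        known = self.table.setdefault(ip, mac)
        if known != mac:
            alert = f"ARP conflict for {ip}: {known} now claimed by {mac}"
            self.alerts.append(alert)
            return alert
        return None


def arp_reply_frame(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a raw ARP reply frame in memory (constructed test input, never sent)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
```

A changed binding is not proof of an attack by itself (DHCP handing the same IP to another host or a replaced network card looks identical), so such alerts are usually correlated with a DHCP lease log or an inventory before being acted on.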
7. Summary
The OSI model of internet communication was introduced. Then the ARP protocol and ARP spoofing were discussed. The difference between active and passive sniffing was presented. Finally, the mitigation of ARP spoofing was briefly analyzed.