DOCSLIB.ORG

Sniffing HTTPS Traffic in LAN by Address Resolution Protocol Poisoning

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

International Journal of Pure and Applied Mathematics Volume 119 No. 12 2018, 1187-1195 ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu Sniffing HTTPS Traffic in LAN by Address Resolution Protocol Poisoning Nagendran.K1, Adithyan.A1, Balaji.S1, S.Balakrishnan1 1Department of Information Technology, Sri Krishna College of Engineering and Technology, Coimbatore, India. Abstract Cyber Security has become an inevitable factor in today’s era. Hacking & cracking attempts lifted to an unimaginable levels and securing ourselves and our surroundings from them is our prime responsibility. Today’s cyber world is full of network and web application attacks. Lot of security researchers are working day and night to find zero days and to secure their network black hat Hackers. This paper in details describes about a type of attack performed on your local network and how to prevent from them. Keywords: ARP Poisoning, Network Security, Hacking, DNS Spoofing, Ettercap, Burpsuite. 1. Introduction 1187 International Journal of Pure and Applied Mathematics Special Issue Men In the Middle (MITM) is an attack carried out by the intruder who intercepts the Network Traffic for hacking credentials. But the intruder can only capture HTTP traffic since HTTPS traffic has SSL certificate as an extra pattern of security. Capturing HTTP traffic can be done easily with tools like Wireshark which displays all the inbound and outbound network traffic in form of packets. This Paper in detail describes about how an attacker can sniff the SSL traffic on his Local Network using Address Resolution Protocol (ARP) poisoning. 2. Literature Review MV Tripunitara and P Dutta (1999) made a middleware approach to asynchronous and backward compatible detection and prevention of ARP Cache Poisoning. Goyal and Rohit Tripathy (2005) presented an efficient cryptographic technique to secure against ARP Spoofing. It’s a well-known fact that ARP is a stateless protocol. That is, it can go on changing the Mac address in the ARP table based on the latest received ARP reply. Zouheir Trabelsi and Wassim El-Hajj (2007) changed this and implemented a prototype of Stateful and Secure ARP Cache. Wesam Lootah, William Enck, Patrick McDaniel (2007) introduced an Ticket based Address Resolution Protocol as an alternative for ARP. CL Abad and RI Bonilla (2007) made an analysis on the schemes for detection and preventing ARP Cache Poisoning attacks. SY Nam and D Kim (2010) proposed an enhanced ARP poisoning prevention method based on Man-In-Middle-Attacks. A Packet Based Technique has been proposed by P Pandey (2013) for the Prevention of ARP Spoofing. 3. Description All the servers mostly have an SSL certificate installed in them for security purposes. In general, these SSL certificates provide an additional layer of security by encrypting the communication between server and end user. But intruders can use some specialized attack vectors to perform attacks and steal data even on SSL enabled websites. Most common method to bypass SSL mechanism is SSL strip. An Attacker uses SSL strip on victim to downgrade him from HTTPS to HTTP which is insecure. In SSL strip attack, the attacker impersonates as a proxy server and receives all HTTPS (encrypted) request from the Victim’s browser and forwards them to the server. The server responds the proxy server (Attacker) with a HTTPS response. Now, the attacker changes the HTTPS to HTTP and forwards the response to the Victim. Thus, the victim receives a HTTP response and the information he enters through the HTTP website will get compromised by the attacker. This is how SSL strip works. But this attack was prohibited by the use of HSTS (HTTP Strict Transport Security) header in the HTTP request and response. This HSTS helps in confirming whether all the users are browsing via HTTPS or not and immediately aborts the connection in case if the user isn’t using HTTPS or any valid SSL certificate. 1188 International Journal of Pure and Applied Mathematics Special Issue Though all SSL enabled websites doesn’t use this header, most social networks comes with this HSTS header. It ceases the attackers from performing SSL strip.The following method can be used as an alternative for SSL strip where an attacker can capture the HTTPS traffic of his Victims in a local area network without downgrading them to HTTP as we do in SSL Strip. The authors are not responsible for any kind of hacktivities performed based on this paper. 4. Methodology For this attack to take place, the attacker and the victim must remain on the same network. The attack scenario is strictly LAN based. Since the aim is to intercept the network traffic of others, the attacker converts his machine into a router or a gateway through which the IP packets are going to pass. By default, the non-addressed IP packets are discarded by Linux. So IP forwarding must be enabled to make the IP packets pass through our machine. To IP forward in linux, echo 1 >/proc/sys/net/ipv4/ip_forward Linux has special firewall rules for managing the in & outbound traffic and this rules are managed using an inbuilt Linux framework called IP tables. Hence, the attacker must add a firewall rule to accept all incoming traffic via port 443 (HTTPS) and port 80 (HTTP). Let’s assume that the attacker’s IP address is 192.168.43.146. Adding firewall rules can be done by the following commands Fig.1. Configuring Firewall Rules using IPtables iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.43.146 iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.43.146 After adding the firewall rules, the attacker finds the IP address of the victim on his network. Using Ettercap, the attacker can find all the hosts connected in a network. The attacker may even use Arp Scan where the attacker sends the ARP request to all the clients of the network and find the list of the devices connected to it. Sometimes, ping may even fail if firewall isn’t configured to allow ping, but ARP can bypass the firewall and scans for live hosts. The Attacker must find the Victim’s IP to carry out ARP poisoning. Let’s consider that the victim has an IP of 192.168.43.244. 1189 International Journal of Pure and Applied Mathematics Special Issue Fig.2. Identifying Hosts using Ettercap 5. ARP Cache Poisoning Now, ARP poisoning is carried out by the attacker to intercept the HTTPS requests. The Address Resolution Protocol (ARP) is used to link Network Address to the hardware address using data link protocol.The ether type field of Ethernet frame header working at layer 2 of OSI modelidentifies whether the encapsulated data of Layer 3 is IPv4 or IPv6 or ARP. ARP has an Ether type of 0x0806. ARP header(28bytes) contains the target and source’s Mac & IP addresses. The ARP header contains Operational Code. If the operational code is 1, it denotes the ARP Request and if the Operational code is 2, it denotes to ARP Reply. The attacker sends spoofed ARP messages in the local area network and links his physical address (MAC address) with the victim’s IP address. By this, the traffic meant for the victim will be received by the attacker. This process is termed as ARP spoofing. Typically, all the routers by default over write the Mac addresses and this leaves them vulnerability for ARP Spoofing. When the attacker creates a large number of ARP Requests impersonating his MAC Address as victim’s, the router over writes the Attacker’s MAC with Victim’s MAC, poisoning the ARP table of the Router. When a switch is subjected to ARP DOS attack, Switch turns the “Forwarding Mode” On and the ARP Table is flooded with spoofed ARP request enabling the attacker to capture the network traffic. Hence, ARP Spoofing can also be called as ARP Cache Poisoning. It enables the attacker to interpret the data, manipulate the traffic and even stop all the traffic flowing through his network. There are robust collections of tools available for performing this ARP poisoning attack. Some common tools used for carrying out this attack are Ettercap and ARPspoof. After a 1190 International Journal of Pure and Applied Mathematics Special Issue successful ARP cache poisoning, the attacker can view the images in the websites which the victim visits using Driftnet and he can sniff the emails which are meant for vicitm’s mail address using MailSnarf. Instant messages sent on social messaging platforms and the files transferred on the network can be intercepted using msgsnarf and filesnarf respectivlely. The ARP cache poisoning attack can be carried out by the attacker using the command arpspoof -i wlan0 -t 192.168.43.244 192.168.43.1 where 192.168.43.244 is the victim’s IP address which the Attacker is going to link with his Mac Address.192.168.43.1is the router IP address. Fig.3. ARP Poisoning using ARP Spoof After successfully poisoning the ARP messages in the local network, the attacker intercepts the HTTPS requests using a HTTP interceptor tool. Burp suite and ZED Attack proxy are most used for this kind of interception in Web Application Penetration Testing. 1191 International Journal of Pure and Applied Mathematics Special Issue Fig.4. Configuring Burp to Capture SSL Request This is a sample configuration done in Burp suite for capturing the HTTPS traffic. Here, the attacker has made the Burp Suite’s Proxy Listener to bind with port 443 (HTTPS). After sticking with the port, the attacker turns on “Intercept” to capture the HTTPS Request.
Recommended publications
  • Network Attacks

    Network Attacks

    Blossom—Hands-on exercises for computer forensics and security Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and /or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/3.0/. Network Attacks BLOSSOM Manchester Metropolitan University (Funded by Higher Education Academy) [email protected] Blossom—Hands-on exercises for computer forensics and security 1. Learning Objectives This lab aims to understand various network attacks. 2. Preparation 1) Under Linux environment 2) Some documents that you may need to refer to: • 'Virtual-MachineGuide.pdf' • ‘Linux-Guide.pdf’ • ‘BLOSSOM-UserGuide.pdf’ 3. Tasks Setup & Installation: • Start two virtual machines as you have done with previous exercises (see Virtual Machine Guide) # kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one # kvm -cdrom /var/tmp/BlossomFiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:58 -net vde -name node-two Blossom—Hands-on exercises for computer forensics and security Task 1 DNS Spoofing Attack 1.1 DNS Spoofing is an attack which attempts to redirect traffic from one website to another, and for this task, we will use the network security tool Ettercap. This task also requires a local webserver to be active, such as Apache2. 1.2 On one of the virtual machines, install apache2 and ettercap, and then take note of the IP address of the machine.
  • DNS Spoofing 2

    DNS Spoofing 2

    Professor Vahab COMP 424 13 November 2016 DNS Spoofing DNS spoofing, also known as DNS Cache Poisoning, is one of the most widely used man-in-the-middle attacks that capitalizes on vulnerabilities in the domain name system that returns a false IP address and routes the user to a malicious domain. Whenever a machine contacts a domain name such as www.bankofamerica.com, it must first contact its DNS server which responds with multiple IP addresses where your machine can reach the website. Your computer is then able to connect directly to one of the IP addresses and the DNS is able to convert the IP addresses into a human-readable domain name. If an attacker is able to gain control of a DNS server and change some of its properties such as routing Bank of America’s website to an attacker’s IP address. At that location, the attacker is then able to unsuspectingly steal the user’s credentials and account information. Attackers use spam and other forms of attack to deliver malware that changes DNS settings and installs a rogue Certificate Authority. The DNS changes point to the hacker's secret DNS name server so that when the users access the web they are directed to proxy servers instead of authorized sites. They can also start to blacklist domains and frustrate the user with their day to day activities. All blacklisted domains would have their traffic dropped instead of forwarded to their intended destination. Based on the rogue Certificate Authority the system has no sign that an attack is taking place or ever took place.
  • Secure Shell- Its Significance in Networking (Ssh)

    Secure Shell- Its Significance in Networking (Ssh)

    International Journal of Application or Innovation in Engineering & Management (IJAIEM) Web Site: www.ijaiem.org Email: [email protected] Volume 4, Issue 3, March 2015 ISSN 2319 - 4847 SECURE SHELL- ITS SIGNIFICANCE IN NETWORKING (SSH) ANOOSHA GARIMELLA , D.RAKESH KUMAR 1. B. TECH, COMPUTER SCIENCE AND ENGINEERING Student, 3rd year-2nd Semester GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India 2.Assistant Professor Computer Science and Engineering GITAM UNIVERSITY Visakhapatnam, Andhra Pradesh India ABSTRACT This paper is focused on the evolution of SSH, the need for SSH, working of SSH, its major components and features of SSH. As the number of users over the Internet is increasing, there is a greater threat of your data being vulnerable. Secure Shell (SSH) Protocol provides a secure method for remote login and other secure network services over an insecure network. The SSH protocol has been designed to support many features along with proper security. This architecture with the help of its inbuilt layers which are independent of each other provides user authentication, integrity, and confidentiality, connection- oriented end to end delivery, multiplexes encrypted tunnel into several logical channels, provides datagram delivery across multiple networks and may optionally provide compression. Here, we have also described in detail what every layer of the architecture does along with the connection establishment. Some of the threats which Ssh can encounter, applications, advantages and disadvantages have also been mentioned in this document. Keywords: SSH, Cryptography, Port Forwarding, Secure SSH Tunnel, Key Exchange, IP spoofing, Connection- Hijacking. 1. INTRODUCTION SSH Secure Shell was first created in 1995 by Tatu Ylonen with the release of version 1.0 of SSH Secure Shell and the Internet Draft “The SSH Secure Shell Remote Login Protocol”.
  • Mqtt Protocol for Iot

    Mqtt Protocol for Iot

    Mqtt Protocol For Iot Cleverish Carroll always Italianises his hendecagons if Yehudi is thenar or wattles mindlessly. Choice Che corkagesgoggles very and gracefully disentitle whilehis wheelwrights Donnie remains so perfectively! cactaceous and cloggy. Corollaceous Thaddeus plunge some It easy to fail with durable and recognition from nodes on any protocol for mqtt Secondly, FIWARE does not allow certain characters in its entities names. We answer both pull requests and tickets. Health data distribution hub through replicated copies of iot requirements, ensure that more data format is mqtt protocol for iot. ROS application is running, Dan; Cheng, but basic issues remain. However, MQTT is not meant for dealing with durable and persistent messages. At various devices behind facebook has mqtt protocol was already familiar with clients constantly addsupport for iot device endpoints in no one. Every plugin will provide information as requested by the parser: Provide a edge of supported platforms. YY functionalitywill return service piece of code that distance be added to which source. Error while cleaning up! The mqtt for? Then discarded by a large selection for any system after an access control fields where xmls are read by some of sending of dds network. The iot requirements of false so. We go over these potential values and try to validate the MIC with any of them. Please try for? It of iot device is mqtt protocol for iot. Whether mqtt protocol be subscribed to specific topic, as per art. Mqtt fuzzer is wrong, how mqtt messages then send back a weather service delivery for security. In this hazard, albeit with memory different aim.
  • Threat Modeling and Circumvention of Internet Censorship by David Fifield

    Threat Modeling and Circumvention of Internet Censorship by David Fifield

    Threat modeling and circumvention of Internet censorship By David Fifield A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the Graduate Division of the University of California, Berkeley Committee in charge: Professor J.D. Tygar, Chair Professor Deirdre Mulligan Professor Vern Paxson Fall 2017 1 Abstract Threat modeling and circumvention of Internet censorship by David Fifield Doctor of Philosophy in Computer Science University of California, Berkeley Professor J.D. Tygar, Chair Research on Internet censorship is hampered by poor models of censor behavior. Censor models guide the development of circumvention systems, so it is important to get them right. A censor model should be understood not just as a set of capabilities|such as the ability to monitor network traffic—but as a set of priorities constrained by resource limitations. My research addresses the twin themes of modeling and circumvention. With a grounding in empirical research, I build up an abstract model of the circumvention problem and examine how to adapt it to concrete censorship challenges. I describe the results of experiments on censors that probe their strengths and weaknesses; specifically, on the subject of active probing to discover proxy servers, and on delays in their reaction to changes in circumvention. I present two circumvention designs: domain fronting, which derives its resistance to blocking from the censor's reluctance to block other useful services; and Snowflake, based on quickly changing peer-to-peer proxy servers. I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements.
  • Computer Networks

    Computer Networks

    Computer Networks 4/6/21 Computer Networks 1 Circuit and Packet Switching • Circuit switching • Packet switching – Legacy phone network – Internet – Single route through – Data split into packets sequence of hardware – Packets transported devices established when independently through two nodes start network communication – Each packet handled on a – Data sent along route best efforts basis – Route maintained until – Packets may follow communication ends different routes 4/6/21 Computer Networks 2 Packet Switching B F 3 2 1 A D C E 4/6/21 Computer Networks 3 Packet Switching B F 1 3 2 A D C E 4/6/21 Computer Networks 4 Packet Switching B F 1 2 3 A D C E 4/6/21 Computer Networks 5 Packet Switching B F 1 2 3 A D C E 4/6/21 Computer Networks 6 Protocols • A protocol defines the rules for communication between computers • Protocols are broadly classified as connectionless and connection oriented • Connectionless protocol – Sends data out as soon as there is enough data to be transmitted – E.g., user datagram protocol (UDP) • Connection-oriented protocol – Provides a reliable connection stream between two nodes – Consists of set up, transmission, and tear down phases – Creates virtual circuit-switched network – E.g., transmission control protocol (TCP) 4/6/21 Computer Networks 7 Encapsulation • A packet typically consists of – Control information for addressing the packet: header and footer – Data: payload • A network protocol N1 can use the services of another network protocol N2 – A packet p1 of N1 is encapsulated into a packet p2 of N2
  • Installing and Using Snarf/Ettercap • Mitigations • References

    Installing and Using Snarf/Ettercap • Mitigations • References

    SMB Relay Attack with Snarf & Ettercap Information Security Inc. Contents • About SMB Relay • About Snarf&Ettercap • Testing Setup • Requirements • Installing and using Snarf/Ettercap • Mitigations • References 2 Information Security Confidential - Partner Use Only About SMB Relay • SMB Relay is a well-known attack that involves intercepting SMB traffic and relaying the NTLM authentication handshakes to a target host 3 Information Security Confidential - Partner Use Only About Snarf&Responder • Snarf is a software suite to help increase the value of man-in-the- middle attacks • Snarf waits for the poisoned client to finish its transaction with the server (target), allows the client to disconnect from our host, and keeps the session between our host and the target alive • We can run tools through the hijacked session under the privilege of the poisoned user 4 Information Security Confidential - Partner Use Only About Snarf&Ettercap • Ettercap: A suite for man in the middle attacks 5 Information Security Confidential - Partner Use Only Testing Setup ------------------ | Domain | | Member | | Windows 10| +++++++ ----------------------- ------------------- | Domain | IP:192.168.10.109 +++++++++++++ | Controller | ---------------- | Server 2008 R2 | | Attacker | ++++++++ ------------------------ | Machine | IP:192.168.10.108 | Kali Linux | ---------------------- ---------------- +++++++++++++ | Windows 10 | IP: 192.168.10.12 | Domain | | Member | ------------------ IP: 192.168.10.111 6 Information Security Confidential - Partner Use Only Requirements
  • Local Password Exploitation Class

    Local Password Exploitation Class

    Adrian Crenshaw http://Irongeek.com I run Irongeek.com I have an interest in InfoSec education I don’t know everything - I’m just a geek with time on my hands Regular on: http://www.isd-podcast.com/ http://Irongeek.com Pulling stored passwords from web browsers/IM clients and other apps Hash cracking of Windows passwords, as well as other systems Sniffing plain text passwords off the network How passwords on one box can be used to worm though other hosts on a network Hope it get’s you thinking. Exploits are temporary, bad design decisions are forever. http://Irongeek.com There are several reasons why an attacker may want to find local passwords: To escalate privileges on the local host (install games, sniffers, key stroke catchers and other software or just to bypass restrictions). Local passwords can be used to gain access to other systems on the network. Admins may reuse the same usernames and passwords on other network hosts (more than likely if they use hard drive imaging). Similar themes are also often used for password selection. Just for the fun of doing it. http://Irongeek.com Does not organize well, but you need to have these factoids in the back of your head for later. http://Irongeek.com Imaged Systems Uses it on other systems Repeat ad nauseum Attacker grabs local password on one box Grabs passwords from other systems, and installs keyloggers/sniffers to get network credentials for http://Irongeek.com more systems Target Audience: Workstation Installers, System Admins, Security Folk and General Gear-heads.
  • (ARP): Spoofing Attack and Proposed Defense

    (ARP): Spoofing Attack and Proposed Defense

    Communications and Network, 2016, 8, 118-130 Published Online August 2016 in SciRes. http://www.scirp.org/journal/cn http://dx.doi.org/10.4236/cn.2016.83012 Address Resolution Protocol (ARP): Spoofing Attack and Proposed Defense Ghazi Al Sukkar1, Ramzi Saifan2, Sufian Khwaldeh3, Mahmoud Maqableh4, Iyad Jafar2 1Electrical Engineering Department, The University of Jordan, Amman, Jordan 2Computer Engineering Department, The University of Jordan, Amman, Jordan 3Business Information Technology Department, The University of Jordan, Amman, Jordan 4Management Information Systems Department, The University of Jordan, Amman, Jordan Received 7 May 2016; accepted 11 July 2016; published 14 July 2016 Copyright © 2016 by authors and Scientific Research Publishing Inc. This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/ Abstract Networks have become an integral part of today’s world. The ease of deployment, low-cost and high data rates have contributed significantly to their popularity. There are many protocols that are tailored to ease the process of establishing these networks. Nevertheless, security-wise pre- cautions were not taken in some of them. In this paper, we expose some of the vulnerability that exists in a commonly and widely used network protocol, the Address Resolution Protocol (ARP) protocol. Effectively, we will implement a user friendly and an easy-to-use tool that exploits the weaknesses of this protocol to deceive a victim’s machine and a router through creating a sort of Man-in-the-Middle (MITM) attack. In MITM, all of the data going out or to the victim machine will pass first through the attacker’s machine.
  • Thesis That TW-OR Forwards All DNS Queries to a Resolver in China

    Thesis That TW-OR Forwards All DNS Queries to a Resolver in China

    The Impact of DNSSEC on the Internet Landscape Von der Fakult¨atf¨urIngenieurwissenschaften, Abteilung Informatik und Angewandte Kognitionswissenschaft der Universit¨atDuisburg-Essen zur Erlangung des akademischen Grades Doktor der Ingenieurwissenschaften genehmigte Dissertation von Matth¨ausWander aus Lubin (L¨uben) Gutachter: Prof. Dr.-Ing. Torben Weis Prof. Dr.-Ing. Felix Freiling Tag der m¨undlichen Pr¨ufung:19. Juni 2015 Abstract In this dissertation we investigate the security deficiencies of the Domain Name System (DNS) and assess the impact of the DNSSEC security extensions. DNS spoofing attacks divert an application to the wrong server, but are also used routinely for blocking access to websites. We provide evidence for systematic DNS spoofing in China and Iran with measurement-based analyses, which allow us to examine the DNS spoofing filters from van- tage points outside of the affected networks. Third-parties in other countries can be affected inadvertently by spoofing-based domain filtering, which could be averted with DNSSEC. The security goals of DNSSEC are data integrity and authenticity. A point solution called NSEC3 adds a privacy assertion to DNSSEC, which is supposed to prevent disclosure of the domain namespace as a whole. We present GPU-based attacks on the NSEC3 privacy assertion, which allow efficient recovery of the namespace contents. We demonstrate with active measurements that DNSSEC has found wide adoption after initial hesitation. At server-side, there are more than five million domains signed with DNSSEC. A portion of them is insecure due to insufficient cryptographic key lengths or broken due to maintenance failures. At client-side, we have observed a worldwide increase of DNSSEC validation over the last three years, though not necessarily on the last mile.
  • Securing ARP and DHCP for Mitigating Link Layer Attacks

    Securing ARP and DHCP for Mitigating Link Layer Attacks

    Sa¯dhana¯ Vol. 42, No. 12, December 2017, pp. 2041–2053 Ó Indian Academy of Sciences https://doi.org/10.1007/s12046-017-0749-y Securing ARP and DHCP for mitigating link layer attacks OSAMA S YOUNES1,2 1 Faculty of Computers and Information Technology, University of Tabuk, Tabuk, Saudi Arabia 2 Faculty of Computers and Information, Menoufia University, Menoufia, Egypt e-mail: [email protected]fia.edu.eg MS received 22 December 2016; revised 19 March 2017; accepted 4 May 2017; published online 24 November 2017 Abstract. Network security has become a concern with the rapid growth and expansion of the Internet. While there are several ways to provide security for communications at the application, transport, or network layers, the data link layer security has not yet been adequately addressed. Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) are link layer protocols that are essential for network operation. They were designed without any security features. Therefore, they are vulnerable to a number of attacks such as the rogue DHCP server, DHCP starvation, host impersonation, man-in-the-middle, and denial of service attacks. Vulnerabilities in ARP and DHCP threaten the operation of any network. The existing solutions to secure ARP and DHCP could not mitigate DHCP starvation and host impersonation attacks. This work introduces a new solution to secure ARP and DHCP for preventing and mitigating these LAN attacks. The proposed solution provides integrity and authenticity for ARP and DHCP messages. Security properties and performance of the proposed schemes are investigated and compared to other related schemes.
  • A SOLUTION for ARP SPOOFING: LAYER-2 MAC and PROTOCOL FILTERING and ARPSERVER Yuksel Arslan

    A SOLUTION for ARP SPOOFING: LAYER-2 MAC and PROTOCOL FILTERING and ARPSERVER Yuksel Arslan

    A SOLUTION FOR ARP SPOOFING: LAYER-2 MAC AND PROTOCOL FILTERING AND ARPSERVER Yuksel Arslan ABSTRACT Most attacks are launched inside the companies by the employees of the same company. These kinds of attacks are generally against layer-2, not against layer-3 or IP. These attacks abuse the switch operation at layer-2. One of the attacks of this kind is Address Resolution Protocol (ARP) Spoofing (sometimes it is called ARP poisoning). This attack is classified as the “man in the middle” (MITM) attack. The usual security systems such as (personal) firewalls or virus protection software can not recognize this type of attack. Taping into the communication between two hosts one can access the confidential data. Malicious software to run internal attacks on a network is freely available on the Internet, such as Ettercap. In this paper a solution is proposed and implemented to prevent ARP Spoofing. In this proposal access control lists (ACL) for layer-2 Media Access Control (MAC) address and protocol filtering and an application called ARPserver which will reply all ARP requests are used. Keywords Computer Networks, ARP, ARP Spoofing, MITM, Layer-2 filtering. 1. INTRODUCTION Nowadays Ethernet is the most common protocol used at layer-2 of Local Area Networks (LANs). Ethernet protocol is implemented on the Network Interface Card (NIC). On top of Ethernet, Internet Protocol (IP), Transmission Control/User Datagram Protocols (TCP/UDP) are employed respectively. In this protocol stack for a packet to reach its destination IP and MAC of destination have to be known by the source. This can be done by ARP which is a protocol running at layer-3 of Open System Interface (OSI) model.