SMC CS 78 - ARP* man-in-the-middle attack

This preview shows page 1-2-3-4-5 out of 15 pages.


ARP* man-in-the-middle attack
David Morgan
*address resolution protocol – rfc 826
© David Morgan 2011

"Hardware address" to "Protocol address" translation
- Network layer and up use one addressing scheme
- Data link and down use (if any) another
- Network-up: "protocol" addresses
- Datalink-down: "hardware" addresses

"Hardware" vs "Protocol" addresses
- Protocol addresses
  – software abstractions
  – apps use them to identify destination computers
  – hardware cannot locate a computer using one
- Hardware addresses
  – applications don't use them
  – hardware can locate a computer using one
  – but only within same physical net (computers on common medium)

Example
- IP addresses
  – 32-bit numbers
  – telnet/ftp/http use them to identify destination computers
  – ethernet cannot locate a computer using one
- Ethernet addresses
  – 48-bit numbers
  – telnet/ftp/http don't use them
  – ethernet can locate a computer on the common coax or hub using one

Translation necessary
- Given an IP destination, what is the matching ethernet address?
- Address Resolution Protocol finds out (resolves)

Ethernet frame structure
[Diagram] Destination HW Address | Source HW Address | Type | Ethernet's Data Payload | Packet Checksum

Frames ethernet NICs will read
- frames destined to
  – NIC's own address
  – FF:FF:FF:FF:FF:FF
- others ignored (payload never read)

Ethernet broadcast
[Diagram] FF:FF:FF:FF:FF:FF | Source HW Address | Type | Ethernet's Data Payload | Packet Checksum

How could we translate?
- Table lookup
  – bindings/mappings kept in memory table
- Message exchange
  – dynamic message exchange across network
- ARP uses both

A lookup table

    IP address     Ethernet address
    192.168.3.1    00:80:C8:E2:AF:61
    192.168.3.2    00:A0:CC:D2:F0:42
    192.168.3.3    00:40:05:A3:42:26
    192.168.3.4    0A:07:4B:12:82:36
    192.168.3.5    0A:77:81:0E:52:FA

...or how about message exchange? Ethernet carrying ARP
[Diagram] Destination HW Address | Source HW Address | 0806 | ARP message | Packet Checksum
Ethernet's payload may be an Address Resolution Protocol message

ARP message structure
[Diagram, drawn in rows 4 bytes wide] HW address type | Protocol address type | HALen | PALen | Operation | Sender HAddr | Sender PAddr | Sender PAddr (cont) | Target HAddr | Target PAddr

Ethernet carrying ARP
[Diagram] Destination HW Address | Source HW Address | 0806 | HW address type | Protocol address type | HALen | PALen | Operation | Sender HAddr | Sender PAddr | Sender PAddr (cont) | Target HAddr | Target PAddr | Packet Checksum

B arps (seeks) D
[Diagram: nodes A, B, C, D, E]

B's arp request is broadcast...
[Diagram: nodes A, B, C, D, E]
...reaches everybody; everybody reads it, nobody ignores it

D's arp reply is direct to B (unicast)...
[Diagram: nodes A, B, C, D, E]
...reaches everybody (hub) or B only (switch); B reads it, everybody else ignores it

Caching arp responses
- arp is inefficient
- takes 3 frames to transfer 1 packet
- packets between host pairs occur in bunches
- so arp caches a table of recent arp'd bindings in memory
- subsequent packets use table, not message exchange

Cached arp table

    [root@EMACH1 david]# arp -n
    Address          HWtype  HWaddress           Flags Mask  Iface
    192.168.3.1      ether   00:80:C8:E2:AF:61   C           eth0
    192.168.3.3      ether   00:40:05:A3:42:26   C           eth0
    64.130.228.62    ether   00:10:E8:09:6E:80   C           eth1

Operation essentials: arp request
- target receives, reads broadcast frame
- caches sender's addr binding
- compares target IP with his own
  – quit if no match, otherwise…
- compose arp response
  – reverse sender, target addr bindings
  – insert ethernet addr into Sender Haddr field
  – insert "2" (response) in operation field
  – send

Operation essentials: arp reply
- target receives, reads unicast frame
- caches sender's addr binding
- uses its hardware address to frame and send protocol packet to sender (remember, arp reply "sender" is protocol's intended "recipient")

Observation about caching mechanism for sender bindings
- performed for an incoming request
- uncritical – no questions asked
- recipe to write his cache
  – compose a request containing the binding you want to write (your MAC in ethernet source field, any IP in arp senderIP field)
  – send it to him
  – he'll take care of it for you

Tools for lab

arp table impact of arping utility
[Figure: arp table BEFORE, selective packet trace, arp table AFTER. Caption: "True, actual". Bindings shown: 192.168.1.142 00:0c:29:32:95:d9 and 192.168.1.122 00:18:8b:ba:fa:a4. Callouts on the trace: ethernet frames' addresses; arp messages' binding pairs.]
* prereq: echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind

Putting wrong mappings in the arp table
[Figure: arp table BEFORE, selective packet trace, "poisoned" AFTER. Caption: "false, arbitrary". Bindings shown: 192.168.1.142 00:0c:29:32:95:d9 and 192.168.1.122 00:18:8b:ba:fa:a4.]

Consequence
- target thinks arpslinger's MAC address is the one that belongs to each of the 2 poisoned IPs
- target's packets to either IP will be frame-addressed to arpslinger
- arpslinger becomes the recipient of traffic sent by target to them

Man in the middle: node 1 in the middle of node2-node4 conversation
[Diagram with request/reply arrows]
- in order to reach node4, actual arp/ethernet business by node2 will be conducted with node0 – the router
- so to get between 2 and 4, node1 must get between 2 and 0

Man in the middle: node 1 in the middle of node2-node0
[Diagram with request/reply arrows]
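
Added example (not part of the original slides): because a host caches sender bindings "no questions asked", a monitor has to do the questioning. This Python code decodes the Ethernet and ARP fields named on the slides and flags a sender binding that contradicts a trusted table, or an ARP sender hardware address that differs from the frame's source address. The function names, the 02:00:00:00:00:01 address and the sample frames are constructed here; the two trusted pairs are the ones shown on the lab slides.

```python
import struct

ETH_ARP = 0x0806  # EtherType shown on the "Ethernet carrying ARP" slide

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(map(str, b))
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(p) for p in s.split("."))

def parse_arp(frame):
    """Decode Ethernet + ARP (RFC 826, Ethernet/IPv4); None for anything else."""
    if len(frame) < 42:
        return None
    _, src, etype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if etype != ETH_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tpa": ip_str(tpa)}

def audit(frames, trusted):
    """Alert on sender bindings that a host cache would accept uncritically."""
    seen, alerts = dict(trusted), []
    for n, frame in enumerate(frames):
        a = parse_arp(frame)
        if a is None:
            continue
        if a["eth_src"] != a["sha"]:
            alerts.append((n, "frame/ARP sender mismatch", a["spa"], a["sha"]))
        old = seen.get(a["spa"])
        if old and old != a["sha"]:
            alerts.append((n, "binding changed", a["spa"], a["sha"]))
        else:
            seen[a["spa"]] = a["sha"]  # learn only new or consistent bindings
    return alerts

def sample_frame(eth_src, op, sha, spa, tpa):
    """Constructed test input: broadcast ARP frame bytes, built in memory only."""
    return (b"\xff" * 6 + mac_bytes(eth_src)
            + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + b"\x00" * 6 + ip_bytes(tpa))

TRUSTED = {"192.168.1.142": "00:0c:29:32:95:d9",   # pairs from the lab slides
           "192.168.1.122": "00:18:8b:ba:fa:a4"}
ODD = "02:00:00:00:00:01"                          # constructed address
SAMPLE_FRAMES = [                                  # constructed capture
    sample_frame(TRUSTED["192.168.1.142"], 1, TRUSTED["192.168.1.142"],
                 "192.168.1.142", "192.168.1.122"),
    sample_frame(ODD, 1, ODD, "192.168.1.142", "192.168.1.50"),
    sample_frame(ODD, 1, ODD, "192.168.1.122", "192.168.1.50"),
]
```

Calling audit(SAMPLE_FRAMES, TRUSTED) leaves the first, consistent request alone and reports the other two, where one hardware address claims both trusted IPs.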

