News

OSI: Securing the stack, Layer 2 -- Understanding the role of ARP

Michael Gregg

Layer 2 of the OSI model is where we find the Data Link Layer, which provides the mechanism by which data is transferred from node to node across a network. What makes this layer important is that it is used to frame the data for transmission. There are many insecurities at the Data Link Layer that could be discussed, but one of the most important is the Address Resolution Protocol (ARP) process.

ARP was designed for a more trusting world. It is used to resolve known IP addresses to unknown MAC addresses. When processing packets and passing them down the stack, the Data Link Layer is responsible for framing the packets. While the Network Layer will have provided the IP address, the Data Link Layer will need to provide a physical address. That is the job of ARP. It must establish the destination device's physical address when two hosts need to communicate. If the final destination is not local, ARP must still resolve the MAC address of the gateway so that the frame can be properly addressed.

Now, you may be asking yourself why this process should concern the network or security engineer, since ARP is a trusting protocol. Back in the day when hubs were widely used, attackers were not very concerned with the ARP process. To intercept traffic on the LAN, all the attacker had to do was simply start up a sniffer such as Wireshark. This is known as passive sniffing. Hubs forward all traffic to all ports, so the attacker need only place his network card into promiscuous mode.

    Requires Free Membership to View

Switches changed the dynamic of this attack because most networks today use switches. Passive sniffing provides very little information for the attacker. The only traffic he will see is the unicast traffic bound for his interface or the broadcast traffic that is being forwarded to all ports. This means the attacker is forced to manipulate the ARP process. If he wants to see the traffic between other users, he must attempt active sniffing. Simply stated, active sniffing requires the attacker to inject packets into the network, causing traffic that he should normally not receive to be sent to his system.

There are several ways that the attacker can accomplish active sniffing. The first is ARP poisoning. This involves convincing a host that the IP of another host on the network actually belongs to the attacker. This commonly occurs by sending non-requested ARP replies and poisoning the switches' content-addressable memory (CAM) and the ARP cache of other local systems. A common target of ARP poisoning is the gateway. If the attacker can observe all traffic bound for the gateway passwords, FTP, Telnet, e-commerce, and other types of sensitive data packets can be sniffed. By spoofing the gateway's IP address, all hosts on the attacker's subnet will route his transmissions through his system. This method works but is not very stealthy. It requires the attacker to poison the ARP cache of every host on his subnet. A more stealthy approach would be for the attacker to poison the ARP cache of a single host on the network. Some of the tools that are freely available to aid the attacker in these underhanded deeds include:

  • Cain
  • Ettercap
  • WinARPAttacker

A second approach to active sniffing is to bypass the functionality of the switch by attempting ARP flooding, which occurs when the attacker sends out large numbers of packets, each with a different set of MAC addresses. The idea is to flood the switches' CAM. When some switches are overloaded, they may drop into a hub-like mode. They are simply too busy, so they broadcast all network traffic to all ports.

Regardless of which of these methods is used, they have the potential to bypass the perceived security of the switch. It is important that engineers realize this and develop effective countermeasures to these kinds of attacks. Encryption, secure protocols, and proactive monitoring of the network for unusual activity help in defeating this type of attack. There is also more that can be done with the switches themselves. Many modern switches offer such technologies as Dynamic ARP Inspection (DAI). This technology can be used to inspect ARP packets and ensure they are valid. DAI allows network engineers to intercept, log and discard ARP packets with invalid MAC addresses. These simple steps can significantly reduce the capability of an attacker to launch a successful Data Link Layer attack.

About the author: Michael Gregg has been involved in IT and network security for more than 15 years. He is the founder and CTO of Superior Solutions Inc., a risk assessment and security consulting firm. He has developed high-level security classes and written six books; the most recent is Hack the Stack: The Eight Layers of an Insecure Network.