arp poisoning

Routers pass packets across a logical path, composed of several data links, by reading and acting on the network addresses in the packets. The packets are passed across the individual data links by encapsulating the packets in frames, which use data-link identifiers (MAC addresses, by way of example) to acquire the frame from source to destination on the link. 1 in the main topics of this book concerns the mechanisms by which routers discover and share facts about network addresses so that routing may take location. Similarly, devices on a data link will need a method to discover their neighbors' data-link identifiers so that frames may be transmitted for the appropriate destination.

Several mechanisms can offer this facts;15 IPv4 makes use of the Address Resolution Protocol (ARP), described in RFC 826. Figure 1-13 shows how ARP works. A device needing to discover the data-link identifier of another device will produce an ARP Spoofing Request packet. This request will include the IPv4 address in the device in question (the target) along with the source IPv4 address and data-link identifier (MAC address) in the device making the request (the sender). The ARP Request packet is then encapsulated inside a frame together with the sender's MAC address as the source and a broadcast address for the destination (see Instance 1-6).16

15 NetWare, by way of example, makes the MAC address in the device the host portion in the network-level addressa really sensible issue to do.

16 Like an IP broadcast, the MAC broadcast is an address of all ones: ffff.ffff.ffff.

Figure 1-13. ARP is used to map a device's data-link identifier to its IP address.

image

Instance 1-6. An analyzer capture in the ARP Request depicted in Figure 1-13, with its encapsulating frame.

Ethernet II, Src: 00:30:65:2c:09:a6, Dst: ff:ff:ff:ff:ff:ff
Destination: ff:ff:ff:ff:ff:ff (Broadcast)
Supply: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
Sort: ARP (0x0806)
Address Resolution Protocol (request)
Hardware kind: Ethernet (0x0001)
Protocol kind: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (0x0001)
Sender MAC address: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
Sender IP address: 172.16.1.21 (172.16.1.21)
Target MAC address: 00:00:00:00:00:00 (00:00:00_00:00:00)
Target IP address: 172.16.1.33 (172.16.1.33)

The broadcast address implies that all devices on the data link will get the frame and examine the encapsulated packet. All devices except the target will recognize that the packet will not be for them and can drop the packet. The target will send an ARP Protocol Reply for the source address, supplying its MAC address (see Instance 1-7).

Instance 1-7. An analyzer capture in the ARP Reply depicted in Figure 1-13.

Ethernet II, Src: 00:ten:5a:e5:0e:e3, Dst: 00:30:65:2c:09:a6
Destination: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
Supply: 00:ten:5a:e5:0e:e3 (3com_e5:0e:e3)
Sort: ARP (0x0806)
Trailer: 15151515151515151515151515151515...
Address Resolution Protocol (reply)
Hardware kind: Ethernet (0x0001)
Protocol kind: IP (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (0x0002)
Sender MAC address: 00:ten:5a:e5:0e:e3 (3com_e5:0e:e3)
Sender IP address: 172.16.1.33 (172.16.1.33)
Target MAC address: 00:30:65:2c:09:a6 (AppleCom_2c:09:a6)
Target IP address: 172.16.1.21 (172.16.1.21)

Cisco routers will display ARP activity when the debug function debug arp is invoked, as shown in Instance 1-8.

Instance 1-8. Router Aretha (172.21.5.1) responds to an ARP request from host 172.19.35.2.

Aretha#debug arp
IP ARP: rcvd req src 172.19.35.2 0002.6779.0f4c, dst 172.21.5.1 Ethernet0
IP ARP: sent rep src 172.21.5.1 0000.0c0a.2aa9,
dst 172.19.35.2 0002.6779.0f4c Ethernet0
Aretha#

Figure 1-14 shows the ARP packet format. As the fields are described, evaluate them together with the ARP packets in Instance 1-6 and Instance 1-7.

Figure 1-14. ARP packet format.

image

Hardware Sort specifies the kind of hardware, as specified by the IETF.17 Table 1-5 shows some examples of some of the extra common kind numbers.

17 All numbers in use in many fields all through the TCP/IP protocol suite had been initially listed in: J. Postel and J. Reynolds, "Assigned Numbers," RFC 1700, October 1994. This huge document (230 pages) is usually a valuable reference, but is now a little outdated. A current list of assigned numbers might be found at www.iana.org.

Table 1-5. Prevalent hardware kind codes.

Number

Hardware Sort

1

Ethernet

three

X.25

4

Proteon ProNET Token Ring

6

IEEE 802 Networks

7

ARCnet

11

Apple LocalTalk

14

SMDS

15

Frame Relay

16

ATM

17

HDLC

18

Fibre Channel

19

ATM

20

Serial Link

Protocol Sort specifies the kind of network-level protocol the sender is mapping for the data link identifier; IPv4 is 0x0800.

Hardware Address Length specifies the length, in octets, in the data link identifiers. MAC addresses will be 6.

Protocol Address Length specifies the length, in octets, in the network-level address. IPv4 will be 4.

Operation specifies no matter if the packet is an ARP Request (1) or an ARP Reply (2). Other values may also be found right here, indicating other makes use of for the ARP packet. Examples are Reverse ARP Request (three), Reverse ARP Reply (4), Inverse ARP Request (8), and Inverse ARP Reply (9).

The final 20 octets are the fields for the sender's and target's data-link identifiers and IPv4 addresses.

Inside the best screen in Instance 1-9, the IOS command show arp is used to examine the ARP table inside a Cisco router.

Instance 1-9. The ARP table for 3 devices connected for the very same network: a Cisco router, a Microsoft Windows host, and a Linux host.

Martha#show arp
Protocol Address Age (min) Hardware Addr Sort Interface
Online ten.158.43.34 2 0002.6779.0f4c ARPA Ethernet0
Online ten.158.43.1 - 0000.0c0a.2aa9 ARPA Ethernet0
Online ten.158.43.25 18 00a0.24a8.a1a5 ARPA Ethernet0
Online ten.158.43.100 6 0000.0c0a.2c51 ARPA Ethernet0
Martha#
________________________________________________________________________
C:WINDOWS>arp -a

Interface: 148.158.43.25
Online Address Physical Address Sort
ten.158.43.1 00-00-0c-0a-2a-a9 dynamic
ten.158.43.34 00-02-67-79-0f-4c dynamic
ten.158.43.100 00-00-0c-0a-2c-51 dynamic
_________________________________________________________________________
Linux:~# arp -a
Address HW kind HW address Flags Mask
ten.158.43.1 10Mbps Ethernet 00:00:0C:0A:2A:A9 C *
ten.158.43.100 10Mbps Ethernet 00:00:0C:0A:2C:51 C *
ten.158.43.25 10Mbps Ethernet 00:A0:24:A8:A1:A5 C *
Linux:~#

Notice the Age column. As this column would indicate, ARP facts is removed from the table immediately after a specific time to avoid the table from becoming congested with old facts. Cisco routers hold ARP entries for four hours (14,400 seconds); this default might be changed. The following instance modifications the ARP timeout to 30 minutes (1800 seconds):

Martha(config)# interface ethernet 0
Martha(config-if)# arp timeout 1800

The middle screen of Instance 1-9 shows the ARP table of a Microsoft Windows Pc, along with the bottom shows the ARP table from a Linux machine. Even though the format is distinctive from the IOS display, the vital facts is the very same in all 3 tables.

ARP entries may also be permanently placed in the table. To statically map 172.21.5.131 to hardware address 0000.00a4.b74c, with a SNAP (Subnetwork Access Protocol) encapsulation kind, use the following:

Martha(config)# arp 172.21.5.131 0000.00a4.b74c snap

The command clear arp-cache forces a deletion of all dynamic entries from the ARP table. It also clears the fast-switching cache along with the IP route cache.

Several variations of ARP exist; a minimum of one, proxy ARP, is very important to routing.

Proxy ARP

Often named promiscuous ARP and described in RFCs 925 and 1027, proxy ARP is usually a strategy by which routers may make themselves out there to hosts. By way of example, a host 192.168.12.5/24 desires to send a packet to 192.168.20.101/24, however it will not be configured with default gateway facts and therefore does not know tips on how to reach a router. It may situation an ARP Request for 192.168.20.101; the nearby router, receiving the request and knowing tips on how to reach network 192.168.20.0, will situation an ARP Reply with its own data link identifier in the hardware address field. In effect, the router has tricked the nearby host into thinking that the router's interface is the interface of 192.168.20.101. All packets destined for that address are then sent for the router.

Figure 1-15 shows another use for proxy ARP. Of distinct interest listed here are the address masks. The router is configured with a 28-bit mask (four bits of subnetting for the Class C address), but the hosts are all configured with 24-bit, default Class C mask. As a result, the hosts will not be aware that subnets exist. Host 192.168.20.66, wanting to send a packet to 192.168.20.25, will situation an ARP Request. The router, recognizing that the target address is on another subnet, will respond with its own hardware address. Proxy ARP makes the subnetted network topology transparent for the hosts.

Figure 1-15. Proxy ARP enables the use of transparent subnets.

image

The ARP cache in Instance 1-10 provides a hint that proxy ARP is in use. Notice that several IPv4 addresses are mapped to a single MAC identifier; the addresses are for hosts, but the hardware MAC identifier belongs for the router interface.

Instance 1-10. This ARP table from host 192.168.20.66 in Figure 1-15 shows several IPv4 addresses mapped to one MAC identifier, indicating that proxy ARP is in use.

C:WINDOWS>arp -a

Interface: 192.168.20.66
Online Address Physical Address Sort
192.168.20.17 00-00-0c-0a-2a-a9 dynamic
192.168.20.20 00-00-0c-0a-2a-a9 dynamic
192.168.20.25 00-00-0c-0a-2a-a9 dynamic
192.168.20.65 00-00-0c-0a-2c-51 dynamic
192.168.20.70 00-02-67-79-0f-4c dynamic

Proxy ARP is enabled by default in IOS and may be disabled on a per interface basis together with the command no ip proxy-arp.

Gratuitous ARP

A host may occasionally situation an ARP Request with its own IPv4 address as the target address. These ARP Requests, recognized as gratuitous ARPs, have several makes use of:

A gratuitous ARP may be used for duplicate address checks. A device that concerns an ARP Request with its own IPv4 address as the target and receives an ARP Reply from another device will realize that the address is usually a duplicate.
A gratuitous ARP may be used to advertise a brand new data-link identifier. This use takes benefit in the fact that when a device receives an ARP Request for an IPv4 address that is already in its ARP cache, the cache might be updated together with the sender's new hardware address.
A router running Hot Standby Router Protocol (HSRP) that has just taken over as the active router from another router on a subnet concerns a gratuitous ARP to update the ARP caches in the subnet's hosts.

Lots of IP implementations do not use gratuitous ARP, but you need to be aware of its existence. It's disabled by default in IOS but might be enabled together with the command ip gratuitous-arps.

Reverse ARP

Instead of mapping a hardware address to a recognized IPv4 address, Reverse ARP (RARP) maps an IPv4 address to a recognized hardware address. Some devices, like diskless workstations, may not know their IPv4 address at startup. RARP may be programmed into firmware on these devices, allowing them to situation an ARP Request that has their burned-in hardware address. The reply from a RARP server will provide the suitable IPv4 address.

RARP has been largely supplanted by Dynamic Host Configuration Protocol (DHCP), an extension in the Bootstrap Protocol (BootP), both of which can offer extra facts than the IPv4 address, and which, in contrast to RARP, might be routed off the nearby data link.