98.6k views
Address Resolution Protocol (ARP) is a protocol that enables network communications to reach a specific device on the network. ARP translates Internet Protocol (IP) addresses to a Media Access Control (MAC) address, and vice versa. Most commonly, devices use ARP to contact the router or gateway that enables them to connect to the Internet. Hosts maintain an ARP cache, a mapping table between IP addresses and MAC addresses, and use it to connect to destinations on the network. If the host doesn’t know the MAC address for a certain IP address, it sends out an ARP request packet, asking other machines on the network for the matching MAC address. The ARP protocol was not designed for security, so it does not verify that a response to an ARP request really comes from an authorized party. It also lets hosts accept ARP responses even if they never sent out a request. This is a weak point in the ARP protocol, which opens the door to ARP spoofing attacks. ARP only works with 32-bit IP addresses in the older IPv4 standard. The newer IPv6 protocol uses a different protocol, Neighbor Discovery Protocol (NDP), which is secure and uses cryptographic keys to verify host identities. However, since most of the Internet still uses the older IPv4 protocol, ARP remains in wide use. What is ARP Spoofing (ARP Poisoning)An ARP spoofing, also known as ARP poisoning, is a Man in the Middle (MitM) attack that allows attackers to intercept communication between network devices. The attack works as follows:
Once the attacker succeeds in an ARP spoofing attack, they can:
Here is a simple way to detect that a specific device’s ARP cache has been poisoned, using the command line. Start an operating system shell as an administrator. Use the following command to display the ARP table, on both Windows and Linux: arp -aThe output will look something like this: Internet Address Physical Address 192.168.5.1 00-14-22-01-23-45 192.168.5.201 40-d4-48-cr-55-b8 192.168.5.202 00-14-22-01-23-45If the table contains two different IP addresses that have the same MAC address, this indicates an ARP attack is taking place. Because the IP address 192.168.5.1 can be recognized as the router, the attacker’s IP is probably 192.168.5.202. To discover ARP spoofing in a large network and get more information about the type of communication the attacker is carrying out, you can use the open source Wireshark protocol. ARP Spoofing PreventionHere are a few best practices that can help you prevent ARP Spoofing on your network:
Computer Viruses, Worms, Trojan Horses, and Rootkits • A computer virus is a potentially damaging computer program that affects, or infects, a computer negatively by altering the way the computer works without the user’s knowledge or permission. • A worm is a program that copies itself repeatedly, for example in memory or on a network, using up resources and possibly shutting down the computer or network. • A Trojan horse (named after the Greek myth) is a program that hides within or looks like a legitimate program. A certain condition or action usually triggers the Trojan horse. • A rootkit is a program that hides in a computer and allows someone from a remote location to take full control of the computer. Once the rootkit is installed, the rootkit author can execute programs, change settings, monitor activity, and access files on the remote computer.
Safeguards against Computer Viruses and Other Malware Botnets A botnet is a group of compromised computers connected to a network such as the Internet that are used as part of a network that attacks other networks, usually for nefarious purposes. A compromised computer, known as a zombie, is one whose owner is unaware the computer is being controlled remotely by an outsider. Cybercriminals use botnets to send spam via e-mail, spread viruses and other malware, or commit a denial of service attack. Denial of Service Attacks A denial of service attack, or DoS attack, is an assault whose purpose is to disrupt computer access to an Internet service such as the Web or e-mail. Perpetrators carry out a DoS attack in a variety of ways. For example, they may use an unsuspecting computer to send an influx of confusing data messages or useless traffic to a computer network. The victim computer network slows down considerably and eventually becomes unresponsive or unavailable, blocking legitimate visitors from accessing the network. Perpetrators have a variety of motives for carrying out a DoS attack. Those who disagree with the beliefs or actions of a particular organization claim political anger motivates their attacks. Some perpetrators use the attack as a vehicle for extortion. Others simply want the recognition, even though it is negative. Back Doors A back door is a program or set of instructions in a program that allow users to bypass security controls when accessing a program, computer, or network. Once perpetrators gain access to unsecure computers, they often install a back door or modify an existing program to include a back door, which allows them to continue to access the computer remotely without the user’s knowledge. Spoofing Spoofing is a technique intruders use to make their network or Internet transmission appear legitimate to a victim computer or network. E-mail spoofing occurs when the sender’s address or other components of the e-mail header are altered so that it appears the e-mail originated from a different sender. E-mail spoofing commonly is used for virus hoaxes, spam, and phishing scams. IP spoofing occurs when an intruder computer fools a network into believing its IP address is associated with a trusted source. Perpetrators of IP spoofing trick their victims into interacting with a phony Web site. Safeguards against Botnets, DoS Attacks, Back Doors, and Spoofing To defend against botnets, DoS attacks, improper use of back doors, and spoofing, users can implement firewall solutions and install intrusion detection software. Firewalls A firewall is hardware and/or software that protects a network’s resources from intrusion by users on another network such as the Internet. Organizations use firewalls to protect network resources from outsiders and to restrict employees’ access to sensitive data such as payroll or personnel records. Large organizations often route all their communications through a proxy server, which is a component Some small office/home office users purchase a hardware firewall, such as a router or other device that has a built-in firewall, in addition to or instead of personal firewall software.
Intrusion Detection Software To provide extra protection against hackers and other intruders, large organizations sometimes use intrusion detection software to identify possible security breaches. Intrusion detection software automatically analyzes all network traffic, assesses system vulnerabilities, identifies any unauthorized access (intrusions), and notifies network administrators of suspicious behavior patterns or system breaches. To utilize intrusion detection software requires the expertise of a network administrator because the programs are complex and difficult to use and interpret. These programs also are quite expensive. |