This post presents the attack known as “ARP Man in the Middle”, which is basically a way for a malicious user to sniff network traffic on a fully switched network. If you don’t know this attack yet, read on.
What is ARP?
In short, ARP is the protocol used by a computer to resolve a MAC address (i.e. the hardware address of a network interface) from an IP address on the same network.
Basically, when a computer A needs to reach another computer B on the same network knowing only its IP address, it will broadcast an ARP packet meaning “who has the IP W.X.Y.Z?”, and when B, whose IP address is W.X.Y.Z, gets this ARP packet, it will answer to A “W.X.Y.Z is at a:b:c:d:e:f”, the latter being B’s own MAC address.
From now on, A knows the hardware address of B (A will store this entry together with the IP address of B in its so-called ARP table for a while) and can subsequently communicate with it.
It is good to know what “Gratuitous ARP” is too. It is basically a broadcast ARP packet saying “Hello, here’s my IP address: A.B.C.D and this is my MAC address: aa:bb:cc:dd:ee:ff”. It is used to update the ARP tables of the computers on the same network, and is usually sent when a computer boots, to announce itself on the network (to prevent / detect potential IP address conflicts). This is useful if you reboot a server after having, for example, changed a faulty network interface (so everyone gets notified of the hardware address change).
The ARP Man In The Middle attack
This attack is known as the ARP Man In the Middle because the malicious user will try to insert himself between A and B to eavesdrop on all communications between them.
ARP doesn’t implement any kind of authentication. When A asks for the MAC address of B’s IP, it is of course expected that only B will answer. But nothing prevents a malicious computer C from answering with its own MAC address, and if it manages to answer faster than B (for example because B is a fairly loaded server or, even worse, a router), then A will logically assume that the IP of B is assigned to C and will send to C all the traffic which should legitimately have been sent to B.
Of course anyone can send a Gratuitous ARP pretending to be someone else, but Gratuitous ARP is a broadcast packet, so everyone will see it, including B, which will usually complain (check the logs) that someone is trying to use the same IP address. Moreover, this broadcast packet could be detected by an IDS which would raise an alert.
Whether it is by answering the ARP request faster than the legitimate B or by issuing a Gratuitous ARP pretending to be B, C is now getting all the traffic that A intended to be delivered to B.
Of course this will be quickly discovered if C doesn’t provide the same services as B (for example if a user sitting at computer A expected to connect to a web site on B and the website doesn’t exist on C), but if C is clever enough, it will forward the packets it got from A to B and pass back the packets from B to A, analyzing them in between.
This is why this attack is known as the “ARP Man In the Middle”: the computer C is actually in the middle of all the traffic passing between A and B and is free to collect all kinds of private information, passwords, session IDs, etc.
You might have heard that a network switch is better than a hub from a security point of view because a hub will repeat packets on all the ports (so a malicious user can sniff packets intended to others) while a switch will only transmit a packet on the port where the recipient is connected.
With the ARP man in the middle attack, you can sniff packets not intended for your computer, even on a fully switched network.
To avoid this attack, you can enter static entries in the ARP tables, but this quickly becomes an administrative nightmare. And some standard ARP mechanisms will fail (such as Gratuitous ARP, which is precisely supposed to allow ARP table entries to be updated, for example when you change the network card of a server).
In any case, the best approach is to consider that any communication can be sniffed, and that anything of value should be encrypted using proper cryptographic tools (SSH, HTTPS, SSL/TLS, VPN and so on). This way, your information may still be intercepted, but it won’t be of any value to the malicious user.
Don’t even think about using insecure protocols such as telnet, http, ftp, and others where the passwords are sent in the clear, thinking “it’s ok, I am on a switched network so no one else but the legitimate target will get these packets”! If you do have to connect to an insecure application, try to set up some sort of tunnel (again, ssh, vpn, ipsec or other) so that the communication won’t go in the clear.
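The ARP exchange and the race described above, seen from the defender’s side, as an added example that is not part of the original post: a small Python script that decodes raw ARP frames (the request, reply and Gratuitous forms from the first section), keeps its own IP-to-MAC table the way a host does, and raises an alert when an IP is suddenly claimed by a second MAC, when a reply arrives that no request asked for (the "answer faster than B" race leaves exactly that trace), or when a reply contradicts a pinned entry (the static ARP entries the last section mentions). All hosts, addresses and the captured frame sequence are constructed for the demo; `parse_arp_frame`, `ArpWatcher` and `build_frame` are names chosen here, not from any library.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Wire layouts: Ethernet header (dst MAC, src MAC, EtherType) and the 28-byte
# ARP PDU for IPv4 over Ethernet (htype, ptype, hlen, plen, oper, sha, spa, tha, tpa).
ETH_HDR = struct.Struct("!6s6sH")
ARP_PDU = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    kind: str          # "request", "reply" or "gratuitous"
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode one Ethernet frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_PDU.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_PDU.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip, target_ip = ip_str(spa), ip_str(tpa)
    if sender_ip == target_ip:        # "here is my IP and here is my MAC"
        kind = "gratuitous"
    elif oper == ARP_REQUEST:
        kind = "request"
    elif oper == ARP_REPLY:
        kind = "reply"
    else:
        return None
    return ArpPacket(kind, mac_str(sha), sender_ip, target_ip)


class ArpWatcher:
    """Learns IP->MAC bindings from observed ARP traffic and reports anomalies.
    `pinned` plays the role of static ARP entries: a reply contradicting one is flagged."""

    def __init__(self, pinned: Optional[Dict[str, str]] = None) -> None:
        self.pinned: Dict[str, str] = dict(pinned or {})
        self.table: Dict[str, str] = {}     # bindings learned from the wire
        self.pending: Set[str] = set()      # IPs for which a request was seen
        self.alerts: List[str] = []

    def observe(self, pkt: ArpPacket) -> List[str]:
        """Process one packet; return the alerts it triggered (possibly none)."""
        new: List[str] = []
        if pkt.kind == "request":
            self.pending.add(pkt.target_ip)
            return new
        ip, mac = pkt.sender_ip, pkt.sender_mac
        if ip in self.pinned and self.pinned[ip] != mac:
            new.append(f"{ip} claimed by {mac} but pinned to {self.pinned[ip]}")
        if pkt.kind == "reply" and ip not in self.pending:
            # Either nobody asked, or the request was already answered: a second
            # answer to one question is what the race in the post looks like.
            new.append(f"unsolicited reply: {ip} is at {mac}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            new.append(f"{ip} moved from {old} to {mac}")
        self.table[ip] = mac
        self.pending.discard(ip)
        self.alerts.extend(new)
        return new


def build_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a constructed ARP frame for the demo (stands in for a capture)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))  # noqa: E731
    ip = lambda s: bytes(int(x) for x in s.split("."))  # noqa: E731
    dst = BROADCAST if oper == ARP_REQUEST or spa == tpa else mac(tha)
    return ETH_HDR.pack(dst, mac(sha), ETHERTYPE_ARP) + ARP_PDU.pack(
        1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


# Constructed hosts: workstation A, router B, rogue host C.
A_MAC, A_IP = "aa:aa:aa:aa:aa:0a", "10.0.0.10"
B_MAC, B_IP = "bb:bb:bb:bb:bb:01", "10.0.0.1"
C_MAC = "cc:cc:cc:cc:cc:0c"
ZERO = "00:00:00:00:00:00"

CAPTURE = [  # constructed sequence, in the order it would cross the wire
    build_frame(ARP_REQUEST, A_MAC, A_IP, ZERO, B_IP),   # A: who has 10.0.0.1?
    build_frame(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP),    # B: 10.0.0.1 is at bb..01
    build_frame(ARP_REPLY, C_MAC, B_IP, A_MAC, A_IP),    # C: 10.0.0.1 is at cc..0c
    build_frame(ARP_REPLY, C_MAC, B_IP, C_MAC, B_IP),    # C: Gratuitous ARP for 10.0.0.1
]


def run_demo() -> ArpWatcher:
    watcher = ArpWatcher(pinned={B_IP: B_MAC})
    for frame in CAPTURE:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            watcher.observe(pkt)
    return watcher


if __name__ == "__main__":
    for line in run_demo().alerts:
        print("ALERT:", line)
```

Run as-is it prints four alerts: the late reply from C trips all three checks at once (pinned conflict, unsolicited reply, binding moved), and C’s Gratuitous ARP trips the pinned check again. Two caveats a practitioner will hit in practice: the “unsolicited reply” heuristic is noisy on networks where hosts legitimately send Gratuitous ARP or where the monitor misses the original request, so treat it as corroboration for the binding-moved alert rather than as proof; and the pinned table only stays manageable for a handful of critical addresses such as the default gateway, which is the compromise behind the post’s remark that static entries everywhere become an administrative nightmare.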