Sending a datagram to an IP address associated with a permanent ARP cache entry will never result in an ARP request. With no ARP request being sent, an attacker does not have the opportunity to send an ARP reply. It seems unlikely that any operating system would overwrite a permanent ARP cache entry with an unsolicited ARP reply.

With permanent ARP cache entries for trusted machines, the trusting host will not use ARP to determine the correct hardware address and will not be fooled into sending IP data to an ARP spoofer. Of course, it will also send IP data to the machine even if the machine has been down for some time. Another downside to permanent ARP entries is that the cache entries will need revising if the hardware address changes for a legitimate reason. Finally, ARP caches may be of limited size, limiting the number of permanent entries or further limiting the time a dynamic entry spends in the cache.

Displaying ARP Cache Entries

On Unix and Windows 95/NT machines, you use the arp command to manipulate and inspect the ARP cache. This command has several options.

    arp -a

The -a option displays all ARP cache entries for all interfaces of the host. The following output is an example of what you would see on a Windows 95 machine:

    Interface: 147.226.112.167
    Internet Address      Physical Address      Type
    147.226.112.1         aa-00-04-00-bc-06     static
    147.226.112.88        08-00-20-0b-f0-8d     dynamic
    147.226.112.101       08-00-2b-18-93-68     static
    147.226.112.102       08-00-2b-1b-d7-fd     static
    147.226.112.103       00-00-c0-63-33-2d     dynamic
    147.226.112.104       00-00-c0-d5-da-47     dynamic
    147.226.112.105       08-00-20-0b-7b-df     dynamic
    147.226.112.106       08-00-20-0e-86-ef     dynamic
    147.226.112.124       08-00-2b-1c-08-68     dynamic
    147.226.112.169       08-00-09-2a-3c-08     dynamic

286 Part II: Gaining Access and Securing the Gateway

Deleting an ARP Cache Entry

At some point you may want to delete a permanent ARP cache entry that is no longer valid or delete a dynamic entry that you suspect of being spoofed. The -d option deletes the entry with the given IP address from the ARP cache.

    arp -d 147.226.112.101

Inserting a Permanent ARP Cache Entry

The -s option inserts a permanent (static) ARP cache entry for the given IP address. Typically, the Ethernet address would be obtained by displaying the entire ARP cache as shown previously.

    arp -s 147.226.112.101 08-00-2b-18-93-68

To ensure that the address is in the ARP cache you can first use the ping command to send an ICMP/IP echo request to the IP address in question. A somewhat more secure, but tedious, method is to use an operating system dependent method for querying the machine in question for its own hardware address from its console. You can place a series of such commands into the startup script for the machine that will be extending trust to others.

Inserting Many Permanent ARP Cache Entries

The -f option loads permanent entries into the ARP cache from a file containing an IP address to hardware address database.

    arp -f arptab

In this example, the file is named arptab, but the name of the file is up to the system administrator using the command. The -f option to the arp command is not available on all systems. In particular, it is missing from the current versions of Windows 95 and Windows NT. However, it is really just a substitute for a series of arp commands with the -s option.

Use an ARP Server

The arp command outlined in the previous section also allows one machine to be an ARP server. An ARP server responds to ARP requests on behalf of another machine by consulting (permanent) entries in its own ARP cache. You can manually configure this ARP cache and configure machines that extend trust based on this IP address to use ARP replies coming from the ARP server rather than ARP replies from other sources. However, configuring a machine to believe only in the ARP server is a difficult task for most operating systems.

Even if you do not configure other machines to trust only the ARP server for ARP replies, this type of server may still be beneficial. The ARP server will send out a reply to the same requests as a potential ARP spoofer. When machines process the ARP replies, there is at least a fair chance that the ARP spoofer's replies will be ignored. You cannot be sure because, as you have seen, much depends on the exact timing of the replies and the algorithms used to manage the ARP cache.

IP Spoofing and Sniffing 287

Introduce Hardware Barriers

The use of bridges or switches removes the threat of sniffing between network segments; likewise, the use of routers removes the threat of ARP spoofing between IP subnets. You can separate the trusted hosts (those with IP addresses that might benefit an attacker using ARP spoofing) from subnets on which an attacker might obtain access. Subnetting for security is helpful if physical security prevents attachment to the subnet of the trusted machine. Such subnetting prevents a spoofer from powering down one of the trusted machines and attaching to the subnet on which ARP requests from the trusting machine are broadcast.

A temptation when considering using subnetting to protect from ARP spoofing is to place the machine extending trust on a separate subnet from the machines to which it is extending trust. However, this setup simply places the router in the position of being deceived by an ARP spoof. If trust is extended on the basis of IP addresses, the machine extending the trust is in turn trusting the routers to deliver the IP datagrams to the correct machine. If the trusted machines are on a separate subnet that is susceptible to ARP spoofing, the router for that subnet must bear the burden of ensuring that IP datagrams get to their legitimate destination. With this setup, you might need to place permanent ARP cache entries for the trusted machines in the router itself.

Finally, it is also important that trusted machines be protected from an ARP spoofer that is attempting to masquerade as the router. Fortunately, routers are typically physically secure and crash rarely or for very little time, which makes them difficult to impersonate.

Sniffing Case Study Revisited

To illustrate ARP spoofing in a familiar context, recall the solution to the sniffing problem adopted by Computer Science in the case study earlier in the chapter (see fig. 6.7). The solution to the sniffing problem was to divide the portion of the network servicing Computer Science into five segments. These segments connect to a switch in the Computer Science machine room. The only router being used is the router that joins Computer Science with the two segment subnet for Mathematics and the one segment subnet for English. All five segments in Computer Science are part of a single subnet.

Within a single subnet an ARP request goes out to all machines on the subnet and a reply may come back from any of them. Thus, an ARP spoof attack may be launched from any of the segments. To prevent this, the segments may be divided into a group of subnets rather than a single larger subnet
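As an added example (not from the book), the following Python audit parses a Windows-style arp -a listing like the one shown under "Displaying ARP Cache Entries", compares it with an arptab-style trusted list, flags trusted hosts whose entries are missing, wrong or merely dynamic, flags one hardware address claimed by several IP addresses, and returns the arp -d / arp -s commands that would restore permanent entries. The sample listing is constructed from the table on this page; the two-column arptab layout is an assumption, since the page does not show the file's syntax.

```python
import re
from collections import defaultdict
# Constructed sample of Windows-style "arp -a" output, modelled on this page's table. 147.226.112.101
# appears dynamic, disagrees with the trusted list and duplicates .103's address: an ARP spoof footprint.
ARP_A_OUTPUT = """\
Interface: 147.226.112.167
  Internet Address      Physical Address      Type
  147.226.112.1         aa-00-04-00-bc-06     static
  147.226.112.101       00-00-c0-63-33-2d     dynamic
  147.226.112.102       08-00-2b-1b-d7-fd     dynamic
  147.226.112.103       00-00-c0-63-33-2d     dynamic
"""
# Trusted database in an assumed two-column layout (the page does not show arptab's syntax).
ARPTAB = """\
147.226.112.1    aa-00-04-00-bc-06
147.226.112.101  08-00-2b-18-93-68
147.226.112.102  08-00-2b-1b-d7-fd
"""
ENTRY_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(static|dynamic)", re.I)

def parse_arp_a(text):
    """Map ip -> (mac, type) for every entry line of arp -a output; other lines are skipped."""
    matches = (ENTRY_RE.match(line) for line in text.splitlines())
    return {m.group(1): (m.group(2).lower(), m.group(3).lower()) for m in matches if m}

def parse_arptab(text):
    """Map ip -> mac from the trusted two-column database."""
    return {p[0]: p[1].lower() for p in (l.split() for l in text.splitlines()) if len(p) == 2}

def audit(cache, trusted):
    """Compare the live cache with the trusted list; return (findings, repair commands)."""
    findings, repairs = [], []
    for ip, mac in trusted.items():
        live = cache.get(ip)
        if live is None:
            findings.append(f"{ip}: trusted entry missing from cache")
        elif live[0] != mac:
            findings.append(f"{ip}: cache has {live[0]} ({live[1]}), expected {mac}")
            repairs.append(f"arp -d {ip}")          # drop the suspect entry first
        elif live[1] != "static":
            findings.append(f"{ip}: right address but dynamic, so ARP is still consulted")
        if live != (mac, "static"):
            repairs.append(f"arp -s {ip} {mac}")    # make the trusted mapping permanent
    by_mac = defaultdict(list)
    for ip, (mac, _) in cache.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:                            # one card answering for several hosts
            findings.append(f"{mac} claimed by {', '.join(sorted(ips))}")
    return findings, repairs
```

Running audit(parse_arp_a(ARP_A_OUTPUT), parse_arptab(ARPTAB)) reports the mismatched and duplicated address for 147.226.112.101 and the merely dynamic entry for 147.226.112.102, and the repair list is the set of arp commands to paste into the startup script discussed above.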