Preventing Man in the Middle Attacks on your Network
I recently did a man in the middle attack on my college LAN (for purely educational purposes :)). I simply wrote a raw socket application that pumped ARP reply packets advertising my MAC address with the IP of the gateway. For the destination address I chose the broadcast address. Soon I was receiving packets from a lot of hosts on the subnet. Now I was wondering:
- Why did it work with the broadcast address?
- How can I protect myself from such attacks? (I found a way by adding a static entry of the gateway’s actual MAC address in my computer’s ARP table)
- If I am a network admin, how can I ensure that doing a MITM is not as easy as it was in my case?
Answer
A broadcast packet is, at the Ethernet level, a packet with a specific bit set in the address which says: “if you see this frame, have a look at it”. Normally, a network interface will disregard frames unless the destination address is its own MAC address (an interface can be put into “promiscuous mode” to pick up all frames); but the “broadcast” bit makes the frame “interesting” for all network interfaces.
When the frame is not filtered out by the network interface, the frame contents are processed by the host system regardless of its Ethernet source and destination addresses: the frame was received, and that’s enough. If the frame contains an ARP reply, then the information contained in this reply (“the host with this IP address uses that Ethernet address”) is duly processed. It depends a bit on the operating system, though: Linux is known to disregard ARP replies which do not correspond to an ARP request which it sent not long before.
There is no authentication whatsoever in the ARP protocol; it is built on trust. Hence, it is vulnerable to active attacks such as yours.
Setting a static ARP table entry gives you some protection, but removes a bit of flexibility (if the gateway hardware is replaced, the Ethernet address will change, and since the static entry takes precedence, your machine will refuse to talk to the replacement) and it is not a complete protection either: your packets may still be observed by the attacker, and he can still spoof fake packets, which can be enough to do a lot of harm.
As a network administrator, the best you can do is a combination of static routes (tedious, does not scale well) and watch/logging/reporting (maintain a table of IP / Ethernet pairs, report every ARP reply which tries to change that). See this page for a list of possible defenses.
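
The watch/logging/reporting idea above, as an added example that is not part of the original answer: a passive checker that keeps a pinned table of IP / Ethernet pairs and reports any ARP packet claiming a different MAC for a known IP. `ArpWatch`, `build_arp` and all addresses are constructed for illustration; the sample frames are built in memory and never sent.

```python
import struct

BROADCAST = b"\xff" * 6

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(map(str, b))

def parse_arp(frame):
    """Return (eth_dst, opcode, sender_mac, sender_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return eth_dst, oper, sha, spa

class ArpWatch:
    """Pinned IP -> MAC table; a conflicting claim is reported, never learned."""
    def __init__(self, pinned=None):
        self.table = dict(pinned or {})

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        eth_dst, oper, sha, spa = parsed
        if spa == b"\x00" * 4:          # ARP probe: sender claims no IP yet
            return []
        ip, mac, alerts = fmt_ip(spa), fmt_mac(sha), []
        if oper == 2 and eth_dst == BROADCAST:
            # Legitimate gratuitous ARP can look like this too, so it is only a hint.
            alerts.append(f"NOTICE broadcast ARP reply: {ip} is-at {mac}")
        known = self.table.setdefault(ip, mac)   # first sighting is learned
        if known != mac:
            alerts.append(f"ALERT {ip} moved from {known} to {mac}")
        return alerts

def build_arp(eth_dst, oper, sha, spa, tha, tpa):
    """Construct a sample frame for the checker (test data only)."""
    return (eth_dst + sha + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + sha + spa + tha + tpa)

# Constructed sample: gateway 192.0.2.1 pinned to 02:00:00:00:00:01.
GW_IP, GW_MAC = bytes([192, 0, 2, 1]), bytes.fromhex("020000000001")
OTHER_MAC = bytes.fromhex("0200000000aa")

if __name__ == "__main__":
    watch = ArpWatch({fmt_ip(GW_IP): fmt_mac(GW_MAC)})
    print(watch.observe(build_arp(BROADCAST, 2, OTHER_MAC, GW_IP, BROADCAST, GW_IP)))
```

In practice the frames would come from a capture on a monitoring port; because a conflicting claim never overwrites the pinned entry, a replaced gateway has to be re-pinned by hand, which is the same flexibility cost the answer notes for static entries.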