Link Layer Security

Questions and Answers

What is the primary function of the Address Resolution Protocol (ARP)?

• Converting IP addresses to MAC addresses (correct)
• Converting MAC addresses to IP addresses
• Routing packets between different networks
• Securing network communications using encryption

In regular mode, a network interface will process all frames transmitted on the network, regardless of the intended destination.

False (B)

What does 'SHA' stand for in the context of ARP packets?

Sender Hardware Address

The first three octets of a MAC address are assigned by the IEEE and are known as ___________.

Organisationally Unique Identifiers

Match the following Ethernet frame fields with their sizes:

Preamble = 7 bytes Start-of-Frame Delimiter = 1 byte MAC Destination = 6 bytes Interframe Gap = 12 bytes

Which of the following is a potential consequence of a successful ARP spoofing attack?

The attacker can redirect network traffic. (C)

Changing a MAC address on a network interface requires administrator privileges.

True (A)

What term describes configuring a network interface to read all frames on the network?

promiscuous mode

In an Ethernet frame, values within the 'Ethertype/Length' field that are greater than or equal to 0x600 indicate the ___________.

EtherType

Match the following tools with their primary function in network security:

Arpspoof = ARP Spoofing Ettercap = Man-in-the-middle attacks Wireshark = Packet sniffing and analysis

Why is it important to understand the distinction between hubs and switches, even though switches are predominantly used today?

Switches can sometimes act like hubs, especially during security attacks. (C)

According to ARP protocol standards, ARP is a stateful protocol.

False (B)

What type of frame is used to transmit data on an Ethernet network?

Ethernet frame

A switch forwards each frame it receives along the cable it knows is connected to the ___________ for that frame.

destination

Match following IP address types with corresponding EtherType values:

IPv4 = 0x0800 ARP = 0x0806 IPv6 = 0x86DD

What is a 'MAC flooding attack'?

An attack that floods the switch with MAC addresses, causing it to act like a hub. (A)

Ethernet deals with collision events using a fixed-wait strategy.

False (B)

What is the size of a MAC address?

48-bit

The part of the Ethernet frame that contains actual data being transmitted is the ______.

payload

Match the following ARP packet fields with their description:

SPA = IP address of sender TPA = IP address of the target SHA = MAC address of sender THA = MAC address of the target

DHCP snooping can be used as an ARP spoofing countermeasure, one of its functionalities is to:

Keep a record of the MAC address of machines connected on each port of the network device. (C)

Static ARP table entries are easily manageable in large networks.

False (B)

What type of attack is possible when an attacker associates the IP address of the gateway to their own MAC address?

Man-in-the-middle attack

The process of intercepting and examining network traffic, potentially using ARP cache poisoning, is known as __________.

packet sniffing

Match the following Ethernet frame fields with the layer which uses them:

MAC address = Data Link Layer Ethertype = Network Layer

Why is it difficult to detect packet sniffing?

Sniffers are typically passive and do not attempt to steal data (A)

ARP requests are authenticated to prevent spoofing.

False (B)

What part of the ARP packet includes the hardware address of the sender?

SHA

When multiple machines are on the same network segment it can lead to _______, resulting in discarding and retransmitting frames.

collisions

Match the following network security terms with the most relevant definition:

MAC Address = Media Access Control address, a unique identifier assigned to network interfaces. ARP Spoofing = An attack that manipulates ARP tables to redirect network traffic. Packet Sniffing = The process of capturing and analyzing network packets.

What does a rogue machine send to "poison" other machines' ARP cache?

gratuitous ARP replies (B)

Organizations cannot use MAC addresses to identify computers on their network.

False (B)

How many bits is the standard MAC address?

48-bit

If an attacker associated the IP address of the gateway to a __________ MAC address, a denial of service attack can occur.

nonexistent

Match the following components located within the ethernet frame format with their function:

MAC Destination = The destination's MAC address CRC-32 Checksum = Error detection Preamble = Synchronization

What kind of ARP request updates the ARP caches of other hosts?

gratuitous (A)

DHCP Networks cannot have multiple entries for a single machine.

False (B)

Besides Ethernet, what else does the term 'Ethernet' refer to?

link-layer protocol

In ARP Spoofing, associating an IP address of a machine to a wrong MAC address is also known as ARP ______.

poisoning

Match each of the following status indications of a packet sniffer with a characteristic of that packet sniffer.

Software-based = Dependent Network setUp Private/Public Key Pairs Used = Makes Sniffing Virtually Useless Attacker Associates the IP address of the gateway to a nonexistent MAC address = Results in Denial of Service Attack

Which of the following is a characteristic of hubs, but not typically of switches, increasing the likelihood of collisions?

Forwarding all frames to all attached devices. (D)

In Ethernet frame format, the Ethertype/Length field serves only one purpose: to specify the protocol of the payload. True or False?

False (B)

In the context of network security, what does ARP spoofing enable an attacker to do, if the attacker associates the IP address of the gateway to their MAC address?

Man-in-the-middle attack

In local area networks, most network interfaces operate in _______ mode by default, ensuring they receive only frames intended for their specific MAC address.

regular

Match the layer with the given protocol:

Link Layer = Ethernet Network Layer = IP Transport Layer = TCP Application Layer = SMTP

Flashcards

What is the Address Resolution Protocol (ARP)?

Connects the network layer to the data link layer by converting IP addresses to MAC addresses.

What is a MAC address?

A unique identifier assigned to a network interface for communications at the data link layer.

What is the length of a MAC address?

A 48-bit number, often in hex, that identifies a network interface.

What are Organizationally Unique Identifiers?

The first three octets of a MAC address assigned by the IEEE.

What does Ethernet refer to?

The physical medium and link-layer protocol standardized as IEEE 802.3.

What are Ethernet frames?

Data units transmitted over an Ethernet cable.

What is the 'Preamble' in an Ethernet Frame?

Part of an Ethernet frame used for synchronization; consists of 7 bytes.

What is the 'Ethertype' field?

A field in the Ethernet frame indicating whether the data is for IPv4, IPv6, etc.

What is the payload in an Ethernet frame?

Part of an Ethernet frame containing the actual data being transmitted.

What do Hubs do?

Logically connect multiple devices, but forwards all traffic to all devices.

What do Switches do?

Forwards traffic only to the intended recipient, learning MAC addresses.

What is a MAC flooding attack?

Flooding a switch with many MAC addresses, causing it to act like a hub.

What is ARP Spoofing?

Attack where false ARP replies are sent to poison ARP caches.

What is a Gratuitous ARP?

An ARP request that updates the ARP caches of other hosts.

What can be done when the gateway's IP address is associated with an attacker's MAC address?

Sniffing traffic before forwarding to the real gateway (passive attack).

What can be done when the gateway's IP address is associated with an attacker's MAC address?

Modifying traffic before forwarding it (active attack).

What can be done when the gateway's IP address is associated with an attacker's MAC address?

Acting as a 'Man-In-The-Middle'.

What happens when the gateway IP is linked to a nonexistent MAC address?

Outgoing traffic sent to a nonexistent MAC address, causing a disruption.

What is Packet Sniffing?

Examine network traffic for analysis or malicious intent.

What are packet sniffers?

Software or hardware to capture packets, may be legitimate or malicious.

How can packet sniffing be detected?

Requires suspicion, involves 'pinging' the sniffer to detect.

How do you stop packet sniffing?

Encrypt packets to make them meaningless to sniffers.

What is Wireshark?

A packet sniffer and protocol analyzer for capturing and analyzing frames.

What does SHA stand for in ARP?

Sender hardware address (SHA).

What does SPA stand for in ARP?

Sender protocol address (SPA).

What does THA stand for in ARP?

Target hardware address (THA).

What does TPA stand for in ARP?

Target protocol address (TPA).

Study Notes

• Link Layer security is being explored in this lesson
• This lesson covers the overview of link layer and Ethernet, ARP protocol, ARP table, ARP spoofing, ARP spoofing countermeasures, and packet sniffing

The Link Layer

• Computers connect to a network through a network interface device, like an ethernet card or Wi-Fi adapter
• Computers may have multiple network interfaces
• Packets are transmitted between network interfaces
• Most Local Area Networks, including Ethernet and WiFi, broadcast frames
• In regular mode, each network interface receives only the frames intended for it
• Traffic sniffing is possible by configuring the network interface to read all frames in promiscuous mode

MAC Addresses

• Most network interfaces have Media Access Control (MAC) addresses
• A MAC address is a 48-bit number, displayed in hex, like 00-1A-92-D4-BF-86
• The first three octets of a MAC address are IEEE-assigned Organisationally Unique Identifiers, such as Cisco 00-1A-A1, D-Link 00-1B-11, ASUSTek 00-1A-92
• The following three octets can be assigned by the organization to ensure uniqueness
• Organizations use MAC addresses to identify computers on their network
• MAC addresses can be reconfigured by network interface driver software

Viewing and Changing MAC Addresses

• The MAC addresses can be viewed using the following commands:
  • Linux: ip addr (was ifconfig)
  • Windows: ipconfig /all
• Steps for changing a MAC address in Linux:
  • Stop the networking service: /etc/init.d/network stop
  • Change the MAC address: ifconfig eth0 hw ether <MAC-address>
  • Start the networking service: /etc/init.d/network start
• Steps for changing a MAC address in Windows:
  • Open the Network Connections
  • Access the properties for the network interface
  • Click Configure
  • In the advanced tab, change the network address to the desired value
• Administrator privileges are required to change a MAC address

Ethernet

• Ethernet is the physical medium and the link-layer protocol standardised as IEEE 802.3
• Frames are transmitted on an Ethernet cable and received by machines on the same network segment of a local-area network (LAN)
• Multiple machines on the same segment may lead to collisions
• Ethernet deals with collision events using a random-wait strategy (on the order of microseconds)

Ethernet Frame Format

• Preamble (7 bytes) is in bits 0 to 55
• Start-of-Frame delimiter (1 byte) is bits 56 to 63
• MAC destination (6 bytes) is bits 64 to 111
• MAC source (6 bytes) is in bits 112 to 159
• Ethertype/Length (2 bytes) is in bits 160 to 175
  • Indicates length if ≤1500, Ethertype if ≥0x600
• Payload (46-1500 bytes) is in bits 176 to 543+
• CRC-32 checksum (4 bytes) is in bits 543+ to 575+
• Interframe gap (12 bytes) / idle pattern is in bits 575+ to 671+
• Ethertype designates the payload protocol; 0x0800 for IPv4, 0x0806 for ARP, 0x86DD for IPv6, 0x809B for Apple Talk

Hub vs Switch

• Machines on a LAN can be connected with a Hub or Switch
• Switches are predominantly used today
• Understanding the distinction is important because switches can sometimes act like hubs
• Hubs logically connect multiple devices together to act as a single network segment
• Hubs forward all frames to all attached devices
• Hubs typically create unnecessary bandwidth for the segment, which will increase the likelihood of collisions
• In terms of security, hubs can have a negative impact
• Hubs don't require overhead for proper addressing of frames
• The switch forwards each frame it receives along the cable it knows is connected to the destination for that frame
• Switches can sometimes act like hubs
  • When devices are first connected to a switch until it learns the addresses of the machines that are connected to its various ports
  • If a frame is designated as one that should be broadcast
  • With a MAC flooding attack, an attacker can flood the switch with MAC addresses, causing a denial of service; defaults to fail-open mode and acts like a hub
• Even when a switch behaves like a switch, there are still security risks like ARP spoofing

ARP (Address Resolution Protocol)

• ARP connects the network layer to the data link layer by converting IP addresses to MAC addresses
• ARP broadcasts requests and caches responses for future use
• Initiation involves a computer broadcasting a message: who has <IP address1> tell <IP address2>
• When the machine with <IP address1> or an ARP server receives this message, it broadcasts the response <IP address1> is <MAC address>

ARP Example 1

• Data comes from an external network at the gateway needing forwarding to the IP address 192.168.1.19
• IP addresses are not used to find nodes in a LAN
• The gateway has two options:
  • It already has the MAC address of this node thanks to a previous ARP announcement message
  • Otherwise, it sends a request "who has this IP address" and the node replies with its MAC address

ARP Example 2

• Computer A needs to communicate http data to computer B
  • Requires the MAC address of computer B to send on the same network segment
• Assuming A has B's URL; A can use the DNS protocol to get B's IP address from the root domain name
• Computer A checks if B's MAC address is in A's ARP table
• If not, A sends an ARP request broadcast on the network segment asking for MAC address corresponding to B's IP address
• If a response is received, A caches the MAC address in the ARP table with B's IP address, and sends the Ethernet frame

Viewing and Changing MAC Addresses

• The Linux command ip neigh (old command, arp -a, also works on Windows) displays the ARP table on your present device
• You can also find the other devices on your network segment using: $ sudo arp-scan --interface=eth1 --localnet
  • Your specific interface can be obtained from ip addr
  • You may need to use sudo apt-get install arp-scan

ARP Packet and Announcements

• An ARP packet contains 4 addresses:
  • Sender hardware address (SHA)
  • Sender protocol address (SPA)
  • Target hardware address (THA) (ignored in requests)
  • Target protocol address (TPA)
• ARP packet format is used for both ARP requests and ARP replies

ARP Packet

• Hardware Type specifies link protocol types; Ethernet is 0x0001
• Protocol Type specifies network protocol type; IPv4 is 0x0800
• HLEN and PLEN specify the length of the hardware address (MAC address is 6 octets) and upper layer protocol (IPv4 is 4 octets, IPv6 is 16 octets)
• Operation can be either Request (1) or Reply (2)
• Remaining fields hold the sender's and target's hardware and upper layer protocol addresses

ARP Packet and Announcements - Packet Formats

• ARP request (OP=1):
  • SPA: IP address of the sender
  • SHA: MAC address of the sender
  • TPA: IP address of the target
  • THA: usually broadcast
• ARP reply (OP=2):
  • SPA: IP address of the sender
  • SHA: MAC address of the sender
  • TPA: IP address of the target
  • THA: MAC address of the target
• ARP Announcement/Gratuitous message (OP=1):
  • A special kind of ARP request to update the ARP caches of other hosts, could be done by the operating system during start-up
  • TPA=SPA: IP address of the sender
  • THA: broadcast (all 1s)

ARP Spoofing

• The ARP protocol is simply built and susceptible to a spoofing or poisoning attack
• ARP protocol properties:
  • The standard ARP is a stateless protocol that updates the ARP table whenever an ARP response is received, even without an ARP request being sent; ARP announcements are not authenticated
• Machines trust each other, and a rogue machine can spoof another machine by sending gratuitous ARP replies to "poison" other machines' ARP caches
• If the attacker associates the IP address of the gateway to its MAC address:
  • It can sniff the traffic before forwarding it to the real gateway, hence a passive attack
  • Modify the traffic before forwarding it as an active attack
  • Man-in-the-middle attack, the attacker can associate the IP address of the gateway to a nonexistent MAC address
  • Outgoing traffic of the network is sent to the nonexistent address, hence a denial of service attack
• Tools for ARP Spoofing: Arpoison, Ettercap, Arpspoof

ARP Security Issues

• To summarize the security issues presented thus far for the link layer:
  • Eavesdropping of hub or switch communications
  • ARP spoofing for the purpose of eavesdropping
  • ARP spoofing for the purpose of denial of service
• Other possible attacks include MAC flooding, which can cause a switch to behave like a hub and flood the device for a denial of service attack

ARP Spoofing Countermeasures

• Using static ARP table entries solves the problem, but is almost impossible to manage
• DHCP Snooping involves keeping a record of the MAC address of the machine connected on each port of the network device (e.g., switch), and it checks any received ARP Announcement before forwarding it to the network
  • Implemented by CISCO, D-Link, Allied Telesis
• Looking for cloned MAC addresses may involve performing inverse ARP, which could return the IP address associated with a MAC address
  • If more than one address is returned, this indicates an ARP spoof

Packet Sniffing

• Packet sniffers "read" information traversing a network
• Packet sniffers intercept network packets, using ARP cache poisoning
• Packet sniffers can be used as legitimate tools to analyze a network to monitor network usage, filter network traffic, and analyze network problems
• Packet sniffers can also be used maliciously to steal information (i.e., passwords, conversations, etc.), by analyzing network information to prepare an attack
• Packet sniffers can be either software or hardware-based and are dependent on network setup

Detecting Packet Sniffing

• Sniffers are almost always passive
• Sniffers collect data and do not attempt “entry” to “steal” data which makes them extremely hard to detect
• Most detection methods require suspicion which means some sort of “ping” of the sniffer is necessary and should be a broadcast that will cause a response only from a sniffer
• Another solution on switched hubs is ARP watch, which monitors the ARP cache for duplicate entries of a machine that raises an alarm if duplicates appear
• This has the problem of false alarms, because specifically DHCP networks can have multiple entries for a single machine

Stopping Packet Sniffing

• To encrypt packets securely, Sniffers can capture the packets, but they are meaningless
• Using SSH with private/public key pairs makes sniffing virtually useless
• On switched networks, almost all attacks will be via ARP spoofing
  • Add machines to a permanent store in the cache, which cannot be modified via a broadcast reply and ensure a sniffer cannot redirect an address to itself
• Best security is to not let them in the network in the first place
• Sniffers need to be on your subnet in a switched hub in the first place
• All sniffers need to somehow access root at some point to start themselves up

Wireshark

• Wireshark is a packet sniffer and protocol analyzer that captures and analyzes frames, and supports plugins
• Wireshark typically requires administrator privileges to run
• Setting the network interface in promiscuous mode captures traffic across the entire LAN segment and not just frames addressed to the machine
• Freely available at http://www.wireshark.org/