ARP resolves the IP addresses of systems to their hardware addresses (also known as their media access control, or MAC addresses) and stores them in an area of memory known as the ARP cache. If you’re planning to take the Security+ exam, you should have a basic understanding of various types of attacks such as ARP poisoning attacks.
For example, can you answer this question?
Q. You are troubleshooting an intermittent connectivity issue with a web server. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring?
A. DDoS attack
B. DoS attack
C. Smurf attack
D. Salting attack
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Several common types of attacks launched against systems and networks. Some of them are generic, such as denial-of-service attacks, and others are very specific. This post covers ARP poisoning attacks.
ARP Poisoning Attacks
Address Resolution Protocol (ARP) poisoning is an attack that misleads computers or switches about the actual MAC address of a system. The MAC address is the physical address, or hardware address, assigned to the network interface card (NIC). ARP resolves the IP addresses of systems to their hardware address and stores the result in an area of memory known as the ARP cache.
TCP/IP uses the IP address to get a packet to a destination network. Once the packet arrives on the destination network, it uses the MAC address to get it to the correct host. ARP uses two primary messages:
- ARP request. The ARP request broadcasts the IP address and essentially asks, “Who has this IP address?”
- ARP reply. The computer with the IP address in the ARP request responds with its MAC address. The computer that sent the ARP request caches the MAC address for the IP. In many operating systems, all computers that hear the ARP reply also cache the MAC address.
A vulnerability with ARP is that it is very trusting. It will believe any ARP reply packet. Attackers can easily create ARP reply packets with spoofed or bogus MAC addresses, and poison the ARP cache on systems in the network. Two possible attacks from ARP poisoning are a man-in-the-middle attack and a DoS attack.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
ARP Man-in-the-Middle Attacks
In a man-in-the-middle attack, an attacker can redirect network traffic, and in some cases insert malicious code. Consider the following figure. Normally, traffic from the user to the Internet will go through the switch directly to the router, as shown in the top of figure. However, after poisoning the ARP cache of the victim, traffic is redirected to the attacker.
ARP poisoning used to redirect traffic
The victim’s ARP cache should include this entry to send data to the router:
192.168.1.1, 01-23-45-01-01-01
However, after poisoning the ARP cache, it includes this entry:
192.168.1.1, 01-23-45-66-66-66
The victim now sends all traffic destined for the router to the attacker. The attacker captures the data for analysis later. It also uses another method such as IP forwarding to send the traffic to the router so that the victim is unaware of the attack.
ARP DoS Attack
An attacker can also use ARP poisoning in a DoS attack. For example, an attacker can send an ARP reply with a bogus MAC address for the default gateway. The default gateway is the IP address of a router connection that provides a path out of the network. If all of the computers cache a bogus MAC address for the default gateway, none of them can reach it, and it stops all traffic out of the network.
Q. You are troubleshooting an intermittent connectivity issue with a web server. After examining the logs, you identify repeated connection attempts from various IP addresses. You realize these connection attempts are overloading the server, preventing it from responding to other connections. Which of the following is MOST likely occurring?
A. DDoS attack
B. DoS attack
C. Smurf attack
D. Salting attack
Answer is A. A distributed denial-of-service (DDoS) attack includes attacks from multiple systems with the goal of depleting the target’s resources and this scenario indicates multiple connection attempts from different IP addresses.
A DoS attack comes from a single system, and a SYN flood is an example of a DoS attack.
A smurf attack doesn’t attempt to connect to systems but instead sends pings.
Salting is a method used to prevent brute force attacks to discover passwords.
You might also like to view the blog post about System Attacks Disrupting User’s Access.
