Attack through Internet
4.2. False ARP server in the Internet

As has already been emphasized repeatedly, in computer networks the connection between two remote hosts is carried out by transmitting messages over the network, and those messages are formed into exchange packets. A packet transmitted over a network, regardless of the protocol used and the type of network (Token Ring, Ethernet, X.25, etc.), generally consists of a packet header and a data field. The packet header carries the service information defined by the exchange protocol in use: what is needed to address the packet, to identify it, to transform it and so on. The data field holds either the data itself or another packet of a higher OSI layer. Thus, for example, a transport-layer packet may be enclosed in a network-layer packet, which in turn is enclosed in a link-layer packet. For network OSes that use the TCP/IP protocols this statement takes a concrete form: a TCP packet (transport layer) is enclosed in an IP packet (network layer), which in turn is enclosed in an Ethernet frame (link layer). The following figure illustrates how a TCP packet in the Internet looks:
Fig. 4.2. Structure of a TCP packet.

Let us now consider how packets are addressed in the Internet and the security problems that arise from it. As is known, the base network protocol of the Internet is IP (Internet Protocol). IP is a routed protocol that allows an IP packet to be delivered to any point of the global network. For addressing at the network (IP) layer every host in the Internet has a unique 32-bit IP address. To deliver an IP packet to a host, that host's IP address must be placed in the Destination Address field of the IP header. However, as fig. 4.2 shows, the IP packet itself lies inside a hardware frame (with Ethernet as the transmission medium, inside an Ethernet frame), so every packet in a network of any type, whatever the exchange protocol, is in the end addressed to the hardware address of the network adapter that actually receives and transmits frames on the network (from here on we consider only Ethernet networks).

From the above it follows that, to address IP packets in the Internet, besides the IP address of a host one also needs either the Ethernet address of its network adapter (for addressing within one subnet) or the Ethernet address of the router (for addressing through a gateway). Initially a host has no information about the Ethernet addresses of the other hosts in its segment, including the Ethernet address of the router. The host therefore faces the standard problem that is solved with a remote-search algorithm. In the Internet this problem is solved by ARP (Address Resolution Protocol). ARP provides a one-to-one correspondence between the IP and Ethernet addresses of hosts within one segment. This is achieved as follows. On its first access to network resources the host sends a broadcast ARP request to the Ethernet address FFFFFFFFFFFFh, in which it specifies the IP address of the router and asks to be told its Ethernet address (the router's IP address is a mandatory parameter that is always set manually when any network OS is configured for work in the Internet). This broadcast request is received by every station in the given network segment, including the router. Having received the request, the router enters a record about the requesting host in its ARP table and then sends the requesting host an ARP reply in which it reports its Ethernet address. The Ethernet address received in the ARP reply is entered in the ARP table that the operating system of the requesting host keeps in memory; this table holds the IP and Ethernet addresses of those hosts within the segment that have been requested. Note that when a host located in the same subnet is addressed, ARP is used as well and the scheme considered above is repeated in full.

From Section 3.2.3.2 it follows that if remote-search algorithms are used in a distributed computing system (VT), the typical remote attack "false object of the VT" can be carried out against such a network. From the security analysis of ARP it becomes clear that, having intercepted the broadcast ARP request on an attacking host within the given network segment, one can send a false ARP reply announcing oneself as the requested host (for example, the router) and then actively control and influence the network traffic of the "deceived" host under the "false object of the VT" scheme (Section 3.2.3.3).

Let us consider the generalized functional scheme of a false ARP server (fig. 4.3):
· waiting for an ARP request;
· on receiving an ARP request, sending the requesting host over the network a false ARP reply that specifies either the address of the attacking station's network adapter (the false ARP server) or the Ethernet address on which the false ARP server will receive packets (it is not at all necessary to put the real Ethernet address in the false ARP reply: when working directly with the network adapter, it can be programmed to receive frames addressed to any Ethernet address);
· receiving, analysing, influencing and forwarding the packets exchanged between the cooperating hosts (on influencing the intercepted information see Section 3.2.2.3).

Fig. 4.3. False ARP server. Information intercepted on the false ARP server.

The attack scheme given here needs some clarification. In practice the authors have found that even highly qualified network administrators and programmers frequently do not know or do not understand the subtleties of how ARP works. This is probably because the usual configuration of a network OS that supports TCP/IP requires no configuration of the ARP module at all (we have not met a network OS in which ARP tables had to be created "by hand"). ARP therefore remains, as it were, "transparent" to administrators. Further, attention must be paid to the fact that the router also has an ARP table, which holds the IP addresses, and the Ethernet addresses corresponding to them, of all hosts in the network segment connected to the router. The information in the router's ARP table is usually also entered not manually but through ARP. This is why it is so easy, within one segment of an IP network, to appropriate someone else's IP address: issue the network OS command that sets a new IP address and then access the network. A broadcast ARP request is sent at once, and the router, having received it, automatically updates the entry in its ARP table (it associates the other host's IP address with the Ethernet address of your network card), so the owner of that IP address loses its connection with the outside world (all packets addressed to its former IP address that arrive at the router are sent by the router to the attacker's Ethernet address). It is true that some operating systems analyse every broadcast ARP request transmitted on the network. For example, Windows 95 or SunOS 5.3, on receiving an ARP request whose sender IP address coincides with the IP address of the system itself, issue a warning that a host with such-and-such an Ethernet address is trying (successfully, of course) to appropriate the system's IP address.

Now let us return directly to the "false ARP server" attack scheme described earlier. From the analysis of the addressing mechanisms given above it becomes clear that, since the search ARP request is received not only by the attacker but also by the router, the router's table will contain the corresponding entry with the IP and Ethernet addresses of the attacked host. Consequently, when a packet destined for the IP address of the attacked host arrives at the router, it will be sent not to the false ARP server but directly to the host. The packet transfer scheme in this case is the following:
· the attacked host sends packets to the false ARP server;
· the false ARP server forwards the packet received from the attacked host to the router;
· the router, on receiving the answer to the forwarded request, sends it directly to the attacked host, bypassing the false ARP server.

Fig. 4.3.4. The loopback scheme of information interception by a false ARP server.
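The ARP exchange described above, the false reply, and the resulting loopback route, modelled in Python as an added example (this is not code from the book). Frames are built and parsed at byte level in the RFC 826 Ethernet/ARP layout; the victim, router and false server, their ARP tables, the rule that the first reply to an outstanding request wins, and the address-conflict warning attributed in the text to Windows 95 and SunOS 5.3 are assumptions of the simulation, and all addresses are constructed sample values. The `claim` step is the book's first way of turning the loopback into a bridge: the attacker re-sends the request with the victim's IP address so that the router re-learns it.

```python
"""Toy model of the false ARP server described in this section (added example, not the
book's code). Ethernet II + ARP frames are built and parsed at byte level (RFC 826 layout);
the hosts, their ARP tables and the shared segment are a simulation. Addresses are constructed."""
import struct
from ipaddress import IPv4Address

BROADCAST = "ff:ff:ff:ff:ff:ff"          # FFFFFFFFFFFFh in the text
ZERO_MAC = "00:00:00:00:00:00"
ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_bytes(m): return bytes.fromhex(m.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)

def build_arp(op, sha, spa, tha, tpa, eth_dst=None):
    """14-byte Ethernet header followed by the 28-byte ARP packet (htype 1, ptype 0x0800)."""
    eth = mac_bytes(eth_dst or tha) + mac_bytes(sha) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sha) + IPv4Address(spa).packed
    return eth + arp + mac_bytes(tha) + IPv4Address(tpa).packed

def parse_arp(frame):
    if len(frame) != 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP format")
    return {"eth_dst": mac_str(frame[:6]), "op": op,
            "sha": mac_str(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),
            "tha": mac_str(frame[32:38]), "tpa": str(IPv4Address(frame[38:42]))}

class Host:
    """Ordinary station: its ARP table is filled only through ARP, never by hand."""
    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp, self.pending, self.warnings = {}, set(), []
    def accepts(self, p):
        return p["eth_dst"] in (self.mac, BROADCAST)
    def receive(self, p):
        if p["spa"] == self.ip and p["sha"] != self.mac:       # the Windows 95 / SunOS 5.3 warning
            self.warnings.append(f"{p['sha']} claims our address {self.ip}")
        if p["op"] == ARP_REQUEST and p["tpa"] == self.ip:     # record the requester and answer it
            self.arp[p["spa"]] = p["sha"]
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sha"], p["spa"])
        if p["op"] == ARP_REPLY and p["spa"] in self.pending:  # first answer to our request wins
            self.pending.discard(p["spa"])
            self.arp[p["spa"]] = p["sha"]
        return None
    def resolve(self, ip):
        """Broadcast ARP request for ip (the host's first access to the network)."""
        self.pending.add(ip)
        return build_arp(ARP_REQUEST, self.mac, self.ip, ZERO_MAC, ip, eth_dst=BROADCAST)

class FalseArpServer(Host):
    """Attacker: reads every frame (adapter in promiscuous mode), answers requests for the router."""
    def __init__(self, name, ip, mac, router_ip):
        super().__init__(name, ip, mac)
        self.router_ip = router_ip
    def accepts(self, p):
        return True
    def receive(self, p):
        if p["sha"] == self.mac:                               # ignore our own frames
            return None
        self.arp[p["spa"]] = p["sha"]                          # learn the real bindings passively
        if p["op"] == ARP_REQUEST and p["tpa"] == self.router_ip:
            return build_arp(ARP_REPLY, self.mac, self.router_ip, p["sha"], p["spa"])  # false reply
        return None
    def claim(self, victim_ip):
        """Bridge variant: a request naming victim_ip as ours makes the router re-learn it."""
        return build_arp(ARP_REQUEST, self.mac, victim_ip, ZERO_MAC, self.router_ip, eth_dst=BROADCAST)

class Segment:
    def __init__(self, *hosts):
        self.hosts = list(hosts)
    def send(self, frame, first=None):
        """Deliver to every station that accepts the frame; `first` sees it before the others,
        which is how the false server's reply reaches the victim ahead of the router's."""
        p = parse_arp(frame)
        for h in sorted(self.hosts, key=lambda h: h is not first):
            if h.accepts(p):
                reply = h.receive(p)
                if reply:
                    self.send(reply)

def walk(seg, start, target_ip):
    """Stations a frame for target_ip passes, following each station's own ARP table."""
    by_mac = {h.mac: h for h in seg.hosts}
    path, cur = [start.name], start
    while cur is start or isinstance(cur, FalseArpServer):    # the false server forwards onward
        cur = by_mac[cur.arp[target_ip]]
        path.append(cur.name)
    return path

def demo():
    victim = Host("victim", "192.0.2.10", "02:00:00:00:00:10")
    router = Host("router", "192.0.2.1", "02:00:00:00:00:01")
    attacker = FalseArpServer("attacker", "192.0.2.66", "02:00:00:00:00:66", router.ip)
    seg = Segment(victim, router, attacker)
    seg.send(victim.resolve(router.ip), first=attacker)        # victim asks for the router; attacker answers first
    loopback = (walk(seg, victim, router.ip), walk(seg, router, victim.ip))
    seg.send(attacker.claim(victim.ip))                        # router re-learns the victim's IP
    bridge = (walk(seg, victim, router.ip), walk(seg, router, victim.ip))
    return {"victim_arp": dict(victim.arp), "router_arp": dict(router.arp),
            "loopback": loopback, "bridge": bridge, "victim_warnings": list(victim.warnings)}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run as a script, `demo()` shows the two routes side by side: after the false reply the victim's table maps the router's IP to the attacker, but the router's table still holds the victim's real Ethernet address, so the forward path is victim, attacker, router and the return path is router, victim (the loopback). After `claim` the router sends return traffic through the attacker too (the bridge), at the price the text describes: the victim, which saw its own IP address in a broadcast request from a foreign Ethernet address, has recorded a warning.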
In this case the last phase, "receiving, analysing, influencing and forwarding of packets" exchanged between the attacked host and, for example, the router (or any other host in the same segment), will no longer proceed in the mode of complete interception of packets by the false server (the bridge scheme) but in a "half-interception" mode (the loopback scheme). Indeed, in the complete-interception mode the route of all packets sent in either direction necessarily passes through the false server acting as a bridge, whereas in the "half-interception" mode the route of the packets forms a loop, as can be seen in fig. 4.3.4. This loopback scheme of information interception by a false server deserves attention, because two further variants of the attack, based on the DNS and ICMP protocols, will be considered later; their result is also interception of information under the "false object of the VT" scheme, and a loopback route can arise there too.

Nevertheless, it is fairly easy to devise ways of making a false ARP server operate in the bridge (complete-interception) scheme. For example, having received an ARP request, one can send the same request oneself and appropriate the given IP address (true, in this case the false ARP server will not manage to remain unnoticed, since some network OSes (for example Windows 95 and SunOS 5.3), as noted earlier, on intercepting such a request issue a warning that their IP address is being used). Another, considerably preferable way is to send an ARP request specifying as its IP address any IP address that is free in the given segment, and thereafter to work from that IP address both with the router and with the "deceived" hosts (incidentally, this is the typical proxy scheme).

To conclude the account of the vulnerability of ARP, it is necessary to show how various network OSes use this protocol to change the information in their ARP tables. Research on various network OSes found that Linux 1.2.8, when addressing a host located in the same subnet, sends an ARP request if the ARP table has no entry with the corresponding Ethernet address, and on subsequent accesses to that host no ARP request is sent. In SunOS 5.3 an ARP request is sent on every new access to a host, so the ARP table is updated dynamically.
From the point of view of ARP use, Windows 95 behaves the same as Linux when accessing a host, except that this operating system periodically (every minute) sends an ARP request for the Ethernet address of the router (apparently the Microsoft programmers supposed that the router might constantly change its Ethernet address?!), and as a result a whole local network of Windows 95 hosts is easily compromised by a false ARP server within a few minutes. As for Windows NT 4.0, experiments showed that it too uses a dynamically changing ARP table and that ARP requests for the Ethernet address of the router are sent with a period of about 10 minutes.

Of special interest was the following question: is it possible to carry out this remote attack against a UNIX-compatible OS certified at class B1 (a mandatory and discretionary network access control policy plus a special scheme of operation of SUID/SGID processes) installed on a dual-processor minicomputer? This system is one of the best full-featured network OSes in the world. During the analysis of the security of its firewall against remote influences carried out over communication channels, testing found that in the basic configuration of the OS (with all standard settings) this protected UNIX system is also compromised by a false ARP server.

In summary we note, first, that the reason for the success of this remote attack lies not so much in the Internet as in the broadcast Ethernet medium, and second, that this remote attack is obviously an intra-segment one and therefore threatens you only if the attacker is present within your network segment. However, as is known from the statistics of information-security breaches in computer networks, the majority of successful break-ins are committed from inside, by an organization's own employees. The reasons for this are clear. As was emphasized earlier, an intra-segment remote attack is much easier to carry out than an inter-segment one.
Besides, practically all organizations have local networks (including IP networks), though by no means all local networks are connected to the global Internet; this is explained both by security considerations and by whether the organization needs such a connection. And finally, it is much easier for the organization's own employees, who know the subtleties of its internal computer network, to carry out a break-in than for anyone else. Security administrators therefore cannot afford to underestimate this remote attack, even though its source is inside their local IP network.
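The check a security administrator of such a segment would want, as an added example that is not from the book: passive detection of a false ARP server from captured ARP traffic. The sample capture is constructed in the style of `tcpdump -e -n arp` output (the regex assumes that layout and treats the frame's source address as the sender of a request, since tcpdump does not print the sender hardware address), and every address is a sample value. The monitor flags the patterns the text describes: one IP address claimed by two Ethernet addresses (the false reply racing the router's real one), one Ethernet address claiming several IP addresses (the attacker appropriating the victim's IP towards the router), and replies no one asked for. Giving it a `known` binding for the router, the manual ARP entry the text notes administrators almost never create, moves detection to the very first false reply.

```python
"""Passive detection of a false ARP server from captured ARP traffic (added example, not the
book's code). SAMPLE_CAPTURE is constructed in the style of `tcpdump -e -n arp` output and the
regex assumes that layout; all addresses are sample values."""
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), .*?: "
    r"(?:Request who-has (?P<tpa>[0-9.]+) tell (?P<spa>[0-9.]+)"
    r"|Reply (?P<rpa>[0-9.]+) is-at (?P<rha>[0-9a-f:]{17}))")

# Constructed capture: the victim (:10) asks for the router; the false server (:66) answers
# before the real router (:01); later :66 claims the victim's IP towards the router and sends
# an unsolicited reply to a third host (:20).
SAMPLE_CAPTURE = """\
10:00:00.000100 02:00:00:00:00:10 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
10:00:00.000300 02:00:00:00:00:66 > 02:00:00:00:00:10, ethertype ARP (0x0806), length 42: Reply 192.0.2.1 is-at 02:00:00:00:00:66, length 28
10:00:00.000400 02:00:00:00:00:01 > 02:00:00:00:00:10, ethertype ARP (0x0806), length 42: Reply 192.0.2.1 is-at 02:00:00:00:00:01, length 28
10:00:01.000000 02:00:00:00:00:66 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.0.2.1 tell 192.0.2.10, length 28
10:00:05.000000 02:00:00:00:00:66 > 02:00:00:00:00:20, ethertype ARP (0x0806), length 42: Reply 192.0.2.1 is-at 02:00:00:00:00:66, length 28
"""

def parse_line(line):
    """Return {ts, src, dst, op, spa, sha, tpa} for an ARP line, None for anything else."""
    m = LINE.search(line)
    if not m:
        return None
    g = m.groupdict()
    if g["tpa"]:   # request: tcpdump prints no sender MAC, so the frame source is taken as sender
        return {"ts": g["ts"], "src": g["src"], "dst": g["dst"], "op": "request",
                "spa": g["spa"], "sha": g["src"], "tpa": g["tpa"]}
    return {"ts": g["ts"], "src": g["src"], "dst": g["dst"], "op": "reply",
            "spa": g["rpa"], "sha": g["rha"], "tpa": None}

class ArpMonitor:
    """Remembers every IP->MAC claim seen on the segment and flags the patterns of a false server."""
    def __init__(self, known=None):
        self.claims = defaultdict(set)    # ip  -> MACs that have claimed it
        self.ips_of = defaultdict(set)    # mac -> IPs it has claimed
        self.requested = set()            # (requester MAC, requested IP) seen in this capture
        self.alerts = []                  # (ts, kind, detail)
        for ip, mac in (known or {}).items():   # trusted bindings, e.g. a static entry for the router
            self.claims[ip].add(mac)
            self.ips_of[mac].add(ip)

    def _note_claim(self, ts, ip, mac):
        if self.claims[ip] and mac not in self.claims[ip]:
            self.alerts.append((ts, "ip_conflict",
                                f"{ip} now claimed by {mac}, earlier by {sorted(self.claims[ip])}"))
        self.claims[ip].add(mac)
        if self.ips_of[mac] and ip not in self.ips_of[mac]:
            self.alerts.append((ts, "mac_claims_many",
                                f"{mac} claims {sorted(self.ips_of[mac] | {ip})}"))
        self.ips_of[mac].add(ip)

    def feed(self, ev):
        if ev["op"] == "request":
            self.requested.add((ev["src"], ev["tpa"]))
        else:
            if (ev["dst"], ev["spa"]) not in self.requested:
                self.alerts.append((ev["ts"], "unsolicited_reply",
                                    f"{ev['spa']} is-at {ev['sha']} sent to {ev['dst']} without a request"))
            if ev["sha"] != ev["src"]:   # a false server may advertise a MAC other than its own
                self.alerts.append((ev["ts"], "sha_mismatch",
                                    f"frame from {ev['src']} says {ev['spa']} is-at {ev['sha']}"))
        self._note_claim(ev["ts"], ev["spa"], ev["sha"])

def analyze(capture, known=None):
    """Run the monitor over a capture text and return its alerts in order."""
    mon = ArpMonitor(known)
    for line in capture.splitlines():
        ev = parse_line(line)
        if ev:
            mon.feed(ev)
    return mon.alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_CAPTURE, known={"192.0.2.1": "02:00:00:00:00:01"}):
        print(*alert)
```

Without a trusted entry the monitor cannot tell which of the two replies for 192.0.2.1 is genuine and raises its first alert only when the second one arrives; with the router's real address configured as `known`, the false server's reply is flagged the moment it is seen. `requested` is never expired here because the capture is a fixed window; a monitor running on live traffic would age those entries out.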