Section 5.2 Network Layer Attacks

Subsection 5.2.1 MAC Spoofing/MAC Cloning

Most networks expect that a MAC address will correspond to the unique number assigned to a network interface controller (NIC), but it is actually quite easy to change. Virtual networking necessitates the ability to use a different MAC address, and this feature is built into most modern operating systems. MAC spoofing is when an attacker sets their MAC address to the MAC address of another machine on the network in an effort to initiate an attack. For example, they may set themselves up as a gateway to launch a MitM attack.

Subsection 5.2.2 MAC Flooding

Switches are tasked with keeping track of which MAC addresses correspond to which ports on the switch. They use this to make sure that traffic is only sent where it needs to go. Given that MAC addresses can be changed, an attacker could flood a switch with packets from many different MAC addresses and possibly overflow the table that maps MAC addresses to ports. When that happens, some switches may default to hub-like functionality and send frames to all ports in an effort to keep traffic flowing. This then allows an attacker to capture traffic from other machines on the network.

Subsection 5.2.3 ARP Poisoning

Diagram comparing network routing under normal operation with routing subject to ARP cache poisoning, where a malicious user intercepts traffic.
The diagram is divided into two sections. The top section, titled "Routing under normal operation," depicts a standard network setup. A "LAN User" is shown connected to a "Hub/switch," which in turn connects to a "LAN Gateway." The "LAN Gateway" then provides access to the "Internet." Black bidirectional arrows indicate the normal flow of communication between these components.
The bottom section, titled "Routing subject to ARP cache poisoning," illustrates how this normal flow is disrupted by an attack. The same "LAN User," "Hub/switch," "LAN Gateway," and "Internet" are present. However, a "Malicious User" is now also connected to the "Hub/switch." Red arrows show that traffic from the "LAN User," instead of going directly to the "LAN Gateway" via the "Hub/switch," is now rerouted. Specifically, traffic from the "LAN User" goes to the "Hub/switch" and is then directed to the "Malicious User." Subsequently, traffic from the "Malicious User" is sent back through the "Hub/switch" and then on to the "LAN Gateway" and the "Internet." This demonstrates the malicious user successfully inserting themselves into the communication path between the LAN User and the LAN Gateway, enabling them to intercept or manipulate the data.
Figure 5.2.1. ARP Spoofing. Source: commons.wikimedia.org/wiki/File:ARP_Spoofing.svg by 0x5534C, see page for license via Wikimedia Commons
An attacker may also use ARP packets to impersonate another machine on the network, such as a gateway router. By repeatedly sending out gratuitous ARP packets that redirect traffic bound for the gateway's IP to the attacker's MAC address, an attacker can set up a MitM scenario. This is particularly difficult to recover from because, depending on the TTL of the ARP cache, it may take up to 20 minutes for normal network operations to resume.
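A passive detector for the gratuitous ARP behavior described above, added here as an example and not part of the original text: it parses ARP payloads, keeps the first (or an administrator-pinned) MAC for each IP, and alerts when a different MAC claims that IP or when one sender repeats gratuitous announcements. The addresses, the `burst` threshold and all function names are assumptions made for the illustration, and the sample frames are constructed.

```python
import struct
from collections import Counter

def make_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (only used for the constructed sample)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Return (oper, sender_mac, sender_ip, target_ip) from an ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha.hex(":"), ".".join(map(str, spa)), ".".join(map(str, tpa))

def detect_poisoning(frames, pinned=None, burst=3):
    """Alert on IP-to-MAC binding changes and on bursts of gratuitous ARP."""
    bindings = dict(pinned or {})   # ip -> pinned or first-seen MAC, never overwritten
    gratuitous = Counter()
    alerts = []
    for ts, payload in frames:
        _oper, mac, ip, target_ip = parse_arp(payload)
        expected = bindings.setdefault(ip, mac)
        if mac != expected:
            alerts.append((ts, "binding-change", ip, expected, mac))
        if ip == target_ip:         # gratuitous ARP: sender announces its own IP
            gratuitous[(ip, mac)] += 1
            if gratuitous[(ip, mac)] == burst:
                alerts.append((ts, "gratuitous-burst", ip, expected, mac))
    return alerts

# Constructed sample: documentation-range IPs, locally administered MACs.
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "192.0.2.50", "02:00:00:00:00:50"
ROGUE_MAC, BCAST = "02:00:00:00:00:99", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    (0.0, make_arp(1, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GW_IP)),  # who-has gateway
    (0.1, make_arp(2, GW_MAC, GW_IP, HOST_MAC, HOST_IP)),               # genuine reply
    (5.0, make_arp(2, ROGUE_MAC, GW_IP, BCAST, GW_IP)),                 # conflicting claim
    (6.0, make_arp(2, ROGUE_MAC, GW_IP, BCAST, GW_IP)),
    (7.0, make_arp(2, ROGUE_MAC, GW_IP, BCAST, GW_IP)),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE, pinned={GW_IP: GW_MAC}):
        print(alert)
```

Pinning the gateway's binding matters: if monitoring starts after the conflicting claims have begun, first-seen tracking alone records the wrong MAC as the baseline and only the burst rule fires.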