An Attack at Indiana University ARP Poison Routing David A. Greenberg, GSEC, GCWN, GCFA Principal Security Engineer University Information Security Office.

Slides:



Advertisements
Similar presentations
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Advertisements

DNS Attack Dalia Solomon. CONFIGURATION KNOPPIX SDT STD stands for security tools distribution A bootable CD with Linux OS, Linux kernel STD focuses.
Web Hosting Lan Vu. How does a Website work ? Web development concepts Web Design Web Hosting Domain Name.
ARP Caching Christopher Avilla. What is ARP all about? Background Packet Structure Probe Announcement Inverse and Reverse Proxy Tools Poisoning MAC Flooding.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
A Client Side Defense against Address Resolution Protocol (ARP) Poisoning George Mason University INFS 612, Spring 2013 Group #3 (C. Blair, N. Eisele,
Mobility Jennifer Rexford COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101
Chapter 5 Link Layer Computer Networking: A Top Down Approach 6th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 A note on the use of these.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
5-Network Defenses Dr. John P. Abraham Professor UTPA.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
Wireless and Switch Security NETS David Mitchell.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Adrian Crenshaw.  I run Irongeek.com  I have an interest in InfoSec education  I don’t know everything - I’m.
ITIS 6167/8167: Network and Information Security Weichao Wang.
Demonstrating HTTP Session Hijacking through ARP Cache Poisoning and Man-in-the-Middle Attack and exploring HTTPS and VOIP session vulnerabilities Mainuddin.
COS 461: Computer Networks
Chapter 23: ARP, ICMP, DHCP IS333 Spring 2015.
COEN 252: Computer Forensics Router Investigation.
Network Registration and User Tracking An Open Source Approach Mark Berman Ashley Frost Williams College.
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
IST 228\Ch3\IP Addressing1 TCP/IP and DoD Model (TCP/IP Model)
Module 7: Configuring TCP/IP Addressing and Name Resolution.
JMU GenCyber Boot Camp Summer, Network Sniffing Sometimes it is possible observe/record traffic traveling on a network Network traffic may contain.
DNS (Domain Name System) Protocol On the Internet, the DNS associates various sorts of information with domain names. A domain name is a meaningful and.
Examining TCP/IP.
Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.
1/28/2010 Network Plus Network Device Review. Physical Layer Devices Repeater –Repeats all signals or bits from one port to the other –Can be used extend.
A day in the life: scenario
Link Layer 5-1 Link layer, LAN s: outline 5.1 introduction, services 5.2 error detection, correction 5.3 multiple access protocols 5.4 LANs  addressing,
Introduction to ITE Chapter 9 Computer Security. Why Study Security?  This is a huge area for computer technicians.  Security isn’t just anti-virus.
DHCP Security DHCP Snooping and Security David Mitchell 03/19/2008.
Securing Wired Local Area Networks(LANs)
Mahindra-British Telecom Ltd. Exploiting Layer 2 By Balwant Rathore.
ARP Spoofing Attacks Dr. Neminath Hubballi IIT Indore © Neminath Hubballi.
Resnet Enhancements and Directions Part 1, Bruce Campbell, Information Systems and Technology.
CHAPTER 9 Sniffing.
Chapter 23: ARP, ICMP, DHCP CS332, IS333 Spring 2014.
1 CSCD 433 Network Programming Fall 2011 Lecture 5 VLAN's.
Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.
Attack and Malicious Code Andrew Anaruk. Security Threats Denial of Service (DoS) Attacks Spoofing Social Engineering Attacks on Encrypted Data Software.
Networks Part 3: Packet Paths + Wireshark NYU-Poly: HSWP Instructor: Mandy Galante.
Chapter 6: Securing the Local Area Network
ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.
WHAT IS E-COMMERCE? E-COMMERCE is a online service that helps the seller/buyer complete their transaction through a secure server. Throughout the past.
Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet.
End-host IP: MAC: 11:11:11:11:11 gateway IP: MAC: 22:22:22:22:22 Google server IP: interne t interface DNS server IP:
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
An Introduction To ARP Spoofing & Other Attacks
Intro to Networks (part 1)
or call for office visit Chapter 6 - IPsec (IP Secure)
Exploiting Layer 2 By Balwant Rathore.
Troubleshooting ip Chapter 5e.
Layer 2 Attacks and Security
Link Layer 5.1 Introduction and services
A Typical Connection Scenario
CS 280: Summary: A day in the life of a web request
MAC Addresses and ARP 32-bit IP address:
LAN Vulnerabilities.
Using MIS 2e Chapter 6 Appendix
ARP: Address Resolution Protocol
Introduction An introduction to the software and organization of the Internet Lab.
Network Security: DNS Spoofing, SQL Injection, ARP Poisoning
Troubleshooting ip Chapter 5e.
Sécurisation au niveau 2 pour certains matériels Cisco
Chapter 5: Link Layer 5.1 Introduction and services
Presentation transcript:

An Attack at Indiana University ARP Poison Routing David A. Greenberg, GSEC, GCWN, GCFA Principal Security Engineer University Information Security Office Information and Infrastructure Assurance Office of the Vice President for Information Technology and CIO Indiana University

Introduction About Indiana University Address Resolution Protocol (ARP) ARP Attacks The Incident Future Mitigation

Indiana University Eight IU campuses Home of: REN-ISAC Internet2 Network NOC Big Red Supercomputer Jacobs School of Music

Indiana University 100,000 Students enrolled 17,000 Faculty and Staff In Bloomington and Indianapolis: 30,000 University owned computers 59,000 Estimated personal computers Source: factbook.indiana.edu

Address Resolution Protocol

Ethernet uses Media Access Control (MAC) addresses Internet uses Internet Protocol (IP) Addresses Address Resolution Protocol (ARP) ties these two together

ARP Request Who has IP address ? Tell is at MAC: IP: MAC: IP:

Look It Up The word gullible was removed from the 2008 edition of the unabridged Meriam-Webster dictionary.

ARP Spoofing / Gratuitous ARP 1. ARP Request2. ARP Reply 2. Spoofed ARP Reply 1. Who has IP address ? Tell is at a is at ?

ARP Spoofing Cain & Abel Dsniff Ettercap

Router Impersonation

Server Side ARP Spoofing October 4, 2007 ARP spoofing at a shared hosting site / index.php/2007/10/04/arp-spoofing-is- your-web-hosting-service-protected/

Incident at the University “http issues and possible security problem”

Symptoms Intermittent - comes and goes Slow loading web pages handful of users reporting problem Injecting code in web sites Affecting multiple Operating Systems

Intermittent First contact: Mon, 24 Sep :50: Problem seen on: Friday 9/14 (early afternoon – 4:30) Monday 9/17 (afternoon) Monday 9/24 (noon – afternoon)

Slow Loading Web Sites or...

Problem noticed by: Windows users Mac users DHCP users Student labs and Departmental builds But only about 7 users reported experiencing the problem. Not Static IP users?

Investigation DNS logs 157 machines on the vlan looked up the malware domain on 9/24/2007 Still, department only reported a handful of affected computers

Possible Causes The machines themselves are compromised Injection happening locally on each machine Web sites compromised Rogue DHCP ARP - MITM

Local Machine Compromised? Windows XP, Mac OS X All running up to date Anti Virus software Problem not persistent Two builds affected, each maintained by different group Student Technology Center users run as limited users Identical machines at other locations not affected

Web Sites Compromised? Code only visible from computers on one virtual lan (vlan) Visible in many unrelated websites located around the world (cnn.com google.com, indiana.edu, etc.)

DHCP ? Indiana University runs one central DHCP service All computers were communicating with the DHCP server normally. Nothing abnormal in the DHCP logs

ARP MITM? Intra-vlan traffic not visible to University sniffers ARP traffic not recorded anywhere Machines still communicate with external sites

On-site Investigation Support provider prepared a laptop with Wireshark and waited until… Morning of September 28, 2007 As we thought… Friday Plugged laptop into problem network and captured traffic

Wireshark – ARP Flooding

MAC Registration 00:16:36:69:36:3f AB Department: Department X Computer name: iub-83643e60024 Username: User5 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: ) Gecko/ Firefox/

Network Police Room 418, Jack K Student laptop Collected and imaged

Interesting Bits of the Timeline 9/24/2007 9:36:42 AM191 mymsn[9].htm 9/24/2007 9:36:42 AM1,809 9A993DE690A360E44D7240[1].jpg 9/24/2007 9:36:43 AM5,448 mymsn[7].js 9/24/2007 9:36:43 AM81,920 index.dat 9/24/2007 9:36:52 AM21,292 A exe 9/24/2007 9:36:52 AM15,762 A dll 9/24/2007 9:36:54 AM61,440 WanPacket.dll 9/24/2007 9:36:54 AM81,920 Packet.dll 9/24/2007 9:36:54 AM233,472 wpcap.dll

Malicious Software File A exe received on :16:12 (CET) VirusToal: Ikarus Trojan-Downloader.Win32.Zlob.and C:\Program Files\PaqTool\keylog\icosdll.dll

Mitigation Static ARP Tables Port Security One MAC per port Private VLANs Arpwatch tool DHCP Snooping + Dynamic ARP Inspection

Static ARP Tables Only choice for static IP addresses Build off of DHCP tables for DHCP addresses

One MAC Per Port Prevent easy MAC spoofing

Private VLANs VLAN within a VLAN Hosts on private VLAN can only talk to a single trusted port One way interception still possible

Arpwatch Arpwatch keeps track for ethernet/ip address pairings. It syslogs activity and reports certain changes via . Arpwatch uses pcap(3) to listen for arp packets on a local ethernet interface.pcap /etc/arpwatch.conf eth0 -n /8 From:

Dynamic ARP Inspection Switch intercepts all ARP packets Verify MAC to IP binding in local cache Compare to trusted database built by DHCP Snooping and user configured entries

Questions?

An Attack at Indiana University ARP Spoofing David A. Greenberg, GSEC, GCWN, GCFA Principal Security Engineer University Information Security Office Information and Infrastructure Assurance Office of the Vice President for Information Technology and CIO Indiana University

Support Slides

An Ethernet Frame

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.