ARP Poisoning: Man-in-the-Middle Attacks

One of the most dangerous attacks against networks is the “Man-in-the-Middle” attack (MITM). In this attack, the intruder inserts his computer between your system and the rest of the network. As you communicate, the intruder eavesdrops on all your messages as they travel across the network.

Network switches were supposed to stop attacks like this. Instead of blindly retransmitting every packet it receives, a switch only sends a packet out on the port that leads to the destination machine or network, so the traffic does not reach every node on the switch. The switch in this case acts like a traffic cop, directing traffic to its destination. So, if switches only transmit data on the line bound for the destination machine, how do people intercept this traffic?

This intelligent data flow is compromised by a weakness in the Address Resolution Protocol (ARP). Each computer keeps a map (its ARP table) of which network address corresponds to which physical network card. So network address 1 belongs to the switch, address 2 belongs to the user Bill and address 3 belongs to our attacker Joe. Bill’s machine communicates to and from the switch.


Now, Joe, our attacker, modifies or poisons the ARP tables on Bill’s machine and the switch. He tells the switch that he is Bill at address 2. He then tells Bill’s machine that he is the switch located at address 1. So, all data transmitted from Bill will now go to Joe’s machine, and all data from the switch headed for Bill will go to Joe’s machine. Joe’s machine passes all traffic back and forth, placing itself in the middle between Bill and the router. Thus the name, “Man-in-the-Middle” attack.

Joe is now able to intercept all of Bill’s traffic. He is able to view the websites that Bill is on, grab passwords and login credentials, and, with the right tools, he can even intercept and read encrypted data from Bill.
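The defensive side of this story, as an added example that is not part of the original post: a passive monitor on the segment that parses raw ARP replies and alerts when an IP address silently changes to a different card, or when one card starts answering for both Bill’s address and the router’s, which is exactly the two-sided poisoning described above. The addresses are constructed placeholders (192.0.2.x, 02:00:... MACs), not values from the page.

```python
import struct

# Constructed placeholder addresses mirroring the post: 1 = router, 2 = Bill, 3 = Joe.
ROUTER_IP, ROUTER_MAC = "192.0.2.1", "02:00:00:00:00:01"
BILL_IP, BILL_MAC = "192.0.2.2", "02:00:00:00:00:02"
JOE_MAC = "02:00:00:00:00:03"

def arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet + ARP reply frame (opcode 2) as a sniffer would capture it."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"          # dst, src, EtherType=ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)               # htype, ptype, hlen, plen, op
    arp += mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) from a raw frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return op, smac, sip

class ArpWatch:
    """Learns IP -> MAC bindings from every ARP frame seen and flags suspicious changes."""
    def __init__(self):
        self.ip_to_mac = {}

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        _op, smac, sip = parsed
        alerts = []
        known = self.ip_to_mac.get(sip)
        if known is not None and known != smac:
            # A previously learned address now answered by a different card.
            alerts.append(f"{sip} moved from {known} to {smac}")
        self.ip_to_mac[sip] = smac
        # One card answering for several IPs is the poisoning pattern from the post.
        ips = sorted(i for i, m in self.ip_to_mac.items() if m == smac)
        if len(ips) > 1:
            alerts.append(f"{smac} claims {', '.join(ips)}")
        return alerts
```

In practice the learned table should be seeded from a known-good inventory (or a DHCP lease list) rather than from the first frame seen, since a monitor that starts after the poisoning will happily learn the attacker’s bindings as the baseline.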

This is just a simple explanation of the Man-in-the-Middle attack. In the near future we will cover some of the attackers’ tools and how to defend against this type of attack. For more information on MITM attacks, see Wikipedia.

D. Dieterle

~ by D. Dieterle on March 20, 2010.
