Friday, 28 June 2013

The Arp Protocol

This will be a theoretical introduction on DoS attack on LAN and Arp (Adress Resolution Protocol)

When a system on a LAN want to communicate with with another computer on the LAN it sends the data packet into the network, usually the packet will be accepted only by the destination. It is accomplished by the means of mac addresses(we are considering networks using ethernet). Mac address is a unique 6 byte of combination which is written into the hardware which cannot be modified (but can be spoofed :-D). So what usually happens is the source and destination of a data packet is present in the header of the ethernet packet. Systems on the LAN examines the header of each and every packet and only accepts the packet which has destination address matching its own address. The actual communication takes place with the help of mac address. So even if we know the private ip address of a system in a LAN we can send data to it only if we know its mac address. The arp protocol is used to interlink the mac and ip address of systems. If a computer want to know the mac address of system of known ip address it sends an arp request to the broadcast address(so that all systems will receive the data). The corresponding system with the ip address which is present in the arp packet responds to the arp request with a reply telling what is its mac address to the sender. On recieving the arp reply the the mac-ip combination is entered into arp cache, which is a table mapping ip address with mac address. This entry is used for further communication.
When a system want to communicate with the outer-world(say, packets will be sent to somewhere called default gateway, the gateway routes it, and after going through a series of routers the packet will reach the destination, similarly the reply (from facebook) reaches your system.

So far everything is good, but there is a serious problem, it is due to the arp protocol. When a system receives an arp-reply it will enter the combination it received into arp-cache without checking whether it asked the sender, this is the default behavior of the system. So if somebody wants to make your arp-cache holding wrong combination when you are using LAN, they can.
So what can be done is, somebody can send a spoofed packet to you saying that the gateway has a mac address which is not its actual one. Similarly he can lie to the gateway about your mac address and doing so, you will loose your network connection, this is a form of denial of service attack. The behavior of the gateway varies, it will either refresh the arp-cache with a default one after some time or keeps it for ever, in that case you will loose your internet until you manually correct it. So we will see how somebody manages to do so.
In the next post we discuss about arp-poisoning at the practical level.

Tags:-arp, poisoning, cache, mac, address, Dos, LAN