727624
U2.2 Switches, ARP
- addressing
- MAC
- media access control
- unique identifier for NICs
- source and destination in ethernet frames
- 48 bit value
- media access control
- IP
- 32 bits long
- 4 octects
- 4 octects
- reserved ranges for
private networks
- 10.0.0.0 - 10.255.255.255
- 172.16.0.0-172.31.255.255
- 192.168.0.0-192.168.255.255
- 10.0.0.0 - 10.255.255.255
- RFC 1918
- 32 bits long
- MAC
- ARP
- address resolution protocol
- protocol that translates MAC
addresses to IP addresses
- protocol that translates MAC
addresses to IP addresses
- steps
- 1. Device broadcasts to network: who has IP 192.168.0.x?
- ARP Query
- ARP Query
- 2. All devices receive request and evaluate.
- 3. Device with 192.168.0.x responds with MAC address
- ARP Reply
- ARP Reply
- 4. Querying device updates its ARP table
- 1. Device broadcasts to network: who has IP 192.168.0.x?
- address resolution protocol
- switches
- network topology like hub
- only sends frames to
intended recipient (rather
than broadcasting like hub)
- generally more efficient than
hubs because of this routing
- generally more efficient than
hubs because of this routing
- maps ports to MAC addresses
- layer 2
- network topology like hub
- ARP spoofing
- type of attack that uses ARP
protocol to allow one network
device to masquerade as another.
- ARP spoofing steps (see note)
- ARP spoofing steps (see note)
- tools: DSniff
http://www.monkey.org/~dugsong/dsniff/
- defense
- statically
define ARP
cache
- big maintenance
overhead
- big maintenance
overhead
- lock down
port-MAC
mapping
- inflexible
- inflexible
- issue
notification
of port-MAC
change
- statically
define ARP
cache
- legitimate use: failover
scenario, crashed server
- type of attack that uses ARP
protocol to allow one network
device to masquerade as another.
- MAC flooding attack
- type of attack where the switch becomes
overwhelmed and does one of 2 things
- switch does not
accept any more
mappings, freshly
booted devices
denied
- switch stops
routing and
broadcasts all
messages
- switch does not
accept any more
mappings, freshly
booted devices
denied
- steps
- 1. Attacker floods network with
gratuitous ARP replies with fake
MAC addresses.
- 2. Switch attempts to
map fake addresses and
fills up its mapping table.
- 1. Attacker floods network with
gratuitous ARP replies with fake
MAC addresses.
- defense
- configure to
ignore MAC
address floods
- could deny
legitimate
traffic
- could deny
legitimate
traffic
- send admin
alerts on MAC
address floods
- configure to
ignore MAC
address floods
- type of attack where the switch becomes
overwhelmed and does one of 2 things
Want to create your own Mind Maps for free with GoConqr? Learn more.