1
00:00:00,240 --> 00:00:01,740
In this lesson, we're going to discuss

2
00:00:01,740 --> 00:00:04,170
Address Resolution Protocol attacks.

3
00:00:04,170 --> 00:00:06,450
Now, Address Resolution Protocol, or ARP,

4
00:00:06,450 --> 00:00:08,730
is a fundamental concept in IP networking

5
00:00:08,730 --> 00:00:11,100
that's used to map an IP address to a MAC address

6
00:00:11,100 --> 00:00:13,020
on a given local area network.

7
00:00:13,020 --> 00:00:15,600
Unfortunately, ARP is a really old protocol,

8
00:00:15,600 --> 00:00:17,640
and it doesn't have a lot of security built into it,

9
00:00:17,640 --> 00:00:19,920
so, it's vulnerable to attacks such as ARP spoofing,

10
00:00:19,920 --> 00:00:21,390
and ARP poisoning.

11
00:00:21,390 --> 00:00:23,760
First, let's consider ARP spoofing.

12
00:00:23,760 --> 00:00:26,040
Now, ARP spoofing is an attack where an attacker

13
00:00:26,040 --> 00:00:27,990
is going to send falsified ARP messages

14
00:00:27,990 --> 00:00:29,760
over the local area network.

15
00:00:29,760 --> 00:00:31,890
This can result in linking the attacker's MAC address

16
00:00:31,890 --> 00:00:33,750
with the IP address of a legitimate computer

17
00:00:33,750 --> 00:00:36,240
or server that's already on that network.

18
00:00:36,240 --> 00:00:37,680
Now, the goal here for the attacker

19
00:00:37,680 --> 00:00:39,090
is to get the attacker's MAC address

20
00:00:39,090 --> 00:00:40,920
to become associated with an IP address

21
00:00:40,920 --> 00:00:42,450
for a legitimate service.

22
00:00:42,450 --> 00:00:43,830
This will then allow the attacker

23
00:00:43,830 --> 00:00:45,390
to begin receiving any data that was meant

24
00:00:45,390 --> 00:00:47,160
for that legitimate IP address,

25
00:00:47,160 --> 00:00:49,200
and this allows them to intercept, modify,

26
00:00:49,200 --> 00:00:51,960
or even stop data in transit if they want to.

27
00:00:51,960 --> 00:00:54,210
In fact, this kind of ARP spoofing can be used

28
00:00:54,210 --> 00:00:55,683
to initiate an on-path attack inside

29
00:00:55,683 --> 00:00:57,780
of your layer 2 networks.

30
00:00:57,780 --> 00:00:59,940
Second, we have ARP poisoning.

31
00:00:59,940 --> 00:01:01,830
Now, ARP poisoning is a form of attack

32
00:01:01,830 --> 00:01:03,810
that corrupts the ARP cache in the network,

33
00:01:03,810 --> 00:01:05,940
which is also known as your ARP table.

34
00:01:05,940 --> 00:01:08,340
The ARP poisoning involves sending malicious ARP packets

35
00:01:08,340 --> 00:01:10,050
to a default gateway on a LAN

36
00:01:10,050 --> 00:01:11,910
to try to associate the attacker's MAC address

37
00:01:11,910 --> 00:01:14,640
with the IP address of each LAN device.

38
00:01:14,640 --> 00:01:16,980
By using ARP poisoning, an attacker can alter

39
00:01:16,980 --> 00:01:19,740
the network traffic flow and enable data interception,

40
00:01:19,740 --> 00:01:22,620
session hijacking, or denial of service attacks.

41
00:01:22,620 --> 00:01:24,540
Now, I know these sound very similar,

42
00:01:24,540 --> 00:01:26,490
so, let me highlight the difference between ARP spoofing

43
00:01:26,490 --> 00:01:28,230
and ARP poisoning for you.

44
00:01:28,230 --> 00:01:30,450
In an ARP spoofing attack, the attacker is aiming

45
00:01:30,450 --> 00:01:32,160
to conduct a more targeted attack

46
00:01:32,160 --> 00:01:34,530
so that their machine replaces a legitimate network host

47
00:01:34,530 --> 00:01:36,870
inside the ARP cache or ARP table,

48
00:01:36,870 --> 00:01:38,490
but in an ARP poisoning attack,

49
00:01:38,490 --> 00:01:40,590
the attacker's attempting to send malicious ARP messages

50
00:01:40,590 --> 00:01:42,090
to the network's default gateway

51
00:01:42,090 --> 00:01:43,920
so that their own MAC address will be associated

52
00:01:43,920 --> 00:01:46,020
with multiple IP addresses for any

53
00:01:46,020 --> 00:01:48,900
or all of the devices inside of that LAN.

54
00:01:48,900 --> 00:01:52,200
So, an ARP spoof goes after a single host's traffic,

55
00:01:52,200 --> 00:01:54,930
whereas poisoning is really a larger scale version of this,

56
00:01:54,930 --> 00:01:56,190
where they're trying to affect most

57
00:01:56,190 --> 00:01:58,650
or all of the hosts on a given LAN.

58
00:01:58,650 --> 00:02:00,660
Now, attackers like to attempt ARP attacks,

59
00:02:00,660 --> 00:02:02,610
because it allows them to intercept their data,

60
00:02:02,610 --> 00:02:05,520
conduct on-path attacks, and cause network disruptions.

61
00:02:05,520 --> 00:02:08,190
Data interception can occur if the attacker's MAC address

62
00:02:08,190 --> 00:02:10,680
can become associated with a legitimate IP address,

63
00:02:10,680 --> 00:02:12,750
and that way, any sensitive data that's destined

64
00:02:12,750 --> 00:02:15,270
for that legitimate IP address will be intercepted,

65
00:02:15,270 --> 00:02:18,300
and then altered before reaching its intended destination.

66
00:02:18,300 --> 00:02:20,580
ARP spoofing is often used as a precursor

67
00:02:20,580 --> 00:02:22,110
for on-path attacks, too,

68
00:02:22,110 --> 00:02:24,630
where the attacker can intercept and modify communication

69
00:02:24,630 --> 00:02:27,090
between two parties without their knowledge.

70
00:02:27,090 --> 00:02:29,280
Additionally, the use of ARP poisoning can lead

71
00:02:29,280 --> 00:02:30,870
to significant network disruptions,

72
00:02:30,870 --> 00:02:32,580
and this makes it a good option in conducting

73
00:02:32,580 --> 00:02:35,490
denial of service attacks on a local area network.

74
00:02:35,490 --> 00:02:37,200
In order to perform an ARP attack,

75
00:02:37,200 --> 00:02:38,640
the attacker will first scan the network

76
00:02:38,640 --> 00:02:40,890
to capture IP addresses and MAC addresses

77
00:02:40,890 --> 00:02:42,720
that are linked together in pairs.

78
00:02:42,720 --> 00:02:44,490
Using a specialized software tool,

79
00:02:44,490 --> 00:02:47,100
the attacker can then send out fake ARP responses.

80
00:02:47,100 --> 00:02:49,800
These responses will try to convince devices on the network

81
00:02:49,800 --> 00:02:52,080
that the attacker's MAC address actually corresponds

82
00:02:52,080 --> 00:02:53,640
to a legitimate IP address,

83
00:02:53,640 --> 00:02:56,580
which is often going to be using the gateway IP.

84
00:02:56,580 --> 00:02:58,380
Another common technique is to conduct

85
00:02:58,380 --> 00:03:00,500
an ARP poisoning attack by conducting an ARP flood

86
00:03:00,500 --> 00:03:02,520
on the network with malicious ARP packets

87
00:03:02,520 --> 00:03:04,650
that are used to associate the attacker's MAC address

88
00:03:04,650 --> 00:03:07,830
with the IP addresses of other devices on that network.

89
00:03:07,830 --> 00:03:09,450
By using either of these techniques,

90
00:03:09,450 --> 00:03:11,070
the ARP cache can be corrupted,

91
00:03:11,070 --> 00:03:12,750
because the devices on the network will be storing

92
00:03:12,750 --> 00:03:14,790
the malicious MAC-IP address mappings

93
00:03:14,790 --> 00:03:16,230
in their own ARP caches,

94
00:03:16,230 --> 00:03:17,700
and this will then cause them to send traffic

95
00:03:17,700 --> 00:03:19,500
to the attacker instead of the real host

96
00:03:19,500 --> 00:03:21,330
or legitimate IP address.

97
00:03:21,330 --> 00:03:24,240
To detect ARP attacks, you need to use ARP monitoring tools

98
00:03:24,240 --> 00:03:25,860
to monitor ARP address mappings,

99
00:03:25,860 --> 00:03:27,270
and then alert your network administrators

100
00:03:27,270 --> 00:03:29,370
of any unusual ARP traffic patterns

101
00:03:29,370 --> 00:03:32,250
that might suggest possible ARP spoofing is occurring.

102
00:03:32,250 --> 00:03:35,010
Also, you can configure your Intrusion Detection Systems,

103
00:03:35,010 --> 00:03:37,890
or IDSs, to detect anomalies and traffic patterns,

104
00:03:37,890 --> 00:03:39,600
and to potentially identify ARP spoofing

105
00:03:39,600 --> 00:03:42,180
or poisoning activities on your networks.

106
00:03:42,180 --> 00:03:44,340
To help prevent ARP spoofing and ARP poisoning,

107
00:03:44,340 --> 00:03:47,280
you can use static ARP entries, dynamic ARP inspection,

108
00:03:47,280 --> 00:03:51,030
network segmentation, and VPNs, or encryption technologies.

109
00:03:51,030 --> 00:03:53,370
First, we have static ARP entries.

110
00:03:53,370 --> 00:03:56,040
By manually entering static ARP entries into your devices,

111
00:03:56,040 --> 00:03:57,960
you'll be able to prevent ARP spoofing.

112
00:03:57,960 --> 00:04:00,390
Unfortunately, though, this technique only works well

113
00:04:00,390 --> 00:04:01,470
in smaller networks,

114
00:04:01,470 --> 00:04:04,110
because it becomes impractical for large or dynamic networks

115
00:04:04,110 --> 00:04:05,670
'cause of all the overhead that would be involved

116
00:04:05,670 --> 00:04:07,710
in setting this up statically.

117
00:04:07,710 --> 00:04:10,620
Second, you can turn on Dynamic ARP Inspection.

118
00:04:10,620 --> 00:04:12,810
Dynamic ARP Inspection, or DAI,

119
00:04:12,810 --> 00:04:14,640
is a feature on most modern switches

120
00:04:14,640 --> 00:04:16,980
that can be used to inspect the ARP packets in the network

121
00:04:16,980 --> 00:04:18,839
and compare them against a trusted database

122
00:04:18,839 --> 00:04:20,579
of MAC-IP pairings.

123
00:04:20,579 --> 00:04:23,070
If any untrusted or suspicious mappings are found,

124
00:04:23,070 --> 00:04:25,020
the corresponding ARP packets will be dropped

125
00:04:25,020 --> 00:04:28,080
as they try to pass through the DAI-capable switch.

126
00:04:28,080 --> 00:04:30,450
Third, we have network segmentation.

127
00:04:30,450 --> 00:04:32,400
By dividing up our network into smaller segments

128
00:04:32,400 --> 00:04:33,900
by using things like VLANs,

129
00:04:33,900 --> 00:04:35,820
we can limit the scope of an ARP attack

130
00:04:35,820 --> 00:04:38,520
and make our network management much more straightforward.

131
00:04:38,520 --> 00:04:40,710
Fourth and finally, we have the use of VPNs

132
00:04:40,710 --> 00:04:42,270
and encryption technologies.

133
00:04:42,270 --> 00:04:44,340
By using VPNs and encrypting your data,

134
00:04:44,340 --> 00:04:45,600
you're going to be able to prevent attackers

135
00:04:45,600 --> 00:04:47,760
from reading or modifying intercepted data,

136
00:04:47,760 --> 00:04:50,610
even if their ARP spoofing attacks were successful.

137
00:04:50,610 --> 00:04:52,710
So remember, ARP spoofing and poisoning

138
00:04:52,710 --> 00:04:55,200
are significant security threats in network environments.

139
00:04:55,200 --> 00:04:56,400
They're designed to take advantage

140
00:04:56,400 --> 00:04:59,190
of the inherent vulnerabilities of the ARP protocol.

141
00:04:59,190 --> 00:05:01,380
ARP spoofing is an attack where an attacker

142
00:05:01,380 --> 00:05:03,210
is going to send falsified ARP messages

143
00:05:03,210 --> 00:05:05,160
over your local area network to result

144
00:05:05,160 --> 00:05:06,960
in the linking of an attacker's MAC address

145
00:05:06,960 --> 00:05:08,910
with the IP address of a legitimate computer

146
00:05:08,910 --> 00:05:10,770
or server on that network.

147
00:05:10,770 --> 00:05:12,390
ARP poisoning is a form of attack

148
00:05:12,390 --> 00:05:14,760
that corrupts the ARP cache or the ARP table,

149
00:05:14,760 --> 00:05:17,160
and ARP poisoning involves sending malicious ARP packets

150
00:05:17,160 --> 00:05:18,780
to a default gateway on the LAN

151
00:05:18,780 --> 00:05:20,640
to associate the attacker's MAC address

152
00:05:20,640 --> 00:05:23,190
with the IP address of each LAN device.

153
00:05:23,190 --> 00:05:25,680
To prevent ARP spoofing and ARP poisoning from occurring,

154
00:05:25,680 --> 00:05:27,420
you should implement vigilant monitoring,

155
00:05:27,420 --> 00:05:28,770
employ preventative technologies,

156
00:05:28,770 --> 00:05:30,360
like Dynamic ARP Inspection,

157
00:05:30,360 --> 00:05:32,400
and adhere to network security best practices

158
00:05:32,400 --> 00:05:34,410
to significantly mitigate the risks associated

159
00:05:34,410 --> 00:05:35,583
with ARP attacks.

