Identifying the user

This section describes methods for authorising and tracking users and preventing them from changing their identity on the network.

IP spoofing and tracking

Unknown users who attempt to change IP address—to circumvent billing or to hide their identity—can be a problem for administrators.

Changing IP address for malicious reasons is most commonly called IP spoofing in this document. On an Ethernet segment it is carried out by falsifying ARP, so the same attack is also known as ARP spoofing, ARP poisoning, and ARP poison routing (APR). (Strictly speaking, IP spoofing also denotes forging the source address of IP packets; the ARP-based variant is the one discussed here.) The net result is the same for all of these: the victim ends up with false information in its ARP table.

The trouble with ARP

IP spoofing takes advantage of the inherently insecure design of ARP: requests and replies carry no authentication, and most hosts will update an ARP cache entry from any request or reply that reaches them, solicited or not. In an Ethernet network, a client may use a Gratuitous ARP (GARP), or merely send an ARP request or reply with false information, to announce a phoney identity to the local subnet.

A phoney announcement may be made in a number of ways for a number of reasons. The following table briefly explains these factors.

If the ARP or GARP packet contains...                  Then...

1. A MAC that does not exist on the network, and       the attacker may be trying to fill up the router's
   an IP address that does not exist on the network    ARP table so that the subnet's router cannot learn
                                                       more addresses. As a result, return (routed) traffic
                                                       may not be forwarded.

2. A MAC that is owned by the attacker, and            the attacker is using an IP address that the
   an IP address that does not exist on the network    administrator has not assigned, and so may be trying
                                                       to avoid traceability.

3. A MAC that is owned by the attacker, and            the attacker is trying to intercept traffic destined
   an IP address that is owned by another host         for this host.

4. A MAC that is owned by the attacker, and            the attacker is trying to intercept all traffic
   an IP address that is owned by the subnet router    leaving the subnet.

5. A MAC that does not exist on the network, and       the attacker is trying to cause traffic to this IP
   an IP address that exists on the network            address to flood to all hosts in the subnet (the
                                                       switch has no port for the bogus MAC, so it floods
                                                       the frames). Hosts disregard the flooded traffic
                                                       because it is not addressed to any host's MAC
                                                       address. This means that the attacker receives the
                                                       traffic and its intended recipient ignores it.

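The table above is, in effect, the decision logic of an ARP inspection check. The following is an added example, not code from the Allied Telesis manual or its switch firmware: it classifies constructed ARP announcements against a constructed IP-to-MAC binding table (the kind DHCP snooping would build) and maps each to one of the five cases. It treats a sender MAC that matches the frame's Ethernet source MAC as a MAC the sender really owns, and any other sender MAC as one that may not exist on the network; it also goes one step beyond the table with a "mac-mismatch" verdict for a correct binding carried in a frame from a different MAC. The field names, verdict labels and addresses are assumptions of this example.

```python
"""Classify ARP announcements against a trusted binding table.

Added example, not from the Allied Telesis manual. The binding table,
addresses, field names and verdict labels are all constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: IP-to-MAC bindings the switch trusts (DHCP snooping or static).
KNOWN_HOSTS: Dict[str, str] = {
    "192.0.2.1": "00:11:22:33:44:01",   # subnet router
    "192.0.2.10": "00:11:22:33:44:10",
    "192.0.2.11": "00:11:22:33:44:11",
}
ROUTER_IP = "192.0.2.1"


@dataclass(frozen=True)
class ArpAnnouncement:
    """The parts of an ARP request or reply that matter for the check."""
    frame_src_mac: str   # Ethernet source address of the frame
    sender_mac: str      # sender hardware address inside the ARP payload
    sender_ip: str       # sender protocol address inside the ARP payload
    target_ip: str       # target protocol address (== sender_ip for a GARP)

    @property
    def gratuitous(self) -> bool:
        return self.sender_ip == self.target_ip


def classify(pkt: ArpAnnouncement,
             known_hosts: Dict[str, str] = KNOWN_HOSTS,
             router_ip: str = ROUTER_IP) -> str:
    """Map one announcement to a case from the manual's table.

    A sender MAC equal to the frame's source MAC is one the sender really
    owns; a mismatch means the announced MAC is not the one the switch
    learned on that port and may not exist on the network at all.
    """
    mac_is_real = pkt.sender_mac.lower() == pkt.frame_src_mac.lower()
    bound_mac = known_hosts.get(pkt.sender_ip)

    if bound_mac is None:
        # Case 2 (real MAC, unassigned IP) or case 1 (bogus MAC, bogus IP).
        return "unassigned-ip" if mac_is_real else "table-exhaustion"
    if bound_mac.lower() == pkt.sender_mac.lower():
        # Correct binding; still suspicious if the frame came from elsewhere.
        return "legitimate" if mac_is_real else "mac-mismatch"
    if not mac_is_real:
        # Case 5: poisons caches with an unreachable MAC, so frames for this
        # IP become unknown unicast and the switch floods them to every port.
        return "flood-induction"
    # Cases 4 and 3: attacker's own MAC claiming someone else's IP.
    return "router-hijack" if pkt.sender_ip == router_ip else "host-hijack"


def inspect(packets: List[ArpAnnouncement],
            reject_garp: bool = True) -> List[Tuple[str, str]]:
    """Return (verdict, action) per packet.

    Anything other than a legitimate binding is dropped; with reject_garp
    set, gratuitous ARPs are dropped even when their binding is correct.
    """
    results = []
    for pkt in packets:
        verdict = classify(pkt)
        drop = verdict != "legitimate" or (reject_garp and pkt.gratuitous)
        results.append((verdict, "drop" if drop else "forward"))
    return results


ATTACKER = "00:aa:bb:cc:dd:ee"   # constructed: the attacker's real NIC
SAMPLE = [  # constructed announcements, one per case in the table
    ArpAnnouncement("00:11:22:33:44:10", "00:11:22:33:44:10", "192.0.2.10", "192.0.2.1"),
    ArpAnnouncement(ATTACKER, "02:de:ad:be:ef:01", "10.9.8.7", "10.9.8.7"),
    ArpAnnouncement(ATTACKER, ATTACKER, "192.0.2.200", "192.0.2.200"),
    ArpAnnouncement(ATTACKER, ATTACKER, "192.0.2.10", "192.0.2.10"),
    ArpAnnouncement(ATTACKER, ATTACKER, "192.0.2.1", "192.0.2.1"),
    ArpAnnouncement(ATTACKER, "02:de:ad:be:ef:02", "192.0.2.11", "192.0.2.11"),
]

if __name__ == "__main__":
    for pkt, (verdict, action) in zip(SAMPLE, inspect(SAMPLE)):
        print(f"{pkt.sender_ip:<14} {pkt.sender_mac}  {verdict:<16} {action}")
```

Running the block prints one line per sample packet; only the first (a normal, non-gratuitous reply with the correct binding) is forwarded. The source-MAC comparison is the same idea a switch's ARP security check uses when it validates the ARP sender address against the frame header, and the binding lookup is what DHCP snooping supplies.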

The techniques for protecting the network are the same for all these phoney announcements: reject gratuitous ARPs, and control access to ports with DHCP snooping and ARP security. The following sections describe these solutions in detail.

Create A Secure Network With Allied Telesis Managed Layer 3 Switches
