Understanding Ethernet Operation and ARP Security in 1 Minute


Ethernet Operation

Access to the shared communications medium is determined by the MAC (Media Access Control) mechanism embedded in each network card. The MAC mechanism functions somewhat like a multi-participant conference call. Everyone on the call must listen for a period of quiet before speaking (Carrier Sense). Once a pause occurs in the conversation, everyone has an equal chance to say something (Multiple Access). If two people start talking at the same instant, they detect that fact and stop speaking (Collision Detection). Both people will then wait a random amount of time and try again. This CSMA/CD mechanism is invoked for every transmission on the network.

With Ethernet, after 16 consecutive collisions, the frame is aborted.
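The CSMA/CD behaviour described above, as an added simulation (not code from the original post): each station senses the medium before sending, colliding stations back off for a random number of slots, and a frame is dropped after its 16th consecutive collision. The backoff range (0 to 2^min(n,10) - 1 slots after the n-th collision) is the IEEE 802.3 truncated binary exponential backoff; slot counts, `frame_slots` and the `AlwaysZero` helper are assumptions made for the demonstration.

```python
import random

MAX_ATTEMPTS = 16      # Ethernet gives up on a frame after 16 consecutive collisions
MAX_BACKOFF_EXP = 10   # 802.3 truncated binary exponential backoff caps the range at 2**10 slots


def backoff_slots(collisions, rng):
    """Slots to wait after the n-th consecutive collision: uniform in [0, 2**min(n, 10) - 1]."""
    k = min(collisions, MAX_BACKOFF_EXP)
    return rng.randrange(0, 2 ** k)


class AlwaysZero:
    """Degenerate 'random' source that always picks backoff 0, so colliding stations never separate
    (assumed helper used only to demonstrate the 16-collision abort)."""

    def randrange(self, start, stop):
        return start


def simulate(ready_times, frame_slots=4, rng=None):
    """Run CSMA/CD for one frame per station.

    ready_times[i] is the slot at which station i first wants to send. Returns one dict per
    station with its final state ('sent' or 'aborted'), its collision count and its send slot.
    """
    rng = rng if rng is not None else random.Random(0)
    stations = [{"ready": t, "collisions": 0, "state": "waiting", "sent_at": None} for t in ready_times]
    busy_until = 0   # first slot at which the medium is idle again
    slot = 0
    while any(s["state"] == "waiting" for s in stations):
        # Carrier Sense: a station transmits only if its backoff has expired and the medium is idle.
        transmitting = [s for s in stations
                        if s["state"] == "waiting" and s["ready"] <= slot and slot >= busy_until]
        if len(transmitting) == 1:
            s = transmitting[0]
            s["state"], s["sent_at"] = "sent", slot
            busy_until = slot + frame_slots        # medium stays busy for the length of the frame
        elif len(transmitting) > 1:
            # Collision Detection: every sender backs off; the 16th collision aborts the frame.
            for s in transmitting:
                s["collisions"] += 1
                if s["collisions"] >= MAX_ATTEMPTS:
                    s["state"] = "aborted"
                else:
                    s["ready"] = slot + 1 + backoff_slots(s["collisions"], rng)
        slot += 1
    return stations


def summary(stations):
    """Count outcomes, e.g. {'sent': 2, 'aborted': 0}."""
    out = {"sent": 0, "aborted": 0}
    for s in stations:
        out[s["state"]] += 1
    return out


if __name__ == "__main__":
    print("two stations, random backoff:", summary(simulate([0, 0])))
    print("two stations, backoff always 0:", summary(simulate([0, 0], rng=AlwaysZero())))
```

With real backoff two stations that start together collide once or twice and then both get through; with the zero backoff they re-collide in every slot and both frames are aborted after exactly 16 collisions, which is the limit the text states.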

A collision domain is the set of devices which will see a frame transmitted by a given host.
A broadcast domain is the set of devices which will see a layer 2 broadcast frame (a frame with a destination MAC address of FF:FF:FF:FF:FF:FF, the Ethernet broadcast address) transmitted by a host.

Several devices are used when networking multiple Ethernet devices together, including hubs, switches and bridges.

A Hub operates at the OSI model's physical layer. It acts as a repeater. Hubs have one broadcast domain, and one collision domain.

A switch operates at the OSI model's data link layer. All switches examine incoming frames to determine the MAC address of the sender's interface. They use this information to build a MAC address table of "MAC address : switch port" pairs. Using this table, the switch sends a received frame only out the port associated with that frame's destination MAC address. Switches have one broadcast domain and many collision domains: every single port on the switch constitutes a separate collision domain.

A bridge is functionally and operationally equivalent to a switch. However, bridges have software-based frame-forwarding engines, while switches contain a hardware-based frame-forwarding engine.

Ethernet Security Concern - Attacking a switch's MAC address table

Within a collision domain, any node sees all network traffic to or from every other node within that same collision domain. Usually, nodes ignore all received frames which are not addressed to either the node's MAC address or to the broadcast MAC address. However, most network interfaces can override this behavior by operating in promiscuous mode. In promiscuous mode, a network interface processes all received frames.

Switches, however, provide a barrier against hosts with promiscuous-mode interfaces. On a switch, every port is a separate collision domain. As a result, on a switch, attached hosts operating in promiscuous mode only see broadcast frames and frames directly addressed to the host.

To sniff network traffic, a network attacker must overcome the obstacle that switches provide as well as have a network interface operating in promiscuous mode. Often, this is done by flooding the switch with spoofed Ethernet frames whose source MAC addresses are randomly generated. The switch must store the source address of each of these frames. By generating hundreds of bogus source MAC addresses, the attacker can fill the switch's MAC address table. Most switches revert to hub-mode operation (flooding frames out every port) when their MAC address table is full. Tools like macof can be used to perform source MAC address flooding. A MAC address lockout mechanism, where the switch provides one, can also protect against MAC address flooding.
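The table-learning behaviour of a switch and the failure mode just described, as an added model (not code from the original post): a learning switch with a bounded MAC table keeps "MAC : port" pairs and forwards known unicast frames to one port; once the table overflows, older entries are pushed out, destinations become unknown and unicast frames are flooded to every port, including a sniffer's. The `max_macs_per_port` option models a lockout mechanism that shuts a port once it has sourced more MAC addresses than allowed. The table size of 8 entries, FIFO eviction, the port numbers and the random MAC generator are assumptions for the demonstration; the two host MACs are taken from the page's own examples.

```python
import random
from collections import OrderedDict

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy model of a learning switch with a bounded MAC table and an optional per-port MAC limit."""

    def __init__(self, ports, table_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = table_capacity
        self.max_macs_per_port = max_macs_per_port   # None = no lockout mechanism configured
        self.table = OrderedDict()                   # MAC -> port, oldest entry first
        self.shutdown = set()                        # ports disabled by the lockout mechanism
        self.flooded_unicasts = 0                    # unicast frames that had to be flooded

    def macs_on_port(self, port):
        return {mac for mac, p in self.table.items() if p == port}

    def learn(self, src, port):
        """Record 'src lives behind port'; evict the oldest entry when the table is full."""
        if src in self.table:
            self.table.move_to_end(src)
            self.table[src] = port
            return
        if self.max_macs_per_port is not None and len(self.macs_on_port(port)) >= self.max_macs_per_port:
            self.shutdown.add(port)                  # violation: shut the port instead of learning
            return
        if len(self.table) >= self.capacity:
            self.table.popitem(last=False)           # full table: the oldest entry is pushed out
        self.table[src] = port

    def forward(self, src, dst, in_port):
        """Return the set of egress ports for a frame received on in_port."""
        if in_port in self.shutdown:
            return set()
        self.learn(src, in_port)
        if in_port in self.shutdown:
            return set()
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return set() if out == in_port else {out}
        # Unknown destination (or broadcast): flood out every other port, which is hub behaviour.
        if dst != BROADCAST:
            self.flooded_unicasts += 1
        return {p for p in self.ports if p != in_port and p not in self.shutdown}


def random_mac(rng):
    """Locally administered unicast MAC with random lower 40 bits (constructed test data)."""
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def mac_flood(switch, port, count, seed=1):
    """Model of the flooding described in the text: many frames, each with a fresh random source MAC."""
    rng = random.Random(seed)
    for _ in range(count):
        switch.forward(random_mac(rng), random_mac(rng), port)


HOST_A, HOST_B = "00:05:75:7a:81:1b", "00:3c:ba:05:a8:d2"   # MACs reused from the page's examples


def demo(max_macs_per_port=None):
    """Hosts A (port 1) and B (port 2) talk, then port 3 floods. Returns (ports that see A's next
    frame to B, the switch) so the effect of the lockout setting can be compared."""
    sw = LearningSwitch(ports=[1, 2, 3], table_capacity=8, max_macs_per_port=max_macs_per_port)
    sw.forward(HOST_A, BROADCAST, 1)   # A's ARP request floods; A is learned on port 1
    sw.forward(HOST_B, HOST_A, 2)      # B's unicast reply; B is learned on port 2
    mac_flood(sw, port=3, count=50)
    return sw.forward(HOST_A, HOST_B, 1), sw


if __name__ == "__main__":
    print("no lockout, A->B reaches ports:", demo()[0])
    print("2 MACs per port, A->B reaches ports:", demo(max_macs_per_port=2)[0])
```

Without a lockout, fifty bogus source addresses are enough to push both real hosts out of an eight-entry table, so A's next unicast to B is flooded to port 3 as well. With a two-address limit per port, the third bogus address shuts port 3 and the A to B frame is still delivered only to port 2.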

Countermeasure: Detect Promiscuous Network Interfaces


As an administrator, you should monitor your network regularly to detect promiscuous-mode interfaces. You can use the following approaches:
1. Send an ICMP echo request or ARP request to the suspected host with an incorrect destination MAC address. If the remote interface is in promiscuous mode, it will respond to the echo/ARP request.
2. Send IP traffic with an incorrect destination MAC address and spoofed source IP addresses to the remote host, then monitor the remote host's outbound traffic for reverse DNS lookup requests for those spoofed source IP addresses.
3. Tools like sentinel, available at http://packetstormsecurity.nl/UNIX/IDS/sentinel/, can test whether a remote host has a promiscuous interface.
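Two administrator-side checks that follow from the list above, as an added example (not code from the original post or from sentinel): a parser that audits a Linux host's own interfaces for the PROMISC flag in `ip -o link show` output, and a small model of why the bogus-destination-MAC probe in approach 1 works: a normal-mode interface discards the frame in hardware, while a promiscuous interface passes it up to a stack that answers based only on the target IP. The sample `ip` output is constructed, and the `probe_reply_expected` model reproduces the page's claim rather than any particular operating system's stack.

```python
import re
import subprocess

# Constructed sample of `ip -o link show` output (one interface per line; the backslash is
# literal in the real output). eth0 has PROMISC set, eth1 does not.
SAMPLE_IP_LINK = r"""1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

# "<index>: <name>[@parent]: <FLAG,FLAG,...>" at the start of each line
LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>", re.M)


def promiscuous_interfaces(ip_link_output):
    """Return the names of interfaces whose flag list contains PROMISC."""
    found = []
    for m in LINK_RE.finditer(ip_link_output):
        flags = set(m.group("flags").split(","))
        if "PROMISC" in flags:
            found.append(m.group("name"))
    return found


def local_check():
    """Run the audit against this host (Linux with iproute2)."""
    out = subprocess.run(["ip", "-o", "link", "show"], capture_output=True, text=True, check=True).stdout
    return promiscuous_interfaces(out)


BROADCAST = "ff:ff:ff:ff:ff:ff"


def nic_delivers(frame_dst_mac, iface_mac, promiscuous):
    """Does the interface hand this frame to the IP/ARP stack? In normal mode only frames for
    its own MAC or the broadcast MAC get through; in promiscuous mode everything does."""
    if promiscuous:
        return True
    return frame_dst_mac.lower() in (iface_mac.lower(), BROADCAST)


def probe_reply_expected(frame_dst_mac, target_ip, host):
    """Model of approach 1: a reply comes back only if the NIC passed the frame up AND the stack
    recognises the target IP as its own; the stack does not re-check the destination MAC."""
    return nic_delivers(frame_dst_mac, host["mac"], host["promiscuous"]) and target_ip == host["ip"]


if __name__ == "__main__":
    print("promiscuous in sample:", promiscuous_interfaces(SAMPLE_IP_LINK))
    host = {"ip": "10.153.11.12", "mac": "00:3c:ba:05:a8:d2", "promiscuous": False}
    print("normal mode answers bogus-MAC probe:", probe_reply_expected("ff:ff:ff:ff:ff:fe", host["ip"], host))
    host["promiscuous"] = True
    print("promiscuous mode answers bogus-MAC probe:", probe_reply_expected("ff:ff:ff:ff:ff:fe", host["ip"], host))
```

Run `local_check()` from a cron job or configuration-management run on each host and alert on any non-empty result; the probe model is there to make the logic of approach 1 explicit, since a remote test still needs a packet-crafting tool such as sentinel.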

Additional related tools: snoop, the libpcap library, tcpdump, Ethereal.

Review ARP Operation

Before an IP packet can be transmitted to another host, it must be encapsulated inside a layer 2 frame. When using Ethernet for layer 2, the frame must have a destination MAC address specifying the location of the recipient host. For this process to work, a mapping protocol which can determine the recipient's MAC address from the recipient's IP address is required. This mapping protocol is Address Resolution Protocol (ARP).

In typical ARP operation, host A, seeking to contact an IP address of host B on the same subnet, will issue a layer 2 broadcast ARP request. This request broadcasts the IP address of host B, asking for host B's MAC address. Host B, receiving the broadcast, responds to this request with a unicast ARP reply to host A. Host A then caches that information in its ARP table.

tcpdump capture of ARP operation:

Host A -> ff:ff:ff:ff:ff:ff ARP who has 10.153.11.12? Tell 10.153.11.5
Host B -> Host A ARP 10.153.11.12 is at 00:3c:ba:05:a8:d2

Examining the ARP cache:
/usr/sbin/arp -a
Device IP Address Mask Flags Phys Addr
------ ------------------- ---------- ------ --------------------
hme0 10.100.9.6 255.255.255.255 00:05:75:7a:81:1b

Deleting a cached entry and adding a static entry:

/usr/sbin/arp -d 10.100.9.6
/usr/sbin/arp -s 10.100.9.12 00:01:03:DE:A1:57
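The request/reply exchange and the resulting cache, as an added monitoring example (not code from the original post): the monitor reads capture lines in the same simplified notation as the tcpdump excerpt above, builds the IP to MAC cache a host would end up with, and flags a reply that nobody requested, a reply that changes an existing mapping, and a reply that contradicts a static entry pinned the way `arp -s` does. The capture is constructed; the last line uses a MAC from the documentation range (00:00:5e:00:53:xx) as the conflicting address.

```python
import re

# Constructed capture in the page's notation. The final line is a reply nobody asked for,
# carrying a different MAC for 10.153.11.12 than the earlier, solicited reply.
SAMPLE_CAPTURE = """\
Host A -> ff:ff:ff:ff:ff:ff ARP who has 10.153.11.12? Tell 10.153.11.5
Host B -> Host A ARP 10.153.11.12 is at 00:3c:ba:05:a8:d2
Host A -> ff:ff:ff:ff:ff:ff ARP who has 10.153.11.1? Tell 10.153.11.5
Host C -> Host A ARP 10.153.11.1 is at 00:01:03:de:a1:57
Host X -> Host A ARP 10.153.11.12 is at 00:00:5e:00:53:01
"""

REQUEST_RE = re.compile(r"ARP who has (\S+)\? Tell (\S+)")
REPLY_RE = re.compile(r"ARP (\S+) is at (\S+)")


class ArpMonitor:
    def __init__(self, static=None):
        # Entries pinned by the administrator (the equivalent of `arp -s`), normalised to lower case
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.cache = {}        # IP -> MAC learned from replies: what a host's ARP table would hold
        self.pending = set()   # target IPs with an outstanding request
        self.alerts = []

    def process(self, line):
        """Feed one capture line; returns the alerts raised by that line (possibly none)."""
        m = REQUEST_RE.search(line)
        if m:
            self.pending.add(m.group(1))
            return []
        m = REPLY_RE.search(line)
        if not m:
            return []
        ip, mac = m.group(1), m.group(2).lower()
        alerts = []
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            alerts.append(f"unsolicited reply: {ip} is at {mac}")
        if ip in self.static and self.static[ip] != mac:
            alerts.append(f"static entry violated: {ip} pinned to {self.static[ip]}, reply says {mac}")
        elif ip in self.cache and self.cache[ip] != mac:
            alerts.append(f"mapping changed: {ip} was {self.cache[ip]}, now {mac}")
        self.cache[ip] = mac   # record what an unprotected host's cache would now contain
        self.alerts.extend(alerts)
        return alerts


def monitor(capture, static=None):
    """Run the monitor over a whole capture and return it for inspection."""
    mon = ArpMonitor(static)
    for line in capture.splitlines():
        mon.process(line)
    return mon


if __name__ == "__main__":
    mon = monitor(SAMPLE_CAPTURE)
    print("cache:", mon.cache)
    for alert in mon.alerts:
        print("ALERT:", alert)
    pinned = monitor(SAMPLE_CAPTURE, static={"10.153.11.12": "00:3C:BA:05:A8:D2"})
    for alert in pinned.alerts:
        print("ALERT (with static entry):", alert)
```

In the constructed capture the last reply raises both an "unsolicited" and a "mapping changed" alert, and the cache ends up holding the later MAC, which is exactly what a host without a static entry would have cached. With the entry pinned, the same line raises a "static entry violated" alert instead of the change alert.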


Additional Ethernet/IP security-related information can be found in my blog post "Analyzing IP and ARP Weaknesses in 1 Minute".