427 Botnet fm qxd

■
ARP spoofing
A host in a local subnet has decided to broadcast an
ARP packet to attempt to overwrite ARP caches in other hosts. As a
result, the spoofing host steals another host’s IP address on the subnet.
Thus the ARP cache entry for a benign host X that consists of X’s
IP, and Layer 2 MAC address are overwritten with evil host E’s MAC
address. Note that E is usurping X’s IP address. Our evil host E is
simply replacing X’s MAC with E’s MAC address in some third-party
host Z’s ARP cache. Now when Z tries to talk to X (good), the
packets first go to E (evil).Typically but not always, E tries to replace
the local router’s MAC address with its own address.This allows it to
see all the packets good hosts are trying to send to and from the
Internet and enables an entire bag full of possible man-in-the-middle
(MITM) attacks.This form of attack is sometimes called 
ARP poi-
soning
as well.
■
Switch forwarding table overflow 
One common way to implic-
itly disable Unicast segmentation is to send out enough MAC
addresses to cause the switch’s adaptive learning table (which has
many names, depending on the vendor, including CAM table, for-
warding table, and the like) to fill up with useless cruft. As a result,
Unicast segmentation may be turned off, and packets from A to B, as
in our previous example, will be flooded to C.This sort of attack is,
of course, not likely to be benign and is available via the Ettercap
tool or other similar tools.
The next worst thing to having a malefactor standing physically next to a
protected computer is to have the attacker within the same ARP broadcast
range of a protected host. Until recently there has been little useful protection
against some forms of attack in the same broadcast domain. One could also
point out that ARP and DHCP as fundamental networking protocols lack
authentication. Moreover, other protocols might assume that nearby hosts are
“safe” and hence use plain-text passwords to contact those systems, or simply
send in the clear data that’s possibly useful for identity theft.
Some have called having only a border firewall and no other defenses
“M&M security,” meaning that the border firewall represents a hard, crunchy
shell that, once pierced, leads to a soft, chewy middle. In a recent blog entry

Download 6,98 Mb.

Do'stlaringiz bilan baham: