ARP poisoning

This test checks that the access switch inspects all received ARP packets and forwards only those that have a correct source MAC in the Ethernet header and a correct source MAC/source IP pair in the ARP payload. If customers can send spoofed ARP packets, the network is vulnerable to man-in-the-middle attacks against other customers, as well as to denial-of-service attacks. The test attempts to send spoofed ARP packets and also attempts to perform an attack.

Note: A switch commonly learns the correct, allowed MAC/IP address pair by snooping DHCP packets, i.e. the switch knows which MAC address has been assigned a certain IP address.
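The following Python is an added example, not part of the original test description or of any switch's code. It models the per-port check described above against a DHCP-snooping-style binding table, so the expected verdict for each kind of ARP reply can be reasoned about offline. The port names, addresses and function names are constructed, and it assumes untagged Ethernet II frames with one binding per port.

```python
import socket
import struct

# Constructed binding table, as a switch could learn it from DHCP snooping:
# untrusted access port -> (MAC, IPv4) leased to the host on that port.
BINDINGS = {
    "port1": ("02:00:00:00:00:0a", "192.0.2.10"),  # Customer
    "port2": ("02:00:00:00:00:14", "192.0.2.20"),  # Malicious
}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def inspect_arp(port, frame, bindings=BINDINGS):
    """Return (forward, reason) for an untagged frame received on `port`."""
    if len(frame) < 14:
        return False, "truncated frame"
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return True, "not ARP"          # other filters handle non-ARP traffic
    if len(frame) < 42:
        return False, "truncated ARP"
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "unexpected ARP format"
    if port not in bindings:
        return False, "no binding for port"
    mac, ip = bindings[port]
    # All three sender fields must agree with the binding for this port.
    if _mac(eth_src) != mac:
        return False, "Ethernet source MAC not bound to port"
    if _mac(sha) != mac:
        return False, "ARP sender MAC not bound to port"
    if socket.inet_ntoa(spa) != ip:
        return False, "ARP sender IP not bound to port"
    return True, "matches binding"

def build_arp_reply(eth_src, sha, spa, tha, tpa):
    """Build constructed ARP reply bytes to feed the checker (nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    return (m(tha) + m(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 2)
            + m(sha) + socket.inet_aton(spa) + m(tha) + socket.inet_aton(tpa))
```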

Impact: MITM, DoS

Test process

  • Malicious sends ARP replies to Customer using real addresses.
  • Malicious sends ARP replies to Customer using a fake IP address.
  • Malicious sends ARP replies to ISP using a fake IP address.
  • Malicious sends ARP replies to Customer using fake IP and MAC addresses.
  • Malicious sends ARP replies to ISP using fake IP and MAC addresses.
  • Malicious sends ARP replies with IP address from Customer and own MAC address while UDP packets are sent from ISP to Customer.

Fail criteria

  • An ARP reply with fake IP or MAC address arrives at Customer or ISP.
  • A packet intended for Customer arrives at Malicious in the last step of the test.

References

This test conforms to SEC Access Certification ID "SEC-V4-ARP-1" and to SAVI RFC 6959 sections 3.1.3 and 3.2.1.

Parameters

General

  • Malicious Customer: A customer interface performing malicious actions.
  • Customer: One or more customers that Malicious will affect.
  • ISP: A central node on a trusted port. The test requires that the ISP reside in the same Layer 2 network as Malicious and Customer.

Advanced

  • Source UDP port: Source UDP port for traffic sent from ISP to Customer. Range: 1 ... 65535. Default: 41234.
  • Destination UDP port: Destination UDP port for traffic sent from ISP to Customer. Range: 1 ... 65535. Default: 24567.