Computer Science homework help. Career Relevancy
Network analysts are expected to know how to use sniffing tools and how to prevent MAC, DHCP, ARP poisoning, MAC spoofing and DNS poisoning attacks. The analyst must also know what the law permits when intercepting data communications between two endpoints. This type of interception is used for surveillance on telecommunications, VoIP, data, and multiservice networks.
Sniffing is the process through which hackers can monitor and capture all packets passing through a given network. This practice is similar to tapping phone wires in order to listen to private conversations. It may also be referred to as “wiretapping” when applied to computer networks.
For this discussion, we will define network sniffing and its threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the OSI model, hardware protocol analyzers, SPAN ports, wiretapping, and lawful interception.
As previously mentioned, packet sniffing includes monitoring and capturing all data packets passing through a given network by using a software application or a hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts attached to that segment. However, most of today’s networks are built on switches. A switch is an advanced computer networking device. The major difference between a hub and a switch is that a hub repeats incoming data to every port and keeps no mapping of which device is on which port, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data only to the required port. A MAC address is a hardware address that uniquely identifies each node of a network. An attacker therefore needs to manipulate the functionality of the switch in order to see all the traffic passing through it. A packet sniffing program (also known as a “sniffer”) can capture data packets only from within a given subnet, meaning that it will not be able to sniff packets from another network.
The most common way of networking computers is through Ethernet. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The Data Link Layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The Network Layer is responsible for mapping IP network addresses to MAC addresses as required by the Data Link protocol. It first looks for the MAC address of the destination machine in a table, usually called the ARP cache. If there is no entry for the IP address, an ARP request packet is broadcast to all machines on the local sub-network. The machine with that IP address responds to the source machine with its MAC address. The source machine adds this MAC address to its ARP cache and then uses it in all further communication with the destination machine.
Attackers use various sniffing techniques such as MAC attacks, DHCP attacks, ARP poisoning, spoofing attacks, DNS poisoning, etc. to steal and manipulate sensitive data. Attackers use these techniques to get control over the target network by reading captured data packets and then using that information to break into the network.
MAC flooding is a technique used to compromise the security of network switches that connect network segments or network devices. Attackers use the MAC flooding technique to force a switch to act as a hub, so that they can easily sniff the traffic.
In a switched network, an Ethernet switch contains a CAM table that stores the MAC addresses of the devices connected to the network. A switch acts as an intermediate device between one or more computers in a network. It looks at each Ethernet frame, which carries the destination MAC address, matches this address against the MAC addresses in its CAM table, and forwards the traffic to the destined machine. Unlike a hub, which broadcasts the data across the network, the switch sends data only to the intended recipient. Thus, a switched network is more secure when compared to a hub network. However, the size of the CAM table is fixed, so it can only store a limited number of MAC addresses. An attacker could send a massive number of fake MAC addresses to the switch, filling the MAC address table and forcing the switch into “fail-open mode.” In fail-open mode, the switch starts behaving like a hub and broadcasts the incoming traffic through all the ports in the network. The attacker then switches his machine’s NIC into promiscuous mode so that it accepts all the traffic entering it. In this way, attackers can sniff the traffic easily, lifting sensitive information with little effort.
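To make the CAM-table behaviour concrete, here is an added example (not part of the original assignment or any vendor's code): a toy learning switch with a fixed-size CAM table that shows why flooding forged source MACs makes it fall back to hub-like flooding, and how a per-port limit on learned MACs (the idea behind port-security features) contains it. The eviction policy (drop the oldest entry when full), the port numbers and all MAC addresses are constructed assumptions.

```python
from collections import OrderedDict


class LearningSwitch:
    def __init__(self, cam_capacity, max_macs_per_port=None):
        self.cam = OrderedDict()          # MAC -> port, kept in learn order
        self.cam_capacity = cam_capacity  # fixed CAM size (assumed model)
        self.max_macs_per_port = max_macs_per_port
        self.violations = []              # (port, mac) blocked by the limit

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def learn(self, src_mac, in_port):
        """Record src_mac on in_port; return False if port security blocks it."""
        if src_mac in self.cam:
            self.cam[src_mac] = in_port
            return True
        if (self.max_macs_per_port is not None
                and self._macs_on_port(in_port) >= self.max_macs_per_port):
            self.violations.append((in_port, src_mac))
            return False
        if len(self.cam) >= self.cam_capacity:
            # Table full: this toy evicts the oldest entry, so legitimate
            # hosts get pushed out and become "unknown" destinations.
            self.cam.popitem(last=False)
        self.cam[src_mac] = in_port
        return True

    def forward(self, src_mac, dst_mac, in_port, all_ports):
        """Return the set of ports a frame is sent out of."""
        if not self.learn(src_mac, in_port):
            return set()                     # violation: frame dropped
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}       # normal switched delivery
        return set(all_ports) - {in_port}    # unknown unicast: flooded like a hub


def flood_demo(protected):
    """Victim on port 1, server on port 2, flooding source on port 3."""
    ports = [1, 2, 3]
    sw = LearningSwitch(cam_capacity=8, max_macs_per_port=2 if protected else None)
    sw.learn("aa:aa:aa:aa:aa:01", 1)       # constructed victim MAC
    sw.learn("bb:bb:bb:bb:bb:02", 2)       # constructed server MAC
    for i in range(50):                     # 50 forged source MACs on port 3
        sw.learn("de:ad:be:ef:00:%02x" % i, 3)
    # The server now sends the victim a frame: which ports see it?
    out = sw.forward("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", 2, ports)
    return out, len(sw.violations)
```

Without the per-port limit the victim's frame is flooded to ports 1 and 3, so port 3 sees it; with the limit the table keeps the legitimate entries and the frame goes only to port 1, while the 48 blocked entries are exactly the events a switch would log or shut the port on.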
The Switch Port Stealing sniffing technique uses MAC flooding to sniff packets. The attacker floods the switch with forged, gratuitous ARP packets with the target’s MAC address as the source and his/her own MAC address as the destination. A race condition between the attacker’s flooded packets and the target host’s packets will occur, and thus the switch has to change its MAC address binding constantly between two different ports. In such a case, if the attacker is fast enough, he/she will be able to direct the packets intended for the target host toward his/her own switch port. Here, the attacker manages to steal the target host’s switch port and sends an ARP request to the stolen switch port to discover the target host’s IP address. When the attacker gets an ARP reply, this indicates that the target host’s switch port binding has been restored, allowing the attacker to sniff packets sent toward the targeted host.
Wiretapping a network can be controversial. Where should the line be drawn for spying on what others do? Explain your answer.