Essential Insecurities Part 4 — Ethernet

In the OSI model, network communication is divided into seven layers: application, presentation, session, transport, network, data link, and physical. In this entry we will examine the primary data link protocol, Ethernet.

Ethernet transports data between network devices. There are, as always, concerns about availability, integrity, and confidentiality. Attackers can block or disrupt the flow of Ethernet frames. Or they can quietly gather those frames, reassemble them, and glean confidential information. Ethernet passes information across shared network media, and that medium is untrusted.

On a shared medium, only one Ethernet device can talk at a time. Ethernet has methods to detect that some device is already talking and to wait. These are CSMA/CD for wired and CSMA/CA for wireless connections. CD stands for collision detection and CA for collision avoidance. They can be thought of as listening for your turn versus raising your hand and asking to speak.

Both can be exploited to disrupt availability. For instance, an attacker wired into the LAN transmits constantly. The victim patiently waits its turn to talk. Because it never detects silence, the victim never sends its data. Now imagine the attacker and victim are both on a wireless network. The victim requests permission to communicate with the access point; basically, it raises its hand. The attacker then sends a response telling it to wait. The victim does, and never transmits. Silence is the result.

Instead of silencing the victim, however, the attacker may wish to listen in. The attacker puts his network card into promiscuous mode. Depending on one’s point of view, this might sound immoral or rather interesting. In fact, it simply means the attacker’s computer now receives all frames on the shared network medium, not just those addressed to it. The frames can then be reassembled and the confidential information extracted.

On the network, assume no confidentiality. Wait, some people may say, this may be true for shared media like hubs and wireless connections, but what about switched media, like network switches?

Switches were once sold partially as security devices. The rule of thumb was to never use a hub. Network hubs repeat traffic out all ports. This means that any device connected can listen in on all communications. Switches are better in that they only send traffic to the destination port. Time marches quickly in InfoSec, however, and it has been shown that switches can be subverted.

Suppose Alice’s computer is talking to Bob’s. Alice asks for Bob’s computer by name. Her computer then turns the name into an IP address, and the IP address into an Ethernet MAC address. This last step is done with ARP, and the information is stored in the switch’s ARP cache. The attacker can poison this cache and trick Alice’s computer into sending the frames meant for Bob to the attacker’s MAC address. The attacker can then listen in on all network communications between Alice and Bob, even though they are on a switch.
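As an added illustration of the defender's side of this (example code, not from the original post), the following Python parses constructed Ethernet/ARP reply frames and flags any reply that rebinds an already-known IP address to a different MAC, which is what poisoning looks like on the wire. The addresses and the make_arp_reply helper are assumptions made up for this example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def parse_arp_frame(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # ARP header: htype(2) ptype(2) hlen(1) plen(1) opcode(2) sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def detect_arp_rebinding(frames):
    """Learn IP->MAC bindings from ARP replies; report replies that move a known IP to a new MAC."""
    bindings, alerts = {}, []
    for frame in frames:
        parsed = parse_arp_frame(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip not in bindings:
            bindings[ip] = mac          # first time we see this IP: learn it
        elif bindings[ip] != mac:
            alerts.append((ip, bindings[ip], mac))  # same IP, different MAC: suspicious
    return alerts

def make_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble a constructed ARP reply frame as a test fixture (never transmitted)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

# Constructed sample with hypothetical addresses: Bob answers Alice legitimately,
# then a third MAC answers for Bob's IP, which is what a poisoned cache would see.
ALICE_MAC, ALICE_IP = bytes.fromhex("0a0000000001"), bytes([192, 168, 1, 10])
BOB_MAC, BOB_IP = bytes.fromhex("0a0000000002"), bytes([192, 168, 1, 20])
ROGUE_MAC = bytes.fromhex("0a0000000099")
SAMPLE_FRAMES = [
    make_arp_reply(BOB_MAC, BOB_IP, ALICE_MAC, ALICE_IP),
    make_arp_reply(ROGUE_MAC, BOB_IP, ALICE_MAC, ALICE_IP),
]
```

Run against SAMPLE_FRAMES, detect_arp_rebinding reports Bob's IP moving from his MAC to the rogue one; on a real network the same logic would be fed from a capture and checked against a known-good table of gateway and server bindings.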

ARP cache poisoning is a lot of work. An easier attack on confidentiality is to overload the switch’s firmware. Most vendors would rather degrade than fail, so instead of dropping connectivity, an overloaded switch downgrades to acting like a hub. Of course, this could also break the network altogether.

If the network is down then all devices are down, of course, which brings us back full circle. The bottom line is that there are a number of ways an attacker can abuse the Ethernet protocol to disrupt the business or to gather confidential information.
