Address Resolution Protocol
The ARP protocol works at the Data Link Layer and provides addressing capability. Whereas the transport layer uses the IP protocol for addressing, the data link layer uses what's referred to as the Media Access Control (MAC) address. The MAC address is programmed into the NIC by the manufacturer and is a combination of an ID unique to the manufacturer and an ID that the manufacturer assigns. When systems communicate on a network, the data link layer needs to be able to add the MAC address for the intended recipient. To do this, it must be able to look at the IP address the transport layer used and resolve it to a MAC address. This is done through the ARP protocol. ARP maintains a table, or cache, that lists which IP address corresponds to which MAC. If there is no MAC listed for an IP address, ARP can send a broadcast packet requesting the MAC address of whatever system has a certain IP.
A common attack against ARP is known as ARP cache poisoning. When ARP was designed, there was no security built into the protocol. The vulnerability is that ARP does not authenticate where other ARP packets come from. Because of this, any system can send an unsolicited ARP reply to another system claiming to have a certain IP address. The target will accept this packet and update its ARP cache. From then on, any time a packet needs to be sent to that IP address, it will instead be routed to the attacker. This is a simple way to perform a man-in-the-middle attack.
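The two symptoms described above, a reply nobody asked for and a reply that contradicts a known IP-to-MAC mapping, can be detected from captured ARP payloads. The following is an added defender-side example, not part of the original text; the `ArpMonitor` class, the helper names, and the 192.0.2.x addresses and MAC values are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(payload: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # ip -> first MAC seen claiming it
        self.pending = set()  # IPs someone has asked for and nobody has answered yet

    def observe(self, payload: bytes):
        op, mac, ip, target_ip = parse_arp(payload)
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add(target_ip)
        elif op == ARP_REPLY:
            if ip not in self.pending:
                alerts.append(f"unsolicited reply: {ip} is-at {mac}")
            self.pending.discard(ip)
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            # Keep the first binding; a legitimate change (new NIC, new lease) needs triage.
            alerts.append(f"binding conflict: {ip} was {known}, now claimed by {mac}")
        return alerts

def sample_arp(op, s_mac, s_ip, t_mac, t_ip):  # constructed demo input, never sent
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, raw(s_mac), IPv4Address(s_ip).packed,
                       raw(t_mac), IPv4Address(t_ip).packed)

def run_demo():  # replays three constructed packets; only the last should alert
    zero, host = "00:00:00:00:00:00", "02:00:00:00:00:0a"
    gw, rogue = "02:00:00:00:00:01", "02:00:00:00:00:66"
    mon = ArpMonitor()
    return [mon.observe(p) for p in (
        sample_arp(ARP_REQUEST, host, "192.0.2.10", zero, "192.0.2.1"),
        sample_arp(ARP_REPLY, gw, "192.0.2.1", host, "192.0.2.10"),
        sample_arp(ARP_REPLY, rogue, "192.0.2.1", host, "192.0.2.10"),
    )]
```

The monitor only sees traffic that reaches its own interface, so on a switched network it has to run on a mirror port or on the hosts whose caches are being protected.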
Dynamic Host Configuration Protocol
DHCP is a protocol that can assign systems IP addresses in real time. DHCP functions over UDP and is commonly implemented as a service on routers. DHCP leases out IP addresses from a set range and maintains a table of currently leased out IP addresses. This prevents any two systems from accidentally receiving the same IP address which would cause a conflict. Each IP address that is assigned is given a lease time. When the time expires, the system must renew its IP address. The steps to receive an IP address via DHCP are listed below:
- A client computer connects to a network and sends a DHCP discover packet.
- The DHCP server responds with a DHCP offer packet, which gives the client an available IP address and details configuration settings.
- The client responds with a DHCP request packet confirming its acceptance of the settings.
- Finally, the DHCP server responds with a DHCP ack packet which acknowledges the client's acceptance and includes the lease period of the address.
Internet Control Message Protocol
ICMP is used for testing connectivity and sending messages. Perhaps its best-known implementation is the ping utility. When administrators wish to test if they are able to connect to a system, they may ping it to see if they get a reply. When ping is used, an ICMP echo request packet is sent. If the intended recipient receives the packet, it will reply with an ICMP echo reply packet. This packet can tell the sender that the message was received and provide information about the connection, such as response time. ICMP is also commonly used by routers to gain information about the state of connections. When a problem occurs with a route, ICMP can be used to send information to surrounding routers letting them know about the issues. Routers also use ICMP to send information about packets that were not able to reach their target.
There are a couple of attacks that use ICMP to cause damage. One such attack is the ping of death. ICMP packets are normally set to not exceed 65,536 bytes. If an attacker crafts a packet larger than this common size, the receiver may freeze or become unstable, bringing the system down. Another attack is known as the smurf attack. This attack takes advantage of the fact that most systems actively listen for and respond to ICMP traffic. An attacker can craft an ICMP echo request packet with an address of a system that they wish to attack. This packet is sent to all the other systems, which, upon receiving it, send an ICMP echo reply to the target system. The target then receives so many ICMP packets at once that it doesn't know what to do and goes down.
Simple Network Management Protocol
SNMP was developed in the late 1980s to aid in network management. The protocol functions with a manager/agent relationship. The manager is the server portion, which periodically polls the agents to request new information. Each agent is assigned a group of objects that it is to watch and maintain information about. This information is tracked in a database-like structure called the Management Information Base (MIB). An MIB is a logical grouping of related objects that contain data used for specific management tasks and status checks. The manager will periodically poll the agents requesting the information in the MIB. This gives the administrator a good way to monitor the network as a whole.