Page 584 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Local Caches


A local cache is anything that is temporarily stored on the client for future reuse. There are many local caches on a typical client, including the Address Resolution Protocol (ARP) cache, the Domain Name System (DNS) cache, and the internet files cache. ARP cache poisoning is caused by an attacker responding to ARP broadcast queries in order to send back falsified replies. If the false reply is received by the client before the valid reply, then the false reply is used to populate the ARP cache and the valid reply is discarded as being outside an open query. The dynamic content of the ARP cache, whether poisoned or legitimate, will remain in cache until a timeout occurs (which is usually under 10 minutes). ARP is used to resolve an Internet Protocol (IP) address into the appropriate MAC address in order to craft the Ethernet header for data transmission. Once an IP-to-MAC mapping falls out of cache, the attacker gains another opportunity to poison the ARP cache when the client re-performs the ARP broadcast query.

A second form of ARP cache poisoning is to create static ARP entries. This is done via the ARP command and must be done locally. But this is easily accomplished through a script that gets executed on the client through a Trojan horse, buffer overflow, or social engineering attack. Static ARP entries are permanent, even across system reboots. Once ARP poisoning has occurred, whether against a permanent entry or a dynamic one, the traffic transmitted from the client will be sent to a different system than intended. This is due to having the wrong or a different hardware address (that is, the MAC address) associated with an IP address. ARP cache poisoning, or just ARP poisoning, is one means of setting up a man-in-the-middle attack.
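The check below is an added example, not part of the study guide. It compares two snapshots of a Linux client's ARP cache in `ip neigh show` format and flags both poisoning forms described above: an IP whose MAC changed, and a static (PERMANENT) entry that is not on an allowlist. It also flags one MAC claiming several IPs. The function names, the approved_static allowlist and the sample addresses are assumptions constructed for illustration.

```python
import re

# Line format of Linux `ip neigh show`, e.g.
# "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev \S+ lladdr (?P<mac>[0-9a-fA-F:]{17})\s+(?:router\s+)?(?P<state>[A-Z]+)$"
)

def parse_neigh(text):
    """Return {ip: (mac, state)} for every resolved entry in a snapshot."""
    table = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            table[m["ip"]] = (m["mac"].lower(), m["state"])
    return table

def audit(before, after, approved_static=frozenset()):
    """Compare two snapshots; return a sorted list of (finding, ip, mac)."""
    findings, owners = [], {}
    for ip, (mac, state) in after.items():
        owners.setdefault(mac, []).append(ip)
        # Dynamic poisoning: the IP now resolves to a different MAC.
        if ip in before and before[ip][0] != mac:
            findings.append(("MAC_CHANGED", ip, mac))
        # Static poisoning: a permanent entry nobody approved.
        if state == "PERMANENT" and (ip, mac) not in approved_static:
            findings.append(("UNAPPROVED_STATIC", ip, mac))
    # One MAC claiming several IPs: sometimes legitimate (proxy ARP), worth review.
    for mac, ips in owners.items():
        if len(ips) > 1:
            findings.extend(("SHARED_MAC", ip, mac) for ip in ips)
    return sorted(findings)

# Constructed sample snapshots (not real captures).
BEFORE = """
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:77 REACHABLE
"""
AFTER = """
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:66 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.30 dev eth0 lladdr 00:11:22:33:44:99 PERMANENT
192.168.1.40 dev eth0  FAILED
"""

if __name__ == "__main__":
    print(*audit(parse_neigh(BEFORE), parse_neigh(AFTER)), sep="\n")
```

Because dynamic entries time out within minutes, snapshots taken at a shorter interval than the cache timeout give the comparison the best chance of seeing a changed mapping.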

Another popular means of performing a man-in-the-middle attack is through DNS cache poisoning. Similar to ARP cache, once a client receives a response from DNS, that response will be cached for future use. If false information can be fed into the DNS cache, then misdirecting communications is trivially easy. There are many means of performing DNS cache poisoning, including HOSTS poisoning, authorized DNS server attacks, caching DNS server attacks, DNS lookup address changing, and DNS query spoofing.