Page 932 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

                  If you find the idea of misdirecting traffic through the abuse
                  of the ARP system interesting, then consider experimenting with
                  attacking tools that perform this function. Some of the well-known
                  tools for performing ARP spoofing attacks include Ettercap, Cain &
                  Abel, and arpspoof. Using these tools in combination with a
                  network sniffer (so you can watch the results) will give you great
                  insight into this form of network attack. However, as always,
                  perform these activities only on networks where you have proper
                  approval; otherwise, your attacker activities could land you in legal
                  trouble.



               ARP mappings can be attacked through spoofing. ARP spoofing
               provides false MAC addresses for requested IP-addressed systems to
               redirect traffic to alternate destinations. ARP attacks are often an
               element in man-in-the-middle attacks. Such attacks involve an
               intruder’s system placing its own MAC address, paired with the
               destination’s IP address, into the source’s ARP cache. All packets
               received from the source system are inspected and then forwarded to
               the actual intended destination system. You can take measures to
               fight ARP attacks, such as defining static ARP mappings for critical
               systems, monitoring ARP caches for MAC-to-IP-address mappings, or
               using an IDS to detect anomalies in system traffic and changes in
               ARP traffic.
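
One way to carry out the ARP cache monitoring described above, as an added example that is not from the study guide: it parses `ip neigh show` output and compares it with a trusted IP-to-MAC baseline for critical systems. The function names, baseline, and snapshot are constructed for illustration and use documentation address ranges.

```python
import re
from collections import defaultdict

# Matches lines of `ip neigh show` output, e.g.
# "192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+(?P<dev>\S+)\s+"
    r"lladdr\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh show` text; entries without a MAC
    (FAILED / INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def audit(baseline, current):
    """Compare a trusted IP->MAC baseline with a current ARP cache snapshot."""
    findings = []
    # 1. A known IP now resolves to a different MAC than the baseline says.
    for ip, mac in sorted(current.items()):
        expected = baseline.get(ip)
        if expected and expected.lower() != mac:
            findings.append(("MAC_CHANGED", ip, expected.lower(), mac))
    # 2. One MAC is cached for several IPs at the same time.
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("MAC_SHARED", mac, tuple(sorted(ips))))
    return findings

# Constructed sample data (documentation ranges, not real hosts).
BASELINE = {"192.0.2.1": "00:00:5e:00:53:01", "192.0.2.10": "00:00:5e:00:53:0a"}
SNAPSHOT = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5E:00:53:0A STALE
192.0.2.66 dev eth0 lladdr 00:00:5e:00:53:66 REACHABLE
192.0.2.77 dev eth0 FAILED
"""

if __name__ == "__main__":
    for finding in audit(BASELINE, parse_neigh(SNAPSHOT)):
        print(finding)
```

A `MAC_SHARED` finding can be legitimate (a multi-homed host or proxy ARP), so treat it as a prompt to investigate rather than proof of spoofing.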


               DNS Poisoning, Spoofing, and Hijacking


               DNS poisoning and DNS spoofing are also known as resolution
               attacks. Domain Name System (DNS) poisoning occurs when an
               attacker alters the domain-name-to-IP-address mappings in a DNS
               system to redirect traffic to a rogue system or to simply perform a
               denial of service against a system. DNS spoofing occurs when an
               attacker sends false replies to a requesting system, beating the real
               reply from the valid DNS server. This is also technically an
               exploitation of race conditions. Protections against false DNS results
               caused by poisoning and spoofing include allowing only authorized
               changes to DNS, restricting zone transfers, and logging all privileged
               DNS activity.