In this entry, I will sum up the ways to intercept (or hijack) network traffic and categorize them by the layer at which they operate and by the scope of the interception. The protocols abused by these methods are ARP, ICMP, DHCP, HSRP, STP, DNS, and BGP (two further methods abuse the browser's own proxy settings rather than a TCP/IP protocol). Based on the TCP/IP layer of operation, the methods fall into two categories:
1- Layer2 Interception:
Layer2 interception works by manipulating (e.g. spoofing or faking) addresses at Layer 2, i.e. MAC addresses. The attacker (who is trying to intercept traffic) causes abnormal behavior at Layer 2 of the network, typically in the hosts' ARP caches or in the switches' forwarding topology. The protocols that fall into this category are ARP and STP.
2- Layer3 Interception:
Layer3 interception works by manipulating (e.g. spoofing or faking) addresses at Layer 3, i.e. IP addresses, or the routing decisions made on them. This can be done through routing protocols, spoofed gateways, IP traffic redirection, and so on.
And based on the scope of the interception, the methods can be divided into another two categories:
1- Local:
The impact of an interception method is said to be "local" when the attacker can only intercept traffic within the local subnet; a method in this category cannot reach beyond that subnet. Methods with local impact can be either Layer2 or Layer3 methods: ARP and STP are Layer2 examples, and DHCP, ICMP Redirect and HSRP are Layer3 examples.
2- Global:
When the attacker can intercept traffic beyond the local subnet, i.e. across a routed LAN or a WAN, the impact is called "global." Global methods also work locally within the subnet; however, they are not restricted to that local scope.
Here are the methods of traffic interception, in detail:
• ARP Poisoning
The attacker poisons the ARP cache of two or more victims; a victim can be a host or a router/gateway. ARP poisoning injects false entries that map each victim's IP address to the MAC address of the attacker, which works because most stacks update an existing cache entry from any ARP reply they receive, solicited or not. Each victim then sends the frames meant for the other to the attacker, who must forward them on (with IP forwarding enabled) so that the victims notice nothing. ARP poisoning is a "layer2" method and its impact is "local."
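The following is an added example, not code from the original post: it builds the 42-byte Ethernet/ARP reply frame a poisoning tool sends (one copy towards each victim) and, on the defensive side, the arpwatch-style check that flags an IP address claimed by two different MACs. The addresses and frames are constructed for illustration, not captured traffic, and the function names are mine.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II header + ARP reply (opcode 2): 14 + 28 = 42 bytes.
    A poisoning frame is just a reply whose sender_ip is the victim's peer
    (gateway or host) while sender_mac is the attacker's own MAC."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    return {
        "opcode": opcode,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


def find_poisoning(frames):
    """Detection side: an IP address claimed by two different MACs in ARP
    replies is the signature of a poisoned cache."""
    claims = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["opcode"] == 2:
            claims[arp["sender_ip"]].add(arp["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed sample topology (hypothetical addresses, not captured traffic).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:dd:ee:01"
ATTACKER_MAC = "66:77:88:99:aa:bb"

SAMPLE_FRAMES = [
    # legitimate reply: the gateway answering the victim
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # poisoning pair: tell the victim the gateway is at the attacker's MAC ...
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    # ... and tell the gateway the victim is at the attacker's MAC
    build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
]

if __name__ == "__main__":
    print(find_poisoning(SAMPLE_FRAMES))
```

In practice the poisoning frames are resent every few seconds because the victims' caches expire and the real gateway keeps answering; a monitor that sees the same IP flip between two MACs repeatedly has a much stronger signal than a single conflicting reply.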
• ICMP Redirect
In the standard TCP/IP implementation, the default gateway can send an ICMP Redirect message to a host on the local subnet, instructing it to send future IP packets for a given destination to a different router on the same subnet. The attacker can exploit this feature by sending a spoofed ICMP Redirect that names her machine as the new router; the message must carry the gateway's IP as its source address, because a host only honors redirects that appear to come from the router it is currently using. The attacker then forwards the redirected packets to the legitimate default gateway. This interception method works at "layer3" and its impact is "local." Most operating systems can be told to ignore redirects altogether (on Linux, net.ipv4.conf.all.accept_redirects=0), which removes the attack surface entirely.
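As an added example (not code from the original post), this builds a well-formed ICMP Redirect for a host, including the quoted IP header of the datagram that supposedly triggered it, and models the two acceptance checks RFC 1122 requires of a receiving host. The point it makes is that those checks only compare addresses, so a redirect whose source IP is spoofed to be the real gateway passes them. All addresses are constructed for illustration and the helper names are mine.

```python
import ipaddress
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_redirect(new_gateway: str, original_datagram: bytes) -> bytes:
    """ICMP Redirect (type 5, code 1 = redirect for host). The body carries the
    new gateway's IP followed by the offending datagram's IP header + 8 bytes."""
    body = ipaddress.IPv4Address(new_gateway).packed + original_datagram[:28]
    csum = inet_checksum(struct.pack("!BBH", 5, 1, 0) + body)
    return struct.pack("!BBH", 5, 1, csum) + body


def parse_icmp_redirect(pkt: bytes):
    """Return (code, new_gateway, quoted_destination) for a well-formed redirect,
    or None if the type or checksum is wrong."""
    if len(pkt) < 28 or pkt[0] != 5 or inet_checksum(pkt) != 0:
        return None
    new_gw = str(ipaddress.IPv4Address(pkt[4:8]))
    quoted_dst = str(ipaddress.IPv4Address(pkt[24:28]))  # dst field of the quoted IP header
    return pkt[1], new_gw, quoted_dst


def host_accepts_redirect(src_ip: str, current_gateway: str, new_gateway: str, local_net: str) -> bool:
    """The checks RFC 1122 section 3.2.2.2 requires: the redirect must come from
    the router currently used for that destination, and the new gateway must be
    directly reachable on the local network. Neither check can tell a spoofed
    source address from the real gateway."""
    return src_ip == current_gateway and ipaddress.ip_address(new_gateway) in ipaddress.ip_network(local_net)


# Constructed scenario: victim talking to an outside host via its real gateway.
VICTIM, GATEWAY, ATTACKER, DEST = "192.168.1.10", "192.168.1.1", "192.168.1.66", "198.51.100.7"
LOCAL_NET = "192.168.1.0/24"

# The quoted datagram: the victim's IP header plus 8 placeholder payload bytes.
ORIGINAL = build_ipv4_header(VICTIM, DEST, 6, 8) + b"\x00" * 8
REDIRECT = build_icmp_redirect(ATTACKER, ORIGINAL)

if __name__ == "__main__":
    print(parse_icmp_redirect(REDIRECT))
    # Sent with the gateway's IP as source: accepted. Sent from the attacker's own IP: rejected.
    print(host_accepts_redirect(GATEWAY, GATEWAY, ATTACKER, LOCAL_NET),
          host_accepts_redirect(ATTACKER, GATEWAY, ATTACKER, LOCAL_NET))
```

The ICMP message above would be wrapped in an IP header whose source is GATEWAY, so the spoofing happens one layer down; the redirect body itself needs no forgery beyond naming the attacker as the new gateway.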
• DHCP Spoofing
One of the parameters that the DHCP server hands dynamically to LAN hosts is the default gateway IP address (usually alongside the DNS server addresses). An attacker can set up a rogue DHCP server in a subnet that answers DHCP requests and sets the "default gateway" parameter (option 3) to her machine's IP address. Local hosts then send all traffic destined beyond the local subnet to the attacker's machine, which in turn forwards it to the legitimate default gateway. Since clients typically take the first OFFER they receive, the rogue server has to answer faster than the legitimate one, or the legitimate server has to be starved of addresses first. This interception attack works at "layer3" and its impact is "local." DHCP snooping on the switches, which drops server messages arriving on untrusted ports, is the usual countermeasure.
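Added example, not code from the original post: it assembles the DHCPOFFER a rogue server would send (the attacker's address in the router and DNS options), parses the options back, and shows the check a DHCP snooping or monitoring tool applies, namely whether the server identifier belongs to a known server and whether the router option matches the expected gateway. The transaction ID, MAC and IP addresses are constructed, and all function names are mine.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_dhcp_offer(xid, client_mac, offered_ip, server_ip, router, dns,
                     mask="255.255.255.0", lease=3600) -> bytes:
    """BOOTP fixed fields (236 bytes) + magic cookie + DHCP options (RFC 2131/2132).
    A rogue server simply sets router (option 3) and dns (option 6) to itself."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)   # op=BOOTREPLY, htype=Ethernet, hlen=6, hops, xid, secs, flags
    fixed += ip4("0.0.0.0") + ip4(offered_ip) + ip4(server_ip) + ip4("0.0.0.0")  # ciaddr, yiaddr, siaddr, giaddr
    fixed += chaddr + b"\x00" * 64 + b"\x00" * 128               # chaddr, sname, file
    opts = bytes([53, 1, 2])                                     # DHCP message type = OFFER
    opts += bytes([54, 4]) + ip4(server_ip)                      # server identifier
    opts += bytes([51, 4]) + struct.pack("!I", lease)            # lease time
    opts += bytes([1, 4]) + ip4(mask)                            # subnet mask
    opts += bytes([3, 4]) + ip4(router)                          # router (default gateway)
    opts += bytes([6, 4]) + ip4(dns)                             # DNS server
    opts += b"\xff"                                              # end
    return fixed + MAGIC_COOKIE + opts


def parse_dhcp(payload: bytes) -> dict:
    """Return the fields a monitor cares about plus a {code: raw_value} option map."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:
            break
        if code == 0:           # pad
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def rogue_offer_reason(parsed: dict, trusted_servers: set, expected_router: str):
    """Return why an OFFER looks rogue, or None if it is consistent with the
    known infrastructure. This is the decision DHCP snooping makes per port."""
    o = parsed["options"]
    if o.get(53) != b"\x02":
        return None  # only OFFERs are examined here
    server = str(ipaddress.IPv4Address(o[54])) if 54 in o else None
    router = str(ipaddress.IPv4Address(o[3])) if 3 in o else None
    if server not in trusted_servers:
        return f"offer from untrusted server {server}"
    if router != expected_router:
        return f"router option {router} != expected {expected_router}"
    return None


# Constructed scenario: the same client transaction answered by both servers.
XID, CLIENT_MAC = 0x3903F326, "aa:bb:cc:dd:ee:01"
TRUSTED_SERVERS, EXPECTED_ROUTER = {"192.168.1.1"}, "192.168.1.1"
LEGIT_OFFER = build_dhcp_offer(XID, CLIENT_MAC, "192.168.1.10", "192.168.1.1", "192.168.1.1", "192.168.1.1")
ROGUE_OFFER = build_dhcp_offer(XID, CLIENT_MAC, "192.168.1.10", "192.168.1.66", "192.168.1.66", "192.168.1.66")

if __name__ == "__main__":
    for offer in (LEGIT_OFFER, ROGUE_OFFER):
        print(rogue_offer_reason(parse_dhcp(offer), TRUSTED_SERVERS, EXPECTED_ROUTER))
```

Both OFFERs carry the same xid, which is why the client cannot tell them apart; the only thing separating them is which one arrives first and, with snooping enabled, which switch port it arrived on.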
• HSRP “Active”
Hot Standby Router Protocol (HSRP) was developed by Cisco Systems to provide router redundancy. Two (or more) routers are configured in an active-standby mode sharing a virtual IP address, which the hosts use as their default gateway. The routers exchange HSRP hello packets periodically (UDP port 1985 to multicast 224.0.0.2 in version 1) to decide which is active and which is standby: the highest priority wins. HSRP uses a clear-text authentication string ("cisco" unless changed). An attacker on the subnet can sniff the string and inject crafted HSRP hellos that claim the active state with the maximum priority (255), which makes the current active router step down and makes her system the active router. By doing so, she receives all traffic from the local subnet destined to the outside world, which she must forward to the real routers to keep sessions alive. This attack works at "layer3" and its impact is "local."
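Added example, not code from the original post: the 20-byte HSRP version 1 packet format (RFC 2281) is simple enough to build by hand, so this constructs the routers' hellos and the attacker's takeover hello (reusing the sniffed authentication string), applies the election rule to show why priority 255 wins, and flags HSRP packets from any source that is not a known router. Router and attacker addresses are constructed and the function names are mine.

```python
import ipaddress
import struct

HSRP_PORT, HSRP_MCAST = 1985, "224.0.0.2"
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


def build_hsrp(opcode, state, priority, group, virtual_ip, auth=b"cisco", hello=3, hold=10) -> bytes:
    """HSRPv1: version, opcode, state, hellotime, holdtime, priority, group,
    reserved, 8-byte auth string (NUL padded), virtual IP."""
    header = struct.pack("!BBBBBBBB", 0, opcode, state, hello, hold, priority, group, 0)
    return header + auth.ljust(8, b"\x00")[:8] + ipaddress.IPv4Address(virtual_ip).packed


def parse_hsrp(payload: bytes):
    if len(payload) < 20:
        return None
    version, opcode, state, _hello, _hold, priority, group, _ = struct.unpack("!BBBBBBBB", payload[:8])
    return {
        "version": version,
        "opcode": OPCODES.get(opcode, opcode),
        "state": STATES.get(state, state),
        "priority": priority,
        "group": group,
        "auth": payload[8:16].rstrip(b"\x00"),
        "vip": str(ipaddress.IPv4Address(payload[16:20])),
    }


def elect_active(datagrams):
    """HSRP election: highest priority wins; ties go to the higher IP address."""
    best = None
    for src, payload in datagrams:
        p = parse_hsrp(payload)
        if not p or p["opcode"] != "hello":
            continue
        key = (p["priority"], ipaddress.IPv4Address(src))
        if best is None or key > best[0]:
            best = (key, src)
    return best[1] if best else None


def takeover_alerts(datagrams, legitimate_routers):
    """Detection: any HSRP packet from a source that is not a known router is an
    alert; the tuple records what it claimed."""
    alerts = []
    for src, payload in datagrams:
        p = parse_hsrp(payload)
        if p and src not in legitimate_routers:
            alerts.append((src, p["opcode"], p["state"], p["priority"], p["vip"]))
    return alerts


# Constructed scenario: two routers in HSRP group 1, then an attacker joins in.
VIP, ROUTERS, ATTACKER = "192.168.1.1", {"192.168.1.2", "192.168.1.3"}, "192.168.1.66"
ROUTER_HELLOS = [
    ("192.168.1.2", build_hsrp(0, 16, 110, 1, VIP)),   # active, priority 110
    ("192.168.1.3", build_hsrp(0, 8, 90, 1, VIP)),     # standby, priority 90
]
# The attacker copies the auth string out of a sniffed hello and claims active with priority 255.
SNIFFED_AUTH = parse_hsrp(ROUTER_HELLOS[0][1])["auth"]
ATTACK_HELLO = (ATTACKER, build_hsrp(0, 16, 255, 1, VIP, auth=SNIFFED_AUTH))
ALL_PACKETS = ROUTER_HELLOS + [ATTACK_HELLO]

if __name__ == "__main__":
    print(elect_active(ROUTER_HELLOS), "->", elect_active(ALL_PACKETS))
    print(takeover_alerts(ALL_PACKETS, ROUTERS))
```

Because the attacker sends hellos every few seconds with priority 255, a legitimate router cannot win the election back even with preemption enabled; the only fixes are MD5 authentication (HSRPv2 or the MD5 key-chain option) and filtering HSRP on ports that should not carry it.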
• STP “Root”
To avoid a single point of failure, administrators may deploy redundant switches and links so that if one switch or link fails, traffic still passes through the network. The protocol that lets the switches agree on which "path" is active at a given time (and which redundant links are blocked to prevent loops) is the Spanning Tree Protocol (STP). It is a Layer2 protocol in which the switches elect a root bridge by exchanging BPDUs that carry a bridge ID, i.e. a configurable priority followed by the switch's MAC address; the lowest bridge ID wins. An attacker connected to the subnet can send BPDUs with the lowest possible priority and thereby become the root of the topology; if she is connected to two switches, the tree is recomputed so that traffic between those switches passes through her machine. Intercepting traffic by spoofing STP is a Layer2 method and its impact is "local." BPDU Guard and Root Guard on access ports are the standard switch-side defenses.
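Added example, not code from the original post: it builds the 802.1D configuration BPDU (LLC header plus 35-byte body) that a rogue root would send, with bridge priority 0, and the check a monitor or Root Guard-like filter applies: any BPDU advertising a root ID numerically lower than the expected root is a root-takeover claim. The MAC addresses are constructed and the helper names are mine.

```python
import struct

STP_MCAST = "01:80:c2:00:00:00"   # destination MAC for BPDUs
LLC_STP = b"\x42\x42\x03"         # DSAP 0x42, SSAP 0x42, UI control field


def bridge_id(priority: int, mac: str) -> bytes:
    """8-byte bridge ID: 16-bit priority followed by the bridge MAC.
    Lower is better, so priority 0 with any MAC beats a default-priority root."""
    return struct.pack("!H", priority) + bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_config_bpdu(root_prio, root_mac, root_cost, bridge_prio, bridge_mac,
                      port_id=0x8001, msg_age=0, max_age=20, hello=2, fwd_delay=15) -> bytes:
    """802.1D configuration BPDU. Timers are encoded in 1/256 s units."""
    body = struct.pack("!HBBB", 0, 0, 0, 0)   # protocol id 0, version 0, type 0 (config), flags
    body += bridge_id(root_prio, root_mac) + struct.pack("!I", root_cost) + bridge_id(bridge_prio, bridge_mac)
    body += struct.pack("!HHHHH", port_id, msg_age * 256, max_age * 256, hello * 256, fwd_delay * 256)
    return LLC_STP + body


def parse_bpdu(pdu: bytes):
    """Return the root and bridge IDs of a configuration BPDU, or None."""
    if pdu[:3] != LLC_STP or len(pdu) < 38:
        return None
    body = pdu[3:]
    _proto, _version, bpdu_type, _flags = struct.unpack("!HBBB", body[:5])
    if bpdu_type != 0:          # 0x80 would be a topology-change notification
        return None
    root, cost, bridge = body[5:13], struct.unpack("!I", body[13:17])[0], body[17:25]
    return {
        "root_id": root,
        "root_priority": struct.unpack("!H", root[:2])[0],
        "root_mac": mac_str(root[2:]),
        "root_path_cost": cost,
        "bridge_id": bridge,
        "bridge_mac": mac_str(bridge[2:]),
    }


def root_claim_alerts(bpdus, expected_root_id: bytes):
    """Flag BPDUs whose advertised root ID is better (lower) than the expected
    root. Equal-length big-endian byte strings compare like the integers."""
    return [p for p in map(parse_bpdu, bpdus) if p and p["root_id"] < expected_root_id]


# Constructed scenario: default-priority root, a second switch relaying it, and a rogue.
EXPECTED_ROOT = bridge_id(32768, "00:1a:2b:3c:4d:5e")
LEGIT_BPDU = build_config_bpdu(32768, "00:1a:2b:3c:4d:5e", 4, 32768, "00:1a:2b:3c:4d:6f")
ROGUE_BPDU = build_config_bpdu(0, "66:77:88:99:aa:bb", 0, 0, "66:77:88:99:aa:bb")

if __name__ == "__main__":
    for alert in root_claim_alerts([LEGIT_BPDU, ROGUE_BPDU], EXPECTED_ROOT):
        print("root claim from", alert["bridge_mac"], "priority", alert["root_priority"])
```

Priority 0 is the lowest value a switch can be configured with, so a legitimate root configured at 0 can only be beaten on the MAC address; that is why Root Guard, which refuses superior BPDUs on designated ports regardless of their value, is the more robust defense.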
• Browser Proxy
Web browsers can be configured to use a proxy server; all web traffic initiated by the browser is then sent to that proxy. If the attacker can alter the proxy configuration of the victim's browser, she receives the web traffic. Altering the proxy configuration can be done with a malicious script or by editing the user's settings, for example. Note that for HTTPS the proxy only sees CONNECT tunnels to the destination host, not the content, unless the victim also trusts a certificate authority controlled by the attacker. This is a layer3 method and its impact is "global."
• IE6 Proxy Auto-Config
Internet Explorer (v6 and v7) can automatically discover a proxy server on the LAN using the Web Proxy Auto-Discovery Protocol (WPAD). If "Automatically detect settings" is enabled, the browser tries to resolve a host named "wpad" (by DNS, walking up the domain suffix, or by NetBIOS) and downloads the file wpad.dat from it. That file is a Proxy Auto-Config (PAC) script, a JavaScript file whose FindProxyForURL function tells the browser which proxy server to use for each URL. An attacker who can register a system named "WPAD" in the network, or who answers the NetBIOS name query for it, can make the user's browser use a proxy server under her control and thereby intercept network traffic. This is a layer3 attack and its impact is "global."
• DNS Spoofing
DNS Spoofing can be performed in two ways: either the attacker replies directly to a DNS request issued by a client, or she injects a false entry into a DNS server's cache. The first way works only within the local subnet, because the attacker must sniff the request to learn its transaction ID (TXID) and source port and then answer before the real server does. The second way can be done across a LAN or the Internet; there are various techniques for that (many of which have since been fixed by randomizing the source port as well as the TXID). After a successful DNS spoofing, the attacker can intercept traffic between the client (the victim) and the site/server whose IP address has been spoofed. Intercepting traffic using DNS Spoofing is always a Layer3 method; however, its impact can be either "local" or "global."
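Added example, not code from the original post: it parses a sniffed DNS query, builds the spoofed answer that copies its TXID and question section, and models the checks a resolver applies before trusting a reply (source address and port, destination port, TXID, question). The example shows why the first method needs a local sniffer: the server's IP address can be forged freely, so the TXID and the client's source port are the only values the attacker has to get right. The query, addresses and ports are constructed and the function names are mine.

```python
import ipaddress
import struct


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name starting at off; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode())
        off += 1 + length


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Standard recursive query: header (RD set) + one question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "flags": flags, "name": name, "qtype": qtype,
            "qclass": qclass, "ancount": an, "question_end": off + 4}


def build_spoofed_answer(query: bytes, answer_ip: str, ttl: int = 300) -> bytes:
    """Forge the reply: same TXID, same question, QR/RD/RA flags set, and one
    A record (name compressed as a pointer to offset 12) pointing at answer_ip."""
    q = parse_question(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)
    question = query[12:q["question_end"]]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + rr


def first_answer_ip(response: bytes):
    q = parse_question(response)
    if q["ancount"] == 0:
        return None
    _name, off = decode_name(response, q["question_end"])
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return str(ipaddress.IPv4Address(response[off + 10:off + 14])) if rtype == 1 else None


def resolver_accepts(pending: set, response: bytes, src_ip: str, src_port: int, dst_port: int) -> bool:
    """Model of a resolver's checks: the reply must come from the server (port 53)
    the query went to, arrive on the port the query left from, and match the
    outstanding query's TXID and question. pending holds tuples
    (txid, name, qtype, server_ip, local_port)."""
    r = parse_question(response)
    if not r["flags"] & 0x8000 or src_port != 53:
        return False
    return (r["txid"], r["name"], r["qtype"], src_ip, dst_port) in pending


# Constructed scenario: the attacker sniffs this query on the local subnet.
DNS_SERVER, ATTACKER_IP, CLIENT_PORT = "192.168.1.1", "192.168.1.66", 40000
SNIFFED_QUERY = build_query(0x1234, "www.example.com")
PENDING = {(0x1234, "www.example.com", 1, DNS_SERVER, CLIENT_PORT)}
SPOOFED = build_spoofed_answer(SNIFFED_QUERY, ATTACKER_IP)

if __name__ == "__main__":
    # Source IP forged as the real server: accepted. Guessed TXID: rejected.
    print(resolver_accepts(PENDING, SPOOFED, DNS_SERVER, 53, CLIENT_PORT))
    print(resolver_accepts(PENDING, build_spoofed_answer(build_query(0x1235, "www.example.com"), ATTACKER_IP),
                           DNS_SERVER, 53, CLIENT_PORT))
```

Off the local subnet, with no sniffer, the attacker would have to guess the 16-bit TXID (and, after the 2008 fixes, a randomized client port as well) while still beating the real answer, which is what turns the local attack into a probabilistic race.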
• BGP Spoofing
At Defcon 16, Anton Kapela and Alex Pilosov demonstrated a way to hijack Internet traffic by injecting false BGP announcements. The attack rests on the fact that BGP peers do not verify that the announcing Autonomous System is authorized to originate the prefix it advertises: a more-specific prefix announced by the attacker wins longest-prefix-match routing over the legitimate announcement, so routers across the Internet forward the victim's traffic to the attacker, who can then forward it on to the real destination. This method works at layer3 and its impact is "global." Route origin validation with RPKI, which rejects announcements whose origin AS or prefix length is not covered by a published ROA, is the defense that has since been deployed against it.
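Added example, not code from the original post: a small model of BGP route selection that shows the two ingredients of the Defcon 16 demonstration, namely that a more-specific prefix beats the legitimate announcement under longest-prefix match, and that prepending the ASNs of the intended return path into the hijack's AS_PATH makes exactly those ASes drop it (standard loop detection), so the attacker keeps a clean route back to the victim for forwarding. The topology and the ASNs (from the documentation range) are constructed, and the class and function names are mine.

```python
import ipaddress


class Router:
    """One BGP speaker's routing table: prefix -> AS_PATH (neighbor first, origin last)."""

    def __init__(self, asn: int):
        self.asn = asn
        self.rib = {}

    def receive(self, prefix: str, as_path) -> bool:
        """Import an announcement. Without origin validation the only check is
        loop detection: drop the route if our own ASN already appears in AS_PATH."""
        if self.asn in as_path:
            return False
        self.rib[ipaddress.ip_network(prefix)] = tuple(as_path)
        return True

    def next_hop_as(self, addr: str):
        """Forwarding decision: longest-prefix match, then hand off to the first AS on the path."""
        a = ipaddress.ip_address(addr)
        candidates = [(net, path) for net, path in self.rib.items() if a in net]
        if not candidates:
            return None
        _net, path = max(candidates, key=lambda c: c[0].prefixlen)
        return path[0]


# Constructed topology: victim -> upstream -> transit -> far (rest of the Internet);
# the attacker peers with "far". ASNs are from the 64496-64511 documentation range.
VICTIM, UPSTREAM, TRANSIT, FAR, ATTACKER = 64496, 64500, 64501, 64505, 64511
VICTIM_PREFIX = "203.0.113.0/24"
HIJACK_PREFIXES = ["203.0.113.0/25", "203.0.113.128/25"]
TARGET = "203.0.113.10"


def simulate() -> dict:
    """Return, for each modelled router, the AS it forwards TARGET to after the hijack."""
    routers = {asn: Router(asn) for asn in (UPSTREAM, TRANSIT, FAR)}
    # The legitimate /24 propagates along the real path.
    routers[UPSTREAM].receive(VICTIM_PREFIX, [VICTIM])
    routers[TRANSIT].receive(VICTIM_PREFIX, [UPSTREAM, VICTIM])
    routers[FAR].receive(VICTIM_PREFIX, [TRANSIT, UPSTREAM, VICTIM])
    # The hijack: two more-specifics whose AS_PATH is padded with the return-path
    # ASNs. FAR accepts them; TRANSIT sees its own ASN and drops them, so the
    # route never reaches UPSTREAM and both keep forwarding towards the victim.
    for prefix in HIJACK_PREFIXES:
        routers[FAR].receive(prefix, [ATTACKER, TRANSIT, UPSTREAM])
        if routers[TRANSIT].receive(prefix, [FAR, ATTACKER, TRANSIT, UPSTREAM]):
            routers[UPSTREAM].receive(prefix, [TRANSIT, FAR, ATTACKER, TRANSIT, UPSTREAM])
    return {asn: r.next_hop_as(TARGET) for asn, r in routers.items()}


if __name__ == "__main__":
    print(simulate())
```

With RPKI origin validation, FAR would compare each /25 against the victim's ROA; a ROA for 203.0.113.0/24 with maxLength 24 marks both more-specifics invalid, and a router configured to drop invalids never installs the hijack in the first place.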