Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Frame - MAC Address Threats & Vulnerabilities
1. FRAME - MAC ADDRESS THREATS & VULNERABILITIES
ETHERNET FRAMES - MAC SUBLAYER - 802.3
By Marc-Andre Heroux
CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
V. 1.0
Security & Compliance Advisor
2. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME
In this demonstration, we have the machine2.mydomain.net (IP: 10.0.0.2)
sending to machine3.mydomain.net (IP: 10.0.1.2).
Router/firewall uses datagrams at layer 3 with two components: a header and
a payload. Ethernet works at layer 2 with frames (data link layer) and Address
Resolution Protocol (ARP) is used (e.g.: MAC address resolution).
All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0
10.0.0.2
What is MAC address of 10.0.1.2?
10.0.1.2
Initial transmission request
Frame sent to all ports
Broadcasting
3. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME
MAC ADDRESS DESCRIPTION
All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0
4. HOW FRAMES ARE SENT? MAN-IN-THE-MIDDLE ATTACK
If the switch ARP cache table does not contain any entry for 10.0.1.2, the
frame is sent to all ports. If any IP address corresponds to 10.0.1.2, the ARP
reply will contain the destination MAC. If not found at the switch level, the
frame will sent to all ports. If a switch or a router is connected, they will
receive the ARP request.
10.0.0.2
What is MAC address of 10.0.1.2?
Potential Man-In-THE-MIDDLE Attack on MAC HEADER
IN the data payload section.
All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0
10.0.1.2
Uses it’s own
source MAC when
sending request
Initial transmission request
Frame sent to all ports
Broadcasting
MAC not found
5. EXAMPLE OF THE USE OF MAC ADDRESS AT THE LAYER 2 FRAME
The router will then respond with it's MAC and the switch will update it’s table,
a new MAC header will usually be created and frames will be sent to router
and the discovery/transmission will continue to the next hop. In our example,
we have many organizational routable subnets divided by routers and
connected to various switches.
10.0.0.2
What is MAC address of 10.0.1.2?
MAC not found
Potential Man-In-THE-MIDDLE Attack on MAC HEADER
IN the data payload section.
All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0
10.0.1.2
Uses is own
source MAC
when sending
request
Initial transmission request
Frame sent to all ports
Broadcasting
6. CONCLUSION
Prevent threat agent to connect to your local network and
avoid many incidents against Ethernet frame;
Detect and stop abnormal activities;
Most networks are running IPV4 and uses ARP. The same
principles exist for IPV6 and Neighbor Discovery Protocol
(NDP).
Monitoring Logging Detection Correlation Alerting Correction
All Right Reserved Marc-Andre Heroux, ARP Threats, version 1.0