Global Information Assurance Certification Paper

Copyright SANS Institute
Author Retains Full Rights

This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.
Microsoft Ex. 1021
Microsoft v. Daedalus Blue
IPR2021-00832

“Real World ARP Spoofing”

Raúl Siles
August, 2003

GIAC Certified Incident Handler (GCIH) Practical
(Version 2.1a – Option 1: Exploit in Action)

GIAC Certification Administrivia Version 2.5b

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2003, As part of GIAC practical repository. Author retains full rights.

Abstract

This paper aims to explore ARP from its design and specification point of view, the Internet RFCs, through to its real world implementations, that is, how the analyzed operating systems behave. It explains how ARP works, how to manipulate and configure the elements that constitute the ARP modules inside the TCP/IP stacks of different OS, and how the protocol can be exposed from a security perspective.

It describes the security vulnerabilities that could be exploited using ARP to take control over the network traffic that flows between two systems in a Local Area Network, called “ARP spoofing” or “ARP poisoning”, redirecting the traffic to a box owned by an attacker, and proposes some of the different advanced attacks that could be developed on top of it.

The goal of this paper is to research and discover every small detail and component of the ARP protocol that allows an attacker to get control over an unauthorized system, and to provide enough information for an administrator to be able to protect their network infrastructure.

The main motivation for this paper’s research originated after more than two years of internal Penetration Testing over production environments, meaning by internal the situation where the security auditor plays the attacker’s role as an insider: employee, subcontractor, third-party support engineer or consultant…

Although the “ARP spoofing” technique is very simple in concept, in real world situations over heterogeneous networks the obtained results are not always as expected, because both the operating system and the network topology influence the way ARP behaves. Therefore, more information about how the ARP protocol and the “ARP spoofing” attack work should be obtained to be able to have as much control as possible over the ARP redirection games.

Layer 2 vulnerabilities are typically underestimated because they are associated with an attacker physically located next to the target system, but this is an incorrect approach. Once an attacker has got control over a system from outside, he is in the same situation as any insider.

From the author’s point of view, it is a must to understand every detail about how the ARP protocol and every implementation work, and to play the potential role of an attacker, to be prepared to defend the network against the different ARP attacks and their security vulnerabilities. For this reason sometimes this paper will analyze a specific aspect to reach the attacker’s goal, and sometimes it will focus on defending against the protocol exploitation.

Due to the fact that this is a very ambitious project, it will evolve and go into deeper research of some areas in future versions, for example covering additional operating systems and network traffic situations, such as those based on high availability solutions. The final goal will be to reach a work similar to the one developed by Ofir Arkin about the ICMP protocol [OFIR1], but focusing on the ARP protocol. Sorry for being so ambitious, but using Ofir’s paper as a reference is well worth it.

This paper intends to be the foundation of a future project called “The SARP: The Security ARP Research Project”. My intention is to make this project available to the Internet community in the next few months.

To be able to gather a large body of knowledge around the ARP protocol, the Internet community should share information, so the new proposed ARP project could be a knowledge repository. Its main goal will be offering a database of the different ARP behaviours classified by OS. In the past there were similar projects, covering neighbouring information security areas, but they were unsuccessful [SSP1].

Some areas this project should include would be:
- Packet taxonomy: stimulus-response ARP traffic, or how different OS respond to every possible ARP packet and how their ARP tables are populated, including big anomalies in packets.
- ARP table timeout behaviour: how each ARP timer works and how to configure it through OS kernel parameters.
- ARP bootstrap and shutdown times analysis.
- ARP behaviour when activating/deactivating network interfaces.
- ARP operating system fingerprinting.

Acknowledgements

“Mónica, there are no words to be able to express my feelings about you. Thanks so much for your support and help, and for reviewing this paper ;-)”

“To you, mum, to overcome any problem in this life with your energy and vitality”

“Marta, Jorge, David, thanks for your valuable contribution”

Revision

First version: 1.0
August, 2003 – Author: Raúl Siles
Originally created for the SANS GIAC Practical paper needed to obtain the GCIH certification.
Table of Contents

PART 1 – THE EXPLOIT  8
Name  8
Operating Systems  8
Protocols/Services/Applications  10
Brief Description  10
Variants  12
References  13
Terminology and conventions  13

PART 2 – THE ATTACK  14
Description and diagram of network  14
Protocol description  15
What is the purpose of the ARP protocol?  15
MAC addresses: the lowest level network name  16
MAC addresses types: Unicast & Broadcast & Multicast  17
ARP packet format  18
How does the ARP protocol work?  20
RFCs security analysis  26
RFC 826: the ARP protocol  26
RFC 1122: ARP requirements for Internet hosts  31
RFC 1812: ARP requirements for Internet routers  33
RFC 1027: Transparent Subnet Gateways – Proxy ARP  34
RFC 1868: ARP extension – UNARP  35
ARP packet types  37
How the exploit works  38
Description and diagram of the attack  40
How can the attacker verify if the attack was successful?  42
ARP spoofing persistence  43
Network citizens  45
ARP spoofing tools  46
Arpplet  46
Other tools available  47
Advanced attacks based on ARP Spoofing  49
Sniffing  49
Denial of Service  49
Transparent proxy  49
Smart IP spoofing  50
ARP protocol security research  51
ARP packet taxonomy: analyzing all ARP packet variations  51
ARP packet taxonomy tests  54
ARP big anomalies tests  63
ARP timeouts: analyzing the ARP cache table  63
ARP timeouts tests  65
OS fingerprinting based on ARP packets  68
Bootstrap and shutdown times research  69
Activating/Deactivating network interfaces  73
ARP parameters by operating system  74
HA solutions  86
DHCP systems  87
Signature of the attack  88
Using real or fake MAC addresses: pros and cons  89
Signatures based on MAC address selection  91
How to protect against it  93
Physical security  93
Static ARP entries  94
Encryption  95
Filtering devices  95
Switches: advanced network devices  96
“Duplicate IP address” message  102
NIDS  105
HIDS  106
TTL signature  108
Authentication: 802.1x  108
Private VLANS  110
VACLs  112

PART 3 – THE INCIDENT HANDLING PROCESS  113
Preparation  113
Identification  114
Containment  116
Eradication  118
Recovery  119
Lessons Learned  119
Extras  120

LIST OF REFERENCES  122

APPENDIX I: OPERATING SYSTEMS RESEARCHED  130

APPENDIX II: RESEARCH LAB DESCRIPTION  131

APPENDIX III: ARP TIMEOUTS RESEARCH  133
Local tests: [TestTLn]  133
Remote tests: [TestTRn]  134

APPENDIX IV: ARP SPOOFING RESEARCH SCRIPTS  137
ARP spoofing preparation script  137
ARP table status scripts  138
Cisco IOS  138
Unix: HP-UX and Linux  138
Windows  139
Solaris  140
ARP timeouts scripts  140
ARP packet taxonomy scripts  141
Tests BH  143
Test SK  143
Results  144

APPENDIX V: THE “ARP” COMMAND  145
General arguments comparison  145
Cisco IOS  145
Cisco CatOS  147
HP-UX 11  148
Linux: kernel 2.4  148
Windows 2000 SP3  149
Solaris 8  149
Execution privileges  149
Output format per Operating System  150

APPENDIX VI: FIRST TRAFFIC SEEN IN THE NETWORK  152

APPENDIX VII: ARP FLUX  153

APPENDIX VIII: ARP TABLE SNAPSHOTS  154
ARP static entries for its IP address  154
ARP static entries for another IP network  155
Cisco IOS router or switch  155
HP-UX 10.20  155
HP-UX 11 and 11i  155
Linux kernel 2.4  155
Windows 2000 SP3  155
Solaris 8  155
ARP entries without response  156
Cisco IOS  156
HP-UX 10.20  156
Linux kernel 2.4  156
Windows 2000  156
Solaris 8  156

APPENDIX IX: “ARPPLET” SOURCE CODE  157

APPENDIX XI: GOOGLE STATE OF THE ART  166
• It also allows Denial of Service attacks in cases where the particular OS doesn’t check the “Hardware Address Length” field, as it will update the entry associated with the packet’s IP address with a MAC address of zero. From then on, communication with that IP address won’t be possible.

ARP packet types

This section summarizes the different possible ARP packet types, based both on the described RFCs and on all the other references used along this paper:

ARP request:
- Standard request to the broadcast address (RFC 826).
- Directed request to a unicast address to validate an entry (RFC 826, 1122).
ARP reply:
- Standard solicited reply to the host from which we received a request (RFC 826).
- Standard solicited reply on behalf of another host: Proxy ARP (RFC 1027).
- Unsolicited Gratuitous ARP reply: host announcement (RFC: N/A).
- Unsolicited UNARP reply: disconnecting from the network (RFC 1868).
- Unsolicited Trailer negotiation ARP reply (RFC 1122, 1812).

Of all these packets, the “Gratuitous ARP packet” is the only one not explicitly studied in any of the RFCs analyzed.

Gratuitous ARP packet
A “Gratuitous ARP packet” consists of an ARP request or reply packet where the “Sender IP address” and the “Target IP address” are the same. Usually it is addressed to all hosts, using the broadcast address both for the Ethernet “Destination MAC address” and for the ARP “Target MAC address”, although this is implementation dependent.

Figure 2.11. ARP gratuitous request and reply packets (field values as shown in the figure):
- Ethernet destination MAC address: FF:FF:FF:FF:FF:FF
- Ethernet type: 0x0806
- Hardware type: 0x0001
- Protocol type: 0x0800
- Operation: 1 or 2
- Hardware address length: 6
- Protocol address length: 4
- Sender MAC address: host MAC address
- Sender IP address: host IP address
- Target MAC address: FF:FF:FF:FF:FF:FF or implementation dependent
- Target IP address: host IP address

This type of packet is typically used in two situations:
• ARP reply [GRAT1]: when a host wants to announce its own IP-MAC address pair, for example in high availability clustering solutions (see “HA solutions” section). Since ARP request packets are also used to learn new IP-MAC address associations, an ARP request packet could be used for the same purpose.
• ARP request [STEV1]: when a host wants to check whether there is a conflict with its IP address in the network, probably because another host is already configured with the same IP address. This situation generates a “Duplicate IP address” message when a reply is received (see ““Duplicate IP address” message” section). This type of check is commonly done at bootstrap time (see “Bootstrap and shutdown times research” section), when hosts are initializing their IP stack.

How the exploit works

One of the reasons why ARP can be exposed is the open and flexible elements specified in the RFC and their interpretation in every implementation. All the open questions and design choices pointed out along this paper may introduce potential vulnerabilities.

So the reason why this exploit can work lies in the ARP protocol design and, given the fact that the design is driven by the RFC, the simplicity and performance goals influenced the protocol’s security. It must be considered that security was not one of the main goals at the time ARP was designed.

The ARP poisoning attack has been described in several papers [SEAN1] [ROB1] [VISV1] [DATA1] [SANS1].

For completeness we are going to include a brief description of how it works.

Figure 2.12. ARP spoofing attack: network diagram
- System A: IPA 192.168.1.2, MACA 0E:0E:0E:00:00:02
- System B: IPB 192.168.1.3, MACB 0E:0E:0E:00:00:03
- Hacker: IPH 192.168.1.99, MACH 0E:0E:0E:00:00:99
- The Hacker sends an ARP packet stating “B is H” to A, or an ARP packet stating “A is H” to B; the traffic from A to B is then delivered to H.

The attacker’s (“Hacker” system) goal is redirecting the traffic going back and forth between both target systems, A and B, to be able to inspect it or to develop more advanced attacks (see “Advanced attacks based on ARP Spoofing”).
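As an added example, not code from the paper, the following Python monitor looks at the scenario of Figure 2.12 from the defender’s side, in the spirit of arpwatch: it learns the IP-MAC binding advertised by every ARP packet and reports the two traces the redirection leaves behind, a known IP changing its MAC and one MAC claiming several IPs. The addresses are the figure’s; the class, the function names and the packet sequence are this example’s own constructions.

```python
from collections import defaultdict


class ArpBindingMonitor:
    """Learn the IP -> MAC bindings advertised on the LAN, the way a host's ARP
    cache or arpwatch would, and flag the two signs of the Figure 2.12 attack:
    a known IP that suddenly changes its MAC, and one MAC claiming several IPs."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, sender_mac, sender_ip, op):
        """Feed the Sender fields of every ARP packet seen (requests and replies
        both populate ARP caches, so both are learned). Returns the new alerts."""
        new_alerts = []
        previous = self.ip_to_mac.get(sender_ip)
        if previous is not None and previous != sender_mac:
            new_alerts.append("CHANGED %s: %s -> %s (op=%d)"
                              % (sender_ip, previous, sender_mac, op))
        self.ip_to_mac[sender_ip] = sender_mac
        if sender_ip not in self.mac_to_ips[sender_mac]:
            self.mac_to_ips[sender_mac].add(sender_ip)
            if len(self.mac_to_ips[sender_mac]) > 1:
                new_alerts.append("SHARED %s claims %s"
                                  % (sender_mac, sorted(self.mac_to_ips[sender_mac])))
        self.alerts.extend(new_alerts)
        return new_alerts


# Addresses of Figure 2.12; the packet sequence below is constructed, not captured.
IP_A, MAC_A = "192.168.1.2", "0E:0E:0E:00:00:02"
IP_B, MAC_B = "192.168.1.3", "0E:0E:0E:00:00:03"
IP_H, MAC_H = "192.168.1.99", "0E:0E:0E:00:00:99"


def run_scenario():
    """Legitimate traffic first, then the two poisoning packets of the figure."""
    mon = ArpBindingMonitor()
    mon.observe(MAC_A, IP_A, 1)   # A asks "who has B?"
    mon.observe(MAC_B, IP_B, 2)   # B answers A
    mon.observe(MAC_H, IP_H, 1)   # the Hacker host resolves something itself
    mon.observe(MAC_H, IP_B, 2)   # "B is H", sent to A
    mon.observe(MAC_H, IP_A, 2)   # "A is H", sent to B
    return mon


if __name__ == "__main__":
    for line in run_scenario().alerts:
        print(line)
```

Legitimate rebindings (a DHCP lease moving to another host, HA failover announcements, the “ARP flux” behaviour covered later in the paper) raise the same CHANGED alerts, so the binding history needs review before an alert is treated as an attack.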
OS fingerprinting based on ARP packets

Analyzing what types of ARP packets are generated by each operating system would allow creating an OS fingerprinting classification tree that makes it possible to find out which OS are participating in the network just by listening to their ARP traffic.

ARP standard request analysis
The most important field not established at the RFC level is the “Target MAC address”.

The analysis performed has revealed that some OS set the “Target MAC address” field in an ARP request to all ones, FF:FF:FF:FF:FF:FF, like Solaris, while others set it to all zeros, 00:00:00:00:00:00, such as Windows 2000, Linux kernel 2.4, Cisco IOS and HP-UX 10.20.

Gratuitous ARP packets
The initial gratuitous ARP packets also have a significantly different look and feel between operating systems (see “Bootstrap and shutdown times research” section).

Windows OS set the “Target MAC address” field to all zeros while Unix variants set it to all ones.

Ethernet trailers and minimum packet size enforcement
Another element that can help to fingerprint a host, determining its OS, is the Ethernet trailer information appended to the Ethernet frames. This additional data is added to reach the standard Ethernet boundaries. Each operating system implements this padding process in a different way, although RFC 1042 specifies that "the data field should be padded (with octets of zero)”.

ARP Ethernet packets only use 42 bytes of data, although the smallest legal Ethernet packet is 60 bytes, not including the CRC (4 bytes) [ETHS1]. The OS pads an extra 18 bytes onto the end of ARP packets to meet this minimum length requirement. You don't have to worry about adding padding when generating ARP packets; it will be added by the OS. Some systems may not enforce the minimum packet size, while others will.

During 2003 a new vulnerability was found, Etherleak [CERT2] [OFIR2], affecting lots of network interface device drivers. Vulnerable NICs incorrectly handle frame padding, allowing an attacker to view slices of previously transmitted packets or portions of kernel memory. Therefore the trailers seen will be influenced by memory contents instead of being a fixed value.

Conclusions
When sending gratuitous ARP bootstrapping packets it is very rare to see memory data copied in the Ethernet frame, because these are almost always the
first traffic generated by a host (see “Bootstrap and shutdown times research” section).

Solaris 8 always sets the Ethernet frame trailers using the value 5; this is very helpful to guess the OS of a remote Solaris host. Other OS, such as Windows 2000 and HP-UX 10.20, suffer the described memory leak problem and garbage data can be seen inside the trailer portion. All these three OS use 60-byte Ethernet frames, enforcing the minimum packet size.

Cisco follows the RFC recommendation and the trailer section is always set to zeros. Apart from that, its packet size is 60 bytes, although some IOS versions generate 64-byte frames.

Linux kernel 2.4 enforces the minimum packet size, using 60 bytes, and uses zero values for padding.

OS                 Minimum size   Trailers
Cisco IOS          60 and 64      Zero values
HP-UX 10.20        60             Memory data
Linux kernel 2.4   60             Zero values
Windows 2000 SP3   60             Memory data
Solaris 8          60             Five values

Figure 2.19. Minimum packet size and trailer values
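As an added example, not code from the paper, the following Python decodes an Ethernet/IPv4 ARP frame, names it with the taxonomy of the “ARP packet types” table (proxy ARP, UNARP and trailer negotiation replies are not told apart, since they need context the frame alone does not carry) and derives from the Target MAC field and the trailer the OS hints of this section and of Figure 2.19, including the non-constant padding that marks a possible Etherleak. All function names are this example’s own; the sample frames and the `build_arp_frame` helper are constructed here to model the observations above, not captured traffic.

```python
import struct

ETH_ARP = 0x0806
BCAST = b"\xff" * 6
ZERO = b"\x00" * 6
ARP_LEN = 42      # 14-byte Ethernet header + 28-byte Ethernet/IPv4 ARP body
MIN_FRAME = 60    # smallest legal frame without CRC; the OS pads ARP up to it

def build_arp_frame(op, smac, sip, tmac, tip, eth_dst=BCAST, pad=b""):
    """Constructed sample frame (not captured traffic): Ethernet II + ARP + trailer."""
    eth = struct.pack("!6s6sH", eth_dst, smac, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, smac, sip, tmac, tip)
    return eth + arp + pad

def parse_arp_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame into its fields; None if it is not one."""
    if len(frame) < ARP_LEN:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETH_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac, sip, tmac, tip = struct.unpack("!6s4s6s4s", frame[22:ARP_LEN])
    return {"eth_dst": eth_dst, "op": op, "smac": smac, "sip": sip, "tmac": tmac,
            "tip": tip, "size": len(frame), "trailer": frame[ARP_LEN:]}

def classify(pkt):
    """Name the packet after the 'ARP packet types' table. Proxy ARP, UNARP and
    trailer negotiation replies need context the frame alone does not carry."""
    if pkt["sip"] == pkt["tip"]:          # Figure 2.11: Sender IP == Target IP
        return "gratuitous request" if pkt["op"] == 1 else "gratuitous reply"
    if pkt["op"] == 1:
        return "standard request" if pkt["eth_dst"] == BCAST else "directed request"
    return "reply" if pkt["op"] == 2 else "unknown opcode %d" % pkt["op"]

def fingerprint_hints(pkt):
    """OS candidates consistent with the paper's observations: the Target MAC
    field of requests and gratuitous packets, and the trailer of Figure 2.19."""
    kind = classify(pkt)
    by_tmac = set()
    if kind == "standard request":
        if pkt["tmac"] == BCAST:
            by_tmac = {"Solaris 8"}
        elif pkt["tmac"] == ZERO:
            by_tmac = {"Windows 2000 SP3", "Linux kernel 2.4", "Cisco IOS", "HP-UX 10.20"}
    elif kind.startswith("gratuitous"):
        if pkt["tmac"] == ZERO:
            by_tmac = {"Windows 2000 SP3"}
        elif pkt["tmac"] == BCAST:        # the "Unix variants" of the paper's lab
            by_tmac = {"HP-UX 10.20", "Linux kernel 2.4", "Solaris 8"}
    trailer = pkt["trailer"]
    if pkt["size"] < MIN_FRAME:
        by_trailer, note = set(), "minimum frame size not enforced"
    elif trailer == b"\x00" * len(trailer):
        by_trailer, note = {"Cisco IOS", "Linux kernel 2.4"}, "zero padding (RFC 1042)"
    elif trailer == b"\x05" * len(trailer):
        by_trailer, note = {"Solaris 8"}, "padding with fives"
    else:
        by_trailer, note = {"Windows 2000 SP3", "HP-UX 10.20"}, "memory data: possible Etherleak"
    if pkt["size"] == 64:                 # only some IOS versions emit 64-byte frames
        by_trailer &= {"Cisco IOS"}
    candidates = by_tmac & by_trailer if by_tmac else by_trailer
    return {"type": kind, "note": note, "candidates": candidates}

def analyze(frame):
    """Parse and fingerprint one frame; None when it is not Ethernet/IPv4 ARP."""
    pkt = parse_arp_frame(frame)
    return fingerprint_hints(pkt) if pkt else None

# Constructed samples reusing the addresses of Figure 2.12 (not captured traffic).
MAC_A, IP_A = bytes.fromhex("0e0e0e000002"), bytes([192, 168, 1, 2])
MAC_B, IP_B = bytes.fromhex("0e0e0e000003"), bytes([192, 168, 1, 3])
SAMPLES = {
    "solaris_request": build_arp_frame(1, MAC_A, IP_A, BCAST, IP_B, pad=b"\x05" * 18),
    "linux_request": build_arp_frame(1, MAC_A, IP_A, ZERO, IP_B, pad=b"\x00" * 18),
    "windows_gratuitous": build_arp_frame(1, MAC_A, IP_A, ZERO, IP_A, pad=bytes(range(18))),
    "unpadded_reply": build_arp_frame(2, MAC_B, IP_B, MAC_A, IP_A, eth_dst=MAC_A),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, analyze(frame))
```

The hints only narrow the candidate set to the lab OS listed in the figure; an OS absent from the paper’s lab will land in whichever row its padding happens to match.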

Bootstrap and shutdown times research

Most hosts on a network will send out a gratuitous ARP packet (see “Gratuitous ARP packet” section) when they are initializing their IP stack, at bootstrap time [STEV1]. This gratuitous ARP packet is typically an ARP request for their own IP address, which is used to check for a duplicate IP address. If there is a duplicate address, some stacks do not complete initialization, while others simply generate a warning message (see ““Duplicate IP address” message” section).

To analyze the bootstrapping and shutdown processes, the same lab environment as the one for the timeout research (see “APPENDIX II: Research lab description” section) was used. This lab was also used to analyze the network interface manipulation (next section).

The process followed to test the ARP packets generated during boot and shutdown time was:
1. Activate network traces, called “boot-traces” because they are related to the boot process, in the analyzer host to capture all traffic (promiscuous mode).
2. Wait for 2-5 minutes to check the existing traffic generated by the only system already active in the network, the analyzer host. Traffic should be almost nonexistent.
3. Boot the target system, the one to be analyzed: “Boot Test”.
All gratuitous packets generated by the analyzed OS keep the same format as the packet analyzed during the bootstrapping process.

Changing interfaces status
These were the procedures followed to activate/deactivate network interfaces:

Cisco IOS router (int eth 0/0) and Cisco IOS switch (int vlan 1):
Cisco>en
Password:
Cisco#
Cisco#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Cisco(config)#int eth 0/0 or int vlan 1
Cisco(config-if)#shutdown
or
Cisco(config-if)#no shutdown [1]

Windows 2000: “Start” – “Settings” – “Control Panel” – “Network and Dial-up Connections”, select the network interface, press the right mouse button and select the “Disable” option.

Windows NT 4.0: “Start” – “Settings” – “Control Panel” – “Network”: it is not possible (NP) to simply disable the network interfaces, because when changing network properties or protocol-to-network-card bindings you are required to restart the system.

Unix (all variants):
# ifconfig <NIC-X> down
# ifconfig <NIC-X> up

[1] When a new port is used in a switch, it executes, unless otherwise configured, the STP protocol state phases before activating the port, to avoid loops and to resolve the root bridge.

ARP parameters by operating system

The operating system’s configuration parameters allow setting up the timeout variables for the ARP algorithms and for other elements of the ARP module. All the ARP parameters related to the main operating systems analyzed by this paper will be described. Additional OS should be included in a future review.

Cisco IOS
Cisco IOS allows changing the single timeout associated with the expiration of ARP table entries. By default, an IOS router or switch maintains an ARP entry for four hours, 14400 seconds. This is an extremely high value compared with the timeouts used by the Unix and Windows OS.

Parameter: arp timeout
Description: It configures how long an entry remains in the ARP cache. Use the “arp timeout” command in interface configuration mode. To restore the default value, use the no form of this command. A value of zero means that entries are never cleared from the cache.
Actions: GET:
Router#show interfaces
APPENDIX VI: First traffic seen in the network

From the network side, and showing the importance of the ARP protocol, it is worth noting that commonly the ARP traffic generated by a system constitutes the first packet (or set of packets) from that system seen by the network and, therefore, by any other system in the same LAN.

This first traffic is really important in switching environments, where the first packet seen from a host lets the switch learn a new CAM association, joining a MAC address with a physical switch port. This first packet will typically be an ARP request or a gratuitous ARP packet.

Other monitoring solutions, like “arpwatch”, could also learn information based on the first packets seen in the network. This increases the importance of this initial traffic too.

If the first traffic seen is ARP, which is very frequently the case except in some cases defined below, two situations can occur: the system can be using name resolution, DNS, or not.

If it is not using DNS, the first traffic can be addressed:
• to the local network, so a broadcast ARP request packet asking for the end system constitutes the first packet thrown into the network.
• to a remote network, so the first traffic will be the same request but addressed to the local router.

If it is using DNS, the first ARP query will be addressed to the DNS server if it is located in the same LAN, or to the router again if the DNS servers are placed in a remote subnet.

There are some exceptions where the ARP packets are not the first ones seen in the network coming from a specific host:
• BOOTP (Bootstrap Protocol) is used for bootstrapping diskless systems to find their IP address. It uses broadcast addresses and ARP is not involved at all.
• DHCP (Dynamic Host Configuration Protocol) provides a framework for passing information to hosts on a TCP/IP network. DHCP is based on BOOTP.
• Windows boxes generate tons of IP broadcast traffic, associated with NetBIOS, that reaches the whole subnet and doesn’t require a previous ARP mapping because it uses the MAC broadcast address.