| 1 | An ARP spoofing experiment where the attacker puts himself in between two nodes and then modifies their traffic. There are two classes of experiments that need to be combined: |
| 2 | a. an experiment where ARP poisoning happens between two nodes by the attacker |
| 3 | b. an experiment where an attacker changes traffic passing through it |
| 4 | |
| 5 | |
| 6 | == Example 3: ARP poisoning with MITM attack == |
| 7 | |
| 8 | This example used two metadescriptions. The first was ARP poisoning which is a flavor of cache poisoning, and the other is MITM attack. |
| 9 | |
| 10 | |
| 11 | === ARP poisoning metadescription === |
| 12 | |
| 13 | This is a special case of cache poisoning where the target is ARP cache. I've highlighted customizations from the general cache poisoning metadescriptions to arrive at this one. |
| 14 | |
| 15 | Dimensions: |
| 16 | * '''Logical topology:''' |
| 17 | [[Image(arpcpobj.jpg)]] |
| 18 | |
| 19 | (in English: There is one attacker node. There is a fakeIP of type IPaddress. A cache is simply a collection of ARPRecord items, one or more. These are subtypes of Info and in the domain knowledge DB there's syntax defined for an ARPRecord. Cache does not reside at the attacker.) |
| 20 | |
| 21 | |
| 22 | * '''Timeline of events: ''' |
| 23 | |
| 24 | [[Image(arpwf.jpg, 50%)]] |
| 25 | |
| 26 | (in English: Attacker sends the ARP reply with mapping of an ARP address to somebody's IP. This really could be anybody's ARP address but in most cases it is the attacker's.) |
| 27 | |
| 28 | * '''Invariants:''' |
| 29 | |
| 30 | Nothing in addition to the topology and timeline above. |
| 31 | |
| 32 | === MITM attack metadescription === |
| 33 | |
| 34 | Dimensions: |
| 35 | * '''Logical topology:''' |
| 36 | [[Image(mitmobj.jpg)]] |
| 37 | |
| 38 | (in English: There is one attacker node, and two regular nodes who want to communicate. These are all different nodes.) |
| 39 | |
| 40 | |
| 41 | * '''Timeline of events: ''' |
| 42 | |
| 43 | [[Image(mitmwf.jpg, 70%)]] |
| 44 | |
| 45 | (in English: Attacker replaces each msg between nodes with some modification.) |
| 46 | |
| 47 | * '''Invariants:''' |
| 48 | |
| 49 | Nothing in addition to the topology and timeline above. |
| 50 | |
| 51 | === Experiment design === |
| 52 | |
| 53 | Now I'm a user who wants to design an experiment. I need to combine two metadescriptions (ARP poisoning and MITM attack) and somehow tie them down to generator choices. To combine I'll do something like this: |
| 54 | |
| 55 | [[Image(arpmitmcomb.jpg)]] |
| 56 | |
| 57 | i.e. the ARP experiment needs to be run twice to generate the mappings at node1 and node2 necessary for the attacker to appear on the path from node1 to node2. The cache we're poisoning is at node1 and node2. Poison links the IP address of node2 and node1 respectively with the attacker's ARP address. |
| 58 | |
| 59 | The system now needs to offer me several generators: |
| 60 | |
| 61 | * It should offer a topology generator and map the nodes (Node1, Node2, Attacker) to the topology that gets generated. Caches have to reside at Node1 and Node2. |
| 62 | * It should offer event generator for each of the events: reply (for ARP), and mod(for message). |