3

Expanding to a previous question where I asked if it would be possible to redirect traffic on a port from another device to my local device, if a PC on my network (device A) has the IP address 192.168.1.2, would it be possible for another PC (device B) that has an IP address 192.168.1.3 to force-use the IP address 192.168.1.2 in a way that causes device A to lose network access through that IP? If yes, how would that be possible or how can I prevent this type of attack?

For testing, I tried to use the IP 192.168.1.2 on 2 devices on the same network with ARP checking disabled. Only device A was responding, but I'm not sure if there is a type of attack that can cause device A to stop responding and I wasn't able to find this information online, so any answer would be greatly appreciated!

Jonathan T
  • 31
  • 1
  • 3
  • Is it wired or wireless? – user2497 Aug 05 '17 at 06:44
  • @user2497 Mostly wireless, but device A was wired while device B was wireless when I did the test. I do not think it would make a difference, but I can connect both of them to wireless/wired. – Jonathan T Aug 05 '17 at 10:01

3 Answers3

1

This would be an "attack" that would prevent only devices that don't know the MAC address/IP correspondence to talk to Device A. Under normal circumstances they would have the MAC address of Device A in their ARP cache.

If however this cache expires or a new device is connected to the LAN (the same broadcast domain) then the ARP request "who has 192.168.1.2" would be answered by two different machines. Quoting from Networking Basics: How ARP Works:

In the case where multiple machines have the same IP address, you may get multiple responses. The one that gets placed in the ARP table can vary depending on the networking implementation, how busy hosts are, and how quickly they respond, etc...

Your concern is unavailability of Device A but another thing that can happen is for an attacker to be a man-in-the-middle: Inform you Device A that he has the IP of the gateway and inform the gateway that he has the IP of Device A. He will thus make all traffic to and from Device A pass from the eavesdropping system in the middle.

George
  • 2,813
  • 2
  • 23
  • 39
1

This question is asking about forcing a client to release its IP address. Yes, if it is a wifi network you can cause the device to be dropped, and for wired you can drop the host from the network as well. But to answer the question about forcing a client to give up its IP, without completely dropping it, would be possible through DHCP as outlined in rfc3203 by sending the client a FORCERENEW:

http://www.ietf.org/rfc/rfc3203.txt

That being said, you would be depending on all the clients to actually obey, and not all do. https://social.technet.microsoft.com/Forums/windowsserver/en-US/1bb50932-29bc-4446-a1a4-081037207f36/dhcp-forcerenew-message?forum=winserverNIS

Thomas Carlisle
  • 809
  • 5
  • 9
0

You can boot a client from a wireless network thus: iwpriv wlanX kickmac 00:de:ad:be:ef:01. http://madwifi-project.org/wiki/UserDocs/iwpriv The IP will be available for a moment until reconnect. Look into isc-dhcpd as well.

user2497
  • 580
  • 2
  • 7