Many companies today are concerned with the information security of their infrastructure, some because regulatory documents require it, and some only from the moment the first incident occurs. Recent trends show that the number of incidents is growing and that the attacks themselves are becoming more sophisticated. But there is no need to look far: the danger is much closer to home. This time I would like to raise the topic of the security of Internet providers. There are posts on Habr in which this topic was discussed at the application level. This article will discuss security at the network and data link layers.

How it all began


Some time ago I had the Internet connected to my apartment by a new provider; before that the apartment was served over ADSL. Since I spend little time at home, mobile Internet was more in demand than the home connection. With the switch to working from home, I decided that 50-60 Mb/s for the home Internet was far too little and set out to increase the speed. With ADSL, for technical reasons, speeds above 60 Mb/s are not achievable, so I decided to move to another provider that advertised a different speed and delivered the service over something other than ADSL.

It could be somehow different


I contacted a representative of the Internet provider. The installers came, drilled a hole into the apartment and ran in an Ethernet cable terminated with an RJ-45 plug. They handed me a contract and a sheet with the network settings to enter on the router (a dedicated IP address, the gateway, the subnet mask and the IP addresses of their DNS servers), took payment for the first month and left. When I entered the settings they had given me into my home router, the Internet came up in the apartment. The procedure for connecting a new subscriber to the network seemed far too simple to me: there was no initial authorization, and the only thing that identified me was the IP address I had been given. The Internet worked quickly and stably. A Wi-Fi router served the apartment, and the connection speed dropped somewhat through the load-bearing wall. One day I needed to download a file of about twenty gigabytes, and I thought: why not connect the RJ-45 cable coming into the apartment directly to the PC?

Know your neighbor


Having downloaded the whole file, I decided to get to know my neighbors on the switch ports a little better.

In apartment buildings, in the most primitive connection scheme, the Internet arrives from the provider over optical fiber, enters a switch in a wiring closet and is distributed from there to the entrances and apartments over Ethernet cables. Yes, there is already technology in which the fiber goes straight into the apartment (GPON), but it is not yet that widespread.

A very simplified topology at the scale of one building: the provider's uplink terminates on a switch in the building, and the apartments hang off that switch's ports.

It turns out that this provider's clients, the neighboring apartments, all sit in the same local area network on the same switching equipment.

By capturing traffic on the interface connected directly to the provider's network, you can see broadcast ARP traffic arriving from every host on the network.

The provider had decided not to bother with dividing the network into smaller segments, so the broadcast traffic of up to 253 hosts (minus those that were switched off) circulates on one switch, eating into the channel's bandwidth.

Scanning the network with nmap, we determined the number of active hosts in the whole address pool, as well as the software version and open ports of the main switch.

Where there is ARP, there is ARP spoofing


The ettercap-graphical utility was used for the next steps; there are more modern alternatives, but this tool is attractive for its simple graphical interface and ease of use.

The first column lists the IP addresses of all the routers that responded to ping; the second lists their physical (MAC) addresses.

A physical address is unique and can be used to gather information about the router, including its geographic location and more, so it is hidden in this article.


Target 1 is the main gateway with the address 192.168.xxx.1; target 2 is one of the other addresses.

To the gateway we present ourselves as the host with the address 192.168.xxx.204, but with our own MAC address. To the user's router we then present ourselves as the gateway with the address 192.168.xxx.1, again with our own MAC. The details of this weakness of the ARP protocol are covered in other articles that are easy to find.

As a result of all these manipulations, with packet forwarding enabled beforehand, the hosts' traffic now passes through us.

Yes, HTTPS is already used almost everywhere, but the network is still full of other insecure protocols, for example DNS with its DNS spoofing attack. The very fact that a MITM attack is possible opens the door to many other attacks, and things get worse when several dozen active hosts are reachable on the network. Keep in mind that this is a residential network, not a corporate one, and not everyone has the means to detect and counter such attacks.

How to avoid this


The provider should be concerned about this problem; setting up protection against such attacks is very simple, on the same Cisco switch, for example.

Enabling Dynamic ARP Inspection (DAI) would prevent spoofing of the gateway's MAC address. Breaking the broadcast domain into smaller segments would at least stop ARP traffic from reaching every host indiscriminately and reduce the number of hosts that could be attacked. The client, for their part, can protect themselves from such manipulation by setting up a VPN client directly on the home router; most devices already support this.
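As an added example (not the provider's configuration and not from the original article), here is what the DAI setup looks like in Cisco IOS for exactly this scenario: customers get static addresses on paper, so there is no DHCP snooping binding table and DAI has to be fed static IP-to-MAC bindings through an ARP ACL. The VLAN number, port names, addresses and MAC addresses are placeholders.

```cisco
! --- Before (what the article describes): one flat customer VLAN,
! no ARP inspection, every customer port sees every other customer's ARP.
vlan 10
 name CUSTOMERS
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10

! --- After: DAI with static bindings, trusted uplink, rate limiting
! and port isolation. All addresses below are placeholders.

! 1. Static IP<->MAC bindings for the addresses the provider hands out.
!    There is no DHCP here, so DAI cannot learn them from DHCP snooping.
arp access-list CUSTOMER-BINDINGS
 permit ip host 192.168.0.204 mac host 0000.5e00.0204
 permit ip host 192.168.0.205 mac host 0000.5e00.0205
 ! ... one line per customer address

! 2. Enable DAI on the customer VLAN and apply the ACL. The "static"
!    keyword drops any ARP packet that matches no explicit binding instead
!    of falling through to the (empty) DHCP snooping database.
ip arp inspection vlan 10
ip arp inspection filter CUSTOMER-BINDINGS vlan 10 static
! Also require the Ethernet header and the ARP body to agree on MACs/IPs.
ip arp inspection validate src-mac dst-mac ip

! 3. Only the uplink towards the gateway is trusted; ARP from customer
!    ports is inspected and rate limited so one host cannot flood ARP.
interface GigabitEthernet1/0/24
 description uplink to the 192.168.0.1 gateway
 ip arp inspection trust
interface range GigabitEthernet1/0/1 - 23
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
 ! Protected ports exchange no layer-2 traffic with each other, only with
 ! the uplink, so one customer's broadcast ARP never reaches the others.
 switchport protected

! 4. Let a port err-disabled for exceeding the ARP rate recover by itself.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

After applying it, `show ip arp inspection statistics vlan 10` shows how many ARP packets were dropped per VLAN, and `show ip arp inspection interfaces` confirms which ports are trusted and their rate limits.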

Conclusions


Most likely the providers do not care about this; all their efforts go into increasing the number of customers. This material was not written to demonstrate an attack, but to remind you that even your provider's network may not be all that secure for carrying your data. I am sure there are many small regional Internet providers that have done nothing beyond what is necessary for the basic operation of their network equipment.
