ARP Backscatter

From SCADApedia


ARP Backscatter[ing] is a technique by which devices that act as a gateway (routers, switches, and firewalls) or perform IP forwarding (NAT-ed devices) can be detected.


How ARP Backscattering Works

ARP Backscatters rely on artifacts in gateway devices' responses to ARP requests for IP addresses that do not exist on the local segment. To perform an ARP Backscatter, perform an ArpScan on IP addresses that are believed to exist on segments on the other side of the gateway device. These IP ranges may be gleaned from sniffing network traffic, looking at host tables, pulling netstat results, etc. If an address exists on the other side of the gateway device, the device will reply that the external IP address exists at its (the gateway's) MAC address. If the address is unknown, no response will occur.

ARP Backscatters are not always effective against all types of gateways but can be very useful in finding network interconnects.

ARP Backscatter Example

If you are on a network segment that is 10.4.4.* with a suspected gateway device at 10.4.4.44 (MAC address 00:01:DE:AD:BE:EF) and have seen network traffic to 192.168.10.23, you can perform an ArpScan on 192.168.10.1-255. The ArpScan results could look like:

Unicast reply from 192.168.10.23 [00:01:DE:AD:BE:EF] 0.810ms
Unicast reply from 192.168.10.31 [00:01:DE:AD:BE:EF] 0.607ms
Unicast reply from 192.168.10.35 [00:01:DE:AD:BE:EF] 0.602ms
Unicast reply from 192.168.10.64 [00:01:DE:AD:BE:EF] 0.606ms

This would indicate that 10.4.4.44 is acting as a gateway for the devices listed above.
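The inference in the example above (several off-segment addresses all answered from the local gateway's MAC) is what an assessor or network owner has to pick out of a pile of scan output. The following Python is an added example, not code from SCADApedia: it parses ArpScan-style reply lines, discards answers for addresses on the local segment, and groups the remaining addresses by responding MAC, naming the local host that owns that MAC. The sample lines, the 10.4.4.0/24 segment and the LOCAL_ARP_TABLE mapping are constructed for the example; the first four off-segment reply lines mirror the page's example, and the 172.16.0.9 line shows how a reply from a MAC not yet tied to a local host is reported.

```python
"""Group ArpScan replies by responding MAC to spot ARP backscatter.

Added example, not part of the SCADApedia page. Sample data is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Matches ArpScan-style reply lines such as:
#   Unicast reply from 192.168.10.23 [00:01:DE:AD:BE:EF] 0.810ms
REPLY_RE = re.compile(
    r"Unicast reply from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"\[(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\]"
)

# Constructed sample: one on-segment reply, the four off-segment replies
# from the page's example, and one reply from a MAC not in the local table.
SAMPLE_SCAN = """\
Unicast reply from 10.4.4.44 [00:01:DE:AD:BE:EF] 0.412ms
Unicast reply from 192.168.10.23 [00:01:DE:AD:BE:EF] 0.810ms
Unicast reply from 192.168.10.31 [00:01:DE:AD:BE:EF] 0.607ms
Unicast reply from 192.168.10.35 [00:01:DE:AD:BE:EF] 0.602ms
Unicast reply from 192.168.10.64 [00:01:DE:AD:BE:EF] 0.606ms
Unicast reply from 172.16.0.9 [00:50:C2:00:00:01] 0.590ms
"""

# Constructed: hosts already known to sit on the local 10.4.4.0/24 segment
# (from a scan of the local range or the OS ARP cache), keyed by MAC.
LOCAL_ARP_TABLE = {"00:01:de:ad:be:ef": "10.4.4.44"}


def parse_replies(text):
    """Yield (ip, mac) for every reply line; MACs are normalised to upper case."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield ipaddress.ip_address(m.group("ip")), m.group("mac").upper()


def find_backscatter(scan_text, local_segment, local_arp_table):
    """Map each responding local host to the off-segment addresses it answered for.

    Replies for addresses inside local_segment are ordinary ARP and are ignored.
    A MAC that answers for off-segment addresses is behaving as a gateway for
    them; if that MAC is not in local_arp_table it is reported as unknown-host.
    """
    segment = ipaddress.ip_network(local_segment)
    mac_to_local_ip = {mac.upper(): ip for mac, ip in local_arp_table.items()}
    by_mac = defaultdict(set)
    for ip, mac in parse_replies(scan_text):
        if ip not in segment:  # only off-segment answers are backscatter
            by_mac[mac].add(ip)
    result = {}
    for mac, ips in by_mac.items():
        key = mac_to_local_ip.get(mac, f"unknown-host({mac})")
        result[key] = [str(ip) for ip in sorted(ips)]
    return result


if __name__ == "__main__":
    report = find_backscatter(SAMPLE_SCAN, "10.4.4.0/24", LOCAL_ARP_TABLE)
    for gateway, addresses in report.items():
        print(f"{gateway} answers ARP for: {', '.join(addresses)}")
```

The same grouping, run over a passive capture of ARP replies rather than scan output, tells a network owner whether a gateway on their segment is answering ARP for foreign address ranges at all, which is the artifact this technique depends on and something worth knowing about one's own electronic perimeter.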

ARP Backscatter in Control System Assessments

As Control System devices can be very time dependent and can crash when system latency increases due to active scanning techniques, ARP Backscattering can be effectively employed to locate gateways into control system segments, and NAT-ed devices on the control system segment, in a non-intrusive manner. Identifying these devices is critical in identifying all assets in a network environment, and in determining the system's electronic perimeter.

External Links

ARP Protocol
