Possible workaround for IP-MAC binding security feature on routers
I have been reading about the IP-MAC binding security feature on routers, and have found a possible technique to bypass it (have yet to test it, currently in the theory phase). Let's assume the following scenario: a router gateway acting as the DHCP server on a LAN, with an attacker machine and a device that has yet to join the network.
With the following background knowledge (correct me if I'm wrong):
- The DHCP server (router) assigns an IP address to a new device without checking its ARP cache table to see whether an IP-address-to-MAC entry is already present for it.
- The router and the device would each send a gratuitous ARP broadcast packet for the assigned IP address to verify whether it's already in use.
- The router updates its IP-MAC binding according to ARP messages (before an entry for a particular IP address exists in the ARP cache).
With this information in mind, I have thought of the following scenario:
- The attacker machine floods the router with ARP packets to spoof the IP-MAC mapping for all the IP addresses in the subnet so that they are linked to the attacker's MAC address. The router would drop all the packets for which there is already an IP-MAC entry in the cache, but would likely accept those that are not present.
- When a new device connects to the network, it will receive an offer for an IP address from the DHCP server (router). Before the router actually offers an IP address, it will send a gratuitous ARP broadcast packet to verify if it actually exists. If the IP address happens to be one that has been poisoned in the ARP cache of the router, the ARP packet would be sent to the attacker machine, where it could just simply drop it, tricking the router that this IP address is not in use. The same could be done for the device verification process.
Consequently, from the view of the router, the IP address of the victim device would be linked to the MAC address of the attacker machine.
Consequences
- Even though my initial thought was that all inbound traffic travelling back to the new device would be redirected to the attacker instead, I realised that the initial packet sent from the victim device to the router gateway would be rejected.
- Due to the IP-MAC binding rules on the router, the source IP address would be linked to the attacker's MAC address instead of the victim's actual one, causing it to be dropped by the router.
- This would cause a denial-of-service situation for the victim device instead.
- The DoS situation could in turn serve as a precursor social-engineering tactic for other attacks such as evil twin.
Are there any points I am missing, or other security features that could prevent this? Also, how likely is this attack scenario going to work?
Resources:
IP-MAC binding (TP-LINK firewall configuration): https://www.tp-link.com/us/configuration-guides/configuring_firewall/?configurationId=18571#anti_arp_spoofing_2_1
Evil twin attack: https://usa.kaspersky.com/resource-center/preemptive-safety/evil-twin-attacks
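As an added illustration following the question (this is not code from the original post), the Python model below encodes the three assumptions the question lists and plays the scenario through twice: once with the binding table learned from ARP, as the question assumes, and once with the binding derived from the DHCP lease instead (an alternative design, included for contrast). All addresses, MACs and the Router class are constructed; whether any particular router behaves like either variant is an assumption that has to be checked against its firmware.

```python
"""Toy model of the router behaviour the question assumes.

Added illustration, not code from the original post. The addresses, MACs
and the Router class are constructed. Router encodes the question's three
assumptions: DHCP allocation does not consult the ARP cache for a free IP,
the address-in-use probe is answered by whoever the ARP cache says owns
the IP, and unsolicited ARP is learned only for IPs with no cache entry.
Real firmware may differ; this only shows what follows *if* those hold.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict

SUBNET = ipaddress.ip_network("192.168.0.0/29")   # small pool: .1 to .6 usable
ROUTER_IP, ROUTER_MAC = "192.168.0.1", "aa:aa:aa:aa:aa:01"
ATTACKER_MAC = "bb:bb:bb:bb:bb:02"
VICTIM_MAC = "cc:cc:cc:cc:cc:03"

# A LAN host is modelled by how it answers an address-in-use probe sent to its MAC.
Probe = Callable[[str], bool]


@dataclass
class Router:
    bind_from_dhcp: bool                      # False = asker's model, True = alternative
    arp_cache: Dict[str, str] = field(default_factory=dict)   # ip -> mac
    binding: Dict[str, str] = field(default_factory=dict)     # enforced ip -> mac
    leases: Dict[str, str] = field(default_factory=dict)      # ip -> client mac

    def on_arp(self, ip: str, mac: str) -> bool:
        """Unsolicited ARP: accepted only when the IP is not cached yet (assumption)."""
        if ip in self.arp_cache:
            return False
        self.arp_cache[ip] = mac
        if not self.bind_from_dhcp:
            self.binding[ip] = mac     # binding table follows ARP learning (assumption)
        return True

    def in_use(self, ip: str, hosts: Dict[str, Probe]) -> bool:
        """The probe goes to the MAC the cache maps the IP to; no entry means 'free'."""
        mac = self.arp_cache.get(ip)
        return mac is not None and hosts[mac](ip)

    def dhcp_offer(self, client_mac: str, hosts: Dict[str, Probe]) -> str:
        """Hand out the first pool address that the probe reports as unused."""
        for cand in SUBNET.hosts():
            ip = str(cand)
            if ip == ROUTER_IP or ip in self.leases:
                continue
            if not self.in_use(ip, hosts):
                self.leases[ip] = client_mac
                if self.bind_from_dhcp:
                    # Alternative design: binding and cache entry come from the
                    # lease and override anything learned from ARP beforehand.
                    self.binding[ip] = self.arp_cache[ip] = client_mac
                return ip
        raise RuntimeError("pool exhausted")

    def accepts(self, src_ip: str, src_mac: str) -> bool:
        """IP-MAC binding check applied to a frame arriving from the LAN."""
        bound = self.binding.get(src_ip)
        return bound is None or bound == src_mac


def run_scenario(bind_from_dhcp: bool) -> Dict[str, object]:
    r = Router(bind_from_dhcp)
    r.arp_cache[ROUTER_IP] = ROUTER_MAC
    r.binding[ROUTER_IP] = ROUTER_MAC
    # Attacker floods ARP claiming every pool address; existing entries survive.
    poisoned = [str(h) for h in SUBNET.hosts() if r.on_arp(str(h), ATTACKER_MAC)]
    hosts = {
        ATTACKER_MAC: lambda ip: False,   # silently drops the in-use probe
        VICTIM_MAC: lambda ip: True,
        ROUTER_MAC: lambda ip: True,
    }
    victim_ip = r.dhcp_offer(VICTIM_MAC, hosts)
    return {
        "poisoned": poisoned,
        "victim_ip": victim_ip,
        "victim_traffic_accepted": r.accepts(victim_ip, VICTIM_MAC),
        "attacker_traffic_accepted": r.accepts(victim_ip, ATTACKER_MAC),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("binding derived from DHCP lease:", mode, run_scenario(mode))
```

Under the question's assumptions (first run) the new device is offered a poisoned address, its own frames fail the binding check and the attacker's pass, which is the DoS the question describes. In the second run the binding is tied to the lease, so the poisoned ARP entries never become enforced bindings and the victim's traffic is accepted; that is the property any real router would have to be checked for before assuming the attack works.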