
Comment Re:FTFA... (Score 1) 73

If the ARP data is being falsified, visitors to the site could be directed to an alternate clone server, hosting pages with content the same as the original server but also including malicious code. If this is the case then the actual webserver has not been compromised, but users are still being exposed to the malicious code through the cloned server.

For example:

Say the webserver of the victim site has a public IP of (1.1.1.1), and a MAC address of (11:11:11:11:11:11). Its home page is (index.html).

The victim site's ISP decides to perform an ARP attack. They set up a server which hosts a clone of the victim site. This server has a MAC address of (22:22:22:22:22:22). However, they modify (index.html) to include malicious code.

The ISP sets up their managed switch so that instead of mapping (1.1.1.1) to (11:11:11:11:11:11), which would be correct, they map (1.1.1.1) to (22:22:22:22:22:22). Now, when users try to visit (1.1.1.1), they will visit the cloned server instead of the original server, and be exposed to the malicious code on the modified (index.html), even though the original server has not been compromised.
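Added example, not part of the original comment: a defender-side check that compares ARP cache snapshots against a pinned IP-to-MAC binding and flags the change the scenario above describes. It assumes Linux `arp -an` style output collected on a host in the same broadcast domain as the web server; the snapshots, the gateway entry and the `PINNED` baseline are constructed for illustration.

```python
import re

# Matches complete entries in Linux `arp -an` output, e.g.
# "? (1.1.1.1) at 11:11:11:11:11:11 [ether] on eth0"
ARP_LINE = re.compile(
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Assumed baseline: bindings recorded while the network was known good.
PINNED = {"1.1.1.1": "11:11:11:11:11:11"}

def parse_arp(text):
    """Return {ip: mac} from `arp -an` style text, skipping incomplete entries."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def check_snapshot(text, pinned=PINNED):
    """Compare one ARP snapshot with the pinned bindings and return alerts."""
    table = parse_arp(text)
    alerts = []
    for ip, expected in pinned.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            alerts.append(("binding-changed", ip, expected.lower(), seen))
    # One MAC answering for several IPs is also worth investigating.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-shared", mac, sorted(ips)))
    return alerts

# Constructed snapshots: before and after the mapping is falsified.
GOOD = """? (1.1.1.1) at 11:11:11:11:11:11 [ether] on eth0
? (1.1.1.254) at 33:33:33:33:33:33 [ether] on eth0
? (1.1.1.7) at <incomplete> on eth0"""

SPOOFED = """? (1.1.1.1) at 22:22:22:22:22:22 [ether] on eth0
? (1.1.1.254) at 33:33:33:33:33:33 [ether] on eth0"""

if __name__ == "__main__":
    for name, snap in (("good", GOOD), ("spoofed", SPOOFED)):
        print(name, check_snapshot(snap))
```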
