-: Address Resolution Protocol (ARP) Attacks :-
What Does ARP Mean?
Address Resolution Protocol (ARP) is a stateless protocol that was designed to map Internet Protocol (IP) addresses to their associated Media Access Control (MAC) addresses. By mapping a 32-bit IP address to the associated
48-bit MAC address of an attached Ethernet device, communication between local nodes can take place.
On a majority of operating systems, such as Linux, FreeBSD
and other UNIX-based operating systems, and even including
Windows, the "arp" program is present. This program can be
used to display and/or modify ARP cache entries.
An example of the "arp" utility's output would look like the following:
> arp -a
Interface: 192.168.1.100 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.1.1           00-13-10-23-9a-53     dynamic
$ arp -na
? (192.168.1.1) at 00:90:B1:DC:F8:C0 [ether] on eth0
$ arp -na
? (192.168.1.1) at 00:00:0c:3e:4d:49 on bge0
How Does ARP Work?
Specifically for Internet Protocol Version 4 (IPv4), ARP
maps IP addresses between the Network layer and Data Link
layer of the Open System Interconnection (OSI) model.
For a more complete and thorough explanation of how address
resolution works, and protocol specifics, please consult RFC 826.
ARP Protocol Flaws :-
ARP's main flaw is in its cache. Because a node will both add
new entries and update existing entries from any ARP reply
it receives, forged replies can be used to rewrite the cache,
which results in ARP cache poisoning attacks.
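Since the flaw is that a cache will accept a reply it never asked for and let it overwrite an existing entry, the defensive check is to watch for exactly those two events. The following is an added example, not part of the original text: a minimal RFC 826 frame parser plus an arpwatch-style tracker run over constructed sample frames (the addresses reuse the ones from the arp output above; the rogue MAC 11:22:33:44:55:66 and the host MAC aa:bb:cc:dd:ee:ff are made up).

```python
import struct
def parse_arp(frame):
    """Parse an Ethernet/ARP frame laid out as in RFC 826; return None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # 0x0806 is the ARP EtherType
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": frame[6:12], "op": oper, "sha": frame[22:28],
            "spa": frame[28:32], "tha": frame[32:38], "tpa": frame[38:42]}

class ArpWatcher:
    """Learn IP->MAC bindings the way an unauthenticated ARP cache does, but report the symptoms of poisoning."""
    def __init__(self):
        self.bindings = {}      # IP bytes -> MAC bytes currently believed for that IP
        self.requested = set()  # IPs a request was seen for, so a reply is expected

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return []
        alerts, ip, mac = [], pkt["spa"], pkt["sha"]
        ip_s = ".".join(map(str, ip))
        if pkt["eth_src"] != mac:  # ARP sender field disagrees with the frame that carried it
            alerts.append(f"{ip_s}: frame src {pkt['eth_src'].hex(':')} != ARP sender {mac.hex(':')}")
        if pkt["op"] == 1:
            self.requested.add(pkt["tpa"])
        elif pkt["op"] == 2 and ip not in self.requested:  # nobody asked: the forged-reply symptom
            alerts.append(f"{ip_s}: unsolicited reply from {mac.hex(':')}")
        self.requested.discard(ip)
        if ip in self.bindings and self.bindings[ip] != mac:  # an existing entry is being overwritten
            alerts.append(f"{ip_s}: binding changed {self.bindings[ip].hex(':')} -> {mac.hex(':')}")
        self.bindings[ip] = mac  # a real cache would accept this update either way
        return alerts

def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Build a constructed sample frame (not captured traffic); requests go to the broadcast MAC."""
    eth_dst = b"\xff" * 6 if op == 1 else tha
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth_dst + (eth_src or sha) + b"\x08\x06" + arp

def demo():
    """Constructed sequence: a host resolves 192.168.1.1, then a forged reply claims that IP from another MAC."""
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 100])
    gw_mac, host_mac, rogue_mac = (bytes.fromhex(h) for h in ("001310239a53", "aabbccddeeff", "112233445566"))
    w = ArpWatcher()
    frames = [build_arp(1, host_mac, host_ip, b"\x00" * 6, gw_ip),  # who has 192.168.1.1?
              build_arp(2, gw_mac, gw_ip, host_mac, host_ip),       # legitimate answer
              build_arp(2, rogue_mac, gw_ip, host_mac, host_ip)]    # forged reply nobody requested
    return [w.observe(f) for f in frames]
```

The third frame is the one a poisoned cache would silently accept; the watcher reports it twice, once as unsolicited and once as a binding change.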
Terms & Definitions :-
ARP Cache Poisoning : Broadcasting forged ARP replies on a local network, in a
sense "fooling" nodes on the network. This is possible
because ARP has no authentication features, so a node
blindly accepts any request or reply it receives.
MAC Address Flooding : An ARP cache poisoning attack that is mainly used in
switched environments. By flooding a switch with fake MAC
addresses, the switch is overloaded. Because of this, it
broadcasts all network traffic to every connected node.
This outcome is referred to as "broadcast mode" because
all traffic passing through the switch is broadcast out,
as a hub would do. This then can result in sniffing all
The ARP Attacks :-
1] Connection Hijacking & Interception : Packet or connection hijacking and interception is the act
in which any connected client's connection is manipulated
in such a way that it becomes possible to take complete
control over it.
2] Connection Resetting : The name explains itself very well. When we reset
a client's connection, we cut their connection to
the system. This can be easily done using specially crafted
code. Luckily, we have wonderful software that was
made to aid us in doing so.
3] Man In The Middle : One of the more prominent ways of attacking another user in
order to hijack their traffic is by means of a Man In The
Middle (MITM) attack. Unlike the other attacks, a MITM is
more of a packet manipulation attack, which in the end
does result in packet redirection to the attacker: all
traffic will get sent to the attacker performing the MITM
attack. This attack, however, is specific. As opposed to MAC
Address Flooding or other attacks against a router/switch,
the MITM attack is against a victim, and can also be done
outside of a switched environment. This means an attack
can be executed against a person on the other side of the
4] Packet Sniffing : Sniffing on a Local Area Network (LAN) is quite easy if the
network is segmented via a hub rather than a switch. It is of course possible to sniff in a switched environment
by performing a MAC flood attack. As a result of the MAC flood, the switch will act as a hub
and allow the entire network to be sniffed. This gives you a
chance to use any sort of sniffing software available to you
against the network and gather packets.
5] Denial of Service : MAC Address Flooding can be
considered a Denial of Service attack. The main idea of the
MAC flood is to generate enough packet data to send toward
a switch that it is made to panic. This will
cause the switch to drop into broadcast mode and broadcast
all packet data. This, however, does not result in a crash or
in the service being dropped, but in the switch being overloaded.