ARP spoofing: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Undid revision 169553216 by 67.15.229.16 (talk)
Line 34: Line 34:


== External links ==
== External links ==
*[http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php How To Use Colasoft Capsa Troubleshoot ARP Spoofing Attacks]
*[http://www.colasoft.com/ How To Use Colasoft Capsa Troubleshoot ARP Spoofing Attacks]
*[http://www.arcai.com NetCut - Admin Network with ARP protocol]
*[http://www.arcai.com NetCut - Admin Network with ARP protocol]
*[http://www.oxid.it/downloads/apr-intro.swf Introduction to APR (Arp Poison Routing) by MAO]
*[http://www.oxid.it/downloads/apr-intro.swf Introduction to APR (Arp Poison Routing) by MAO]
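Review bot: On the Colasoft entry, the only line that differs between the two sides, the label and its target can disagree. One side links to http://www.colasoft.com/capsa/troubleshoot_arp_attacks.php and the other to the bare http://www.colasoft.com/, yet both carry the label "How To Use Colasoft Capsa Troubleshoot ARP Spoofing Attacks". A label that names a specific how-to should resolve to that document, so either keep the deep link or rename the label to match the home page. The edit summary "Undid revision 169553216" gives no reason for the change; state one so later editors can judge whether the link belongs in the list at all.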

Revision as of 15:21, 6 November 2007

A typical Ethernet frame. A spoofed frame could have false source MAC addresses to trick devices on the network.

ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack).

The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial of service attack against a victim by associating a nonexistent MAC address with the IP address of the victim's default gateway.

ARP spoofing attacks can be run from a compromised host, a Jack Box, or a hacker's machine that is connected directly onto the target Ethernet segment.

Defenses

The only method of completely preventing ARP spoofing is the use of static, non-changing ARP entries (each entry maps a MAC address to corresponding IP address). However, this is not practical on a large network, due to the large overhead of keeping ARP tables up to date. Therefore another method, such as DHCP Snooping, can be utilised on larger networks. Via DHCP, the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, Extreme Networks and Allied Telesis.

Detection is another avenue for defending against ARP spoofing. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes.

Checking for the existence of MAC address cloning may also provide a clue as to the presence of ARP spoofing, though there are legitimate uses of MAC address cloning. Reverse ARP (RARP) is a protocol used to query a MAC address for its associated IP address(es). If more than one IP address is returned, MAC cloning is present.
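The two detection ideas above (an ARP entry that changes, and one MAC address answering for more than one IP address) can be sketched as a passive watcher over ARP message bodies. This is an added example, not Arpwatch's code or part of the original article; it observes ARP traffic rather than issuing RARP queries, and the class name, alert labels and sample addresses are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 body for Ethernet/IPv4, 28 bytes

def parse_arp(payload):
    """Return (sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, _op, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)

class ArpWatcher:
    """Tracks IP->MAC bindings seen in ARP traffic and reports anomalies."""
    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None or parsed[1] == "0.0.0.0":  # malformed, or ARP probe
            return []
        mac, ip = parsed
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:  # the change arpwatch mails about
            alerts.append(("changed", ip, old, mac))
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:  # a clue only: can be legitimate
            alerts.append(("multi-ip", mac, sorted(self.mac_to_ips[mac])))
        return alerts

def make_arp(mac, ip, oper=2):
    """Build a constructed ARP reply body for the demo (not captured traffic)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(mac.replace(":", "")), socket.inet_aton(ip),
                       b"\x00" * 6, socket.inet_aton("192.0.2.10"))

def demo():
    w = ArpWatcher()
    frames = [make_arp("00:00:5e:00:53:01", "192.0.2.1"),   # gateway
              make_arp("00:00:5e:00:53:20", "192.0.2.20"),  # ordinary host
              make_arp("00:00:5e:00:53:20", "192.0.2.1")]   # host claims gateway IP
    return [a for f in frames for a in w.observe(f)]
```

The third constructed frame produces both alerts: the gateway's IP address moves to a new MAC address, and that MAC address now answers for two IP addresses.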

Legitimate usage

ARP spoofing can also be used for benevolent reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network.

Another legitimate implementation of ARP spoofing is used in hotels to allow traveling laptop users to access the Internet from their room, using a device known as a head end processor (HEP), regardless of their IP address.

History

One of the earliest articles on ARP spoofing was written by Yuri Volobuev in "ARP and ICMP redirection games".

ARP Spoofing Tools

Arpspoof (part of the DSniff suite of tools), Arpoison, and Ettercap are some of the tools that can be used to carry out ARP poisoning attacks.

See also