Thread: Address Resolution Protocol (ARP) Attacks

  1. #1 prashant_uniyal (Security Analyst)

    Address Resolution Protocol (ARP) Attacks



    What Does ARP Mean?
    Address Resolution Protocol (ARP) is a stateless protocol that was designed to map Internet Protocol (IP) addresses to their associated Media Access Control (MAC) addresses. That said, by mapping a 32-bit IP address to an associated 48-bit MAC address via attached Ethernet devices, communication between local nodes can be made.

    On a majority of operating systems, such as Linux, FreeBSD and other UNIX-based operating systems, and even including Windows, the "arp" program is present. This program can be used to display and/or modify ARP cache entries.

    An example of the "arp" utility's output would look like the following:

    Windows:
    > arp -a
    Interface: 192.168.1.100 --- 0x10003
    Internet Address Physical Address Type
    192.168.1.1 00-13-10-23-9a-53 dynamic

    Linux:
    $ arp -na
    ? (192.168.1.1) at 00:90:B1C:F8:C0 [ether] on eth0

    FreeBSD:
    $ arp -na
    ? (192.168.1.1) at 00:00:0c:3e:4d:49 on bge0

    How does ARP work?
    Specifically for Internet Protocol Version 4 (IPv4), ARP maps IP addresses between the Network layer and Data Link layer of the Open Systems Interconnection (OSI) model.
    For a more complete and thorough explanation of how address resolution works, and protocol specifics, please consult RFC 826.

    ARP Protocol Flaws
    ARP's main flaw is in its cache. Knowing that it is possible for ARP to update existing entries as well as add to the cache, this leads one to believe that forged replies can be made, which result in ARP cache poisoning attacks.

    Some terms:
    # ARP Cache Poisoning: Broadcasting forged ARP replies on a local network, in a sense "fooling" nodes on the network. This can be done because ARP lacks authentication features, thus blindly accepting any request and reply that is received or sent.

    # MAC Address Flooding: An ARP cache poisoning attack that is mainly used in switched environments. By flooding a switch with fake MAC addresses, the switch is overloaded. Because of this, it broadcasts all network traffic to every connected node. This outcome is referred to as "broadcast mode" because all traffic passing through the switch is broadcast out like a hub would do. This can then result in sniffing all network traffic.

    # Connection Hijacking & Interception: Packet or connection hijacking and interception is the act in which any connected client can be victimized into getting their connection manipulated in a way that makes it possible to take complete control over it.

    # Connection Resetting: The name explains itself very well. When we are resetting a client's connection, we are cutting their connection to the system. This can easily be done using specially crafted code. Luckily, we have wonderful software that was made to aid us in doing so.

    # Man In The Middle: One of the more prominent ways of attacking another user in order to hijack their traffic is by means of a Man In The Middle (MITM) attack. Unlike the other attacks, a MITM is more of a packet manipulation attack, which in the end does result in packet redirection to the attacker; all traffic will get sent to the attacker doing the MITM attack. This attack, however, is specific. As opposed to MAC Address Flooding or other attacks against a router/switch, the MITM attack is against a victim, and it can also be done outside of a switched environment. This means an attack can be executed against a person on the other side of the count

    # Packet Sniffing: Sniffing on a Local Area Network (LAN) is quite easy if the network is segmented via a hub rather than a switch. It is of course possible to sniff in a switched environment by performing a MAC flood attack. As a result of the MAC flood, the switch will act as a hub and allow the entire network to be sniffed. This gives you a chance to use any sort of sniffing software available to you against the network and gather packets.

    # Denial of Service: MAC Address Flooding can be considered a Denial of Service attack. The main idea of the MAC flood is to generate enough packet data to send toward a switch, attempting to make it panic. This will cause the switch to drop into broadcast mode and broadcast all packet data. This, however, does not result in a crash or the service being dropped, but in it being overloaded.
    The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison

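The cache behaviour the post above describes (ARP "blindly accepting any request and reply") can be shown in code. The following is an added Python example, not code from the original post or from any tool the thread mentions: it decodes raw Ethernet/IPv4 ARP frames following the RFC 826 layout, then feeds one genuine and one forged reply for the gateway (both constructed in memory as test input and never sent) to a cache that merges like a normal stack and to a hardened cache that pins the gateway entry, which is what a static entry (`arp -s`) does on a host. The gateway MAC 00:13:10:23:9a:53 comes from the Windows output in the post; the host and rogue MACs, the class names and the function names are assumptions.

```python
"""ARP frame parsing and the unauthenticated cache merge described in the post above."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame in memory (RFC 826 layout) as constructed test input."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha      # requests are broadcast
    ethernet = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return ethernet + arp


def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame into a dict, or return None if it is not one."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class NaiveArpCache:
    """RFC 826 merge rule as most stacks implement it: any reply overwrites the entry."""

    def __init__(self):
        self.table = {}

    def process(self, arp):
        self.table[arp["spa"]] = arp["sha"]


class PinnedArpCache:
    """Hardened variant (assumed design): pinned entries are never overwritten; conflicts are logged."""

    def __init__(self, static):
        self.table = dict(static)
        self.pinned = set(static)
        self.alerts = []

    def process(self, arp):
        ip, mac = arp["spa"], arp["sha"]
        if ip in self.pinned:
            if self.table[ip] != mac:
                self.alerts.append(f"{ip} claimed by {mac}, pinned to {self.table[ip]}")
            return
        self.table[ip] = mac


def run():
    """Feed one genuine and one forged reply for the gateway to both caches; return the outcome."""
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 100])
    gw_mac = bytes.fromhex("001310239a53")      # gateway MAC from the Windows arp -a output above
    host_mac = bytes.fromhex("000c29aabbcc")    # constructed
    rogue_mac = bytes.fromhex("000c29dead01")   # constructed
    frames = [
        build_arp_frame(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),     # genuine reply
        build_arp_frame(ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip),  # forged reply
    ]
    naive = NaiveArpCache()
    pinned = PinnedArpCache({"192.168.1.1": "00:13:10:23:9a:53"})
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["op"] == ARP_REPLY:
            naive.process(arp)
            pinned.process(arp)
    return {"naive": naive.table["192.168.1.1"],
            "pinned": pinned.table["192.168.1.1"],
            "alerts": pinned.alerts}


if __name__ == "__main__":
    print(run())
```

After both frames, the naive cache points 192.168.1.1 at the rogue MAC while the pinned cache still holds the real gateway and has logged the conflicting claim; that logged conflict is exactly the signal a defender wants to see.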

  3. #2 steve_ron (Garage Newcomer)
    Thanks Prashant, very informative.

  4. #3 prashant_uniyal (Security Analyst)
    Thanks for appreciating, sir.

  5. #4 g-man-rocks (Garage Newcomer)
    Wow! So much to learn. I'd better start at the beginning.

  6. #5 pr3dat0r (Garage Member)
    Nice post.

    Here are some countermeasures for ARP attacks. Try to create a switched network rather than a hub network.
    Use a switch instead of a hub if possible. A hub broadcasts, so that is an advantage for the attacker when he/she is using sniffers.
    By sniffing, the attacker gains information by analysing the packets travelling on the wire.
    The port security feature in a switch can be used to defeat ARP attacks. In this we use static ARP entries in the switch's Content Addressable Memory (CAM).
    be a R3b3l not a P3bbl3...

  7. #6 b0nd (Garage Hyper Addict)
    Agree with you, pr3dat0r. A switched environment is definitely better than a hub environment, both functionality-wise and security-wise.

    But ARP attacks can still be launched in a switched network, including sniffing. Moreover, hubs are hard to find in networks now; they are getting obsolete.
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  8. #7 pr3dat0r (Garage Member)
    Yes, ARP attacks can surely be launched in a switched network.
    Actually, sniffing can be classified into 2 types:
    1. Active sniffing
    2. Passive sniffing

    In passive sniffing the attacker doesn't need to do anything. He/she can just install a sniffer on his/her machine and analyse the packets on the wire. This happens in a hub environment, because hubs broadcast.
    So replacing them with a switch can only halt passive sniffing, not active sniffing.
    In active sniffing an attacker performs some action such as ARP spoofing, MAC flooding or MAC spoofing, etc. Only after performing one of these actions successfully can the attacker start sniffing.
    And regarding the hub environment, yes, they are becoming rare, but you can still find many places where they rule the network, like cafes, homes, small offices, colleges, schools, etc.

  9. #8 AnArKI (Super Administrator)
    ARP poisoning and then sniffing the traffic is deadly. Cain & Abel and Ettercap are the best examples to demonstrate this theory. No network is protected from sniffing.

  10. #9 pr3dat0r (Garage Member)
    The better countermeasure against sniffing would be the use of encryption.

  11. #10 mandi (Garage Newcomer)
    To protect our network from ARP poisoning and sniffing we can do the following:
    1) First, use a switch instead of a hub.
    2) Use a manageable switch like Cisco, because it is easy for you to connect the IDS on the trunk port of the switch.
    3) Also, Cisco switches are very hard to flood.
    4) Also install arpwatch on the servers to monitor any deviations or changes in the MAC table of the switch; you will get notified if any changes occur to the MAC table of the switch.
    5) Also have some tools (I forget the exact name) to detect NICs in promiscuous mode, because I had seen some tools written based on this mode to listen to or capture all the traffic from the wire. But as switches use micro-segmentation, it is tough for the attacker; still, this is an effective solution.

    @pr3dat0r
    I believe usage of encryption protocols like IPsec within the LAN will severely limit the function of various network security devices like NIDS, NIPS and firewalls unless you have some SSL-bridge filtering implemented on the network (which is unlikely in most networks).

    @prashant_uniyal
    Thanks for posting this, very helpful.
    Last edited by mandi; 12-23-2010 at 03:59 PM.
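mandi's point 4 (arpwatch-style monitoring of MAC changes), pr3dat0r's static-entry countermeasure in post #5 and the MAC Address Flooding term from post #1 all come down to the same defender-side logic: compare what is seen on the wire against what is expected. The following is an added Python example, not code from the thread or from arpwatch itself: it feeds constructed observation records (timestamp, switch port, source MAC, sender IP, as a sensor on a mirror or trunk port might log them) to a change detector checked against a static baseline, and to a per-port detector that flags an unusual number of distinct source MACs in a short window. The baseline file format, the port names, the thresholds and all MACs except the gateway's (taken from the Windows output in post #1) are assumptions.

```python
"""Defender-side ARP monitoring over constructed observation records (added example)."""
from collections import Counter, defaultdict, deque

# Constructed baseline; the 'ip mac' line format is an assumption, not arpwatch's own file format.
BASELINE = """
# pinned gateway entry (MAC from the Windows arp -a output in post #1)
192.168.1.1  00:13:10:23:9a:53
"""


def load_baseline(text):
    """Parse 'ip mac' lines into a dict, ignoring comments and blank lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()
        table[ip] = mac.lower()
    return table


class ArpMonitor:
    """Track IP->MAC bindings seen on the wire and raise alerts when they change."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.seen = {}      # ip -> last MAC observed claiming it
        self.alerts = []    # (ts, kind, ip, old_mac, new_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        expected = self.baseline.get(ip)
        # A pinned entry claimed by a different MAC is the classic poisoning signature.
        if expected is not None and mac != expected:
            self.alerts.append((ts, "baseline-mismatch", ip, expected, mac))
        prev = self.seen.get(ip)
        if prev is None:
            self.alerts.append((ts, "new-station", ip, None, mac))
        elif prev != mac:
            self.alerts.append((ts, "changed-ethernet-address", ip, prev, mac))
        self.seen[ip] = mac


class FloodDetector:
    """Flag a port sourcing more than `limit` distinct MACs within `window` seconds."""

    def __init__(self, limit=20, window=5.0):
        self.limit = limit
        self.window = window
        self.events = defaultdict(deque)   # port -> deque of (ts, mac) inside the window
        self.alerts = []                   # (ts, port, distinct_mac_count)

    def observe(self, ts, port, mac):
        q = self.events[port]
        q.append((ts, mac.lower()))
        while q and ts - q[0][0] > self.window:   # drop events older than the window
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) > self.limit:
            self.alerts.append((ts, port, len(distinct)))


def constructed_observations():
    """Sample sensor records: two normal stations, one forged gateway claim, then a MAC burst."""
    obs = [
        (0.0, "Gi0/1", "00:13:10:23:9a:53", "192.168.1.1"),    # genuine gateway
        (0.5, "Gi0/2", "00:0c:29:aa:bb:cc", "192.168.1.100"),  # ordinary host (constructed MAC)
        (1.0, "Gi0/7", "00:0c:29:de:ad:01", "192.168.1.1"),    # a different MAC claims the gateway IP
    ]
    for i in range(30):  # 30 distinct source MACs from one port within 0.3 s
        obs.append((2.0 + i * 0.01, "Gi0/7", f"02:00:00:00:00:{i:02x}", f"10.0.0.{i + 1}"))
    return obs


def run(observations=None):
    """Feed records to both detectors; return alert counts by kind plus the raw alerts."""
    if observations is None:
        observations = constructed_observations()
    monitor = ArpMonitor(load_baseline(BASELINE))
    flood = FloodDetector(limit=20, window=5.0)
    for ts, port, mac, ip in observations:
        monitor.observe(ts, ip, mac)
        flood.observe(ts, port, mac)
    kinds = Counter(kind for _, kind, *_ in monitor.alerts)
    return {"kinds": dict(kinds), "arp_alerts": monitor.alerts, "flood_alerts": flood.alerts}


if __name__ == "__main__":
    result = run()
    for alert in result["arp_alerts"]:
        if alert[1] != "new-station":
            print("ARP:", alert)
    print("flood alerts on ports", sorted({a[1] for a in result["flood_alerts"]}))
```

On the constructed input the monitor reports one baseline mismatch and one changed address for 192.168.1.1 (both at the forged claim), and the flood detector starts alerting on port Gi0/7 once the 21st distinct MAC appears inside the window. In practice the "new-station" alerts are the noisy class; the baseline and changed-address alerts are the ones worth paging on.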
