ARP spoofing
From Wikipedia, the free encyclopedia
ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a switched local area network (LAN) or stop the traffic altogether (known as a denial of service attack).
The principle of ARP spoofing is to send fake, or 'spoofed', ARP messages to an Ethernet LAN. These frames contain false MAC addresses, confusing network devices, such as network switches. As a result frames intended for one machine can be mistakenly sent to another (allowing the packets to be sniffed) or an unreachable host (a denial of service attack). ARP spoofing can also be used in a man-in-the-middle attack in which all traffic is forwarded through a host with the use of ARP spoofing and analyzed for passwords and other information.
Using static ARP records can be effective methods of defence against ARP spoofing attacks. There are also certain tools available that watch the local ARP cache and report to the administrator if anything unusual happens.
[edit] Legitimate usage
ARP spoofing can also be used for legitimate reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. PacketFence is one product that uses ARP spoofing for this purpose.
[edit] External links
- NetCut - Admin Network with ARP protocol
- Introduction to APR (Arp Poison Routing) by MAO
- GRC's Arp Poisoning Explanation
- Sniffing in a Switched Network
- XArp - Spoofing detection software
