ARP spoofing

From Wikipedia, the free encyclopedia

A typical Ethernet frame. A spoofed frame could have false source MAC addresses to trick devices on the network.

Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack).

The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

ARP Spoofing attacks can be run from a compromised host, a Jack Box, or a hacker's machine that is connected directly onto the target Ethernet segment.

[edit] Application

ARP is a Layer 2 protocol. ARP request is considered broadcast traffic, while legitimate ARP Replies are not. As such, it is not designed to allow for any ID validation on the transaction. While ARP Spoofing can occur in the course of ARP transactions, creating a race condition, the more common utilization is the distribution of unsolicited ARP responses which are cached by the clients creating the ARP Cache Poison scenario.

[edit] Defenses

The only method of completely preventing ARP spoofing is the use of static, non-changing ARP entries (each entry maps a MAC address to corresponding IP address). However, this is not practical on a large network, due to the large overhead of keeping ARP tables up to date. Therefore another method, such as DHCP snooping, can be utilised on larger networks. Via DHCP, the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, Extreme Networks and Allied Telesis.

Detection is another avenue for defending against ARP spoofing. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. Under Windows the GUI-driven software XArp v2 is available. It performs ARP packet inspection on a per network interface basis with configurable inspection filters and active verification modules.

Checking for the existence of MAC address cloning may also provide a clue as to the presence of ARP spoofing, though there are legitimate uses of MAC address cloning. Reverse ARP (RARP) is a protocol used to query the a MAC address for its associated IP address(es). If more than one IP address is returned, MAC cloning is present.

[edit] Legitimate usage

ARP spoofing can also be used for legitimate reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network.

Another legitimate implementation of ARP spoofing is used in hotels to allow traveling laptop users to access the Internet from their room, using a device known as a head end processor (HEP), regardless of their IP address.

ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over a defective server and transparently offer redundancy.

[edit] History

One of the earliest articles on ARP spoofing was written by Yuri Volobuev in ARP and ICMP redirection games

[edit] ARP Spoofing Tools

Arpspoof (part of the DSniff suite of tools), Arpoison, Cain and Abel, Ettercap, and netcut are some of the tools that can be used to carry out ARP poisoning attacks.

[edit] See also

• Ethernet
• Ettercap
• arping
• Arpwatch

[edit] External links

• Quick Detect ARP Poisoning/Spoofing Live Demo
• NetCut - Admin Network with ARP protocol
• Introduction to APR (Arp Poison Routing) by MAO
• ARPDefender - Hardware ARP Spoofing detection appliance
• GRC's Arp Poisoning Explanation
• XArp2 ARP spoofing detection tool performing packet inspection using active and passive methods
• AntiARP - Professional defence ARP spoof/poison/attack
• ARP Spoofing How to