ARP attack types | MAC Flooding, ARP spoofing, ARP poisoning

This page covers ARP basics and the ARP attack types, viz. MAC flooding and ARP spoofing (also called ARP poisoning). It mentions prevention techniques against MAC flooding and ARP spoofing.

What is ARP (Address Resolution Protocol)?

ARP runs at layer 2, i.e. the data link layer of the OSI stack. It resolves an IP address to a MAC address (physical address). In order to use the internet, a device must have a unique MAC address. A companion protocol, RARP, performs the reverse conversion from a MAC address to an IP address.

How does the ARP protocol work?

(Figure: ARP working operation)

Let us understand the working of ARP with the example network shown in the figure. Suppose Host-A needs to communicate with Host-B. To do so, Host-A needs the MAC address of Host-B. Host-A first checks its ARP table to see whether the MAC address of Host-B (IP address 192.168.1.3) is already present. If it is, the two hosts can communicate directly. If it is not, Host-A broadcasts an "ARP request" message to all systems connected to the LAN. The ARP request carries 192.168.1.3 in its destination IP address field and all zeros in its destination MAC address field. The machine whose IP address matches the destination IP address in the received packet sends an "ARP response" back to Host-A. The ARP response carries the MAC address together with its corresponding IP address; in this case it carries the MAC address of Host-B for IP address 192.168.1.3. For more information on how ARP works, refer to the ARP packet structure and the actual contents of ARP request and response messages.

(Figure: ARP table)

The table above is referred to as the ARP table or CAM table. It contains the internet address (IP address) and physical address (MAC address) entries of all the connected systems. The table can be inspected by issuing the "arp -a" command at the command prompt.

ARP Attack types

Attackers can obtain details of a target system by way of network and system sniffing. Network sniffing is mainly of two types, viz. active sniffing and passive sniffing. In active sniffing, the attacker communicates directly with the target system by sending packets or requests to it. The ARP attack types, viz. MAC flooding and ARP spoofing (ARP poisoning), fall under the active sniffing category.

MAC Flooding

(Figure: MAC flooding 1)

The process of overloading the CAM table of a switch by sending a huge number of ARP replies to it is known as MAC flooding. When the switch's table is overloaded, the switch falls back to hub mode. In hub mode, the switch forwards traffic to all the computers connected to the network. As a result, the attacker is able to capture all the traffic using sniffing software.

(Figure: MAC flooding 2)

➨The "Macof" tool is used to fill the CAM table of the target switch within a few seconds. This is possible because the tool sends a huge number of MAC entries per minute. To do this, the "Macof" command is run in the terminal.
➨Once the CAM table is flooded, the Wireshark tool is used to capture the traffic in promiscuous mode.

ARP spoofing | ARP poisoning

(Figure: ARP spoofing / ARP poisoning)

This ARP attack type places the attacker in the middle of the communication link. This is achieved with the help of fake ARP replies.

As we know, ARP assumes that an ARP response comes from the right terminal, i.e. the one whose IP address matches the address contained in the ARP request message. Moreover, there is no way to validate that the ARP response was actually sent by the correct device. This design flaw in the ARP protocol is what attackers exploit.

In the ARP spoofing technique, the attacker sends a spoofed ARP response to a computer on the network so that it believes a certain IP address is associated with a certain MAC address. This lets the attacker poison the ARP cache (ARP table), which keeps track of IP-to-MAC mappings. Hence the technique is also known as ARP poisoning.

The figure depicts how the attacker captures traffic flowing between Bob and Alice. To carry out ARP spoofing, the attacker sends two ARP responses, one to Bob and the other to Alice.
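As an added example that is not part of the original article, the following Python code parses the ARP request/response frames described in the "How does the ARP protocol work?" section and implements the defender's check that the design flaw above calls for: it records the first MAC address learned for each IP from ARP replies and raises an alert when a later reply claims a different MAC for the same IP, which is the symptom of ARP poisoning. The MAC addresses, Host-A's IP address (192.168.1.2) and the frames themselves are constructed sample data; only Host-B's address 192.168.1.3 comes from the article.

```python
import struct
from ipaddress import ip_address

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode: 1 = request, 2 = reply

def parse_arp(frame: bytes):
    """Parse an Ethernet frame carrying ARP; return (opcode, sender_mac, sender_ip) or None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    # ARP header: hw type, proto type, hw addr len, proto addr len, opcode
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:          # only Ethernet/IPv4 ARP is handled here
        return None
    sha, spa = frame[22:28], frame[28:32]   # sender hardware / protocol address
    return op, sha.hex(":"), str(ip_address(spa))

class ArpWatch:
    """Learn IP->MAC bindings from ARP replies and flag bindings that change."""
    def __init__(self):
        self.table = {}     # ip -> MAC first seen for that ip
        self.alerts = []    # (ip, known_mac, claimed_mac)

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, mac, ip = parsed
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:          # a second MAC claiming the same IP
            self.alerts.append((ip, known, mac))

def make_reply(sender_mac: bytes, sender_ip: str, target_mac: bytes, target_ip: str) -> bytes:
    """Build an Ethernet+ARP reply frame (constructed sample input for the demo)."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += sender_mac + ip_address(sender_ip).packed + target_mac + ip_address(target_ip).packed
    return eth + arp

# Constructed MACs: Host-A, Host-B and a rogue host (hypothetical values)
HOST_A, HOST_B = bytes.fromhex("aabbcc000001"), bytes.fromhex("aabbcc000002")
ROGUE = bytes.fromhex("deadbeef0001")

def run_demo():
    w = ArpWatch()
    w.observe(make_reply(HOST_B, "192.168.1.3", HOST_A, "192.168.1.2"))  # genuine reply from Host-B
    w.observe(make_reply(ROGUE, "192.168.1.3", HOST_A, "192.168.1.2"))   # spoofed reply for the same IP
    return w.alerts

if __name__ == "__main__":
    print(run_demo())  # prints [('192.168.1.3', 'aa:bb:cc:00:00:02', 'de:ad:be:ef:00:01')]
```

In a real deployment the frames would come from a raw socket or a pcap file rather than from make_reply; a static ARP entry for the gateway, or switch features such as Dynamic ARP Inspection, stops the poisoned binding from being accepted in the first place.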
