-: Address Resolution Protocol (ARP) Attacks :-

What Does ARP Mean?

Address Resolution Protocol (ARP) is a stateless protocol, was designed to map I
nternet Protocol addresses (IP) to their associated Media Access Control (MAC) a
ddresses. This being said, by mapping a 32 bit IP address to an associated 48 bi
t MAC address via attached Ethernet devices, a communication between local nodes
can be made.
On a majority of operating systems, such as Linux, FreeBSD, and other UNIX based
operating systems, and even including Windows, the "arp" program is present. Th
is program can be used to display and/or modify ARP cache entries.
An example of the "arp" utility's output would look like the following:
Windows:
> arp -a
Interface: 192.168.1.100 .- 0x10003
Internet Address Physical Address Type
192.168.1.1 00-13-10-23-9a-53 dynamic
Linux:
$ arp -na
? (192.168.1.1) at 00:90:B1:DC:F8:C0 [ether] on eth0
FreeBSD:
$ arp -na
? (192.168.1.1) at 00:00:0c:3e:4d:49 on bge0

How ARP works?

Specifically for Internet Protocol Version 4 (IPv4), ARP maps IP addresses betwe
en the Network layer and Data Link layer of the Open System Interconnection (OSI
) model.
For a more complete and thorough explanation of how address resolution works, an
d protocol specifics, please consult RFC 826.

ARP Protocol Flaws :-

ARP's main flaw is in its cache. Knowing that it is possible for ARP to update e
xisting entries as well as add to the cache, this leads one to believe that forg
ed replies can be made, which result in ARP cache poisoning attacks.

Terms & Definitions :-

ARP Cache Poisoning : Broadcasting forged ARP replies on a local network. In a s
ense, "fooling" nodes on the network. This can be done because ARP lacks authent
ication features, thus blindly accepting any request and reply that is received
or sent.
MAC Address Flooding : An ARP cache poisoning attack that is mainly used in swit
ched environments. By flooding a switch with fake MAC addresses, a switch is ove
rloaded. Because of this, it broadcasts all network traffic to every connected n
ode. This outcome is referred to as "broadcast mode" because, all traffic passin
g through the switch is broadcasted out like a Hub would do. This then can resul
t in sniffing all network traffic.

The ARP Attacks :-

1] Connection Hijacking & Interception : Packet or connection hijacking and inte
rception is the act in which any connected client can be victimized into getting
their connection manipulated in a way that it is possible to take complete cont
rol over.
2] Connection Resetting : The name explains itself very well. When we are resett
ing a client's connection, we are cutting their connection to the system. This c
an be easily done using specially crafted code to do so. Luckily, we have wonder
ful software that was made to aid us in doing so.
3] Man In The Middle : One of the more prominent ways of attacking another user
in order to hijack their traffic, is by means of a Man In The Middle (MITM) atta
ck. Unlike the other attacks, a MITM is more a packet manipulation attack which
in the end however does result in packet redirection to the attacker . all traff
ic will get sent to the attacker doing the MITM attack. This attack however is s
pecific. As opposed to MAC Address Flooding or other attacks against a router/sw
itch, the MITM attack is against a victim, and also can be done outside of a swi
tched environment. Thus meaning, an attack can be executed against a person on t
he other side of the country.
4] Packet Sniffing : Sniffing on a Local Area Network (LAN) is quite easy if the
network is segmented via a hub, rather than a switch. It is of course possible
to sniff on a switched environment by performing a MAC flood attack. As a result
of the MAC flood, the switch will act as a hub, and allow the entire network to
be sniffed. This gives you a chance to use any sort of sniffing software availa
ble to you to use against the network, and gather packets.
5] Denial of Service : MAC Address Flooding can be considered a Denial of servic
e attack. The main idea of the MAC flood, is to generate enough packet data to s
end toward a switch, attempting to make it panic. This will cause the switch to
drop into broadcast mode and broadcast all packet data. This however did not res
ult in a crash, or the service to be dropped, but to be overloaded.