How Arp Spoofing Attacks A Network - D-Link DGS-3200 SERIES Cli Manual

How ARP Spoofing Attacks a Network

ARP spoofing, also known as ARP poisoning, is a method to attack an Ethernet network which may allow an attacker to
sniff data frames on a LAN, modify the traffic, or stop the traffic altogether (known as a Denial of Service – DoS attack).
The principle of ARP spoofing is to send the fake, or spoofed ARP messages to an Ethernet network. Generally, the
aim is to associate the attacker's or random MAC address with the IP address of another node (such as the default
gateway). Any traffic meant for that IP address would be mistakenly re-directed to the node specified by the attacker.
IP spoofing attack is caused by Gratuitous ARP that occurs when a host sends an ARP request to resolve its own IP
address. Figure-4 shows a hacker within a LAN to initiate ARP spoofing attack.
Figure-4
In the Gratuitous ARP packet, the "Sender protocol address" and "Target protocol address" are filled with the same
source IP address itself. The "Sender H/W Address" and "Target H/W address" are filled with the same source MAC
address itself. The destination MAC address is the Ethernet broadcast address (FF-FF-FF-FF-FF-FF). All nodes within
the network will immediately update their own ARP table in accordance with the sender's MAC and IP address. The
format of Gratuitous ARP is shown in the following table.
Table-5
Ethernet Header
Destination Source
address address
(6-byte) (6-byte)
FF-FF-FF-FF-FF-FF 00-20-5C-01-11-11
DGS-3200 Series Layer 2 Gigabit Managed Switch CLI Manual
Ethernet H/W type Protocol
type type
(2-byte) (2-byte) (2-byte)
806
H/W Protocol Operation
address address
length length
(1-byte) (1-byte) (2-byte)
ARP reply
439
Sender H/W Sender Target H/W
address protocol address
address
(6-byte) (4-byte) (6-byte)
00-20-5C-01-11-11 10.10.10.254 00-20-5C-01-11-11
Target
protocol
address
(4-byte)
10.10.10.254