TP-Link T1700X-16TS User Manual page 214

Suppose there are three Hosts in LAN connected with one another through a switch.
Host A: IP address is 192.168.0.101; MAC address is 00-00-00-11-11-11.
Host B: IP address is 192.168.0.102; MAC address is 00-00-00-22-22-22.
Attacker: IP address is 192.168.0.103; MAC address is 00-00-00-33-33-33.
1. First, the attacker sends the false ARP response packets.
2. Upon receiving the ARP response packets, Host A and Host B updates the ARP table of their
own.
3. When Host A communicates with Host B, it will send the packets to the false destination MAC
address, i.e. to the attacker, according to the updated ARP table.
4. After receiving the communication packets between Host A and Host B, the attacker
processes and forwards the packets to the correct destination MAC address, which makes
Host A and Host B keep a normal-appearing communication.
5. The attacker continuously sends the false ARP packets to the Host A and Host B so as to
make the Hosts always maintain the wrong ARP table.
In the view of Host A and Host B, their packets are directly sent to each other. But in fact, there is a
Man-In-The-Middle stolen the packets information during the communication procedure. This kind
of ARP attack is called Man-In-The-Middle attack.
ARP Flooding Attack

The attacker broadcasts a mass of various fake ARP packets in a network segment to occupy the
network bandwidth viciously, which results in a dramatic slowdown of network speed. Meantime,
the Gateway learns the false IP address-to-MAC address mapping entries from these ARP
packets and updates its ARP table. As a result, the ARP table is fully occupied by the false entries
and unable to learn the ARP entries of legal Hosts, which causes that the legal Hosts cannot
access the external network.
Figure 12-14 Man-In-The-Middle Attack
202