How Arp Spoofing Attacks A Network - D-Link xStack User Manual

xStack

How ARP Spoofing Attacks a Network

ARP spoofing, also known as ARP poisoning, is a method to attack an Ethernet network which may allow an attacker to sniff data
frames on a LAN, modify the traffic, or stop the traffic altogether (known as a Denial of Service – DoS attack). The principle of
ARP spoofing is to send the fake, or spoofed ARP messages to an Ethernet network. Generally, the aim is to associate the
attacker's or random MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP
address would be mistakenly re-directed to the node specified by the attacker.
IP spoofing attack is caused by Gratuitous ARP that occurs when a host sends an ARP request to resolve its own IP address.
Figure-4 shows a hacker within a LAN to initiate ARP spoofing attack.
Figure 4
In the Gratuitous ARP packet, the "Sender protocol address" and "Target protocol address" are filled with the same source IP
address itself. The "Sender H/W Address" and "Target H/W address" are filled with the same source MAC address itself. The
destination MAC address is the Ethernet broadcast address (FF-FF-FF-FF-FF-FF). All nodes within the network will immediately
update their own ARP table in accordance with the sender's MAC and IP address. The format of Gratuitous ARP is shown in the
.
following table
Table 5
Ethernet Header
Destination Source
Address Address
(6-byte) (6-byte)
FF-FF-FF-FF-FF-FF 00-20-5C-01-11-11
A common DoS attack today can be done by associating a nonexistent or any specified MAC address to the IP address of the
network's default gateway. The malicious attacker only needs to broadcast one Gratuitous ARP to the network claiming it is the
gateway so that the whole network operation will be turned down as all packets to the Internet will be directed to the wrong node.
Likewise, the attacker can either choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data
before forwarding it (man-in-the-middle attack). The hacker cheats the victim PC that it is a router and cheats the router that it is
the victim. As can be seen in Figure 5 all traffic will be then sniffed by the hacker but the users will not discover.
®
DGS-3400 Series Layer 2 Gigabit Ethernet Managed Switch
Ethernet H/W Type Protocol
Type Type
(2-byte) (2-byte) (2-byte)
0806
Gratuitous ARP
H/W Protocol Operation
Address Address
Length Length
(1-byte) (1-byte) (2-byte)
ARP relay
325
Sender H/W Sender Target H/W
Address Protocol
Address
(6-byte) (4-byte) (6-byte)
00-20-5C-01-11-11 10.10.10.254 00-20-5C-01-11-11
Target
Address Protocol
Address
(4-byte)
10.10.10.254