ARP spoofing is a type of hack that uses vulnerabilities in the Address Resolution Protocol to hijack, redirect, or spy on network data. It takes advantage of the way ARP translates IP addresses into Media Access Control (MAC) addresses.
Hackers need only access to one machine directly connected to the LAN to launch this attack. They send fake ARP responses to the default network gateway, altering its ARP table by linking their MAC address with their target's IP.
ARP Cache Poisoning
Address Resolution Protocol translates between addresses at the data link layer and network layer addresses, typically IP addresses. When devices need to connect, send out requests asking for their addresses. Suppose an ARP cache with their information exists nearby. In that case, they will respond with their MAC address allowing subsequent communications with that individual or device to reach its correct destination more quickly. Attackers can take advantage of this by flooding ARP tables with false replies (ARP poisoning or spoofing).
ARP Spoofing Attacks Are Possible Due to the Weakness of the ARP Protocol by default; it lacks security features that allow hackers to manipulate communication between machines on local networks. Attackers use ARP Spoofing as an entryway into organization networks for various attacks, such as Man-in-the-Middle attacks, host impersonation, or Denial of Service attacks.
An ARP attack requires creating a list of MAC and IP addresses that correspond to those belonging to their target, then using an ARP spoofing tool such as Arpspoof or Cain & Abel to scan their target's local network for hosts with matching MAC/IP combinations, sending large volumes of fake ARP requests which overload its switches causing their forwarding functions to stop working correctly and interrupt its forwarding functions altogether.
Once an ARP table of one or more machines has been falsified with fake entries, all traffic from those machines will go through an attacker's computer and may be modified or diverted from its intended destination. An attacker could inspect or change this traffic before redirecting it so it never reaches its original target.
Man-in-the-Middle Attacks
Man-in-the-middle attacks are cyber-attacks in which an attacker inserts themselves between two victims to intercept communications, impersonate the application used by one or both, or steal sensitive information from both. While man-in-the-middle attackers could be controlled by individuals or groups acting illicitly, more commonly, they are controlled by software controlled by them and often used to gain passwords, bank account details, or any personal details for use against one or both victims.
Devices on local networks communicate using physical hardware addresses called MAC (Media Access Control) addresses. Each MAC address is a unique 48-bit number that identifies each device on a network card. Attackers can exploit this fact to spoof addresses by flooding a network with fake ARP replies containing falsified addresses that allow hackers to pose as the router when requested MAC addresses are asked; then, any data packets going towards those requested addresses can be intercepted before reaching their destinations.
An attacker can utilize ARP spoofing to gain entry to a network by redirecting connections from connected devices to their own. For instance, they could create a website that looks like that of your bank and wait until you enter your password into its official website - using one of the various spoofing techniques mentioned here, they could decipher it using one of these tactics.
Spoof DNS servers using DHCP (Dynamic Host Configuration Protocol). In this approach, an attacker sets up a DHCP (Dynamic Host Configuration Protocol) server on their LAN and replaces your default gateway and DNS servers with their versions - giving them control of any web requests you make that try to reach genuine websites or applications that you are trying to reach.
Using a fraudulent public key, an attacker can perform a man-in-the-middle attack against secure encrypted communications. First, they intercept a message from one of your colleagues that contains their public key; they then intercept any subsequent replies enciphered using that public key and re-encrypt them with another key of their own; finally, they send this enciphered reply to your colleague who thinks it came from you due to having your public key!
Denial-of-Service Attacks
Attacks involving ARP spoofing can overwhelm devices with packets they cannot process, temporarily rendering the victim device unavailable. Because IP sender addresses may have been falsified during such attacks, attackers may use multiple attack machines simultaneously to generate large volumes of attacks that become difficult for defence mechanisms to stop.
Other ARP attack methods involve sending an endless stream of malfunctioned or malicious pings to a network device, rendering it completely inoperable. Teardrop attacks take advantage of flaws in how older operating systems (OSes) handle fragmented IP packets; for instance, teardrop attacks exploit older OSes' failure to correctly specify fragment offsets within ARP packets to force receiver hosts to reassemble incorrect fragment data and provide responses larger than its maximum packet size (65535 bytes over Ethernet).
Modern security technologies can defend against most denial-of-service (DoS) attacks; however, specific attacks rely on bugs in the targeted system to generate buffer overflows that destabilize or even crash it.
Countermeasures
Organizations should take multiple measures against attacks rather than relying on one solution as the only answer. While this requires time and culture change in an organization, this also tests employees' wits while teaching them to be more analytical when doing their work.
Utilize up-to-date anti-virus and anti-Trojan software to secure your network hardware and protocols to avoid data eavesdropping or modification between two devices. Use firewall rules and egress filtering to block traffic from suspicious IP addresses while using DHCP snooping bindings to check the source of packets entering the network - any coming from suspicious addresses will be denied entry.
Monitor network traffic closely to detect and respond swiftly to attacks by monitoring its traffic flow. This requires analyzing network packet header information to establish an average packet rate across an entire flow. Change-point detection isolates changes in network statistics; activity profiling measures typical activity levels of network flows; and wavelet analysis provides insights into an input signal regarding spectral components.
Another way to protect against spoofing attacks is implementing DNS filtering in routers to deny traffic from reflecting servers and enable firewalls to filter out return packets from reflection attacks.
Networks can thwart DDoS attacks by employing egress filtering that scans all packets leaving their network for any suspicious IP addresses or signs of attack. They stop those packets before they reach servers and complete TCP three-way handshake.
