ARP Spoofing and ARP Poisoning


ARP poisoning is a network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient.

  • common means of perpetrating an on-path attack
  • how it works
    • broadcasting unsolicited ARP reply packets, aka gratuitous ARP replies
      • with a source address that spoofs a legitimate host or router interface
    • ARP has no authentication, so all devices in the same broadcast domain trust this
      • update their MAC:IP cache table with the spoofed mapping
    • ARP cache is now poisoned
    • threat actor broadcasts endless ARP replies, overwhelming the legitimate interface
  • usual target is subnet’s default gateway
    • if attack is successful,
      • all traffic destined for remote networks will be sent to the attacker
      • threat actor can then perform on-path attack to monitor communications
        • can forward them to router to avoid detection
        • can also modify packet before forwarding
        • ARP poisoning can also be used for a DoS attack by simply not forwarding the traffic
  • can be difficult to detect without closely monitoring network traffic
    • attempts at ARP spoofing are likely to cause sporadic communications difficulties
      • e.g., unreachable default gateway
      • performing network captures and examining ARP packets may reveal the poison packets
      • examining local ARP caches for multiple IP addresses mapping to the same MAC address may also reveal the poison packets
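The two detection checks above (watching ARP traffic for unsolicited replies that change an existing IP-to-MAC mapping, and scanning a host's ARP cache for one MAC claimed by several IPs) as an added worked example, not code from the original notes. The packets, the `ip neigh show` output and the addresses (RFC 5737 documentation IPs, RFC 7042 documentation MACs) are all constructed; `ArpPacket` is an assumed stand-in for whatever your capture parser emits.

```python
"""Defender-side ARP poisoning indicators (added example; all data constructed).

1. detect_poisoning(): replay ARP replies in order and alert when a sender IP's
   MAC changes, noting whether the reply was unsolicited (no request preceded it).
2. find_shared_macs(): flag MACs that appear for more than one IP in a cache.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:          # assumed shape of a parsed ARP packet
    op: str               # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def detect_poisoning(packets, known=None):
    """Walk packets in capture order. `known` optionally seeds the cache with
    trusted mappings (e.g. the gateway's documented MAC). Returns the mapping
    changes seen plus a per-sender count of unsolicited replies."""
    cache = dict(known or {})
    pending = set()       # (asker_ip, asked_for_ip) requests awaiting a reply
    unsolicited = Counter()
    alerts = []
    for p in packets:
        if p.op == "request":
            pending.add((p.sender_ip, p.target_ip))
            continue
        key = (p.target_ip, p.sender_ip)        # who asked, whom they asked for
        solicited = key in pending
        pending.discard(key)
        if not solicited:
            unsolicited[p.sender_ip] += 1       # gratuitous / unsolicited reply
        prev = cache.get(p.sender_ip)
        if prev is not None and prev != p.sender_mac:
            alerts.append({"ip": p.sender_ip, "old_mac": prev,
                           "new_mac": p.sender_mac, "unsolicited": not solicited})
        cache[p.sender_ip] = p.sender_mac      # what a trusting host would store
    return {"alerts": alerts, "unsolicited_replies": dict(unsolicited)}


def parse_ip_neigh(text):
    """Parse Linux `ip neigh show` lines into {ip: mac}; entries with no lladdr
    (FAILED / INCOMPLETE) are skipped."""
    cache = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or "lladdr" not in tok:
            continue
        cache[tok[0]] = tok[tok.index("lladdr") + 1].lower()
    return cache


def find_shared_macs(cache):
    """Invert ip->mac and return only MACs claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac.lower()].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# --- constructed sample data -------------------------------------------------
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "00:00:5e:00:53:10"
ATTACKER_MAC = "00:00:5e:00:53:aa"

SAMPLE_PACKETS = [
    ArpPacket("request", VICTIM_IP, VICTIM_MAC, GATEWAY_IP, "00:00:00:00:00:00"),
    ArpPacket("reply", GATEWAY_IP, GATEWAY_MAC, VICTIM_IP, VICTIM_MAC),   # legitimate
    ArpPacket("reply", GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),  # poison
    ArpPacket("reply", GATEWAY_IP, ATTACKER_MAC, VICTIM_IP, VICTIM_MAC),  # keeps it poisoned
]

SAMPLE_IP_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:aa REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:aa STALE
192.0.2.30 dev eth0 lladdr 00:00:5e:00:53:30 REACHABLE
192.0.2.40 dev eth0 FAILED
"""

if __name__ == "__main__":
    for a in detect_poisoning(SAMPLE_PACKETS)["alerts"]:
        print("mapping change:", a)
    print("shared MACs:", find_shared_macs(parse_ip_neigh(SAMPLE_IP_NEIGH)))
```

Seeding `known` with the gateway's real MAC lets the first spoofed reply trigger an alert even when the capture missed the legitimate exchange. Both checks produce indicators, not proof: a host rebooting, a VRRP/HSRP failover, or a NIC swap also causes a gratuitous ARP and a mapping change, so correlate the alert with what changed on the network before treating it as poisoning.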

Info

Technically, ARP spoofing is the broadcast of the unsolicited ARP replies, while ARP poisoning is the injection of spoofed MAC:IP mappings into the victim cache.

  • often used interchangeably
  • ARP poisoning could include other methods of injecting fake mappings
    • e.g., local host being infected with malware

Info

  • IPv6 does not use ARP
  • is still vulnerable to layer 2 spoofing via the Neighbor Discovery (ND) protocol, which replaces ARP
    • ND can also be abused for router advertisement (RA) spoofing