All devices on your network have an ARP table that matches network ip address to the physcial MAC address of your computer. Here is an example of how a normal ARP communication works. Megan, the receptionist, tells her computer the print a document. Her computer (IP address 192.168.15.100) wants to send the print job to the HP Inkjet printer (ip 192.168.15.102). So Megan’s computer broadcasts an ARP request to the entire network asking who has the IP address 192.168.15.102. All the devices on the network except the printer who recognizes its own IP and sends an ARP reply saying “Hey, that me, my mac address is 00:39:6F:14:FD:6Q”. Now that Megan’s computer knows the mac it sends the print job to that mac address.
ARP was designed to so that it would be efficient and fast, unfortunately, this leads to major insecurity. There is no authentication it is all based on trust.
Since ARP will just blindly trust all ARP entries sent hacker can flood the network with fake ARP reply’s telling your router the attacker is you and you that the attacker is the router and all traffic will now flow through the attacker. The attacker can now analyze or manipulate your web traffic.
All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has already matched together. The ARP table ensures that the device doesn’t have to repeat ARP Requests for devices it has already communicated with.
Here’s an example of a normal ARP communication. Jessica, the receptionist, tells Word to print the latest company contact list. This is her first print job today. Her computer (IP address 192.168.0.16) wants to send the print job to the office’s HP LaserJet printer (IP address 192.168.0.45). So Jessica’s computer broadcasts an ARP Request to the entire local network asking, “Who has the IP address, 192.168.0.45?” as seen in Diagram 1.
All the devices on the network ignore this ARP Request, except for the HP LaserJet printer. The printer recognizes its own IP in the request and sends an ARP Reply: “Hey, my IP address is 192.168.0.45. Here is my MAC address: 00:90:7F:12:DE:7F,” as in Diagram 2.
Now Jessica’s computer knows the printer’s MAC address. It sends the print job to the correct device, and it also associates the printer’s MAC address of 00:90:7F:12:DE:7F with the printer’s IP address of 192.168.0.45 in its ARP table.
Hey ARP, Did You Know Gullible Is Not in the Dictionary?
The founders of networking probably simplified the communication process for ARP so that it would function efficiently. Unfortunately, this simplicity also leads to major insecurity. Know why my short description of ARP doesn’t mention any sort of authentication method? Because in ARP, there is none.
ARP is very trusting, as in, gullible. When a networked device sends an ARP request, it simply trusts that when the ARP reply comes in, it really does come from the correct device. ARP provides no way to verify that the responding device is really who it says it is. In fact, many operating systems implement ARP so trustingly that devices that have not made an ARP request still accept ARP replies from other devices.
OK, so think like a malicious hacker. You just learned that the ARP protocol has no way of verifying ARP replies. You’ve learned many devices accept ARP replies before even requesting them. Hmmm. Well, why don’t I craft a perfectly valid, yet malicious, ARP reply containing any arbitrary IP and MAC address I choose? Since my victim’s computer will blindly accept the ARP entry into its ARP table, I can force my victim’s gullible computer into thinking any IP is related to any MAC address I want. Better yet, I can broadcast my faked ARP reply to my victim’s entire network and fool all his computers. Muahahahahaa!
Back to reality. Now you probably understand why this common technique is called ARP Cache Poisoning (or just ARP Poisoning): the attacker lies to a device on your network, corrupting or “poisoning” its understanding of where other devices are. This frighteningly simple procedure enables the hacker to cause a variety of networking woes, described next.
All Your ARP Are Belong To Us!
The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service, Man in the Middle, and MAC Flooding.
Denial of Service
A hacker can easily associate an operationally significant IP address to a false MAC address. For instance, a hacker can send an ARP reply associating your network router’s IP address with a MAC address that doesn’t exist. Your computers believe they know where your default gateway is, but in reality they’re sending any packet whose destination is not on the local segment, into the Great Bit Bucket in the Sky. In one move, the hacker has cut off your network from the Internet.
Man in the Middle
A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network. For instance, let’s say the hacker wants to see all the traffic between your computer, 192.168.0.12, and your Internet router, 192.168.0.1. The hacker begins by sending a malicious ARP “reply” (for which there was no previous request) to your router, associating his computer’s MAC address with 192.168.0.12 (see Diagram 3).
Now your router thinks the hacker’s computer is your computer.
Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with 192.168.0.1 (see Diagram 4).
Now your machine thinks the hacker’s computer is your router.
Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker’s machine to forward any network traffic it receives from your computer to the router (shown in Diagram 5).
Now, whenever you try to go to the Internet, your computer sends the network traffic to the hacker’s machine, which it then forwards to the real router. Since the hacker is still forwarding your traffic to the Internet router, you remain unaware that he is intercepting all your network traffic and perhaps also sniffing your clear text passwords or hijacking your secured Internet sessions.
MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. (If you need a reminder about the difference between a hub and a switch, see this sidebar.) When certain switches are overloaded they often drop into a “hub” mode. In “hub” mode, the switch is too busy to enforce its port security features and just broadcasts all network traffic to every computer in your network. By flooding a switch’s ARP table with a ton of spoofed ARP replies, a hacker can overload many vendor’s switches and then packet sniff your network while the switch is in “hub” mode.