ARP spoofing

The Address Resolution Protocol (ARP) is a widely used communications protocol for resolving internet layer addresses into link layer addresses. When an Internet Protocol (IP) datagram is sent from one host to another in a local area network, the destination IP address must be resolved to a MAC address for transmission via the data link layer. The first host sends a broadcast packet on the local network. This packet is known as an ARP request. The second host with the IP in the ARP request then responds with a broadcast ARP reply that contains the MAC address associated with its IP. ==Attack anatomy==

The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN or from an attacker's machine that is connected directly to the target LAN. Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped. ==Defenses==

Static ARP entries The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. Hosts don't need to transmit ARP requests where such entries exist. While static entries provide some security against spoofing, they increase maintenance effort as address mappings for all systems in the network must be generated and distributed. Securing ARP in this manner for all participants does not scale on a large network since the mapping has to be set for each pair of machines resulting in n2-n ARP entries that have to be configured when n machines are present; On each machine there must be an ARP entry for every other machine on the network; n-1 ARP entries on each of the n machines. Detection and prevention software Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach, a device listens for ARP replies on a network and sends a notification via email when an ARP entry changes. AntiARP also provides Windows-based spoofing prevention at the kernel level. ArpStar is a Linux module for kernel 2.6 and Linksys routers that drops invalid packets that violate mapping, and contains an option to repoison or heal. Some virtualized environments, such as KVM, also provide security mechanisms to prevent MAC spoofing between guests running on the same host. Additionally, some Ethernet adapters provide MAC and VLAN anti-spoofing features. OpenBSD watches passively for hosts impersonating the local host and notifies in case of any attempt to overwrite a permanent entry. OS security Operating systems react differently. Linux ignores unsolicited replies, but, on the other hand, uses responses to requests from other machines to update its cache. Solaris accepts updates on entries only after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, ArpRetryCount. ==Legitimate usage==

The techniques that are used in ARP spoofing can also be used to implement redundancy of network services. For example, some software allows a backup server to issue a gratuitous ARP request in order to take over for a defective server and transparently offer redundancy. Circle and CUJO are two companies that have commercialized products centered around this strategy. ARP spoofing is often used by developers to debug IP traffic between two hosts when a switch is in use: if host A and host B are communicating through an Ethernet switch, their traffic would normally be invisible to a third monitoring host M. The developer configures A to have M's MAC address for B, and B to have M's MAC address for A; and also configures M to forward packets. M can now monitor the traffic, exactly as in a man-in-the-middle attack. ==Tools==

Defense Spoofing Some of the tools that can be used to carry out ARP spoofing attacks: • Dsniff • Ettercap • arping • Cain and Abel ==See also==