ARP spoofing attack and defense

As described in Wikipedia, ARP spoofing (otherwise known as ARP poisoning or Arp Poison Routing – APR) is a Layer 2 attack that can be carried out in most internal networks and therefore is extremely dangerous. It’s main purpose is to sniff the communication of a client talking to a server, by intercepting or even modifying the traffic in order to decrypt the already encrypted traffic. This article will guide you through the process of understanding, demonstrating and protecting your network against this attack.

Before demonstrating ARP spoofing, we need to explain how does ARP work in the first place and in order to illustrate it we will use the client A (with IP and netmask and the server B (with IP and netmask Let’s say that client A wants to communicate to server B and all it knows is it’s IP address, however in order to communicate with it on Layer 2, it needs to know it’s MAC address and therefore it sends and ARP request on the broadcast address FF:FF:FF:FF:FF:FF asking the machine with IP address to respond with it’s MAC address. Sure enough, server B receives the ARP request and send an ARP reply which says that server B is the owner of the IP address and his MAC is 10:10:10:10:10:10. Now when client A knows the MAC address of server B, it can send packets to server B and hope that server B will be the only machine that is receiving them (this is supposedly the case with all Layer 2 switches).

The explanation above relates to the case where the client and the server (or any other two network devices that wish to communicate) are in the same network. When they are not in the same network (let’s say server B is with IP address and gateway C is with IP address, the process of Layer 2 communication is almost the same, with the exception that instead of asking for the MAC address of the server, client A will ask for the MAC address of the gateway. After the gateway responds with it’s MAC address, client A will send all packets directed to server B to the gateway, hoping that it will know better how to deliver them to server B.


OK, enough with the boring stuff, let’s throw in an attacker D (or a pentester for that matter, they will do the same) who want to intercept the traffic between client A and server B, which are communicating through gateway C. The attacker D will be placed in the same network segment as client A and gateway C so we will be using the following addresses for the explanation:

– client A, IP:, netmask, gateway, MAC: 10:10:10:10:10:10
– server B, IP:, netmask, gateway and MAC are irrelevant
– gateway C, IP:, netmask, MAC: 01:01:01:01:01:01
– attacker D, IP:, netmask, gateway, MAC: 30:30:30:30:30:30

Now, what the attacker will want to do is to convince client A that the MAC address of gateway C is not 01:01:01:01:01:01 but 30:30:30:30:30:30. He will also want to make sure that gateway C thinks that the MAC address of client A is not 10:10:10:10:10:10 but is again 30:30:30:30:30:30. This way, attacker D will intercept all communication from client A to the outside world and the only thing that he needs to make sure is that he forwards the packets, so that client A will never know that anything suspicious is happening.

Fast forward to the lab, we have the client, server and gateway setup in the way described above and additionally we will introduce an attacker who is running Backtrack and is connected to the same network as client A and gateway C. So in order to intercept the traffic, the attacker will have to execute the following commands:

# echo 1 > /proc/sys/net/ipv4/ip_forward

With the command above, he will ensure that all packets that are forwarded to his workstation will be then forwarded to their original destination, otherwise the client will not be able to communicate to anyone and will suspect that something is going on.

# arpspoof -t
# arpspoof -t

These will ensure that client A will send to attacker D all packets otherwise meant for gateway C (server B falls into this account) and vice versa. Now all that is left for the attacker to do is to run tcpdump or wireshark and record / analyze / sniff the communications:

# tcpdump -ni eth0 host and host

In some of the articles to follow, we will utilize Cain & Abel to perform even more sophisticated main-in-the-middle attacks, which will illustrate how easy it is to break encrypted protocols, if they are not configured properly.


Unfortunately, the mitigation of this attack is much harder than the attack itself. Cisco has developed a couple of countermeasures to fight with different Layer 2 attacks, and you will need to make use of all of them in order to be fully protected:
– DHCP snooping
– Dynamic ARP Inspection
– Port Security

Leave a Reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>