What are ARP attacks?

ARP attacks use the Address Resolution Protocol to corrupts the IP to MAC address mapping on a machine in the local network. The ARP protocol is completely stateless and implements no security mechanisms. It is thus very easy to mascarade as another machine on the local network.

A successfull ARP attack be be used to eavesdrop, alter, inject or drop network traffic. A typical ARP attack example is a Man-in-the-Middle-Attack: Every network traffic that is exchanged between two machines on the local network traverses the attackers machine. Thus it is very easy to eavesdrop that traffic, inject or drop network packets.

A very good introduction to ARP spoofing attacks has been written by Sean Whalen: An Introduction to ARP spoofing. The corresponding slides are available here.

The first article about ARP spoofing attacks, called ARP and ICMP redirection games, was written by Yuri Volobuev.

More information on ARP attacks is available in the following documents:

• ARP spoofing detection on switched networks: a feasibility study, Carnut and Gondim
• The Ingredients to ARP Poison, Fogie and Peikari
• Hacking Layer 2: Fun with Ethernet Switches, Sean Convery
• Schutz vor ARP-Spoofing, ITELLIUM Systems Services GmbH
• Externe Innentäter: Eingeschleuste Hardware erhöht Gefährdung durch ARP-Angriffe, Andreas Rieke
• Gefahren durch ARP-Spoofing, Demuth
• Packet Sniffing on Layer 2 Switched Local Area Networks, Ryan Spangler
• Angriffstechniken im lokalen Netz: ARP-Spoofing und -Poisoning, Demuth
• Address Resolution Protocol Spoofing and Man-in-the-Middle Attacks, Robert Wagner
• SSL Man-in-the-Middle Attacks, Peter Burkholder
• Protecting Your Network from ARP Spoofing-Based Attacks, Josha Bronson
• Traffic Tricks - ARP spoofing and poisoning, Demuth and Leitner