DES-3028 DES-3028P DES-3028G DES-3052 DES-3052P Layer 2 Fast Ethernet Switch CLI Reference Manual
347
How ARP spoofing attacks a network
ARP spoofing, also known as ARP poisoning, is a method to attack an Ethernet network which may allow an attacker to sniff data
frames on a LAN, modify the traffic, or stop the traffic altogether (known as a Denial of Service - DoS attack). The principle of
ARP spoofing is to send the fake, or spoofed ARP messages to an Ethernet network. Generally, the aim is to associate the
attacker's or random MAC addresses with the IP address of another node (such as the default gateway). Any traffic meant for that
IP address would be mistakenly re-directed to the node specified by the attacker.
IP spoofing attacks are caused by Gratuitous ARPs that occur when a host sends an ARP request to resolve its own IP address.
Figure-4 shows a hacker within a LAN to initiate ARP spoofing attack.
Figure – 4
In the Gratuitous ARP packet, the “Sender protocol address” and “Target protocol address” are filled with the same source IP
address itself. The “Sender H/W Address” and “Target H/W address” are filled with the same source MAC address. The
destination MAC address is the Ethernet broadcast address (FF-FF-FF-FF-FF-FF). All nodes within the network will immediately
update their own ARP table in accordance with the sender’s MAC and IP address. The format of Gratuitous ARP is shown in
Table – 5.
Port 1
Port 23
Port 2
Port 24
A
IP: 10.10.10.1
MAC: 00-20-5C-01-11-11
B
DNS server
Router
IP: 10.10.10.253
MAC: 00-20-5C-01-53-53
IP: 10.10.10.2
MAC: 00-20-5C-01-22-22
A wrong ARP entry spreads over
the network to spoof all PCs
Internet
Hacker
IP: 10.10.10.254
MAC: 00-20-5C-01-54-54
C
IP: 10.10.10.3
MAC: 00-20-5C-01-33-33
Port 3