What is ARP attack?

ARP attacks are an attack technique for Ethernet Address Resolution Protocol (ARP). Such an attack could allow an attacker to obtain data packets on the local area network or even tamper with the packet, and to make it impossible for a particular computer or all computers on the network to connect properly. The first article to explore ARP attack is written by Yuri Volobue, "Arp and ICMP turn game".

ARP attack principle

ARP attack is to spoof IP address and MAC address to achieve ARP spoofing, can generate a large number of ARP traffic in the network blocking the network, the attacker as long as the continuous issue of fake ARP response packets can change the target host ARP cache IP-MAC entries, resulting in network interruption or man-in-the-middle attack.

ARP attacks are mainly in the LAN network, if there is a computer in the LAN Arp Trojan, then the system infected with the ARP will attempt to "ARP spoofing" means to intercept other computers in the network communication information, and therefore caused the network of other computers communication failure.

A machine A to send a message to Host B, will query the local ARP cache table, find the IP address of B corresponding MAC address, it will be data transmission. If not found, then a broadcasts an ARP request message (carries host A's IP address ia--Physical address PA), requests the IP address for IB's Host B to answer the physical address PB. All hosts on the internet, including B, receive ARP requests, but only Host B recognizes their IP address, and sends back an ARP response message to a host. It contains the MAC address of B, and a receives a reply from B, and the local ARP cache is updated. The MAC address is then used to send the data (the MAC address is appended to the NIC). Therefore, this ARP table for local caching is the basis for local network flow, and this cache is dynamic.