Attacking LAN hosts with ARP spoofing 2023
In this article we will learn how hosts on a LAN are attacked with ARP spoofing.
1. Introduction to Attacking LAN hosts with ARP spoofing:
This article introduces the OSI model of network communication and describes ARP spoofing, which is used to attack hosts on a local area network (LAN). Passive and active sniffing are described. Finally, mitigation of ARP spoofing is briefly discussed.
- The OSI model
This model describes the structure of network communication as a stack of layers. The idea was to provide a reference model that lets different manufacturers build networking products that work together. The OSI model consists of seven layers:
Layer 7: Application
Layer 6: Presentation
Layer 5: Session
Layer 4: Transport
Layer 3: Network
Layer 2: Data link
Layer 1: Physical
I will discuss how data goes from sender to receiver. From the sender’s point of view, data goes from layer 7 to layer 1. From the receiver’s point of view, data goes from layer 1 to layer 7.
I will explain what happens when data goes from layer 7 to layer 1. At each stage (from layer 7 to layer 6, from layer 6 to layer 5, etc.), the upper layer's data becomes the payload of the lower layer, which adds its own header (encapsulation). On the receiving end, the opposite process occurs and is called decapsulation. This is how the different OSI layers interact. In reality, it is more complicated: for example, application layer data can be segmented at the transport layer (before being sent to the network layer) and fragmented at the network layer (before being sent to the data link layer).
Finally, let’s look at the classification of network devices with reference to the layers of the OSI model:
Layer 1 devices: repeater, hub
Layer 2 devices: bridge, switch
Layer 3 device: router
ARP spoofing is related to the ARP protocol (described in the next section of the article), which binds IP addresses (network layer) to MAC addresses (data link layer, where Ethernet is commonly used).
- ARP protocol
Suppose two computers, COMP1 and COMP2, are on the same LAN and want to communicate with each other. COMP1 knows the IP address of COMP2 (labeled COMP2_IP in the article), but it actually needs COMP2's MAC address (labeled COMP2_MAC) to put a frame for COMP2 on the wire. The ARP protocol is used here. COMP1 sends an ARP request to everyone on the LAN (broadcast).
This request can be understood something like this: "Hello COMP2_IP, would you mind telling me your MAC address (COMP2_MAC)?" COMP2 answers with an ARP reply, sent directly (unicast) to COMP1, containing COMP2_MAC. COMP1 stores the pair COMP2_IP -> COMP2_MAC in its ARP table (cache) so it does not have to ask again for every frame, and can now send messages to COMP2. That's how it should work. However, there may be an attacker who forges ARP replies. Let's see how it works in this case.
- ARP protocol – spoofing ARP responses
Let’s continue the story from the previous section and label the attacker’s computer with COMP_ATTACKER, the IP address of COMP_ATTACKER with COMP_ATTACKER_IP, and the MAC of COMP_ATTACKER with COMP_ATTACKER_MAC.
Now let's recall the description of the ARP protocol from the previous part of the article and change one thing: COMP_ATTACKER answers COMP1's request with an ARP reply carrying its own MAC address (COMP_ATTACKER_MAC). ARP has no authentication, so COMP1 has no way to tell the forged reply from the real one. In practice the attacker does not even need to wait for a request: many hosts also accept unsolicited replies and overwrite the entry they already hold for COMP2_IP, and spoofing tools re-send the forged reply periodically so the poisoned entry does not expire. COMP1 then thinks it is sending the message to COMP2, but it is actually sending it to COMP_ATTACKER, because COMP_ATTACKER_MAC is now what its ARP table holds for COMP2_IP.
In addition, COMP_ATTACKER sends an ordinary ARP request to everyone on the LAN to learn COMP2_MAC. At this point, COMP_ATTACKER knows COMP2_MAC and can forward the message (received from COMP1) to COMP2. Before forwarding the message, COMP_ATTACKER can read and/or modify the message if it is not protected. To see COMP2's answers as well, COMP_ATTACKER poisons COMP2's ARP table in the same way, claiming that COMP1_IP is at COMP_ATTACKER_MAC; it then has to forward frames in both directions, otherwise the connection between COMP1 and COMP2 simply breaks (which is itself a denial of service). This is how ARP spoofing works. As we can see, this attack can lead to serious problems.
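The ARP exchange from the previous section and the forged reply from this one, as an added example that is not part of the original article. It builds and parses Ethernet/ARP frames as defined in RFC 826 and models the three hosts with a toy ARP receive path; the addresses, the `Host` class and its cache behaviour are constructed for the example and nothing touches a real network interface.

```python
"""Ethernet/ARP frames (RFC 826) and a toy host ARP cache.

Added example, not code from the original article. The hosts, their addresses
and the cache behaviour are a constructed model of the COMP1 / COMP2 /
COMP_ATTACKER story; nothing here touches a real interface.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Constructed (ip, mac) pairs for the article's three hosts.
COMP1 = ("192.0.2.1", "02:00:00:00:00:01")
COMP2 = ("192.0.2.2", "02:00:00:00:00:02")
COMP_ATTACKER = ("192.0.2.66", "02:00:00:00:00:66")


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_ip, sender_mac, target_ip, target_mac=ZERO_MAC, eth_dst=None):
    """Ethernet II header (14 bytes) + ARP packet (28 bytes).

    A request does not know the target MAC, so that field is zero and the
    frame is broadcast; a reply carries the requester's MAC and is unicast.
    """
    if eth_dst is None:
        eth_dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype=Ethernet, ptype=IPv4, hlen, plen, oper
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "eth_dst": bytes_to_mac(eth_dst), "eth_src": bytes_to_mac(eth_src), "op": op,
        "sender_mac": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


class Host:
    """Just enough of a host's ARP receive path to show the problem."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_table = {}  # ip -> mac, all entries dynamic

    def receive(self, frame):
        p = parse_arp(frame)
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            # Answer "who has my IP?" with a unicast reply to the asker.
            return build_arp(ARP_REPLY, self.ip, self.mac, p["sender_ip"], p["sender_mac"])
        if p["op"] == ARP_REPLY and p["target_ip"] == self.ip:
            # No authentication and no check that we ever asked: the reply is
            # simply trusted and overwrites whatever was cached for that IP.
            self.arp_table[p["sender_ip"]] = p["sender_mac"]
        return None


def legitimate_exchange():
    """COMP1 learns COMP2_MAC the normal way."""
    comp1, comp2 = Host(*COMP1), Host(*COMP2)
    request = build_arp(ARP_REQUEST, *COMP1, COMP2[0])  # broadcast: who has COMP2_IP?
    reply = comp2.receive(request)                      # only COMP2 answers
    comp1.receive(reply)
    return comp1.arp_table


def spoofed_exchange():
    """COMP_ATTACKER learns the real COMP2_MAC, then poisons COMP1's cache."""
    comp1, comp2, attacker = Host(*COMP1), Host(*COMP2), Host(*COMP_ATTACKER)
    comp1.receive(comp2.receive(build_arp(ARP_REQUEST, *COMP1, COMP2[0])))
    # The attacker asks for COMP2_MAC itself, so it can forward frames later.
    attacker.receive(comp2.receive(build_arp(ARP_REQUEST, *COMP_ATTACKER, COMP2[0])))
    # Forged, unsolicited reply: "COMP2_IP is at COMP_ATTACKER_MAC", unicast to COMP1.
    forged = build_arp(ARP_REPLY, COMP2[0], COMP_ATTACKER[1], *COMP1)
    comp1.receive(forged)
    return comp1.arp_table, attacker.arp_table


if __name__ == "__main__":
    print("before:", legitimate_exchange())
    victim, attacker = spoofed_exchange()
    print("after: ", victim, "attacker knows", attacker)
```

The forged frame is byte-for-byte a valid ARP reply; the only thing wrong with it is who sent it, and nothing in the protocol lets COMP1 check that. Running it prints COMP1's entry for 192.0.2.2 before and after the poisoning.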
- Passive and active sniffing
Switches learn which MAC addresses are attached to which ports and deliver a frame only to the port of its destination host. This way, other hosts cannot see the messages or monitor the traffic. As we have already seen, ARP spoofing can be used to overcome this problem from an attacker's perspective. ARP spoofing is an active attack because it involves sending fake ARP replies.
Now let's go back to the old days and discuss hubs. These devices operate at layer 1 of the OSI model. A message received by the hub is repeated to all of its ports. Normally, a host's network card only passes up the frames addressed to its own MAC (plus broadcast and multicast). However, the card can be put into promiscuous mode to see all frames on the segment. This is how passive sniffing works: the attacker just watches the traffic without sending anything.
- Mitigation of ARP spoofing
Normally, entries in a host's ARP table are dynamic. These entries can be predefined (static) for important peers such as the default gateway, so that a forged reply cannot overwrite them. However, this approach has an administrative overhead: every host needs the entries, and they must be updated whenever a network card is replaced. Managed switches can also enforce correct IP-to-MAC bindings themselves (a feature usually called Dynamic ARP Inspection), which scales better than static entries on every host. Whichever approach is used, it is worth watching for the symptom of the attack: an IP address suddenly answering from a different MAC, or ARP replies arriving that nobody asked for.
Another idea is to delegate the problem to higher layers of the OSI model and use cryptography to ensure authentication (digital certificates), data confidentiality (symmetric encryption) and data integrity (HMAC or authenticated encryption). This is where SSL/TLS can be used (it works above the transport layer and below the application layer of the OSI model). This way we can detect if something has happened to the message and prevent it from being read. Note that TLS does not stop the attacker from intercepting the frames; it makes the intercepted data useless and tampering detectable, and only as long as the client properly validates the server's certificate and refuses to fall back to plaintext.
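The static-entry mitigation together with host-side detection of the symptoms described above, as an added example that is not part of the original article. It works on already parsed ARP records (opcode, sender IP, sender MAC, target IP) rather than raw frames; the `ArpMonitor` class, the alert names and the sample traffic are constructed for this example (the traffic is not a capture) and are not a real tool's API.

```python
"""Host-side checks against ARP spoofing: static entries that are never
overwritten, plus arpwatch-style alerts on suspicious replies.

Added example, not code from the original article. It works on already
parsed ARP records (op, sender_ip, sender_mac, target_ip); the traffic below
is constructed, not captured.
"""

ARP_REQUEST, ARP_REPLY = 1, 2
MY_IP = "192.0.2.1"  # COMP1, the host running the monitor

# Constructed sample traffic as seen by COMP1.
SAMPLE_TRAFFIC = [
    (ARP_REQUEST, "192.0.2.1",   "02:00:00:00:00:01", "192.0.2.2"),    # COMP1 asks for COMP2
    (ARP_REPLY,   "192.0.2.2",   "02:00:00:00:00:02", "192.0.2.1"),    # COMP2 answers
    (ARP_REQUEST, "192.0.2.1",   "02:00:00:00:00:01", "192.0.2.254"),  # COMP1 asks for the gateway
    (ARP_REPLY,   "192.0.2.254", "02:00:00:00:00:fe", "192.0.2.1"),    # gateway answers
    (ARP_REPLY,   "192.0.2.2",   "02:00:00:00:00:66", "192.0.2.1"),    # forged: COMP2_IP "moved"
    (ARP_REPLY,   "192.0.2.254", "02:00:00:00:00:66", "192.0.2.1"),    # forged: gateway "moved"
]


class ArpMonitor:
    def __init__(self, my_ip, static=None):
        self.my_ip = my_ip
        self.static = dict(static or {})  # ip -> mac, pinned by the administrator
        self.table = dict(self.static)    # the bindings the host will actually use
        self.pending = set()              # IPs we have an unanswered request for
        self.alerts = []                  # tuples, first element is the alert kind

    def observe(self, op, sender_ip, sender_mac, target_ip):
        if op == ARP_REQUEST and sender_ip == self.my_ip:
            self.pending.add(target_ip)
            return
        if op != ARP_REPLY or target_ip != self.my_ip:
            return
        if sender_ip in self.static:
            # Static entry: a disagreeing reply is logged and otherwise ignored.
            if sender_mac != self.static[sender_ip]:
                self.alerts.append(("static-mismatch", sender_ip, sender_mac))
            return
        if sender_ip not in self.pending:
            # We never asked: typical of a spoofing tool re-sending forged replies.
            self.alerts.append(("unsolicited", sender_ip, sender_mac))
        self.pending.discard(sender_ip)
        old = self.table.get(sender_ip)
        if old is not None and old != sender_mac:
            # A dynamic binding flipped: the classic "changed ethernet address" event.
            self.alerts.append(("changed", sender_ip, old, sender_mac))
        if any(ip != sender_ip and mac == sender_mac for ip, mac in self.table.items()):
            # One MAC answering for several IPs: one attacker impersonating many hosts.
            self.alerts.append(("duplicate-mac", sender_ip, sender_mac))
        self.table[sender_ip] = sender_mac


def run(traffic, static=None):
    mon = ArpMonitor(MY_IP, static)
    for record in traffic:
        mon.observe(*record)
    return mon.table, mon.alerts


def run_dynamic():
    """Everything dynamic: the forged replies get through, but all are flagged."""
    return run(SAMPLE_TRAFFIC)


def run_static_gateway():
    """Gateway pinned with a static entry: its forged reply is rejected."""
    return run(SAMPLE_TRAFFIC, static={"192.0.2.254": "02:00:00:00:00:fe"})


if __name__ == "__main__":
    for name, fn in (("dynamic", run_dynamic), ("static gateway", run_static_gateway)):
        table, alerts = fn()
        print(name, table)
        for alert in alerts:
            print("  ALERT", alert)
```

With all entries dynamic both forged replies end up in the table, which is exactly the situation from the attack section; the alerts are the only defence. With the gateway pinned, its forged reply is logged and dropped, while COMP2, which has no static entry, is still poisoned, which is why static entries are usually reserved for the few hosts that matter most.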
- Summary
The OSI model of network communication was introduced. Then the ARP protocol and ARP spoofing were discussed. The difference between active and passive sniffing was presented. Finally, mitigation of ARP spoofing was briefly analyzed.