Vulnerability of ARP


ARP (Address Resolution Protocol) is used in local area networks to resolve the MAC address of a host when its IP address is known.

Let's look at the normal sequence of interaction between SERVER and CLIENT when the IP protocol is used:
    1. CLIENT sends a broadcast datagram called "arp-request"
       containing SERVER's IP address.
    2. SERVER sends a datagram to CLIENT, called "arp-reply",
       containing SERVER's MAC address.
    3. CLIENT uses the received MAC address for further interaction
       with SERVER.

All known MAC-to-IP address mappings are stored in the arp-table, which can be viewed with the command arp -a .

However, this method is very vulnerable: nothing in the protocol authenticates a reply, so ATTACKER can easily forge a fake "arp-reply" and associate any MAC address with SERVER's IP in CLIENT's arp-table. Here is one possible variant of such an attack:
    1. CLIENT sends a broadcast datagram called "arp-request"
       containing SERVER's IP address.
    2. At the same time, ATTACKER continuously sends fake "arp-replies"
       to CLIENT.
    3. SERVER sends a datagram to CLIENT, called "arp-reply",
       containing SERVER's MAC address.
    4. However, CLIENT receives the datagram from ATTACKER before
       the datagram from SERVER.
    5. CLIENT uses the received fake MAC address for further interaction
       with SERVER.

This attack is usually called a "fake arp-replies storm". ATTACKER can use this method to:
    1. Listen to traffic between CLIENT and SERVER
    2. Cut CLIENT off from SERVER
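As an added illustration (not code from this page or from the "Arp Reply" tool), here is a small Python monitor that replays captured ARP frames and flags the two signs of the attack described above: a reply for an IP nobody asked about, and two different MAC addresses claiming SERVER's IP. The frames and addresses are constructed for the demo; in practice the frames would come from a capture on the LAN.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(x) for x in s.split("."))

def build_arp(opcode, smac, sip, tmac, tip):
    """Serialize an Ethernet II + ARP frame (used here only to construct sample input)."""
    dst = _mac("ff:ff:ff:ff:ff:ff") if opcode == ARP_REQUEST else _mac(tmac)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + _mac(smac) + _ip(sip) + _mac(tmac) + _ip(tip)
    return dst + _mac(smac) + b"\x08\x06" + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an untagged IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip, tip = (".".join(str(b) for b in frame[o:o + 4]) for o in (28, 38))
    return opcode, smac, sip, tip

def detect_spoofing(frames):
    """Replay frames in order and report the two symptoms of a reply storm: a reply for
    an IP nobody requested, and two different MACs claiming the same IP.
    Requests are remembered without expiry; a real monitor would age them out."""
    requested, seen, alerts = set(), {}, []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            continue
        opcode, smac, sip, tip = pkt
        if opcode == ARP_REQUEST:
            requested.add(tip)
        elif opcode == ARP_REPLY:
            if sip not in requested:
                alerts.append(("unsolicited reply", sip, smac))
            known = seen.setdefault(sip, smac)  # first MAC that claimed this IP
            if known != smac:
                alerts.append(("ip-mac conflict", sip, known, smac))
    return alerts

def sample_storm():
    """Constructed replay of the scenario above; all addresses are hypothetical."""
    client, server, attacker = "00:11:22:33:44:01", "00:11:22:33:44:02", "aa:bb:cc:dd:ee:ff"
    return [build_arp(ARP_REQUEST, client, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
            build_arp(ARP_REPLY, attacker, "10.0.0.1", client, "10.0.0.10"),   # fake reply, arrives first
            build_arp(ARP_REPLY, server, "10.0.0.1", client, "10.0.0.10"),     # genuine reply, arrives later
            build_arp(ARP_REPLY, attacker, "10.0.0.99", client, "10.0.0.10")]  # reply nobody asked for
```

Legitimate gratuitous ARP announcements also trip the "unsolicited reply" rule, so on a real network it is a signal to correlate with the conflict rule rather than an alarm on its own.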


Click here to download the source code of an example called "Arp Reply", which can be used to generate fake "arp-replies". The example is written using Microsoft Visual C++ 6.0, MFC and the Win32 NDIS Framework ( http://www.pcausa.com/ ). A description of the example is in the file "usage.txt" supplied with "Arp Reply".

Nickolsky Artyom, 2002
