ARP spoofing

from Wikipedia, the free encyclopedia

ARP spoofing (from the English. To spoof - dt. Fooled , fooled ) or ARP Poisoning Request (Engl about. Request falsification ) means sending fake ARP - packages . It is used to change the ARP tables in a network so that the data traffic between two (or more) systems in a computer network can then be intercepted or manipulated. It is a way of carrying out a man-in-the-middle attack in the local network.

Such an attack can also target IP telephony in order to eavesdrop on telephone calls.

Despite the popularity and the age of the attack, current operating systems do not offer any protection against ARP spoofing . This usually has to be retrofitted.


An ethernet frame. A corrupted frame can contain an incorrect source MAC address, for example

In order to intercept the data traffic between host A and host B, the attacker sends host A a manipulated ARP message to assign a certain IP address . This message contains its own MAC address instead of that of host B, so that in future host A will send the packets that are actually intended for host B to the attacker. The same thing happens with host B, so that it sends packets to the attacker unintentionally instead of directly to A. The attacker must now forward the packets received from A and B to the actual recipient so that an interceptable connection can be established. If this happens, the attacker works unnoticed as a proxy . One speaks of a man-in-the-middle attack . The attacker can of course also discard the network traffic in order to make communication between certain hosts impossible or to change the data traffic.

While mere eavesdropping on network traffic with the help of a sniffer only works in unswitched networks, this attack is also successful in switched networks. Software that implements this proxy function is available free of charge on the Internet for all common operating systems and is relatively easy to use (see Ettercap , Wireshark ).


This means that an attacker has almost a free hand to read and manipulate unprotected connections such as those used when sending e-mails or viewing websites . Encrypted and authenticated connections tend to be secure; they often use secure cryptographic algorithms and digital certificates to authenticate the remote station.

If an attacker locks into an HTTPS connection , for example, in order to manipulate home banking , the user recognizes this by a warning message from the browser about an invalid certificate. In practical scenarios, however, an attacker can prevent users from establishing TLS connections and can replace the requested HTTPS connections with those via HTTP. This makes it possible to intercept data that would otherwise be sent in encrypted form.

SSH connections are classified as secure (SSH version 1 not) if a changed fingerprint leads to the connection being aborted. After displaying the fingerprints, the user is often asked to decide whether he would like to continue establishing the connection.

Detect ARP spoofing

Detecting or preventing ARP spoofing is not easy. There are several possibilities for this. One of them is to leave out the ARP entirely and to work with static tables for converting IP addresses to hardware addresses. This option is not very efficient because the ARP tables have to be constantly updated. It is better to start with the basic problem: Every ARP response, whether requested or not, whether useful or not, is accepted by almost all operating systems. It can help here to leave the processing of ARP responses to programs with greater intelligence. These monitor who sends the answers and when, and what information the answers contain. Obviously forged ARP packets can be recognized and discarded. A corresponding warning can be issued to the system administrator by connecting to an intrusion detection system .

ARP spoofing can usually be seen well if you look at the ARP tables. In the following example, the computer with the MAC address c5: cb: df: 56: b5: f2 performs ARP spoofing in which it tells all hosts in the network that it is everyone else: It gives its MAC address for each IP (so that the network traffic reaches it to all hosts). However, it forwards the traffic transparently, so that the attack is actually imperceptible to all other hosts (although all traffic can of course be discarded and thus a complete blockage of all traffic would result). The ARP table of one of the victim computers in the network is shown. It is not clear who the attacker is; for this, the administrator would have to search for all MAC addresses. However, this could be prevented by MAC spoofing .

Address                  HWtype  HWaddress           Flags Mask            Iface              ether   c5:cb:df:56:b5:f2   C                     eth0              ether   c5:cb:df:56:b5:f2   C                     eth0    Der Angreifer!              ether   c5:cb:df:56:b5:f2   C                     eth0              ether   c5:cb:df:56:b5:f2   C                     eth0

In the following example, the attacker is more frugal: he only intercepts traffic to and from the Internet ( is the gateway).

Address                  HWtype  HWaddress           Flags Mask            Iface              ether   00:15:af:43:90:de   C                     eth0              ether   c5:cb:df:56:b5:f2   C                     eth0    Der Angreifer!              ether   c5:cb:df:56:b5:f2   C                     eth0    Eigentlich Router, wird aber durch gefälschte MAC-Adresse zum Angreifer geleitet              ether   a8:7b:39:dc:78:a3   C                     eth0 is the gateway of the network; the attacker (.8) also reads the traffic on the Internet.

On the victim host of the first example, a traceroute to a neighboring computer would look like this:

traceroute to (, 30 hops max, 60 byte packets
 1 (  2.629 ms  2.615 ms  2.604 ms      Der Angreifer, der alle Pakete weiterleitet!
 2 (  77.776 ms  78.261 ms  79.246 ms   Der Zielrechner

Without ARP spoofing, the output should look like this:

traceroute to (, 30 hops max, 60 byte packets
 1 (  134.356 ms  134.824 ms  135.314 ms

At the beginning of the attack, the attacker's packet traffic looks like this (recorded with tcpdump ):

13:17:27.376957 ARP, Reply is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.387128 ARP, Reply is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.387432 ARP, Reply is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.388654 ARP, Reply is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28
13:17:27.388995 ARP, Reply is-at c5:cb:df:56:b5:f2 (oui Unknown), length 28

The traceroute method is of course useless if the attacker does not forward the traffic but discards it and all network traffic is prevented. The method of looking up the ARP table is usually more helpful, as it shouldn't actually happen that several IP addresses share one MAC address.

Legitimate application

In the area of Linux and BSD-based high availability clusters, the targeted manipulation of ARP packets is used so that no data packets are lost if the primary server fails and is immediately redirected to the new “contact person” in the cluster. The secondary server must then adopt the cluster's common IP address.

See also

Web links