Tag: Snooping attack

ARP Poisoning/Snooping Attack


First of all a quick review of ARP and what it is used for in networking is a good place to start. ARP stands for Address Resolution Protocol and it is used to map IP addresses to MAC addresses so data can be delivered to the correct host. An IP address on its own can’t do the job. MAC addresses are used to deliver the IP packets on the network. But what happens if a host, for example host A wants to send a packet to host B, host A knows the IP address of host B but does not know what his MAC address is, without this the packet will never get delivered. ARP steps in. To find out the MAC address of host B, host A will send an ARP request with the IP Address of host B asking who has IP Address, this is broadcast out onto the network, all hosts will see this messages as it is a broadcast message. However host B will be the only one to respond to the message by sending a unicast message back to host A saying basically I’m host B, in the reply will be host B’s MAC address now host A has all the information it needs to send the packet on its way. The next time that host A or host B needs to send packets to each other they wont have to use ARP they will use their arp cache that is stored locally. The cache stores the IP address to MAC address mappings.

ARP Poisoning


In the diagram above we have a simply network topology. Local LAN with some PCs and a Router to get off the local network out towards the Internet.

In normal operation the ARP table on the hosts would look like this.

IP ADD                   MAC ADD              PORT            AA:AA                    Fa0/0           BB:BB                     Fa0/1       CC:CC                    Fa0/2

So if PCB wanted to get out onto the internet to the web server it would have Destination IP address of the web server and the MAC address of the default gateway CC:CC it would get this information from its ARP address table shown above.

But if an attacker wanted to launch a Man In The Middle attack to look at the information flowing between the web server and PCB it could use a technique called ARP poisoning. So how does this work. The attacker would spoof the MAC address for PCB and the Default Gateway using Gratuitous ARP by sending out a message saying if you need to get to use AA:AA he would do the same with

IP ADD                   MAC ADD              PORT            AA:AA                    Fa0/0           AA:AA                     Fa0/1       AA:AA                    Fa0/2

Now when PCB wants to communicate with the web server it will look at its ARP cache table and put in the MAC address of PCA in its packet due to the attacker poisoning the ARP tables on the network. PCB wouldn’t be aware that its ARP table was poisoned.


Now the Attacker can sniff all the traffic going to and from the web server. To make sure that PCB does not suspect anything is up the attacker will send on the traffic to the web server after he sniffs it and he will also do the same for the return traffic. This way PCB will never know there is a Man In The Middle attack going on. In my next post I will show you how to mitigate this attack.