TCP/IP Attacks – ARP Cache Poisoning Fundamentals Explained

by Himanshu Arora on January 13, 2012

Suppose ‘A’ and ‘B’ are very good friends and ‘A’ shares all his secrets with ‘B’.

Now if a guy ‘C’ comes in and fakes as if he is ‘B’. Can you imagine what could happen? Yes, ‘A’ could tell all his secrets to ‘C’ and ‘C’ could misuse it.

In a layman’s language, this is what we mean by ARP cache poisoning.

ARP poisoning may cause many serious networking problems and network administrators should know how this attack works.

ARP Protocol

Before Jumping on to the description of ARP cache poising, lets first refresh how ARP protocol works. ARP protocol consists of the following 4 basic messages:

  1. ARP request : Computer ‘A’ asks on the network, “who has this IP?”
  2. ARP reply : All the other computers ignore the request except the computer which has the requested IP. This computer, lets say ‘B’ says, I have the requested IP address and here is my MAC address.
  3. RARP request: This is more or less same as ARP request, the difference being that in this message a MAC address is broad-casted on network.
  4. RARP reply : Same concept. Computer ‘B’ tells that the requested MAC is mine and here is my IP address.

All the devices that are connected to network have an ARP cache. This cache contains the mapping of all the MAC and IP address for the network devices this host has already communicated with.

ARP Cache Poisoning Concept

ARP protocol was designed to be simple and efficient but a major flaw in the protocol is lack of authentication. No authentication was added to its implementation and as a result, there is no way to authenticate the IP to MAC address mapping in the ARP reply. Further, the host does not even check whether it sent an ARP request for which it is receiving ARP reply message.

In a layman’s language, if computer ‘A’ has sent and ARP request and it gets an ARP reply, then ARP protocol by no means can check whether the information or the IP to MAC mapping in the ARP reply is correct or not. Also, even if a host did not send an ARP request and gets an ARP reply, then also it trusts the information in reply and updates its ARP cache. This is known as ARP cache poisoning.

So you can see that its easy to exploit this weakness of ARP protocol. An evil hacker can craft a valid ARP reply in which any IP is mapped to any MAC address of the hackers choice and can send this message to the complete network. All the devices on network will accept this message and will update their ARP table with new Information and this way the hacker can gain control of the to and fro communication from any host in network.

ARP Cache Poisoning Consequences

After a hacker sees a possibility of ARP cache poisoning, the attacker can use various attack techniques to harm or to gain control of the victims machine. Lets discuss some of them here :

1) Denial of service

A hacker can send an ARP reply mapping an IP address on network with a wrong or non-existent MAC address. For example, a fake ARP reply mapping the network’s router IP with a non-existent MAC will bring down the connectivity of the whole network with the outer world as now any packet sent to IP of router will be sent to a machine with a MAC address that does not exist.

2) Man in Middle

As the name suggest, the hacker can make his machine sit right in between of the communication between your system and any other system on network. This way the hacker can sniff all the traffic to and from from both the machines.

To achieve this suppose your machine is host ‘A’ and your network router is host ‘B’. ‘A’ has IP-A and MAC-A, while ‘B’ has IP-B and MAC-B as IP address and MAC address respectively. Now, the hacker sends an ARP reply to the router mapping your IP (IP-A) with his machine’s MAC address and another ARP reply to your machine mapping routers IP with his machine’s MAC address. Now any message sent by your machine to router or from router to your machine will reach the hacker’s machine. The hacker can now switch on the ‘IP forwarding’ feature on his machine which lets the hacker’s machine to forward all the traffic to and fro to your machine and router. This way the hacker’s machine sits right in the middle and can sniff or block the traffic.

3) MAC Flooding

For switches on network, MAC flooding is an ARP cache poising technique that is used. Many network switches when overloaded can start acting like a hub and start broadcasting all the network traffic to all the hosts connected to network. So a hacker can flood a switch with fake ARP replies and can make the switch to start behaving like a hub. In this role, the switch does not enable its ‘port security’ feature due to which it broadcast all the network traffic and taking advantage of this, the hacker can packet sniff the network.

ARP Cache Poisoning Mitigation Techniques

Poisoning ARP cache remotely is bit difficult as it requires either physical access to the network or control of one of the machines in the network. Since its not always easy so ARP attacks are not frequently heard. Anyways, taking precautions is better than taking medicines. Network administrators should take care that these type of attacks do not take place. Here are a few mitigation points :

  • For small networks, static ARP entries can be maintained. Static means unchanging, so as the name suggests these entries cannot be changed and thus any tries by hackers to change the mapping fails. This is good for small networks but not for big networks as mapping for every new device added to network needs to be done manually.
  • For a large network, the port security features of network switches can be explored. Some features when turned on force the switch to allow only one MAC address for each physical port on switch. This feature makes sure that machines cannot change their MAC address and cannot map more than one MAC to their machine hence preventing attacks like ‘man in middle’.
  • In general, Some monitoring tool like ARPwatch can be deployed to get alerts when some malicious ARP activity takes place on your network.

To conclude, in this article, we studied the basics of ARP protocol, its loopholes, how these loopholes can be exploited and how they can be mitigated.

The next article in this series is: TCP Sequence Number Prediction and TCP Reset Attacks.


Linux Sysadmin Course Linux provides several powerful administrative tools and utilities which will help you to manage your systems effectively. If you don’t know what these tools are and how to use them, you could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is to help you understand system administration tools, which will help you to become an effective Linux system administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 10 comments… read them below or add one }

1 Lakshmanan January 13, 2012 at 1:23 am

If some one want’s to really try this ARP, then try using “EtterCap”. By using this and wireshark, you can really understand how ARP works.

ARPAlert is a tool which sends an alert to a E-Mail ID, when statically configured IP & MAC is mismatched.

2 Himanshu January 13, 2012 at 5:52 am

@Lakshmanan

Thanks for adding information to the article

3 jalal hajigholamali January 13, 2012 at 10:13 am

Thanks a lot

4 MANOJKUMAR January 13, 2012 at 10:13 am

Thanks a lot for valuable information ……. Keep rocking ….

5 Abhilash S V January 15, 2012 at 11:03 am

Thank you very much for the simple explanation!

6 Anonymous Coward January 21, 2012 at 11:16 am

Dude,
This article is cool and brings it down to laymen like me . Keep up the good work.

7 Vasudev May 24, 2012 at 10:39 pm

gr8 article… keep up.
Thank you very much for sharing.

8 Sagar shah November 4, 2012 at 5:50 am

Excellent Article!!!!
Now I want to know What is the prevention of ARP Cache Poisoning?
How can we implement it? plz rpl.. it will be very useful for me..

9 Tina January 21, 2013 at 6:33 am

So beautifully explained for someone who is clueless (ie me)

10 Ajay Agrawal December 19, 2013 at 7:15 am

Thanks its good to understand the ARP

Leave a Comment

Previous post:

Next post: