2.4.2 Poisoning the ARP Cache

A man-in-the-middle attack cannot succeed unless the attacker has complete access to the communication path. This can be achieved by obtaining physical access to the wire, fiber or wireless signal. It can also be achieved by interfering with the mechanism that directs packets and frames to where they have to go over the network. Since the Address Resolution Protocol (ARP) provides this mechanism on a local network, hijacking ARP is called an ARP poisoning attack.

When one network host wants to communicate with another, it first broadcasts a message called an ARP request. The purpose of the ARP request is to find out which device holds a specific IP address, for example 172.16.126.10. The device that has the requested address sends a reply containing its hardware, or MAC, address. The computer that has the message to send then sends it, in the form of a datagram, to that MAC address. This is how computers on the same subnet locate the target machine.

ARP requests and replies take up a fair amount of time on the network. To avoid repeating the request for every transmission, the sending computer keeps a table (the ARP cache) that matches IP address 172.16.126.10 with its MAC address. The cache updates itself automatically by looking at incoming packets and noting their IP and MAC addresses. The next time the host has a packet for IP address 172.16.126.10, it uses the stored MAC address and sends. If an attacker crafts a packet claiming IP address 172.16.126.10 (even though that is not the attacker's real IP address), the unsuspecting host records the attacker's MAC address against 172.16.126.10 in its ARP cache and directs all traffic for 172.16.126.10 to the attacker, until it receives further information. Of course, the attacker must send a similar poisoned address to the intended destination. Thereafter, the attacker is in the loop.

At this point, the attacker can execute malicious and destructive commands that damage the target network, or at the very least be in a position to spy on the victim computer. Of course, the attacker can also decide not to forward packets, cutting the victim off from the network or from the intended target computer.

To reduce the risk of ARP poisoning attacks, use an IP-to-MAC mapping that does not change. This is called a static ARP entry. It is created by simply entering the desired IP/MAC pairing into the ARP cache on the computer you are trying to protect.
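To make the mechanism concrete, here is an added example (not part of this text) that models the ARP cache in Python: it shows a forged reply overwriting a dynamic entry, a static entry resisting the same reply, and the change being logged as a detection signal. Only 172.16.126.10 comes from the text; the MAC addresses and the reply sequence are constructed.

```python
# Added example, not from the text: a toy model of the ARP cache described above.
# It shows a forged reply overwriting a dynamic entry, a static entry resisting it,
# and the change being logged. All addresses are constructed sample values.
GATEWAY_IP = "172.16.126.10"        # the IP used in the text
GATEWAY_MAC = "00:11:22:33:44:55"   # constructed: real owner of that IP
ATTACKER_MAC = "de:ad:be:ef:00:01"  # constructed: the poisoner's NIC

class ArpCache:
    """One host's IP -> MAC table, learned from the ARP replies it sees."""
    def __init__(self):
        self.table = {}      # ip -> mac: the "file" the text refers to
        self.static = set()  # ips the administrator has pinned
        self.alerts = []     # detection log (what an ARP monitor would raise)

    def add_static(self, ip, mac):
        """Pin a mapping; later replies must not change it (the mitigation)."""
        self.table[ip] = mac.lower()
        self.static.add(ip)

    def observe_reply(self, sender_ip, sender_mac):
        """Process one ARP reply; return True if the table was updated."""
        mac = sender_mac.lower()
        old = self.table.get(sender_ip)
        if sender_ip in self.static:
            if old != mac:  # a claim on a pinned IP: log it and ignore it
                self.alerts.append(f"rejected claim on static {sender_ip} from {mac}")
            return False
        if old is not None and old != mac:  # dynamic entry flipped: poison symptom
            self.alerts.append(f"{sender_ip} moved from {old} to {mac}")
        self.table[sender_ip] = mac
        return True

    def lookup(self, ip):
        return self.table.get(ip)

# Constructed traffic: the real gateway answers, then a forged reply for the same IP
# arrives carrying the attacker's MAC.
REPLIES = [(GATEWAY_IP, GATEWAY_MAC), (GATEWAY_IP, ATTACKER_MAC)]

def run(pin_gateway):
    """Feed REPLIES to a fresh cache; return (mac used for the gateway, alerts)."""
    cache = ArpCache()
    if pin_gateway:
        cache.add_static(GATEWAY_IP, GATEWAY_MAC)
    for ip, mac in REPLIES:
        cache.observe_reply(ip, mac)
    return cache.lookup(GATEWAY_IP), cache.alerts

if __name__ == "__main__":
    print(run(False), run(True))  # dynamic cache poisoned; static one not
```

A real host's cache also expires entries and is written by the kernel, but the two outcomes shown here are what an ARP monitor and a static entry buy you in practice.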