How To Detect ARP Attack?


1 Answers

Anonymous Profile
Anonymous answered
Address Resolution Protocol is the method for finding a host's link layer (hardware) address when only its Internet Layer (IP) or some other Network Layer address is known. Its main use is primarily to translate IP addresses to Ethernet MAC addresses. The principle of ARP spoofing is to send falsified ARP messages to a target Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node.Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway or modify the data before forwarding it. Basically what you are looking for is existence of MAC address cloning, though there are legitimate uses of MAC address cloning. A defense that only works for simple ARP spoofing attacks is the use of static IP-MAC mappings, however, this only prevents some attacks and does not work on a large networks. The key thing to keep in mind is where this attacks originate, which will be from a compromised host, a jack box, or a hacker's machine that is connected directly onto the target Ethernet segment.

thanked the writer.
Anonymous commented
Address Resolution Protocol (ARP), because of its simpleness, fastness, and effectiveness, is becoming increasingly popular among internet raggers, thus causing severe influence to the internet environment.
ARP spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that indeed make use of ARP and not another method.

First, let me introduce you the tools I use are Ax3soft Sax2, there are many such tools, such as Sniffer, Snort, Ethereal, etc, I do not think that the Sax2 is the best tool, I just think that Sax2 is easy-to-use, it can quickly and accurately locate ARP source when ARP attack happens to the network, so as to ensure normal and reliable network operation.

First, launch sax2 and switch to the Diagnosis View.
Diagnosis View is the most direct and effective place to locate ARP attack and should be our first choice. Its interface is displayed as picture1.

[img][/img] (picture1)

Picture 1 definitely points out that there are two kinds of ARP attack event, ARP Scan and ARP MAC address changed, in the network, and the attack source is clearly given at the bottom. Meanwhile, Sax2 NIDS will provide reasons of such ARP attacks and corresponding solutions.

Answer Question