What is ARP Cache Poisoning?
Man-in-the-middle attacks are one of the most prevalent types of attack against individuals and organizations alike.
Man-in-the-middle attacks are a form of active eavesdropping.
These attacks work by establishing active connections with the victim systems and relaying information between them.
Because the attack is inline, the victims are under the impression that they are communicating with the correct endpoint, when in reality each of them is communicating with the attacker, who relays the messages.
The attacker is in a position not only to intercept the data flowing across but also to manipulate the data passing between them.
ARP cache poisoning is one of the easiest and most effective methods of carrying out a man-in-the-middle attack.
ARP works at layer 2, the data link layer, and is based on the MAC (hardware) address of the communicating systems.
Because of this, ARP only enables communication between systems within the same network segment, and so ARP cache poisoning can only be carried out between systems in the same segment.
Normal ARP communication works through ARP requests and replies.
When system A wants to communicate with system B, system A sends out a request saying, in effect, "my IP is ZZ.ZZ.ZZ.ZZ and my MAC is YY:YY:YY:YY:YY:YY; I need the MAC address of the system with IP AA.AA.AA.AA."
System B, which has the IP AA.AA.AA.AA, replies with its MAC address, XX:XX:XX:XX:XX:XX.
Now the communication can occur and the two systems can talk to each other as required.
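The request/reply exchange described above, encoded and decoded at the byte level. This is an added example, not code from the original article: it builds the Ethernet+ARP frames system A and system B would exchange, and `answer_request` shows the only check a normal host performs (does the request ask for my IP?). The addresses are constructed sample values from the documentation ranges, not the page's placeholders.

```python
import struct
import ipaddress

ETH_P_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Return a 42-byte Ethernet frame carrying one ARP message (RFC 826 layout)."""
    # Requests go to the broadcast address; replies go straight back to the asker.
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet+ARP frame into its fields; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "opcode": opcode,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def answer_request(request_frame: bytes, my_ip: str, my_mac: str):
    """What system B does: answer only a request that asks for B's own IP address."""
    req = parse_arp_frame(request_frame)
    if req["opcode"] != ARP_REQUEST or req["target_ip"] != my_ip:
        return None
    return build_arp_frame(ARP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


# Constructed sample addresses (RFC 5737 documentation range, locally administered MACs).
HOST_A = ("192.0.2.10", "02:00:00:00:00:0a")
HOST_B = ("192.0.2.20", "02:00:00:00:00:0b")


def run_exchange():
    """A asks 'who has B?'; B replies with its MAC. Returns both decoded messages."""
    request = build_arp_frame(ARP_REQUEST, HOST_A[1], HOST_A[0], "00:00:00:00:00:00", HOST_B[0])
    reply = answer_request(request, HOST_B[0], HOST_B[1])
    return parse_arp_frame(request), parse_arp_frame(reply)


if __name__ == "__main__":
    req, rep = run_exchange()
    print("request:", req)
    print("reply:  ", rep)
```

Note that `answer_request` checks only whether the target IP is its own; nothing in the exchange lets A verify that the reply really came from the holder of that IP, which is the gap the rest of the article turns on.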
The way poisoning works is that the attacker ends up sitting in the middle of the communication described above.
ARP cache poisoning succeeds because ARP has no security of any kind. Anyone can send an unsolicited ARP reply (a gratuitous ARP) without a preceding ARP request and make the other systems believe that the MAC for a particular IP is now XYZ.
This results in an update of the ARP cache on the victim systems, and rather than talking directly to each other the victim systems start talking through the attacker's system.
Preventing ARP cache poisoning is not easy, because the ARP protocol itself is not secure by default. There are ways around this method of attack that involve hard coding the ARP cache (static ARP entries), but this defeats the dynamic nature of IP address allocation.
If the ARP cache is hard coded, then the IP address of each LAN system needs to be static; if that is not the case, static allocation or hard coding of the ARP cache will not be fruitful.
Other security devices can also be used to help prevent ARP cache poisoning, such as internal firewall devices, UTM systems, etc.
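The two points above, the unsolicited reply that silently rewrites a cache entry and the static entry that refuses to be rewritten, in one host-side model. This is an added example, not the article's code or any real ARP stack: `ArpCacheMonitor` keeps the IP-to-MAC cache a host would keep and adds the checks ARP itself lacks (was a reply requested, does it change an existing binding, does it conflict with a pinned entry), in the style of an arpwatch-type monitor. The trace and addresses are constructed; the rogue MAC is a made-up value.

```python
from dataclasses import dataclass, field

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass
class ArpCacheMonitor:
    """A host's ARP cache plus the sanity checks the protocol does not provide (constructed model)."""
    static: dict = field(default_factory=dict)   # ip -> mac, pinned by the administrator
    cache: dict = field(default_factory=dict)    # ip -> mac, learned from replies
    pending: set = field(default_factory=set)    # IPs we have asked for, reply still outstanding
    alerts: list = field(default_factory=list)

    def send_request(self, target_ip: str) -> None:
        self.pending.add(target_ip)

    def lookup(self, ip: str):
        # Static entries always win over dynamically learned ones.
        return self.static.get(ip, self.cache.get(ip))

    def observe(self, opcode: int, sender_mac: str, sender_ip: str):
        """Process one decoded ARP message; return alert text, or None if it looks benign."""
        if opcode != ARP_REPLY:
            return None  # requests carry no binding we act on in this model
        reasons = []
        if sender_ip in self.static:
            # Hard-coded entry: never overwritten, but a conflicting reply is worth logging.
            if self.static[sender_ip] != sender_mac:
                reasons.append(f"conflicts with static entry {self.static[sender_ip]}")
        else:
            old = self.cache.get(sender_ip)
            if sender_ip not in self.pending:
                reasons.append("unsolicited (no request outstanding)")
            if old is not None and old != sender_mac:
                reasons.append(f"binding changed from {old}")
            # An ordinary host simply accepts the reply; we do the same but flag it,
            # so the cache below shows exactly what a poisoned victim would hold.
            self.cache[sender_ip] = sender_mac
        self.pending.discard(sender_ip)
        if not reasons:
            return None
        alert = f"{sender_ip} is-at {sender_mac}: " + "; ".join(reasons)
        self.alerts.append(alert)
        return alert


# Constructed trace as seen by host A. Documentation addresses; ROGUE_MAC is made up.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "02:00:00:00:00:01"
B_IP, B_MAC = "192.0.2.20", "02:00:00:00:00:0b"
ROGUE_MAC = "02:00:00:00:00:ee"

TRACE = [
    ("request", B_IP, None),          # A asks who has B
    ("reply", B_IP, B_MAC),           # B answers: solicited, first binding, benign
    ("reply", B_IP, ROGUE_MAC),       # unsolicited reply rebinding B's IP
    ("reply", GATEWAY_IP, ROGUE_MAC), # unsolicited reply for the pinned gateway
]


def run_trace() -> ArpCacheMonitor:
    mon = ArpCacheMonitor(static={GATEWAY_IP: GATEWAY_MAC})
    for kind, ip, mac in TRACE:
        if kind == "request":
            mon.send_request(ip)
        else:
            mon.observe(ARP_REPLY, mac, ip)
    return mon


if __name__ == "__main__":
    mon = run_trace()
    for line in mon.alerts:
        print("ALERT", line)
    print("cache now:", mon.cache, "static:", mon.static)
```

Running the trace produces two alerts: the rebinding of B's address is flagged as both unsolicited and a change of binding, while the reply for the gateway is logged but leaves the static entry untouched. The dynamic entry for B, however, now points at the rogue MAC, which is the state of a poisoned victim cache.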
