# ARP Spoofing & Abnormality Detection #### **Overview** * The Address Resolution Protocol (ARP) is frequently targeted for attacks like MITM and DoS. * ARP attacks often use broadcast communication, aiding in detectability via packet sniffing. #### How Address Resolution Protocol Works 1. **ARP Basics:** Hosts need the MAC address to send data, obtained through ARP requests. 2. **Process Steps:** * Host A checks ARP cache or broadcasts an ARP request if the IP isn’t found. * Host B replies with its IP-MAC mapping, updating Host A’s ARP cache. #### ARP Poisoning & Spoofing * **ARP Cache Poisoning:** Attackers send false ARP messages to corrupt caches, redirecting traffic. * **Attack Steps:** * Attacker sends forged ARP messages to the victim and router, altering their ARP tables. * If the attacker forwards traffic, they intercept and modify data, enabling MITM attacks. #### **Detection & Prevention** * **Detection Techniques:** * Monitor for unusual ARP traffic patterns (e.g., repetitive ARP requests). * Track IP-MAC inconsistencies to spot potential spoofing. * **Prevention Controls:** * **Static ARP Entries**: Prevents ARP cache poisoning, though it increases maintenance. * **Port Security on Switches/Routers**: Blocks unauthorized devices attempting spoofing. #### Practical Detection Steps Using tcpdump and Wireshark 1. **Install tcpdump** (if not present): ``` sudo apt install tcpdump -y ``` 2. **Capture ARP Traffic**: ``` sudo tcpdump -i eth0 -w filename.pcapng ``` 3. **Analyze with Wireshark**: ``` wireshark ARP_Spoof.pcapng ``` * **Wireshark Filters**: * Filter ARP Requests: `arp.opcode == 1` * Filter ARP Replies: `arp.opcode == 2` * Detect Duplicates: `arp.duplicate-address-detected && arp.opcode == 2` 4. **Examine IP-MAC Anomalies**: * Use `arp -a` on Linux to check IP-MAC mappings: ``` arp -a | grep 50:eb:f6:ec:0e:7f arp -a | grep 08:00:27:53:0c:ba ``` 5. **Filter in Wireshark**: * Track suspicious MAC interactions: ``` eth.addr == 50:eb:f6:ec:0e:7f or eth.addr == 08:00:27:53:0c:ba ```