# ARP Spoofing & Abnormality Detection

#### **Overview**

* The Address Resolution Protocol (ARP) is a frequent target of attacks such as man-in-the-middle (MITM) and denial of service (DoS).
* ARP attacks usually involve broadcast traffic, which every host on the segment can see, so they are comparatively easy to detect with a packet sniffer.

#### How Address Resolution Protocol Works

1. **ARP Basics:** To send data to another host on the local network, a host needs that host's MAC address; if it does not already know it, it obtains it through an ARP request.
2. **Process Steps:**
   * Host A checks its ARP cache; if the IP address isn't found there, it broadcasts an ARP request for it.
   * Host B replies with its IP-MAC mapping, and Host A stores that mapping in its ARP cache.

#### ARP Poisoning & Spoofing

* **ARP Cache Poisoning:** An attacker sends false ARP messages so that hosts store corrupted IP-MAC mappings in their caches, redirecting their traffic to the attacker.
  * **Attack Steps:**
    * The attacker sends forged ARP messages to both the victim and the router, altering the ARP tables of each.
    * If the attacker then forwards the traffic between them, they can intercept and modify the data in transit, which is the MITM attack.

#### **Detection & Prevention**

* **Detection Techniques:**
  * Monitor for unusual ARP traffic patterns (e.g., repetitive ARP requests or replies from a single host).
  * Track IP-MAC inconsistencies (the same IP address claimed by more than one MAC address) to spot potential spoofing.
* **Prevention Controls:**
  * **Static ARP Entries**: Pinned entries cannot be overwritten by ARP replies, which prevents cache poisoning for those hosts, though it increases maintenance.
  * **Port Security on Switches/Routers**: Blocks unauthorized devices that attempt spoofing from the port they are connected to.

#### Practical Detection Steps Using tcpdump and Wireshark

1. **Install tcpdump** (if not present):

   ```
   sudo apt install tcpdump -y
   ```
2. **Capture ARP Traffic**:

   ```
   # tcpdump writes the classic pcap format regardless of the file extension; Wireshark opens it either way
   sudo tcpdump -i eth0 -w filename.pcapng
   ```
3. **Analyze with Wireshark**:

   ```
   # open the capture written in step 2
   wireshark ARP_Spoof.pcapng
   ```

   * **Wireshark Filters**:
     * Filter ARP Requests: `arp.opcode == 1`
     * Filter ARP Replies: `arp.opcode == 2`
     * Detect Duplicates: `arp.duplicate-address-detected && arp.opcode == 2`
4. **Examine IP-MAC Anomalies**:
   * Use `arp -a` on Linux to check IP-MAC mappings:

     ```
     # show the cache entries for the two MAC addresses of interest; if both map to the same IP, the cache is poisoned
     arp -a | grep 50:eb:f6:ec:0e:7f
     arp -a | grep 08:00:27:53:0c:ba
     ```
5. **Filter in Wireshark**:
   * Track suspicious MAC interactions:

     ```
     eth.addr == 50:eb:f6:ec:0e:7f or eth.addr == 08:00:27:53:0c:ba
     ```
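The steps above find spoofing by hand in Wireshark. The following Python script is an added example, not part of these notes, that automates the same checks over raw Ethernet/ARP frames: it splits traffic by `arp.opcode`, flags an IP address claimed by a second MAC (the condition behind `arp.duplicate-address-detected`), flags replies that answer no request, and checks that the Ethernet source matches the ARP sender. It also includes a reader for the classic pcap format that `tcpdump -w` writes, so it can be pointed at a capture from step 2. The sample frames, the 192.168.1.x addresses and the roles given to the two MAC addresses from the notes (router and attacker) are constructed assumptions for this example.

```python
"""Minimal ARP anomaly detector over raw Ethernet frames or a tcpdump pcap file (added example)."""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet/ARP frame (used only to construct sample input)."""
    eth_dst = b"\xff" * 6 if tha == "00:00:00:00:00:00" else mac_bytes(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac_bytes(sha), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode an Ethernet/ARP (IPv4 over Ethernet) frame; return None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "opcode": opcode, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def iter_pcap(path):
    """Yield raw frames from a classic libpcap file, the format `tcpdump -w` writes."""
    with open(path, "rb") as f:
        magic = f.read(24)[:4]                    # 24-byte global header; only the magic matters here
        endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
        while True:
            hdr = f.read(16)                      # ts_sec, ts_usec, incl_len, orig_len
            if len(hdr) < 16:
                return
            incl_len = struct.unpack(endian + "IIII", hdr)[2]
            yield f.read(incl_len)


def detect_anomalies(frames, reply_threshold=3):
    """Return alert strings for IP-MAC conflicts, Ethernet/ARP sender mismatches
    and repeated unsolicited replies (the manual Wireshark checks, automated)."""
    ip_to_macs = defaultdict(set)    # every MAC that has claimed each IP so far
    pending = set()                  # (requester IP, requested IP) awaiting a reply
    unsolicited = defaultdict(int)   # replies per sender MAC that answered no request
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        if arp["opcode"] == ARP_REQUEST:
            pending.add((arp["spa"], arp["tpa"]))
        elif arp["opcode"] == ARP_REPLY:
            if (arp["tpa"], arp["spa"]) in pending:
                pending.discard((arp["tpa"], arp["spa"]))
            else:
                unsolicited[arp["sha"]] += 1
                if unsolicited[arp["sha"]] == reply_threshold:
                    alerts.append(f"repetitive unsolicited replies from {arp['sha']}")
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"frame from {arp['eth_src']} carries ARP sender {arp['sha']}")
        known = ip_to_macs[arp["spa"]]
        if known and arp["sha"] not in known:  # same condition Wireshark flags as a duplicate address
            alerts.append(f"{arp['spa']} claimed by {arp['sha']}, previously {sorted(known)}")
        known.add(arp["sha"])
    return alerts


# Constructed sample (assumed roles): a normal request/reply, then three unsolicited replies
# in which 08:00:27:53:0c:ba claims the router's IP towards the victim.
ROUTER, VICTIM, ATTACKER = "50:eb:f6:ec:0e:7f", "aa:bb:cc:dd:ee:10", "08:00:27:53:0c:ba"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
    build_arp(ARP_REPLY, ROUTER, "192.168.1.1", VICTIM, "192.168.1.10"),
] + [build_arp(ARP_REPLY, ATTACKER, "192.168.1.1", VICTIM, "192.168.1.10")] * 3

if __name__ == "__main__":
    import sys
    frames = iter_pcap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FRAMES
    for alert in detect_anomalies(frames):
        print("ALERT:", alert)
```

Run it with no arguments to see the two alerts from the constructed sample, or pass the path of a capture from step 2 (`python3 arp_check.py filename.pcapng`) to scan real traffic. The `reply_threshold` sets how many unanswered replies from one MAC count as repetitive; gratuitous ARP on a healthy network will produce a few, so tune it to the segment before treating it as an alert on its own.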
