ARP Scanning & Denial-of-Service

We might also discern other aberrant behaviors in ARP requests and replies. Poisoning and spoofing are central to ARP-based denial-of-service (DoS) and man-in-the-middle (MITM) attacks, but adversaries can also leverage ARP for information gathering (host discovery). Fortunately, these tactics can be detected and evaluated by following much the same procedures.


ARP Scanning Signs

Typical red flags indicating ARP scanning include:

  • Broadcast ARP requests sent to sequential IP addresses (.1, .2, .3, ...)

  • Broadcast ARP requests sent to non-existent hosts

  • Unusual volume of ARP traffic from a potentially malicious or compromised host

Finding ARP Scanning

By opening ARP_Scan.pcapng in Wireshark and applying the display filter arp.opcode, we might observe:

  • ARP Scanning: ARP requests propagated by a single host to all IPs sequentially, symptomatic of ARP scanning (common in scanners like Nmap).

  • Active Hosts Respond: Detected ARP replies from live hosts indicate successful information gathering by the attacker.


Identifying Denial-of-Service

Attackers may:

  1. Use ARP scanning to identify live hosts.

  2. Transition to a DoS attack, contaminating the subnet by manipulating as many ARP caches as possible, or establishing a MITM position.

ARP DoS Tactics

  • Corrupt Router's ARP Cache: Attack traffic focuses on declaring new physical (MAC) addresses for all live IPs.

  • Duplicate IP Allocations: The attacker assigns 192.168.10.1 to multiple clients, aiming to disrupt communication by corrupting ARP caches and obstructing traffic.
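The scanning signs listed above (broadcast requests to sequential IPs from one host) and the duplicate-IP tactic (one IP claimed by several MACs) can both be checked programmatically. The following is an added example, not code from the original notes; it works on constructed ARP records rather than on ARP_Scan.pcapng, and the MAC and IP values are made up.

```python
import ipaddress
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample ARP records (not extracted from ARP_Scan.pcapng):
# (opcode, sender_mac, sender_ip, target_mac, target_ip)
SAMPLE_ARP = (
    # one host broadcasting requests to .1, .2, .3 ... .8 in order (scan pattern)
    [("request", "aa:bb:cc:00:00:01", "192.168.10.50", BROADCAST, f"192.168.10.{i}")
     for i in range(1, 9)]
    # a normal host resolving its gateway once, and the real gateway answering
    + [("request", "aa:bb:cc:00:00:02", "192.168.10.20", BROADCAST, "192.168.10.1"),
       ("reply", "aa:bb:cc:00:00:ff", "192.168.10.1", "aa:bb:cc:00:00:02", "192.168.10.20"),
       # the scanning host also claiming the gateway's IP (duplicate-IP sign)
       ("reply", "aa:bb:cc:00:00:01", "192.168.10.1", "aa:bb:cc:00:00:02", "192.168.10.20")]
)

def longest_sequential_run(ips):
    """Length of the longest run of numerically consecutive IP addresses."""
    nums = sorted({int(ipaddress.ip_address(ip)) for ip in ips})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_arp_scanners(records, min_run=5):
    """Sender MACs whose broadcast requests cover at least min_run sequential IPs."""
    targets = defaultdict(set)
    for op, smac, _sip, tmac, tip in records:
        if op == "request" and tmac == BROADCAST:
            targets[smac].add(tip)
    return {smac: longest_sequential_run(ips)
            for smac, ips in targets.items()
            if longest_sequential_run(ips) >= min_run}

def detect_ip_conflicts(records):
    """IPs claimed by more than one sender MAC (duplicate-IP / cache poisoning sign)."""
    claims = defaultdict(set)
    for _op, smac, sip, _tmac, _tip in records:
        claims[sip].add(smac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

if __name__ == "__main__":
    print(detect_arp_scanners(SAMPLE_ARP))   # {'aa:bb:cc:00:00:01': 8}
    print(detect_ip_conflicts(SAMPLE_ARP))   # {'192.168.10.1': [...two MACs...]}
```

On a real capture, feed the same five-tuple per ARP frame (for example from tshark's arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4, arp.dst.hw_mac and arp.dst.proto_ipv4 fields) and lower or raise min_run to match the subnet size.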


Responding to ARP Attacks

Upon identifying ARP anomalies, the following steps can be taken:

  • Tracing and Identification: Locating the physical machine behind the attack can halt its activities. In some cases, the attacking machine may itself be compromised.

  • Containment: Disconnect or isolate the affected area at the switch or router level to stop further data exfiltration, effectively terminating DoS or MITM attacks.

Note: Link layer attacks may initially seem minor, but detecting them can prevent data exfiltration at the higher OSI layers.
