ARP spoofing, also known as ARP poisoning, is a technique attackers use against a local network. It lets a man-in-the-middle sniff data frames within a bounded network segment. ARP spoofing consists of sending forged or fake ARP packets onto the network; it allows the attacker to sniff data frames and modify traffic. The main aim is to have devices on the network associate the attacker's MAC address with the IP address of another host on the network. Since ARP does not authenticate requests or replies, ARP requests and replies can be forged.
ARP is stateless: ARP Replies can be sent without a corresponding ARP Request.
According to the ARP protocol specification, a node receiving an ARP packet must update its local ARP cache with the information in the source fields if it already has an entry for the source IP address in its cache. This applies to both ARP Request and ARP Reply packets.
In ARP flooding, the affected system sends ARP replies to all systems connected to the network, causing incorrect entries in their ARP caches. As a result, the affected system is unable to resolve IP addresses to MAC addresses because of the wrong entries in the ARP cache, and is unable to connect to any other system on the network.
LAN switches use forwarding tables (Layer 2 (L2) tables, also called Content Addressable Memory (CAM) tables) to direct traffic to specific ports based on the VLAN number and the destination MAC address of the frame. When there is no entry for the frame's destination MAC address in the incoming VLAN, the (unicast) frame is sent out of all forwarding ports within that VLAN, which is called flooding.
Limited flooding is part of the normal switching process. There are situations, however, when continuous flooding can cause adverse performance effects on the network. This document explains what issues can arise due to flooding, and the most common reasons why certain traffic might constantly be flooded.
Note that most modern switches including the Catalyst 2900 XL, 3500 XL, 2940, 2950, 2970, 3550, 3750, 4500/4000, 5000, and 6500/6000 series switches maintain L2 forwarding tables per VLAN.
Causes of Flooding
The root cause of flooding is that the destination MAC address of the frame is not in the switch's L2 forwarding table. In that case the frame is flooded out of all forwarding ports in its VLAN (except the port it was received on). The case studies below cover the most common reasons why a destination MAC address is not known to the switch:
1) Asymmetric Routing
2) Spanning-Tree Protocol Topology Changes
3) Forwarding Table Overflow
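The following simulation is an added example, not part of the original document or any vendor's code. It models a single-VLAN learning switch with a fixed-capacity CAM table (a constructed capacity of 4 entries, LRU eviction as a simplification of real aging) to show why an unknown destination is flooded, why forwarding-table overflow (cause 3 above) turns previously unicast traffic back into flooded traffic, and how a per-port limit on learned addresses, in the spirit of port security, keeps the table from being churned. The `flush()` method stands in for the fast aging triggered by a Spanning-Tree topology change (cause 2). All host names, ports and MAC addresses are constructed.

```python
from collections import OrderedDict


class LearningSwitch:
    """Toy model of a single-VLAN switch (assumption: one VLAN, no trunking).

    The CAM table maps source MAC -> ingress port and has a fixed capacity;
    the least recently refreshed entry is evicted when it fills. An optional
    per-port limit refuses to learn further addresses on a port once reached,
    mimicking a port-security style restriction.
    """

    def __init__(self, ports, cam_capacity, max_macs_per_port=None):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.max_per_port = max_macs_per_port
        self.cam = OrderedDict()      # mac -> port, least recently used first
        self.violations = []          # (port, mac) pairs refused by the per-port limit
        self.flood_count = 0

    def _macs_on_port(self, port):
        return sum(1 for p in self.cam.values() if p == port)

    def flush(self):
        """Model an STP topology change: the forwarding table is aged out quickly."""
        self.cam.clear()

    def forward(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port, then return ("unicast"|"flood"|"drop", egress_ports)."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)      # refresh: entry becomes most recently used
            self.cam[src_mac] = in_port
        elif self.max_per_port is not None and self._macs_on_port(in_port) >= self.max_per_port:
            self.violations.append((in_port, src_mac))
            return ("drop", [])                # limit reached: nothing learned, frame dropped
        else:
            if len(self.cam) >= self.capacity:
                self.cam.popitem(last=False)   # table full: evict the oldest entry
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is None:                        # unknown unicast: flood within the VLAN
            self.flood_count += 1
            return ("flood", [p for p in self.ports if p != in_port])
        return ("unicast", [out])


# Constructed hosts: A on port 1, B on port 2; port 3 is where churn comes from.
HOST_A, HOST_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"


def simulate(n_churn_macs, cam_capacity=4, max_macs_per_port=None):
    """Two hosts exchange frames, then port 3 presents n_churn_macs distinct source
    addresses. Returns the forwarding decision for a later A -> B frame and the switch."""
    sw = LearningSwitch(ports=[1, 2, 3], cam_capacity=cam_capacity,
                        max_macs_per_port=max_macs_per_port)
    sw.forward(1, HOST_A, HOST_B)   # B not yet known: flooded; A learned on port 1
    sw.forward(2, HOST_B, HOST_A)   # A known: unicast to port 1; B learned on port 2
    for i in range(n_churn_macs):
        sw.forward(3, f"02:cc:00:00:{i >> 8:02x}:{i & 0xff:02x}", HOST_A)
    return sw.forward(1, HOST_A, HOST_B), sw


if __name__ == "__main__":
    print("no churn:        ", simulate(0)[0])                          # unicast to port 2
    print("table overflowed:", simulate(6)[0])                          # A/B evicted, flooded
    print("per-port limit:  ", simulate(6, max_macs_per_port=1)[0])    # still unicast
```

With a 4-entry table, six new source addresses on port 3 push out the entries for A and B, so the next A to B frame is flooded to every other port in the VLAN. With a limit of one learned address per port, port 3 contributes only one entry and the later frames from it are recorded as violations, leaving the A/B entries intact. Real switches have far larger tables, but the mechanism is the same.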
Countermeasures against ARP spoofing include:
- Dynamic ARP Inspection
- SSH communication
- SFTP communication
- Static ARP entries
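As an added example (not code from the original document), the script below ties the ARP behaviour described at the top of the page to the first countermeasure in the list. It parses raw Ethernet/ARP frames, then does two things a defender would want: a passive monitor that records the first MAC seen for each IP and raises an alert when a reply arrives with no matching request (ARP is stateless, so hosts would accept it) or when an IP's mapping changes, and a Dynamic ARP Inspection style filter that accepts only ARP packets whose sender IP/MAC pair matches a trusted binding table (on a real switch that table is typically populated by DHCP snooping or static configuration). The frames, IP addresses, MAC addresses and the binding table are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Parse an Ethernet II frame carrying ARP for IPv4; return None for anything else."""
    if len(frame) < 42:                          # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(op, _mac_str(body[0:6]), _ip_str(body[6:10]),
                     _mac_str(body[10:16]), _ip_str(body[16:20]))


def build_frame(op, sender_mac, sender_ip, target_mac, target_ip,
                dst_mac="ff:ff:ff:ff:ff:ff") -> bytes:
    """Assemble a constructed ARP frame; used only to create the sample input below."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(dst_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


class ArpMonitor:
    """Passive detector: remembers the first MAC seen per IP and reports mapping
    changes and replies for which no request was observed."""

    def __init__(self):
        self.seen = {}            # ip -> mac first observed for it
        self.pending = set()      # target IPs of requests not yet answered
        self.alerts = []

    def observe(self, frame: bytes):
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return
        if pkt.opcode == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
        elif pkt.opcode == ARP_REPLY:
            if pkt.sender_ip in self.pending:
                self.pending.discard(pkt.sender_ip)
            else:
                self.alerts.append(("unsolicited-reply", pkt.sender_ip, pkt.sender_mac))
        prev = self.seen.setdefault(pkt.sender_ip, pkt.sender_mac)
        if prev != pkt.sender_mac:
            self.alerts.append(("mapping-changed", pkt.sender_ip, prev, pkt.sender_mac))


def dai_filter(frames, bindings):
    """DAI-style check: keep ARP packets whose sender IP/MAC matches the trusted
    binding table (ip -> mac); everything else is dropped."""
    accepted, dropped = [], []
    for f in frames:
        pkt = parse_arp_frame(f)
        if pkt is None:
            continue
        (accepted if bindings.get(pkt.sender_ip) == pkt.sender_mac else dropped).append(pkt)
    return accepted, dropped


# Constructed sample: a host resolves its gateway, gets a genuine reply, then a
# third device sends an unsolicited reply claiming the gateway's IP.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "10.0.0.20", "02:00:00:00:00:20"
OTHER_MAC = "02:00:00:00:00:99"
BINDINGS = {GATEWAY_IP: GATEWAY_MAC, HOST_IP: HOST_MAC}   # constructed trusted table
SAMPLE_FRAMES = [
    build_frame(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, dst_mac=HOST_MAC),
    build_frame(ARP_REPLY, OTHER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, dst_mac=HOST_MAC),
]


def run_monitor(frames=SAMPLE_FRAMES):
    m = ArpMonitor()
    for f in frames:
        m.observe(f)
    return m.alerts


def run_dai(frames=SAMPLE_FRAMES, bindings=BINDINGS):
    return dai_filter(frames, bindings)


if __name__ == "__main__":
    for alert in run_monitor():
        print("ALERT", alert)
    ok, bad = run_dai()
    print(f"DAI accepted {len(ok)}, dropped {len(bad)}")
```

The monitor flags the third frame twice: once because no request for 10.0.0.1 was outstanding, and once because the MAC claimed for 10.0.0.1 differs from the one seen earlier. A mapping change is not proof of spoofing (a replaced NIC or failover produces the same signal), which is why the DAI-style filter, with its trusted binding table, is the stronger control: the forged reply is dropped before any host can cache it. The monitor works on a mirror/SPAN feed; the filter belongs on the switch that sees the untrusted ports.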