Thursday, February 12, 2009

ARP Spoofing or IP Masquerade

What is IP Masquerade or ARP Spoofing?

To understand what IP Masquerading or ARP Spoofing is, we need to look at how Ethernet works. Ethernet is a Data Link Layer protocol, which uses the MAC addresses embedded in network interface cards (NICs) to communicate between devices. But the network layer and the layers above it communicate using IP addresses. So there must be some mechanism to map the IP addresses of the network layer to the MAC addresses of the data link layer. This is accomplished using ARP (Address Resolution Protocol). When a packet needs to be sent to a destination machine, given its IP, ARP is used to send an ARP Request. This request is broadcast to the machines on the Ethernet. If the destination machine is on the same Ethernet segment, it answers with its MAC address in an ARP reply. The sender caches this MAC address in its ARP table, and further packets to that IP are sent to the machine with that MAC address.

Now the inherent flaw in the protocol is that there is no mechanism to verify that an IP address really corresponds to the MAC address claimed for it, and a forged ARP reply updates the ARP cache just as a genuine one does. So if a forged reply arrives for an IP address and MAC pair, the ARP table gets updated. No questions asked.

Thus any machine on the network can act as if it were another machine and hijack all the information flowing to it. This is called ARP spoofing or IP Masquerading.
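As an added example (not code from the original post), here is a small Python ARP frame parser plus a watcher that flags the on-wire symptom of the flaw described above: an ARP reply that claims a different MAC for an IP already learned. The MAC and IP values are constructed sample data, and the frames are only built in memory as input for the watcher.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Ethernet II frame -> dict of ARP fields, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame, used here only as sample input."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip

class ArpWatcher:
    """Learns IP -> MAC bindings from ARP replies and flags a later reply claiming a
    different MAC for a known IP (also fires on legitimate NIC or DHCP changes)."""
    def __init__(self):
        self.bindings = {}  # ip -> first MAC seen claiming it

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            return f"ALERT: {ip} was {known}, now claimed by {mac}"
        return None

def run_demo():
    """Constructed traffic: the gateway answers, then a second host claims its IP."""
    host = (bytes.fromhex("001122334455"), bytes([192, 168, 1, 10]))
    gateway = (bytes.fromhex("aabbccddeeff"), bytes([192, 168, 1, 1]))
    impostor = bytes.fromhex("0badc0ffee00")
    frames = [build_arp_reply(gateway[0], gateway[1], host[0], host[1]),
              build_arp_reply(impostor, gateway[1], host[0], host[1])]
    watcher = ArpWatcher()
    return [a for a in (watcher.observe(f) for f in frames) if a]
```

Because a binding change is also what a replaced NIC or a DHCP reassignment looks like, a real deployment would pair such alerts with a known-good list of static bindings for the gateway and servers, which is what tools like arpwatch and switch-side Dynamic ARP Inspection build on.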