4

Some ARP spoofing texts say that this man-in-the-middle attack overwrites the intended target MAC with the attacker's MAC in the ARP table (e.g. https://en.wikipedia.org/wiki/ARP_spoofing, Question regarding arp spoofing)

Others say that it creates a duplicate IP entry for the same MAC address (https://www.thesslstore.com/blog/everything-you-need-to-know-about-arp-spoofing/):

However, if an attack were occurring, it would look something like what you see below. The duplicate MAC addresses corresponding to two different IP addresses (circled in red) are the smoking gun:

Why are 2 IP addresses for the same MAC address evidence of ARP spoofing? I thought that evidence was 2 MAC addresses for the same IP

  1. In case of two hosts sending ARP responses with distinct MAC addresses, does the requester create duplicate entries in the ARP table or keep only the latest?

  2. Why are 2 IP addresses mapped to a single MAC address evidence of ARP spoofing? Isn't the ARP spoofing evidence the other way around (2 MAC addresses mapped to the same IP)? I'm assuming here that the requester creates duplicate entries in the ARP table when it receives 2 ARP replies with different MAC addresses for the same IP (former option in question 1)

  • I was working under the assumption that ARP replies were simply added to the ARP table instead of overwriting the latest entry for the IP address at hand. After I read your answer, it's clear that's a false assumption and therefore there can't be 2 MACs for the same IP. Related question: I guess that 2 IPs for the same MAC address will only show up in the ARP table if the attacker *also* sends ARP replies with his true MAC, which he can easily avoid doing? – Alan Evangelista Jul 31 '21 at 12:55
  • Remember what the purpose of ARP is: I *have* an IP, and I need to look up the MAC. – schroeder Jul 31 '21 at 12:55
  • 1
    If the attacker does not send a real MAC, then the attacker will not get data. At some point, something real needs to be registered else nothing will get to the attacker. The switch will send data to the wrong place or not at all. – schroeder Jul 31 '21 at 12:57
  • @schroeder Why will the attacker not get data if he doesn't send his real MAC? The victim will always want to send data to the true target's IP, not to the attacker's IP, so that ARP table entry with the attacker's IP won't ever be read by the victim. Isn't that right? – Alan Evangelista Jul 31 '21 at 13:00
  • Remember what ARP and MACs are for. IP is one addressing layer. MACs are underneath. – schroeder Jul 31 '21 at 13:02
  • 1
    @schroeder I was asking the wrong question. Assuming the true target is 192.168.43.1 and the attacker is .220 in the screenshot above, why would the victim's ARP table contain an entry with the attacker's IP? Doesn't the attacker only send ARP replies with the true target's IP? – Alan Evangelista Jul 31 '21 at 13:12

3 Answers

7

With no attack, an ARP table might look like:

192.168.0.1    11-11-11-11-11-11
192.168.0.20   22-22-22-22-22-22
192.168.0.30   33-33-33-33-33-33  <--about to attack

When the attack launches, an entry in the ARP table is overwritten with the attacker's MAC.

192.168.0.1    11-11-11-11-11-11
192.168.0.20   33-33-33-33-33-33
192.168.0.30   33-33-33-33-33-33  <--attacking

So, yes, there are multiple IP entries for the one MAC. And yes, the table entry is overwritten. So the 2 articles are saying the same thing. They do not contradict.

ARP is very simple, so the table is updated with the latest broadcast, which is why arpspoofing tools send out broadcasts frequently.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Well, technically, an ARP message is not a broadcast as such. The reason the message gets broadcast is that a layer 2 switch functions as a broadcast domain. Also, I may have understood the question differently because the OP was asking about two MAC addresses to one IP, which is not possible as this is a one-to-one mapping. You may have two IPs having the same MAC as in your example but not two MACs to one IP. However, the question was edited while I was writing my response. – nethero Jul 31 '21 at 13:05
  • 2
    @nethero gratuitous ARPs are a broadcast.... – schroeder Jul 31 '21 at 13:06
  • You are right, only the response is unicast. – nethero Jul 31 '21 at 13:10
  • "*there are multiple IP entries for the one MAC*" - you mean the attacker sits at 192.168.0.20? They might not use a separate IP address at all though. – Bergi Aug 01 '21 at 19:15
  • @Bergi of course, but the context is the articles linked – schroeder Aug 01 '21 at 19:33
  • As the context is the two linked articles, I think that "there *can be* multiple IP entries for one MAC if the attacker sends (requested or gratuitous) ARP replies with his true IP too" would be clearer and more accurate than "there are multiple IP entries for one MAC". It took me a while to figure that out. – Alan Evangelista Aug 02 '21 at 08:54
  • @AlanEvangelista it doesn't need to be for a single IP, though. As the articles mention, one can ARP spoof a few IPs. – schroeder Aug 02 '21 at 09:07
  • My point is that there are not necessarily multiple IP entries for one MAC in the victim's ARP table when there is an ARP spoofing attack; there can be a single fake one. Your answer made me think there would always be multiple. – Alan Evangelista Aug 02 '21 at 09:10
4

You're assuming that the network interface (or MAC address) used for the attack already has a legitimate IP address.

This is not a requirement to deploy an ARP spoofing attack.

So, it's entirely possible to spoof ARP without producing repeated entries in the ARP table.

And the double entries are not a smoking gun. One entry could be a host and the second a virtual machine on that host bridged to the LAN.

If you want to detect ARP spoofing, you need to look for unusual ARP traffic.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Jasen
  • 834
  • 5
  • 8
  • It's not an assumption, it's the specific scenarios presented by both links. But, yes, having an IP is not a requirement. – schroeder Aug 01 '21 at 08:27
  • 1
    I wouldn't say it's the author of the question making the assumption, but the author of that article where the screenshot is from. – ilkkachu Aug 01 '21 at 10:46
3
  1. In case of two hosts sending ARP responses with distinct MAC addresses, does the requester create duplicate entries in the ARP table or keep only the latest?

ARP maps IP addresses to MAC addresses; it's used when a host has the IP address and needs the underlying hardware address to be able to send the packet. It doesn't make much sense to expect to find the same IP address in two places at the same time, so the hosts only keep one entry in the table.

(Sending the same packet to two independent receivers either in a round-robin manner or by duplicating everything could be useful in some cases, but stateful protocols like TCP would get confused. E.g. one receiver would immediately send a TCP reset when it saw a segment to a connection it didn't know anything about. So it's not really useful on that level, but you could do something like this higher on the stack, like on top of UDP.)

  2. Why are 2 IP addresses mapped to a single MAC address evidence of ARP spoofing?

It isn't. Not as such. The article assumes that the host doing the spoofing would be available via two different IP addresses. Perhaps so that the .43.220 address would be its legitimate address, and .43.1 a router it was spoofing. But a host trying to spoof the router would not need to be available under another IP address to the victim client. It might want to do similar spoofing in the other direction, to present itself as the victim client to the network router, but again, it only needs to present one IP address there.

(Unless of course it spoofs every client on the network to the router. But even then, I can't see a reason why it would be impossible to spoof each with a different MAC address.)

Two IP addresses mapping to just one MAC address could also be evidence of a host that just has two IP addresses configured for the same interface (for whatever legitimate reason). Or perhaps of something like proxy ARP where one host answers ARP queries for all addresses on a network block with its own MAC address.

Isn't the ARP spoofing evidence the other way around (2 MAC addresses mapped to the same IP)?

Yes. Except that you won't have the two MAC addresses mapped for the same IP at the same time.

Your usual OS won't keep track of the ARP packets/mappings seen, other than the last one, and won't think twice about updating its cache based on any new ARP replies it gets, so without special tools, you might well miss anything being wrong. There's software like arpwatch specifically made to monitor ARP messages seen on the network and to keep a history of them. With that, it's possible to send warnings if an IP address is seen to frequently "move" from one MAC to another.

ilkkachu
  • 2,086
  • 1
  • 11
  • 15
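The three answers make two mechanical points that are easy to see in code: a host's ARP cache keeps exactly one MAC per IP and overwrites it with each new reply (so "two MACs for one IP" never shows up in the cache), and "two IPs for one MAC" only appears when the attacker's own address is announced as well. The monitoring that ilkkachu describes (arpwatch-style) works by keeping the history the cache discards and alerting when an IP changes MAC. The following is an added illustration, not code from the question, the answers or arpwatch: it models a victim's cache and a passive monitor side by side and replays a constructed sequence of replies that reuses the addresses from the question (192.168.43.1 as the router, 192.168.43.220 as the attacker's own address). The MAC values, timestamps and the 60-second "flip-flop" window are assumptions chosen for the example.

```python
"""Model of a host's ARP cache next to an arpwatch-style monitor.
Constructed example; not code from the question, the answers or arpwatch."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpReply:
    """One ARP reply as seen on the wire: sender IP, sender MAC, timestamp."""
    ip: str
    mac: str
    t: int  # constructed timestamp in seconds


class ArpCache:
    """Ordinary host behaviour: one entry per IP, the latest reply wins."""

    def __init__(self):
        self.table = {}  # ip -> mac

    def learn(self, reply: ArpReply) -> None:
        # A later reply for the same IP overwrites the earlier binding, so the
        # cache can never hold two MACs for one IP.
        self.table[reply.ip] = reply.mac

    def ips_per_mac(self) -> dict:
        """How many IPs currently resolve to each MAC (the article's 'smoking gun')."""
        counts = defaultdict(int)
        for mac in self.table.values():
            counts[mac] += 1
        return dict(counts)


class ArpMonitor:
    """Passive observer that remembers every ip->mac binding it has seen and
    records an alert whenever an IP 'moves' from one MAC to another."""

    def __init__(self, flip_window: int = 60):
        self.history = defaultdict(list)  # ip -> [(t, mac), ...]
        self.flip_window = flip_window    # assumed window for a 'flip-flop'
        self.alerts = []                  # (kind, ip, old_mac, new_mac, t)

    def observe(self, reply: ArpReply) -> None:
        seen = self.history[reply.ip]
        if seen and seen[-1][1] != reply.mac:
            prev_t, prev_mac = seen[-1]
            kind = "flip-flop" if reply.t - prev_t <= self.flip_window else "changed"
            self.alerts.append((kind, reply.ip, prev_mac, reply.mac, reply.t))
        seen.append((reply.t, reply.mac))


def replay(replies):
    """Feed the same replies to a victim cache and to a monitor; return both."""
    cache, monitor = ArpCache(), ArpMonitor()
    for r in replies:
        cache.learn(r)
        monitor.observe(r)
    return cache, monitor


# Constructed traffic. .43.1 is the real router, .43.220 the attacker's own
# address; MAC values are placeholders.
ROUTER_MAC = "11:11:11:11:11:11"
ATTACKER_MAC = "33:33:33:33:33:33"
SAMPLE_REPLIES = [
    ArpReply("192.168.43.1", ROUTER_MAC, 0),        # legitimate router reply
    ArpReply("192.168.43.220", ATTACKER_MAC, 1),    # attacker's own address
    ArpReply("192.168.43.1", ATTACKER_MAC, 10),     # forged reply for the router
    ArpReply("192.168.43.1", ATTACKER_MAC, 20),     # forged reply repeated
    ArpReply("192.168.43.1", ROUTER_MAC, 25),       # real router answers again
    ArpReply("192.168.43.1", ATTACKER_MAC, 30),     # forged reply wins again
]

if __name__ == "__main__":
    cache, monitor = replay(SAMPLE_REPLIES)
    print("victim cache:", cache.table)           # one MAC per IP
    print("IPs per MAC:", cache.ips_per_mac())    # 2 only because .220 was announced
    for alert in monitor.alerts:
        print("ALERT", alert)                     # three 'flip-flop' events for .43.1
```

Replaying the same traffic without the `192.168.43.220` reply leaves the cache with a single entry pointing at the attacker's MAC and no duplicate at all, which is Jasen's and ilkkachu's objection to treating duplicates as proof; the monitor still raises the same three alerts, because it keys on the IP changing MAC rather than on what the cache ends up holding.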