-2

We know that when an ARP spoofing process is running on a network, all of the network traffic will be routed through it before it travels to its true destination.

But what happens if I have 2 ARP spoofing processes running on a network? My gut says that this is reasonable and the network should continue to work. I'm also guessing that the second process to start gets first crack at the data on the network.

So what do you think? Is this correct or does something else happen?

Sander Smith
  • 111
  • 4
  • 2
    "_We know that when an ARP spoofing process is running on a network, all of the network traffic will be routed through it before it travels to its true destination._" That is not necessarily true. When Host A sends an ARP request to resolve the layer-2 address of Host B in order to send something to Host B, it always uses the layer-2 address of the last ARP reply it sees, which could actually be the real host. – Ron Maupin Oct 11 '17 at 01:22
  • The more of this attacks are done on the same network, the more it will result in a DoS rather than an ARP poisoning attack. – Marco Oct 11 '17 at 05:24

1 Answers1

0

If the network doesn't protect ARP resolution, any spoofed/gratuitous ARP successfully poisoning the nodes' ARP caches wins over the real one, directing IP traffic to the spoofed layer 2 destination.

When there are several attackers they essentially grab the traffic from each other and the outcome is rather random. Note that ARP cache poisoning is a continuous attack.

Whether or not the network still works depends on the spoofer retransmitting intercepted traffic to the real destination. As @Marco has pointed out, the broader and more frequent your attack is the more you clog up the network.

Zac67
  • 8,639
  • 2
  • 10
  • 28