4 Replies  Latest reply: Jan 22, 2012 2:09 PM by Elvin Arias

    ARP Spoofing and MAC address Spoofing.

    Elvin Arias

      ARP Spoofing attacks are meant to send messages (e.g. GARPs) to the LAN segment to spoof the identity of a specific device, while in the case of the MAC address spoofing attack the goal is to spoof the identity of a host by supplanting the identity of a MAC address. The fact is that these seem to be different from a general perspective, but the final goal of both is to supplant the identity of a device, no?

      Another thing is, what do the authors of the SECURE book mean when they say:

      "This method (the ARP Spoofing attack) can be considered more threatening than MAC address spoofing because, while the CAM table stores these addresses for only 5 minutes (by default), most Cisco devices default to holding their ARP table associations for 4 hours".

      If the ARP table holds the MAC-to-IP associations for 4 hours (as they say), why does the CAM table flush them after a 5 minute inactivity interval? That doesn't make sense to me, since those two are dependent, right? Please clarify.

      Elvin

        • 1. Re: ARP Spoofing and MAC address Spoofing.
          Paul Stewart  -  CCIE Security

          The ARP table, being a Layer 2 to Layer 3 mapping, is stored in the Layer 3 devices. The MAC address table (or CAM) is stored in a switch. The two are related but different. Those defaults are correct per my recollection. I'm not sure of the context of the statement, but I don't think I'm completely in agreement with it. MAC address spoofing can easily make a switch act like a hub. That makes frames go out to locations that are not appropriate. ARP spoofing can cause an outright MITM and from that respect it is a greater risk. While the statement seems to indicate that the reason it is a greater risk is due to the timeout, the timeout is rarely reached. The next ARP request that the router makes will update all of the ARP tables in the broadcast domain anyway.

          At the end of the day, MAC spoofing is easy to protect against with switchport port-security. ARP spoofing is a weakness in the protocol. Cisco can use the DHCP snooping table in conjunction with DAI (dynamic ARP inspection) to help with this problem. I think that statement is one of those that really depends on your perspective, situation and exploit being attempted. Based on those factors I think some would disagree on which one (and why) it is worse.
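The DHCP snooping plus DAI combination mentioned in the reply above works by checking each ARP packet received on an untrusted port against the IP/MAC/port bindings the switch learned from DHCP. The following Python model is an added example, not code from this thread, from Cisco, or from the SECURE book; the binding table, port names and sample packets are constructed values, and the inspector is a simplification of what DAI does (real DAI also rate-limits ARP and can apply static ACLs for non-DHCP hosts).

```python
"""Dynamic-ARP-Inspection-style validation of ARP packets.

Added example (not code from the thread, from Cisco, or from the SECURE
book): models what DAI does on an untrusted port, checking each ARP
packet's sender IP/MAC/port against a DHCP snooping binding table.
Bindings, ports and packets are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str   # switch port the frame arrived on
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address
    target_ip: str      # ARP target protocol address (== sender_ip for a GARP)


# Constructed DHCP snooping binding table: ip -> (mac, port), as learned
# from DHCP ACKs seen by the switch.
BINDINGS = {
    "10.0.0.10": ("aa:aa:aa:aa:aa:10", "Gi0/1"),
    "10.0.0.11": ("aa:aa:aa:aa:aa:11", "Gi0/2"),
}

# The uplink toward the router is trusted, so its ARP traffic is not
# inspected (the router's own 10.0.0.1 never appears in the snooping table).
TRUSTED_PORTS = {"Gi0/24"}


def inspect(pkt: ArpPacket, bindings=BINDINGS, trusted=TRUSTED_PORTS) -> str:
    """Return 'permit', or 'drop: <reason>' for a packet DAI would discard."""
    if pkt.ingress_port in trusted:
        return "permit"
    binding = bindings.get(pkt.sender_ip)
    if binding is None:
        return "drop: no binding for sender IP"
    mac, port = binding
    if mac != pkt.sender_mac.lower():
        return "drop: sender MAC does not match binding"
    if port != pkt.ingress_port:
        return "drop: binding belongs to a different port"
    return "permit"


# Constructed sample traffic, one packet per case the thread discusses.
SAMPLES = {
    # Legitimate reply from the host that really owns 10.0.0.10.
    "legit": ArpPacket("Gi0/1", "aa:aa:aa:aa:aa:10", "10.0.0.10", "10.0.0.1"),
    # The router's gratuitous ARP arrives on the trusted uplink.
    "router_garp": ArpPacket("Gi0/24", "cc:cc:cc:cc:cc:01", "10.0.0.1", "10.0.0.1"),
    # ARP spoofing: the host on Gi0/2 claims to be the default gateway.
    "gateway_claim": ArpPacket("Gi0/2", "aa:aa:aa:aa:aa:11", "10.0.0.1", "10.0.0.1"),
    # ARP spoofing: the host on Gi0/2 claims the IP of the host on Gi0/1.
    "ip_hijack": ArpPacket("Gi0/2", "aa:aa:aa:aa:aa:11", "10.0.0.10", "10.0.0.11"),
    # MAC spoofing: the host on Gi0/2 copies both IP and MAC of the Gi0/1 host.
    "mac_clone": ArpPacket("Gi0/2", "aa:aa:aa:aa:aa:10", "10.0.0.10", "10.0.0.1"),
}


def inspect_samples() -> dict:
    """Run every constructed sample through the inspector."""
    return {name: inspect(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in inspect_samples().items():
        print(f"{name:14s} {verdict}")
```

The two ARP spoofing cases are dropped because the sender IP either has no binding (a host claiming the gateway's address) or is bound to a different MAC; the MAC clone is dropped because the binding ties that IP and MAC to another port, which is the same fact switchport port-security enforces directly on the port.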

          • 2. Re: ARP Spoofing and MAC address Spoofing.
            Netwrk1

            ARP spoofing being a Layer 3 attack and MAC spoofing being a Layer 2 attack gives the main difference between the attacks, which also answers the last part of the question.

            A) The ARP table is only on a router that holds the MAC-to-IP associations.

                 - On a Layer 3 switch, if you configured a port as routed, you would not get any MACs with the command
                    sh mac address-table dyna int g0/1.

                 - However, you will get an ARP entry for the configured IP.

              B) The switch has the CAM table which holds the MAC.

                  The switch doesn't know about Layer 3 and hence there is no ARP.

            Hence it would be wrong to think that if switches flush out the CAM entry, routers do too.

            There is no connection as such between the two tables.

            "This method (the ARP Spoofing attack) can be considered more threatening than MAC address spoofing because, while the CAM table stores these addresses for only 5 minutes (by default), most Cisco devices default to holding their ARP table associations for 4 hours".

              On MAC address spoofing you are just faking your MAC to hide your machine's identity and/or to bypass some access list.

              MAC spoofing is mostly limited to a broadcast domain.

              With ARP spoofing a step further is taken, wherein you can make yourself the default gateway and intercept all the traffic (MITM).

            As the ARP entry is kept for a longer time, it would create more chaos.
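The point both replies make, that the switch's CAM table and the router's ARP cache are separate state with separate timers, can be seen by modelling them. The following Python block is an added example, not code from this thread or from Cisco: it uses the 300 s CAM and 14400 s ARP defaults quoted in the thread, simplifies the ARP timer to count from when the entry was learned, and uses constructed addresses, port names and timestamps.

```python
"""Switch CAM table vs. router ARP cache with independent aging.

Added example (not code from the thread or from Cisco): a small model of
the two tables the thread is about.  The CAM entry ages out after 300 s
of inactivity and the ARP entry after 14400 s, the IOS defaults quoted in
the thread; the ARP timer here counts from when the entry was learned,
a simplification.  Addresses, ports and timestamps are constructed.
"""
CAM_AGING = 300      # seconds of inactivity before a MAC entry is dropped
ARP_AGING = 14400    # seconds before a cached IP-to-MAC entry is dropped


class Switch:
    """Layer 2 switch: learns source MACs, floods unknown unicast."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}  # mac -> (port, last_seen)

    def age(self, now):
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if now - t < CAM_AGING}

    def forward(self, src_mac, dst_mac, in_port, now):
        """Return the set of egress ports for one frame."""
        self.age(now)
        self.cam[src_mac] = (in_port, now)        # learn / refresh the source
        if dst_mac in self.cam:
            return {self.cam[dst_mac][0]}         # known destination
        return self.ports - {in_port}             # unknown unicast: flood


class Router:
    """Layer 3 device: caches IP-to-MAC mappings from ARP replies."""

    def __init__(self):
        self.arp = {}  # ip -> (mac, learned_at)

    def learn(self, ip, mac, now):
        self.arp[ip] = (mac, now)

    def resolve(self, ip, now):
        """Return the cached MAC for ip, or None if absent or aged out."""
        self.arp = {i: (m, t) for i, (m, t) in self.arp.items()
                    if now - t < ARP_AGING}
        entry = self.arp.get(ip)
        return entry[0] if entry else None


def scenario():
    sw = Switch(["Gi0/1", "Gi0/2", "Gi0/24"])   # Gi0/24 is the router uplink
    rtr = Router()
    host_mac, host_ip = "aa:aa:aa:aa:aa:10", "10.0.0.10"
    rtr_mac = "cc:cc:cc:cc:cc:01"
    out = {}

    # t=0: the host answers an ARP request from the router; the switch learns
    # the host on Gi0/1 and the router caches the IP-to-MAC mapping.
    sw.forward(host_mac, rtr_mac, "Gi0/1", now=0)
    rtr.learn(host_ip, host_mac, now=0)

    # t=600: the host has been silent for 10 minutes.  The router still
    # resolves it from the ARP cache, but the CAM entry has aged out, so the
    # switch floods the frame out of every port except the one it came in on.
    mac = rtr.resolve(host_ip, now=600)
    out["arp_at_600"] = mac
    out["egress_at_600"] = sw.forward(rtr_mac, mac, "Gi0/24", now=600)
    out["cam_has_host_at_600"] = host_mac in sw.cam

    # t=601: the host replies; the switch relearns it and unicast resumes.
    out["egress_after_reply"] = sw.forward(host_mac, rtr_mac, "Gi0/1", now=601)
    out["cam_has_host_at_601"] = host_mac in sw.cam

    # t=15000: past the 4-hour ARP timeout; the router must ARP again.
    out["arp_at_15000"] = rtr.resolve(host_ip, now=15000)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:22s} {value}")
```

The CAM entry expiring does not touch the router's cache: at t=600 the router still resolves the host, the switch has forgotten which port it is on, and the only consequence is one flooded frame until the host's reply repopulates the CAM. Only at t=15000, past the ARP timeout, does the router lose the mapping and need a fresh ARP exchange.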

            • 3. Re: ARP Spoofing and MAC address Spoofing.
              Elvin Arias

              Specifically about the ARP table and the CAM, I totally agree with you, because ARP tables are a L3 thing and not L2, since switches use and build the CAM table looking at the source MAC address of the Ethernet frame, but this distinction in the book is not very consistent, which is why I wanted another perspective, from a CCIE maybe.

              "MAC address spoofing can easily make a switch act like a hub."

              You meant MAC address flooding attacks, right?

              Thanks for your answer.

              Elvin

              • 4. Re: ARP Spoofing and MAC address Spoofing.
                Elvin Arias

                Thanks for your answer, it really helped me to see things differently. I guess the book confused me, too much reading today.

                Elvin