4.2 Summarize various types of attacks and their impact
Network Attacks
📘CompTIA Network+ (N10-009)
1. What is ARP?
Before understanding ARP poisoning, you need to know what ARP (Address Resolution Protocol) is:
- ARP is a protocol used in IPv4 networks.
- Its job is to map IP addresses to MAC addresses.
- Example: Your computer knows the IP of a server, but to send data over Ethernet, it needs the server’s MAC address. ARP finds it.
- ARP uses ARP tables (or caches) in each device to remember the MAC address for each IP.
2. What is ARP Poisoning / Spoofing?
ARP poisoning (also called ARP spoofing) is a network attack where an attacker sends fake ARP messages to a local network.
- The goal is to associate the attacker’s MAC address with the IP address of another device, like the default gateway or a server.
- Once successful, the attacker can intercept, modify, or stop traffic between devices without them knowing.
3. How ARP Poisoning Works (Step by Step)
- Identify targets
  - The attacker scans the local network to find devices and their IP addresses.
- Send fake ARP messages
  - The attacker tells the victim: “Hey, I am the gateway (or another device)!”
  - This is done by sending ARP replies with the attacker’s MAC address, even if the victim didn’t request it.
- Redirect traffic
  - The victim updates its ARP table, now associating the attacker’s MAC with the gateway’s IP.
  - All network traffic meant for the gateway goes through the attacker first.
- Perform attacks
  - The attacker can now:
    - Sniff traffic (capture usernames, passwords, and sensitive data) → this is a Man-in-the-Middle (MitM) attack.
    - Modify traffic (change the contents of communications).
    - Block traffic entirely, causing a denial-of-service.
4. Common Scenarios in IT Environments
- Capturing login credentials: An attacker on a network could steal admin or user credentials from web traffic if it is unencrypted.
- Data tampering: Changing commands sent to servers or modifying configuration files in transit.
- Session hijacking: Taking over active sessions by intercepting cookies or tokens.
- Network disruption: By sending incorrect ARP responses, attackers can make servers or printers unreachable.
5. How to Detect ARP Poisoning
- ARP table inspection: Check if a single IP has multiple MAC addresses.
- Unusual network behavior: Slowdowns, intermittent connectivity, or unexpected logouts.
- Network monitoring tools: Tools like Wireshark can detect duplicate ARP replies or unusual ARP traffic.
- Intrusion detection systems (IDS): Some IDSs can detect ARP spoofing patterns.
6. How to Prevent and Mitigate ARP Poisoning
- Static ARP entries
  - Manually set ARP entries for critical devices like servers or gateways.
  - Limits flexibility but prevents spoofing.
- ARP inspection features on switches
  - Many managed switches have Dynamic ARP Inspection (DAI) that checks ARP messages against a trusted database.
- Use encryption
  - Even if traffic is intercepted, encrypted traffic like HTTPS or SSH prevents attackers from reading it.
- Network segmentation
  - Separating sensitive devices on different VLANs reduces exposure.
- Regular monitoring
  - Continuously watch ARP tables and network behavior for anomalies.
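The two checks from sections 5 and 6 (one IP claimed by several MACs, and replies that contradict a trusted static/DAI-style binding) as an added worked example; this is not code from the study notes, and the ARP replies, IP addresses and MAC addresses are constructed sample values.

```python
"""Flag ARP poisoning indicators in a list of observed ARP replies.

Two checks, both defender-side:
  1. One IP address claimed by more than one MAC address.
  2. A reply whose sender MAC disagrees with a trusted IP-to-MAC binding
     for a critical host (the equivalent of a static ARP entry or a DAI
     binding table).
All addresses below are constructed sample values, not real hosts.
"""
from collections import defaultdict

# Constructed sample of ARP replies as (seconds, sender_ip, sender_mac).
# 192.0.2.1 plays the gateway; the last two entries are a second MAC
# claiming the gateway's IP, which is what a poisoning attempt looks like.
SAMPLE_REPLIES = [
    (0.0, "192.0.2.1", "00:11:22:33:44:01"),
    (0.5, "192.0.2.10", "00:11:22:33:44:10"),
    (1.0, "192.0.2.20", "00:11:22:33:44:20"),
    (2.0, "192.0.2.1", "00:11:22:33:44:99"),
    (2.5, "192.0.2.1", "00:11:22:33:44:99"),
]

# Trusted bindings for critical devices (constructed for this example).
TRUSTED_BINDINGS = {"192.0.2.1": "00:11:22:33:44:01"}


def ip_mac_conflicts(replies):
    """Return {ip: sorted list of MACs} for every IP seen with more than one MAC."""
    seen = defaultdict(set)
    for _, ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def trusted_binding_violations(replies, trusted):
    """Return (time, ip, mac) for each reply that contradicts a trusted binding."""
    return [
        (t, ip, mac)
        for t, ip, mac in replies
        if ip in trusted and mac.lower() != trusted[ip].lower()
    ]


if __name__ == "__main__":
    for ip, macs in ip_mac_conflicts(SAMPLE_REPLIES).items():
        print(f"ALERT: {ip} claimed by multiple MACs: {', '.join(macs)}")
    for t, ip, mac in trusted_binding_violations(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(f"ALERT: t={t}s reply for {ip} from untrusted MAC {mac}")
```

On a real host the reply list would be fed from a capture tool or from periodic `arp -a` snapshots rather than the constructed sample.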
7. Exam Tips
- ARP poisoning is a layer 2 attack.
- It’s often used in Man-in-the-Middle (MitM) attacks.
- Know the difference between ARP spoofing (fake ARP messages) and ARP flooding (overloading switch tables).
- Mitigation often includes static ARP, DAI, encryption, and segmentation.
✅ Key Points to Remember
| Concept | Explanation |
|---|---|
| Protocol Involved | ARP (IPv4 address to MAC mapping) |
| Attack Type | Layer 2 (data link) network attack, used for Man-in-the-Middle |
| Goal | Redirect traffic, intercept or modify data |
| Detection | Monitor ARP tables, IDS, network anomalies |
| Mitigation | Static ARP entries, DAI, encryption, VLAN segmentation |
