T 5.112 Manipulation of ARP tables

Unlike on a hub, on a switch it is not possible to intercept the communication between two stations from any of the other stations. For this purpose the switch maintains a table that maps the MAC addresses of the stations to the various ports. Data packets or Ethernet frames that are addressed to a specific MAC address are only forwarded to the port to which the related computer is connected.

However, it is not only the switch that maintains a table with MAC addresses, but also the computers involved. ARP requests and the corresponding replies fill these ARP tables on the computers involved. The objective of ARP spoofing is to tamper with these tables (ARP cache poisoning). For this purpose an attacker sends an ARP reply to the victim in which the attacker's own MAC address is given as the MAC address of the router that acts as the default gateway for the related subnet. If the victim then sends a packet to the default gateway entered in its table, this packet in reality ends up with the attacker. In the same way the ARP cache on the router is also tampered with, so that Ethernet frames that were actually addressed to the victim in reality end up with the attacker. Tools that implement these methods of attack are freely available on related web sites.
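The two poisoning indicators described above (the default gateway's IP address suddenly mapping to a different MAC address, and one MAC address claiming several IP addresses) can be checked against a feed of ARP replies. This is an added example, not part of the catalogue text; the ARP replies and all addresses are constructed, and 192.168.1.1 is assumed to be the default gateway.

```python
"""Detect ARP cache poisoning from a trace of ARP replies (added example).

In practice the replies would come from a packet capture or from periodic
snapshots of a host's ARP cache; here they are a constructed sample.
"""
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) taken from ARP replies
# seen on one subnet. 192.168.1.1 is the assumed default gateway.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:01"),    # gateway, legitimate binding
    (2, "192.168.1.10", "00:11:22:33:44:10"),   # victim workstation
    (3, "192.168.1.66", "de:ad:be:ef:00:66"),   # attacker host, its own binding
    (9, "192.168.1.1", "de:ad:be:ef:00:66"),    # gateway IP now claimed by attacker MAC
    (10, "192.168.1.10", "de:ad:be:ef:00:66"),  # victim IP claimed by attacker MAC
]


def detect_arp_poisoning(replies, gateway_ip):
    """Return a list of alert strings, in the order the indicators appear.

    Indicator 1: an IP address whose MAC binding flips (critical if it is the
                 gateway, since all off-subnet traffic is then redirected).
    Indicator 2: a single MAC address that claims more than one IP address.
    Caveat: a replaced router or a host with several virtual IPs triggers these
    checks legitimately, so alerts need review against a known-good inventory.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{severity} t={ts}: {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"WARNING t={ts}: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```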

MAC flooding is a method of attack that affects the function of a switch. Switches learn connected MAC addresses dynamically. The MAC addresses are saved in the switching table. In this way, the switch knows which ports the related MAC addresses are connected to.

If one of the connected stations uses a suitable tool to send a large number of packets with different source MAC addresses, the switch saves these MAC addresses in its switching table. As soon as the storage space for the switching table is full, the switch sends all packets to all switch ports. Due to this "flooding" of the switching table with meaningless MAC addresses, the switch can no longer determine which ports the actual destination MAC addresses are connected to. This method of attack is used to make it possible to read packets in switched networks. Tools freely available on related sites in the Internet can generate 155,000 MAC address entries on a switch in one minute.