Data link layer
Protocols used: Ethernet, ARP
1. ARP Spoofing:
The data link layer uses ARP (Address Resolution Protocol) to translate an IP address to a MAC address.
The client begins by first sending a broadcast ARP message for a given IP address.
The switch broadcasts the ARP message to all ports except the source port.
When the host with the intended destination IP address gets the ARP message, it replies with its MAC address, and all other hosts on the switch drop it.
Gratuitous ARP is another flavour of traditional ARP. It is used by hosts to "announce" their IP address to the local network.
There is no authentication of the ownership of IP & MAC addresses, so an attacker can spoof an ARP packet to announce an IP address, and the legitimate user can be kicked off the network, causing a denial of service.
Further, this attack can allow a switched environment to start delivering traffic to the hosts because the CAM (Content Addressable Memory) table has been altered with IP & MAC bindings.
2. ARP Cache Poisoning:
ARP keeps its physical-to-logical bindings in an ARP cache.
An attacker can modify this table & give incorrect mappings; this attack is called ARP cache poisoning.
When a client machine wants to send data, it looks up the poisoned data & sends the data to the attacker.
ARP cache poisoning requires that the attacker is in the same subnet as the target machine because ARP does not cross the router boundaries.
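Because ARP carries no proof of who owns an IP address, a monitoring host on the same subnet can watch for an IP whose announced MAC address changes. The sketch below is an added example, not part of the original answer: it parses the 28-byte ARP body and flags conflicting bindings, including gratuitous announcements. The class and function names, the addresses and the sample packets are all constructed for illustration.

```python
import socket
import struct

ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826 layout for Ethernet/IPv4

def parse_arp(payload):
    """Decode the 28-byte ARP body that follows the Ethernet header."""
    if len(payload) < ARP_BODY.size:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_BODY.unpack(payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = ":".join(f"{b:02x}" for b in sha)
    return oper, mac, socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    """Remember the first MAC seen for each IP and flag later conflicts."""
    def __init__(self):
        self.bindings = {}

    def observe(self, payload):
        oper, mac, sender_ip, target_ip = parse_arp(payload)
        known = self.bindings.setdefault(sender_ip, mac)
        if known == mac:
            return None
        # Sender IP == target IP marks a gratuitous announcement.
        kind = "gratuitous" if sender_ip == target_ip else {1: "request", 2: "reply"}.get(oper, "other")
        # A legitimate NIC swap or DHCP reassignment also lands here, so
        # the alert is a prompt to investigate, not proof of spoofing.
        return f"{sender_ip} claimed by {mac}, previously {known} ({kind})"

def build(oper, mac, sender_ip, target_ip):
    """Construct a sample ARP body (test data only)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    return ARP_BODY.pack(1, 0x0800, 6, 4, oper, sha, socket.inet_aton(sender_ip),
                         b"\x00" * 6, socket.inet_aton(target_ip))

# Constructed traffic: documentation addresses and locally administered MACs.
SAMPLE = [
    build(2, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),   # gateway reply
    build(1, "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),   # client request
    build(2, "02:00:00:00:00:66", "192.0.2.1", "192.0.2.1"),    # conflicting gratuitous ARP
]

def run_sample():
    monitor = ArpMonitor()
    return [monitor.observe(p) for p in SAMPLE]

if __name__ == "__main__":
    for alert in run_sample():
        print(alert or "ok")
```

The monitor keeps the first binding it saw instead of overwriting it, so every later packet from the conflicting MAC keeps raising the alert until someone resolves it.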