ARP and DNS spoofing

What is ARP Address Resolution Protocol?

ARP, or Address Resolution Protocol, is a communication
protocol used for mapping a network address to a physical
address.

It is used to translate a network IP address into a physical

address, such as a MAC address, so that two devices can
communicate on a local network.

ARP is a layer two protocol and operates at the data link layer
of the OSI model. It is used by devices to discover other
devices on the same local network and is a critical component
of IP networking.
ARP Table

An ARP table is a list of IP addresses and their corresponding physical

addresses that a device maintains. The table is populated with information
from ARP requests and replies.

The table is used to quickly look up the physical address of a device when it
needs to communicate with another device on the local network.

Each device that’s connected to a network has its own ARP table, and it
stores address pairs that the specific device has communicated with.
ARP Table Example
How Does ARP Work?
● When a device sends an ARP
request, it broadcasts to all devices
on the local network. The request
contains the IP address of the device
that needs to be resolved.
● All devices on the local network
receive the request and check their
ARP tables to see if they have the
matching IP address.
● If a device has the matching IP
address, it will respond with an ARP
reply containing its physical address.
ARP Spoofing
● ARP spoofing is an attack in which an attacker sends (spoofed) Address
Resolution Protocol (ARP) messages onto a local area network.
● Generally, the aim is to associate the attacker’s MAC address with the IP
address of another host, such as the default gateway.
● The attacker can then choose to forward (or not forward) packets to their actual
destination.
● ARP spoofing aims to intercept data frames on a network, modify them for
malicious purposes or stop forwarding them to the appropriate computer and,
therefore, stop all communication between two hosts.
● Often the attack is used as an opening for other attacks, such as denial-of-
service, man-in-the-middle, or session hijacking attacks.
Top 7 ARP Spoofing Tools
● arpspoof
● Netcommander
● Larp
● Aranea
● KickThemOut
● Cain & Abel
● Arpoison
How to Detect an ARP spoofing Attack

If the table contains two different IP addresses that have the same MAC
address, this indicates an ARP attack is taking place. Because the IP
address 192.168.5.1 can be recognized as the router, the attacker’s IP is
probably 192.168.5.202.
ARP Spoofing Prevention
Here are a few best practices that can help you prevent ARP Spoofing on your
network:

● Use a Virtual Private Network (VPN)—a VPN allows devices to connect to the
Internet through an encrypted tunnel. This makes all communication encrypted,
and worthless for an ARP spoofing attacker.

● Use static ARP—the ARP protocol lets you define a static ARP entry for an IP
address, and prevent devices from listening on ARP responses for that address.
For example, if a workstation always connects to the same router, you can define
a static ARP entry for that router, preventing an attack.
Domain Name System
(DNS)
What is DNS?
DNS stands for Domain Name System, which is a protocol used to translate human-
readable domain names into IP addresses.

It is the foundation of the internet, as it is responsible for finding and connecting

websites to their respective IP addresses.

DNS is a distributed system, meaning that it is composed of multiple servers in

different locations around the world.

DNS works by mapping domain names to IP addresses. When a user types a domain
name into their browser, the DNS will look up the corresponding IP address and send
the request to the right server. This process is called DNS resolution and it is what
allows users to access websites without having to remember their IP addresses.
There are various kinds of DOMAINs

1. Generic domain: .com(commercial) .edu(educational) .mil(military)

.org(non profit organization) .net(similar to commercial) all these are
generic domain.
2. Country domain .in (india) .us .uk
3. Inverse domain if we want to know what is the domain name of the
website. Ip to domain name mapping. So, DNS can provide both the
mapping for example to find the ip addresses of geeksforgeeks.org then we
have to type nslookup www.geeksforgeeks.org.
How Does DNS Work?

• When you type google.com on your

web browser DNS server will search
through its cache to find a matching IP
address for that domain name.
• When it finds it it will resolve that
domain name to IP address of Google
web site.
• Once it is done then your computer is
able to communicate with a Google
web server and retrieve the webpage.
DNS Record Types
What is domain name system (DNS) spoofing
Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is
an attack in which altered DNS records are used to redirect online
traffic to a fraudulent website that resembles its intended destination
How DNS Spoofing Works