ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.

Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address. ARP spoofing can enable malicious parties to intercept, modify or even stop data-in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.

Malware/Threat actors

Name	Type	Years	Source
SIDEWINDER	malware	2014	fireeye-sidewinder-targeted-attack.pdf
Operation Cleaver	threat actor	2012-2013	Cylance_Operation_Cleaver_Report.pdf stamp.jsp?tp=&arnumber=7460498&tag=1

Preventions

• Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in ARP spoofing prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).

Detections

• Use ARP spoofing detection software: There are many programs available that help organizations detect ARP spoofing attacks. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

• VPN tunneling
• Trusted third party
• Reverse RDP tunnel
• Certificate impersonation
• Domain spoofing

References

• ARP SPOOFING