Risk: Low
Related Malware: BKDR_DELF.BJE, BKDR_NPFECT.A, TROJ_AGENT.BSD, TROJ_AGENT.BZS, TROJ_AGENT.CBX, TROJ_AGENT.CDT, TROJ_DELF.BOC, TROJ_DELF.BRK, TSPY_LMIR.ET, TROJ_VANTI.CJ, TSPY_LINEAGE.BAM
Description:

Several malware programs have been reported to cause Address Resolution Protocol (ARP) attacks by flooding the network with erroneous replies.

ARP is part of the Internet Protocol (IP) suite and is responsible for mapping a computer's IP address to its MAC address.

A normal ARP exchange begins when a computer needs to send a packet to a specific IP address. It broadcasts an ARP request, known as a Who is packet, asking for the MAC address of the computer that holds that IP address. That computer then sends a reply containing its MAC address, and the requesting computer records the mapping in its ARP cache.

In ARP flooding, the affected system sends ARP replies to all systems connected to the network, creating incorrect entries in the ARP cache. Because of these wrong entries, the affected system is unable to resolve IP addresses to MAC addresses and therefore cannot connect to any other system on the network.
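As an added example (not part of this advisory), the following Python script parses raw Ethernet/ARP frames and flags the two symptoms described above: an IP address claimed by more than one MAC address, and a burst of replies that no outstanding request asked for. The frame builder, the sample traffic and the reply threshold of 20 are constructed here for illustration and are assumptions, not values from the advisory.

```python
import struct
from collections import defaultdict

ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (used here to construct sample traffic)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha   # requests are broadcast, replies unicast
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return dst + sha + struct.pack("!H", ETH_ARP) + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None for non-ARP or malformed frames."""
    if len(frame) < 42 or frame[12:20] != struct.pack("!HHHBB", ETH_ARP, 1, 0x0800, 6, 4):
        return None   # not ARP, or not IPv4-over-Ethernet ARP
    op = struct.unpack("!H", frame[20:22])[0]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(frame[22:28]), fmt_ip(frame[28:32]), fmt_mac(frame[32:38]), fmt_ip(frame[38:42])

def audit_arp(frames, reply_threshold=20):
    """Flag one IP claimed by several MACs, and senders whose unsolicited replies exceed the (assumed) threshold."""
    claims = defaultdict(set)        # sender_ip -> MACs that have claimed it, from requests and replies alike
    pending = set()                  # (requester_ip, target_ip) for requests still awaiting a reply
    unsolicited = defaultdict(int)   # sender_mac -> replies that answered no pending request
    for op, sha, spa, _tha, tpa in filter(None, map(parse_arp, frames)):
        claims[spa].add(sha)
        if op == ARP_REQUEST:
            pending.add((spa, tpa))
        elif op == ARP_REPLY:
            if (tpa, spa) in pending:
                pending.discard((tpa, spa))   # legitimate answer to a request we saw
            else:
                unsolicited[sha] += 1
    alerts = [f"conflict: {ip} claimed by {sorted(macs)}" for ip, macs in claims.items() if len(macs) > 1]
    alerts += [f"flood: {mac} sent {n} unsolicited replies" for mac, n in unsolicited.items() if n >= reply_threshold]
    return alerts

def demo():
    """Constructed traffic: one legitimate request/reply, then a host flooding forged replies for 30 addresses."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    gw_mac, gw_ip, pc_mac, pc_ip = mac("00:11:22:33:44:01"), ip("10.0.0.1"), mac("00:11:22:33:44:02"), ip("10.0.0.2")
    bad_mac = mac("de:ad:be:ef:00:99")
    frames = [build_arp(ARP_REQUEST, pc_mac, pc_ip, b"\x00" * 6, gw_ip),
              build_arp(ARP_REPLY, gw_mac, gw_ip, pc_mac, pc_ip)]
    frames += [build_arp(ARP_REPLY, bad_mac, ip(f"10.0.0.{h}"), pc_mac, pc_ip) for h in range(1, 31)]
    return audit_arp(frames)
```

Calling `demo()` returns two conflict alerts (for 10.0.0.1 and 10.0.0.2, each now claimed by the flooding MAC as well as its real owner) and one flood alert for the sender of the 30 unsolicited replies; on real traffic, feed `audit_arp` the raw frames from a capture.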

The following malware programs have been found to be capable of ARP flooding:

Another possibility is sniffing network traffic, even on switch-based networks. Although a switched network is designed to forward traffic only to the intended host, sending a heavy volume of ARP packets to the switch can force it into a fail-safe mode in which it behaves like a hub. Since hubs send every packet to all hosts on the network, sniffing network traffic becomes easy.

This ARP poisoning technique, which was also used by PE_SNOW.A (January 2006) to perform distributed denial of service (DDoS) attacks, is being used by malware authors to further their motives. Malware continues to evolve to circumvent security measures applied to the network and its hosts. Users are advised to always update their antivirus pattern files to remain protected from new malware emerging from the Internet.


Workaround Fixes:

To restore valid ARP cache entries and remove erroneous ones, perform the following steps:

  1. Click Start > Run, type CMD and press Enter.
  2. At the command prompt, type the following and press Enter:
     arp -d *
     This clears every entry in the ARP cache; valid entries are re-learned automatically the next time the system communicates with another host.