ARP attacks and ARP flooding are common problems small and large networks are faced with. ARP attackstarget specific hosts by using their MAC address and responding on their behalf, while at the same time flooding the network with ARP requests. ARP attacks are frequently used for 'Man-in-the-middle' attacks, causing serious security threats, loss of confidential information and should be therefore quickly identified and mitigated.
During ARP attacks, users usually experience slow communication on the network and especially when communicating with the host that is being targeted by the attack.
In this article, we will show you how to detect ARP attacks and ARP flooding using a network analyzer such as Colasoft Capsa.
Colasoft Capsa has one great advantage – the ability to identify and present suspicious ARP attacks without any additional processing, which makes identifying, mitigating and troubleshooting much easier.
Download your copy of Colasoft Capsa and discover how easy it is to identify network & security related problems.
The Diagnosis tab provides real-time information and is extremely handy in identifying potential threats, as shown in the screenshot below:
Figure 1. ARP Scan and ARP Storm detected by Capsa's Diagnosis section.
Under the Diagnosis tab, users can click on the Events area and select any suspicious events. When these events are selected, analysis of them (MAC address information in our case) will be displayed on the right as shown above.
In addition to the above analysis, Capsa also provides a dedicated ARP Attack tab, which is used to verify the offending hosts and type of attack as shown below: