Unlike traffic on the internet, traffic inside a LAN is not delivered by IP address alone. On the link layer, local IPv4 networks address devices by their physical hardware addresses. These MAC addresses (Media Access Control) are unique 48-bit numbers that identify each device in the LAN via its network card.
Example of a MAC address: 00-80-41-ae-fd-7e
MAC addresses are assigned by their respective hardware manufacturers and are unique worldwide. In theory, these hardware addresses would be suitable for global addressing. In practice this doesn’t work, because IPv4 addresses are too short to map the full MAC address. In networks based on IPv4, address resolution via ARP is therefore unavoidable.
If Computer A wants to contact Computer B within the same network, it must first determine the MAC address that belongs to Computer B’s IP address. This is done with the Address Resolution Protocol (ARP), a network protocol that operates on a request-response scheme.
To find that MAC address, Computer A sends a broadcast (an ARP request) to all devices on the network. This request contains the following information:
A computer with the MAC address xx-xx-xx-xx-xx-xx and the IP address yyy.yyy.yyy.yyy would like to get in contact with a computer with the IP address zzz.zzz.zzz.zzz and requires the appropriate MAC address.
The ARP request is received by all computers in the LAN. So that an ARP request does not have to be sent before every single data packet, every computer in the network maintains a local table, called the ARP cache. In this table, all known MAC addresses are temporarily stored together with their matching IP addresses.
In this way, all computers in the network record the broadcast request along with the accompanying sender address. An answer to the broadcast request is only expected from Computer B. Its ARP reply contains the following information:
This is the system with the IP address zzz.zzz.zzz.zzz. The requested MAC address is aa-aa-aa-aa-aa-aa.
Once this ARP reply reaches Computer A, it has all of the information required to send data packets to Computer B. Nothing now stands in the way of communication over the local network.
What, then, if the intended computer doesn’t reply, but the reply instead comes from another device, controlled by an internal attacker with criminal intentions? This is where ARP spoofing comes into play.
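The request/reply exchange described above, together with the cache-consistency check a defender would want for the scenario in the last paragraph, as an added Python example (not code from the original article): it packs and parses the RFC 826 ARP payload for Ethernet/IPv4, simulates Computer A’s broadcast request and Computer B’s reply across a small constructed LAN, keeps each host’s ARP cache, and flags a later reply that maps B’s IP address to a different MAC address. The `ArpPacket` and `Host` classes, the host names and all addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Field values from RFC 826 for ARP over Ethernet carrying IPv4 addresses.
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
HLEN_MAC = 6
PLEN_IPV4 = 4
ARP_REQUEST = 1
ARP_REPLY = 2
UNKNOWN_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    # Accepts both "00-80-41-ae-fd-7e" and "00:80:41:ae:fd:7e" notation.
    return bytes(int(octet, 16) for octet in mac.replace("-", ":").split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    """The 28-byte ARP payload that follows the Ethernet header (EtherType 0x0806)."""
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def pack(self) -> bytes:
        header = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4,
                             HLEN_MAC, PLEN_IPV4, self.opcode)
        return (header + mac_to_bytes(self.sender_mac) + ip_to_bytes(self.sender_ip)
                + mac_to_bytes(self.target_mac) + ip_to_bytes(self.target_ip))

    @classmethod
    def unpack(cls, data: bytes) -> "ArpPacket":
        if len(data) < 28:
            raise ValueError("ARP payload too short")
        htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", data[:8])
        if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, HLEN_MAC, PLEN_IPV4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        return cls(opcode, bytes_to_mac(data[8:14]), bytes_to_ip(data[14:18]),
                   bytes_to_mac(data[18:24]), bytes_to_ip(data[24:28]))


class Host:
    """A constructed LAN host with its own ARP cache (ip -> mac)."""

    def __init__(self, mac: str, ip: str):
        self.mac, self.ip = mac, ip
        self.arp_cache = {}
        self.alerts = []  # mapping changes seen for an IP already in the cache

    def _learn(self, ip: str, mac: str) -> None:
        old = self.arp_cache.get(ip)
        if old is not None and old != mac:
            # An IP that suddenly resolves to a different MAC is the signal
            # a defender watches for (this is what tools such as arpwatch log).
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.arp_cache[ip] = mac

    def request(self, target_ip: str) -> ArpPacket:
        return ArpPacket(ARP_REQUEST, self.mac, self.ip, UNKNOWN_MAC, target_ip)

    def receive(self, raw: bytes):
        pkt = ArpPacket.unpack(raw)
        # Every host records the sender's mapping, as the text describes.
        # (Real stacks following RFC 826 only refresh an entry they already
        # hold unless the request is addressed to them.)
        self._learn(pkt.sender_ip, pkt.sender_mac)
        if pkt.opcode == ARP_REQUEST and pkt.target_ip == self.ip:
            return ArpPacket(ARP_REPLY, self.mac, self.ip, pkt.sender_mac, pkt.sender_ip)
        return None


def simulate():
    """A broadcasts for B's MAC; only B answers; A fills its cache from the reply."""
    a = Host("00:80:41:ae:fd:7e", "192.168.1.10")   # Computer A
    b = Host("aa:aa:aa:aa:aa:aa", "192.168.1.20")   # Computer B
    c = Host("cc:cc:cc:cc:cc:cc", "192.168.1.30")   # bystander on the same LAN
    raw_request = a.request(b.ip).pack()            # broadcast to every other host
    replies = [r for r in (h.receive(raw_request) for h in (b, c)) if r is not None]
    for reply in replies:
        a.receive(reply.pack())
    return a, b, c, replies


def conflicting_reply_alerts():
    """After the normal exchange, a second reply claims B's IP with another MAC."""
    a, b, _, _ = simulate()
    conflicting = ArpPacket(ARP_REPLY, "dd:dd:dd:dd:dd:dd", b.ip, a.mac, a.ip)  # constructed
    a.receive(conflicting.pack())
    return a.alerts


if __name__ == "__main__":
    a, b, c, replies = simulate()
    print("replies:", replies)
    print("A's cache:", a.arp_cache)
    print("alerts after conflicting reply:", conflicting_reply_alerts())
```

The simulation follows the article’s simplified model in which every host records the sender of a broadcast request; real stacks are more conservative, and the cache-change alert is only a heuristic, since a legitimate NIC replacement also changes the mapping.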