What is address spoofing?

In cyber security, address spoofing is the act of disguising a MAC and/or LAN IP address so that it appears to belong to another device. For example, hackers will often spoof their MAC address to disguise their device on a targeted network. By spoofing their MAC address to match a device found on the network, a hacker can blend in as that device. Hackers will also spoof their devices to make it harder for cyber security professionals to determine the origin of an attack and which devices were involved.

By sending spoofed ARP messages, hackers can manipulate the ARP table. Spoofed ARP messages will allow the attacker's MAC address to be associated with a MAC address of a victim host. Spoofing ARP messages is also known as ARP poisoning. Sometimes, hackers will use ARP poisoning to cause the network to stop communicating. When the ARP table becomes too corrupted, the network no longer knows where to send packets. Packets are dropped from the network until communication has stopped. This is known as a DoS attack using ARP poisoning.

It is important to remember that ARP requests are sent out as continuous beacons, attempting to resolve the MAC address to the correct host IP. When an ARP request receives a response, the response is added to the ARP table. Any new ARP response automatically overwrites the previous response. This is one of the major vulnerabilities found within ARP. ARP has no authentication; it is a stateless protocol. Remember that ARP is used to resolve internet layer addresses (LAN IP) into link layer addresses (MAC). ARP spoofing continues to be a major problem for networks.

There are a few ways to protect against this type of attack. The first defense method is to use static, read-only ARP entries in the ARP cache of a host. This allows hosts to ignore all new ARP replies. Any new host that joins the network must be added manually to the ARP table using a static entry. Although time consuming and inconvenient, this defense method is effective in stopping most small-scale ARP spoofing attempts.

The second defense method is to use software that detects ARP spoofing. The purpose of the software is to certify that the ARP response is legitimate. If the response is uncertified, the ARP response is blocked from the network. This type of software is often used in combination with the DHCP server, to allow both static and dynamic addresses to be quickly certified.

The third defense method against ARP spoofing is to use intrusion detection systems like Snort. Snort has a preprocessor called arpspoof that can perform basic analysis of addresses for any malicious behavior. Another great tool for detecting ARP spoofing is XArp. This tool performs passive checks and actively sends out probes to monitor for malicious behavior. XArp has two main GUI-based interfaces. The first interface is called the normal view. This interface comes with pre-configured security settings and levels. The second interface is called the pro view. This interface comes with pre-configured detection tools and active validation.

It is important to remember that when multiple IPs are associated with a single MAC address, it could be a sign of ARP spoofing.
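The checks described above (a pinned static entry, an overwritten ARP response, and several IPs sharing one MAC) can be run over saved ARP table snapshots. The following Python sketch is an added example, not taken from Snort or XArp; it assumes snapshots in the Linux `ip neigh show` text format, and the function names, addresses and sample tables are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Linux `ip neigh show` rows, e.g.
# "192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE"
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return [(ip, mac)] from neighbour-table text; rows with no lladdr are skipped."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def find_arp_anomalies(snapshots, static=None):
    """Compare successive ARP-table snapshots with each other and a static baseline."""
    static = static or {}
    alerts, last_mac = [], {}
    for snap in snapshots:
        ips_by_mac = defaultdict(set)
        for ip, mac in parse_neigh(snap):
            ips_by_mac[mac].add(ip)
            if ip in static and static[ip] != mac:
                alerts.append(("static-mismatch", ip, mac))   # pinned entry contradicted
            elif ip in last_mac and last_mac[ip] != mac:
                alerts.append(("mac-changed", ip, mac))       # earlier response overwritten
            last_mac[ip] = mac
        for mac, ips in ips_by_mac.items():
            if len(ips) > 1:                                  # one MAC claims several IPs
                alerts.append(("multi-ip", mac, tuple(sorted(ips))))
    return alerts

# Constructed sample data: documentation IP range and documentation MAC range.
STATIC = {"192.0.2.1": "00:00:5e:00:53:01"}   # gateway entry pinned by the admin
BEFORE = """192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:10 STALE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
192.0.2.30 dev eth0  FAILED"""
AFTER = """192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
192.0.2.10 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE"""

if __name__ == "__main__":
    for alert in find_arp_anomalies([BEFORE, AFTER], STATIC):
        print(alert)
```

A `multi-ip` result is a lead to investigate, not proof: a router answering with proxy ARP also maps many IPs to one MAC.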
