You wonder how hackers got to your packets? Might it have been arp spoofing?
ARP is a layer 2 protocol, its full name is actually “Address Resolution Protocol”.
Like the name indicates, ARP is used to resolve the layer 3 IP addresses to layer 2 MAC addresses.
It works pretty easy, if a host on the segment wants to talk to another host, but does not know its MAC address it will send a frame to broadcast (FF:FF:FF:FF:FF:FF) where it will say “who has 10.0.0.1”, then the host on 10.0.0.1 will see this request and reply with “10.0.0.1 is at ab:cd:ef:ab:cd:ef” then the ARP table will be updated with the corresponding information, and the two hosts will talk directly from now on.
Security problems in ARP
Usually most hosts will update their ARP table when they see a ‘10.0.0.1 is at’ ARP reply, even if it hasn’t requested it.
This keeps network traffic to the low, because the MAC address may be in the ARP table because some other host spoke to the server your computer wanted to talk to and your computer saw the ‘is at’ reply, hence making no need for an ARP request.
What if someone flooded your network with fake ARP replies ‘10.0.0.1 is at fa:ke:ad:dr:es’?
Exactly, the hosts will update their ARP table and start sending packets to the wrong host.
The machine at ‘fa:ke:ad:dr:es’ can then accept all packets and forward the correct ones to the actual 10.0.0.1 gateway (because the attacker does not poison its own arp table, the attacker will still be sending packets to the real IP address).
Imagine on a Wireless network how easy it is to become ‘attached’ to the network, they can also send spoofed ARP replies.
To enable forwarding of packets in linux:
linux:~# echo 1 > /proc/sys/net/ipv4/conf/all/forwarding