
How Many Computers Can One Arpspoof At One Time?


billyblaxsta


Is there a rough number of computers one can arpspoof by broadcasting your MAC as the router before the whole network collapses?

I realise this depends on the attacker's computer so let's just say an average laptop - nothing special.

Any personal experiences of arpspoofing multiple computers would be appreciated.


I've had up to 3 wireless devices running through me at one time, but this was my own network for testing and not a fat pipe of data going in or out. If you are on wireless and not close to the proximity of the router, I would think things will start to get funky with lost packets, or even time outs because of the location of devices; you aren't going to drown out the router if you have a weak signal and are a block from the AP. That said, there really isn't a limit so far as the bandwidth limitation and signal of your network interface and the traffic they are trying to run.

I would imagine if someone you arp spoof was doing BitTorrent downloads it would eat up considerable resources to try and pull that data and throw it back via MITM. I've not tried spoofing a fat network pipe with wireless though, so you would have to run some tests to see at what point it just dies or if it all works fine, but my guess is it would fall over at some point if too many workstations tried routing through you and the bandwidth exceeded the time to live. Generally, MITM is kind of a 1 on 1 deal, to pull specifics from a target you have done reconnaissance on. Especially if you are trying to capture all of this simultaneously with Wireshark or tcpdump, why add multiple threads of traffic which could expose you in the process? If you have a wired gigabit interface, then it's not so much an issue to run multiple arp spoofs, I would think, but again, I've not tried routing the backbone of a network through my wireless.


It all comes down to how much bandwidth the network (as stated by Digip) has and how fast your machine is. If you have a slow machine, that will also be another limiting factor, since all the traffic is going through your machine, and it's just not able to handle all that traffic, so therefore it will become a bottleneck in the network, compromising performance and slowing everyone you are arpspoofing down.

Edited by Infiltrator

My network-fu is not very strong, but I believe the max is the number of nodes on your network segment that you can reach via ARP. In school, I used to MitM the four other guys in the house with ettercap. When looking at the packets, you're basically telling the victims that the gateway's MAC address is your MAC address. It's been years since I've done any real network stuff, so someone speak up if I'm wrong.


Well, I've not done any heavy lifting with say 100 workstations trying to route through me, but as you said, you're telling the router you are the victim and the victim you are the router, so ALL traffic sent or received by the victim would route through you. Add to that every node on the segment, as you put it, and you could be bombarded with so much traffic that you would become the bottleneck and things would start failing. That is my theory, but not tested. Interestingly enough, Darren just did a HakTip episode/interview from Defcon, where a gentleman gave a demo of a tool that does MITM for basically all things wifi. Not sure what the limit is on throughput, but I imagine you would be slowing everyone else down severely if trying to sustain long term, multiple spoofs at the same time. Again, just my theory, but not actually tested, so can't say definitively.


You're right, there are limitations. My reply was just the pure numbers, like the friction-less lab in physics. IRL, tubes get full ;]

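The replies above describe the mechanism as the victims being told the gateway's MAC is someone else's, and the router being told the same about the victims. From the defending side that appears as IP-to-MAC bindings changing and one MAC answering for many IPs. The following is an added example, not part of the original thread: a Python audit of ARP payloads that flags both conditions. All addresses and the function names `parse_arp`, `audit` and `sample_reply` are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(payload: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None  # truncated
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    return op, payload[8:14].hex(":"), ".".join(str(b) for b in payload[14:18])

def audit(payloads, gateway_ip):
    """Flag IPs whose MAC changed, and MACs that answer for more than one IP."""
    first_mac = {}                   # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    alerts = []
    for payload in payloads:
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        _, mac, ip = parsed
        known = first_mac.setdefault(ip, mac)
        if known != mac:
            kind = "gateway-rebind" if ip == gateway_ip else "host-rebind"
            alerts.append((kind, ip, known, mac))
        ips_by_mac[mac].add(ip)
    multi = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return alerts, multi

def sample_reply(mac, ip):
    """Constructed test input: a 28-byte ARP reply payload (never sent anywhere)."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + spa + bytes(10)

GATEWAY_IP = "192.168.1.1"           # constructed addresses throughout
SAMPLE = [sample_reply(m, i) for m, i in [
    ("02:00:00:00:00:01", "192.168.1.1"),    # real gateway
    ("02:00:00:00:00:10", "192.168.1.10"),   # host A
    ("02:00:00:00:00:11", "192.168.1.11"),   # host B
    ("02:00:00:00:00:66", "192.168.1.50"),   # third machine, own address
    ("02:00:00:00:00:66", "192.168.1.1"),    # ...now answering as the gateway
    ("02:00:00:00:00:66", "192.168.1.10"),   # ...and as host A
    ("02:00:00:00:00:66", "192.168.1.11"),   # ...and as host B
]]

if __name__ == "__main__":
    alerts, multi = audit(SAMPLE, GATEWAY_IP)
    for a in alerts:
        print(*a)
    print(multi)
```

The size of the per-MAC IP list in the second return value is a direct count of how many hosts one machine is answering for, which is the quantity the thread is asking about.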
