It's fun that it abuses ARP's ability to include an arbitrary payload, but just to remind everyone of networking 101, the thing that the author is relying on is just the simple fact that switches flood packets addressed to ff:ff:ff:ff:ff:ff to the entire broadcast domain. You can achieve similar message flooding without having to have superuser/raw packet permissions by directing packets to the L3 broadcast address, whereupon they will (usually) be L2 flooded (a.k.a. it's fun to ping the broadcast address).
Using ARP doesn't offer any particular advantage, and I would note that since many modern switches do things like snooping ARP packets, putting a high amount of bogus ARP traffic on the network could actually have some negative impact. It's still fun at any rate and reminds me of the type of crap that I used to make when I was learning. As alluded to before, I personally would have chosen to abuse ICMP for this purpose; maybe it's a future avenue for development. Kudos to the fun project!
It uses another important Networking 101 principle: It's All Just Numbers.
ARP, DNS, HTTP, TLS, on the one hand they really are the things that may pop into your head when you think about those things, but they are also simultaneously Just Numbers. ARP has access to the same numbers as HTTP. UDP doesn't get access to 11-bit bytes. DNS does not have special CPU instructions only it gets access to. It's All Just Numbers. And in the end you can stuff whatever numbers you like onto the line and the rest of the world is just going to take those numbers and do... whatever they do with them.
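Added example (not code from the project under discussion or from any commenter) illustrating the "It's All Just Numbers" point above and the first comment's remark that ARP can carry an arbitrary payload: a broadcast Ethernet/ARP frame is built byte by byte, extra bytes are appended after the 28-byte ARP header, and a parser on the receiving side pulls them back out. The length prefix is an assumption of this example, needed because NICs zero-pad frames shorter than 60 bytes and a receiver otherwise cannot tell padding from payload. The `send_arp_frame` helper is Linux-only (AF_PACKET) and needs CAP_NET_RAW; nothing else touches the network.

```python
"""Build a broadcast ARP frame with a trailing payload and parse it back (example, not the project's code)."""
import socket
import struct

ETH_P_ARP = 0x0806
ETH_HDR_LEN = 14
ARP_HDR_LEN = 28            # hrd, pro, hln, pln, op, sha, spa, tha, tpa for Ethernet/IPv4
ETH_MIN_FRAME = 60          # minimum frame length without FCS; shorter frames are zero-padded by the NIC
ETH_MTU = 1500
BROADCAST_MAC = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2
# Assumption of this example: the payload is length-prefixed with 2 bytes so padding can be stripped.
MAX_PAYLOAD = ETH_MTU - ARP_HDR_LEN - 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_frame(sender_mac: str, sender_ip: str, target_ip: str,
                    payload: bytes, opcode: int = ARP_REQUEST) -> bytes:
    """Return a valid Ethernet+ARP frame to ff:ff:ff:ff:ff:ff with `payload` appended after the ARP header."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload exceeds {MAX_PAYLOAD} bytes for a standard MTU")
    eth = BROADCAST_MAC + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)       # Ethernet, IPv4, hln=6, pln=4, opcode
    arp += mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)   # sender hw/proto address
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)              # target hw (unknown) / proto address
    # Any ARP implementation stops reading here; the bytes after are "just numbers" to it.
    return eth + arp + struct.pack("!H", len(payload)) + payload


def parse_arp_frame(frame: bytes) -> dict:
    """Parse the ARP fields a normal stack would, then recover the trailing payload if present."""
    if len(frame) < ETH_HDR_LEN + ARP_HDR_LEN:
        raise ValueError("frame too short for Ethernet+ARP")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    hrd, pro, hln, pln, op = struct.unpack("!HHBBH", frame[14:22])
    if (hrd, pro, hln, pln) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa = frame[22:28], frame[28:32]
    tha, tpa = frame[32:38], frame[38:42]
    trailer = frame[42:]            # payload plus any zero padding added to reach ETH_MIN_FRAME
    payload = b""
    if len(trailer) >= 2:
        n = struct.unpack("!H", trailer[:2])[0]
        if 2 + n <= len(trailer):   # a plain, padded ARP frame yields n == 0 and an empty payload
            payload = trailer[2:2 + n]
    return {
        "dst_mac": bytes_to_mac(dst), "src_mac": bytes_to_mac(src), "opcode": op,
        "sender_mac": bytes_to_mac(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": socket.inet_ntoa(tpa),
        "payload": payload,
    }


def send_arp_frame(frame: bytes, iface: str) -> int:
    """Put the raw frame on the wire (Linux only, requires CAP_NET_RAW). Not exercised in the test."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        return s.send(frame)


if __name__ == "__main__":
    # Constructed sample: a fake sender and a message, never sent anywhere.
    f = build_arp_frame("02:00:00:00:00:01", "10.0.0.1", "10.0.0.255", b"hello, broadcast domain")
    padded = f + b"\x00" * max(0, ETH_MIN_FRAME - len(f))   # what a receiver actually sees
    print(len(f), "bytes built;", len(padded), "bytes after NIC padding")
    print(parse_arp_frame(padded))
```

A switch forwards this frame because the destination MAC is the broadcast address, not because of anything in the ARP body, which is the first comment's point; the same trick works with any EtherType as long as some receiver is willing to read the bytes.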
One of the first amplification DDoS attacks I ever saw - talking 1990s era - was to ping the broadcast addresses of unwitting campus networks with the victim’s host address spoofed as the source.
This shouldn’t work today, but back then, a naive TCP/IP implementation (which is to say, many of them) would happily participate.
Ah that’s right. It’s been so long I’d forgotten the name. Although I have a feeling it was already a recognised potential vulnerability some years before being packaged as a convenient utility.