ARP Spoofing

As we already know, the ARP protocol is responsible for resolving an IP address to a MAC address within a local network so that devices can communicate with each other. ARP spoofing is an attack technique in which an attacker poisons the ARP cache (the temporary table of IP-to-MAC mappings) on other devices, for example on switches.


In simple terms, this is how it works:


The attacker's device scans the network, picks a device to compromise, and sends forged ARP packets to that device, claiming an IP address that is already known on the network. In the switch example, the switch then updates its ARP cache with the forged mapping. Once that has happened, the attacker can redirect traffic passing through that switch, so data sent from the compromised device flows through the attacker's own device. When information is stolen in this way, the victim does not realise that the data was captured.


This is what is known as a MITM (man-in-the-middle) attack.


By sending frames to the compromised device, the attacker makes the victim believe that it holds the correct MAC addresses, while the frames are in fact delivered straight to the attacker for analysis. The attacker can receive, forward or even manipulate that data. Switches are usually the most vulnerable devices, especially those left with their default configuration.


ARP cache poisoning takes advantage of the nature of the ARP protocol: devices using ARP accept updates at any time and do not authenticate them, so any device on the network can send an ARP reply to another device and update its ARP cache with a new value.




Defending Against ARP Cache Poisoning:


Securing your LAN: on a wired network, ARP cache poisoning is only possible if the attacker is able to plug a device into your local network. So if you can prevent untrusted devices from being plugged into your network locally, you will not have a problem. On a wireless LAN you need to use strong passwords and change them often, since this, much like physical access control on a wired network, stops an attacker from connecting to your network in the first place. If regularly changing your passwords sounds unfeasible, consider putting static MAC addresses in your ARP tables so that dynamic updates are not accepted, which means the attack will not work.


Monitoring all ARP traffic is a good way to secure your network, and there are many monitoring tools such as Snort and XArp which can help. Here is a short list of more tools:


  • ArpON – ARP handler inspection.
  • ARPDefender appliance.
  • Arpwatch.
  • anti-arpspoof.
  • AntiARP.
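To show what the monitoring tools listed above actually look for, here is an added example (not part of the original post and not the code of any of the tools named) of a small arpwatch-style monitor. It keeps the IP-to-MAC binding it has learned for each address and raises an alert when an ARP reply claims a different MAC for a known IP, when an IP flips between MACs repeatedly, or when one MAC starts answering for more IPs than expected. The ARP reply records, the addresses and the thresholds are all constructed for the example; a real deployment would feed it captured ARP replies.

```python
"""Minimal arpwatch-style ARP monitor (added example, not from the original post)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float           # capture time in seconds
    sender_ip: str      # IP address the sender claims to own
    sender_mac: str     # MAC the sender wants cached for that IP
    target_ip: str      # IP address the reply is addressed to
    unsolicited: bool   # True when no matching ARP request was seen


class ArpMonitor:
    def __init__(self, max_ips_per_mac=2):
        self.bindings = {}                    # ip -> MAC currently believed to own it
        self.changes = defaultdict(int)       # ip -> number of MAC changes seen
        self.ips_by_mac = defaultdict(set)    # mac -> set of IPs it has claimed
        self.max_ips_per_mac = max_ips_per_mac

    def observe(self, reply):
        """Return a list of alert strings for one ARP reply (empty if benign)."""
        alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac            # first time we see this IP: learn it
        elif known != mac:
            # The classic poisoning symptom: a known IP suddenly maps to a new MAC.
            self.changes[ip] += 1
            tag = "unsolicited " if reply.unsolicited else ""
            alerts.append(f"{reply.ts:.1f} CHANGE {ip}: {known} -> {mac} "
                          f"({tag}reply to {reply.target_ip})")
            if self.changes[ip] >= 2:
                # Real host and impostor both answering makes the binding flip-flop.
                alerts.append(f"{reply.ts:.1f} FLIPFLOP {ip} has changed MAC "
                              f"{self.changes[ip]} times")
            self.bindings[ip] = mac
        before = len(self.ips_by_mac[mac])
        self.ips_by_mac[mac].add(ip)
        after = len(self.ips_by_mac[mac])
        if after > self.max_ips_per_mac and after > before:
            # One MAC claiming many IPs is typical of a host poisoning several victims.
            alerts.append(f"{reply.ts:.1f} FANOUT {mac} now claims {after} IPs: "
                          f"{sorted(self.ips_by_mac[mac])}")
        return alerts


def run_monitor(replies, max_ips_per_mac=2):
    """Feed a sequence of ArpReply records through the monitor, collecting alerts."""
    mon = ArpMonitor(max_ips_per_mac)
    alerts = []
    for r in replies:
        alerts.extend(mon.observe(r))
    return alerts


# Constructed sample traffic: gateway 192.168.1.1 and host .20 behave normally,
# then cc:...:99 claims the gateway, the host and a third address, and the real
# gateway answers again.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.20", False),
    ArpReply(1.0, "192.168.1.20", "aa:aa:aa:aa:aa:20", "192.168.1.1", False),
    ArpReply(5.0, "192.168.1.1", "cc:cc:cc:cc:cc:99", "192.168.1.20", True),
    ArpReply(5.1, "192.168.1.20", "cc:cc:cc:cc:cc:99", "192.168.1.1", True),
    ArpReply(5.2, "192.168.1.30", "cc:cc:cc:cc:cc:99", "192.168.1.1", True),
    ArpReply(6.0, "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.20", False),
]

if __name__ == "__main__":
    for line in run_monitor(SAMPLE_REPLIES):
        print(line)
```

On the sample traffic the monitor reports three CHANGE alerts, one FANOUT alert for cc:cc:cc:cc:cc:99 and one FLIPFLOP alert for the gateway address; the first two benign replies produce nothing. The fan-out threshold is deliberately low for the example; on a real network, hosts with several addresses (virtual IPs, containers) would need a higher value or an allow list.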


Certain switch vendors have integrated mechanisms to defend against these attacks by checking which ARP packets are allowed through and which are not.


On your switches (enterprise switches especially) you will see these features called ARP Security or Dynamic ARP Inspection.


Also, by using a VPN connection or data encryption, you can prevent people from reading your data even if they are able to intercept it.


Usually, the simplest way to secure a switch is by statically (manually) adding the MAC addresses to the ARP table and assigning them to each port.


With some devices you can also assign the MAC address allowed on each port, and if a device with a different MAC address is plugged into that port, the switch can be set up to shut the port down on the first violation, or to allow as many violations as you configure.
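The two switch-side defences described above, Dynamic ARP Inspection (checking ARP packets against a trusted binding table) and per-port MAC assignment with a violation limit, can be illustrated with a small model. The following is an added example written for this post, not any vendor's implementation: the port names, binding table, addresses and verdict strings are all constructed, and the binding table stands in for what a real switch would learn from DHCP snooping or static configuration.

```python
"""Model of Dynamic ARP Inspection plus port security on a switch
(added example; an illustration of the behaviour described in the post,
not a vendor implementation)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    port: str          # ingress switch port
    src_mac: str       # Ethernet source address of the frame
    sender_ip: str     # ARP sender protocol address
    sender_mac: str    # ARP sender hardware address


@dataclass
class PortConfig:
    trusted: bool = False                    # uplink to a router/switch: not inspected
    allowed_macs: frozenset = frozenset()    # port-security MACs; empty = any MAC
    max_violations: int = 1                  # shut the port down at this count
    violations: int = 0
    shutdown: bool = False


class Switch:
    def __init__(self, bindings, ports):
        # bindings: {ip: (mac, port)} - the trusted DHCP-snooping / static table
        self.bindings = {ip: (m.lower(), p) for ip, (m, p) in bindings.items()}
        self.ports = ports

    def port_security(self, pkt, cfg):
        """Enforce the per-port MAC list; returns a DROP verdict or None."""
        if cfg.allowed_macs and pkt.src_mac.lower() not in cfg.allowed_macs:
            cfg.violations += 1
            if cfg.violations >= cfg.max_violations:
                cfg.shutdown = True
                return "DROP: port-security violation, port err-disabled"
            return "DROP: port-security violation"
        return None

    def inspect(self, pkt):
        """Decide whether an ARP packet is forwarded or dropped."""
        cfg = self.ports[pkt.port]
        if cfg.shutdown:
            return "DROP: port is shut down"
        verdict = self.port_security(pkt, cfg)
        if verdict:
            return verdict
        if cfg.trusted:
            return "FORWARD: trusted port"
        # DAI sanity check: the frame source must equal the ARP sender MAC.
        if pkt.src_mac.lower() != pkt.sender_mac.lower():
            return "DROP: src MAC / ARP sender MAC mismatch"
        binding = self.bindings.get(pkt.sender_ip)
        if binding is None:
            return "DROP: no binding for sender IP"
        mac, port = binding
        if mac != pkt.sender_mac.lower() or port != pkt.port:
            return "DROP: sender does not match binding"
        return "FORWARD: binding verified"


def demo():
    """Constructed scenario: a host on Gi0/1, an intruder on Gi0/2, uplink on Gi0/24."""
    ports = {
        "Gi0/1": PortConfig(allowed_macs=frozenset({"aa:aa:aa:aa:aa:20"})),
        "Gi0/2": PortConfig(allowed_macs=frozenset({"bb:bb:bb:bb:bb:02"}), max_violations=2),
        "Gi0/24": PortConfig(trusted=True),
    }
    sw = Switch({"192.168.1.20": ("aa:aa:aa:aa:aa:20", "Gi0/1"),
                 "192.168.1.1": ("aa:aa:aa:aa:aa:01", "Gi0/24")}, ports)
    packets = [
        ArpPacket("Gi0/1", "aa:aa:aa:aa:aa:20", "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # genuine
        ArpPacket("Gi0/2", "bb:bb:bb:bb:bb:02", "192.168.1.1", "bb:bb:bb:bb:bb:02"),   # claims gateway
        ArpPacket("Gi0/2", "bb:bb:bb:bb:bb:02", "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # claims host
        ArpPacket("Gi0/2", "aa:aa:aa:aa:aa:20", "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # forged frame src
        ArpPacket("Gi0/2", "aa:aa:aa:aa:aa:20", "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # second violation
        ArpPacket("Gi0/2", "bb:bb:bb:bb:bb:02", "192.168.1.1", "bb:bb:bb:bb:bb:02"),   # port now down
        ArpPacket("Gi0/24", "aa:aa:aa:aa:aa:01", "192.168.1.1", "aa:aa:aa:aa:aa:01"),  # real gateway
    ]
    return [sw.inspect(p) for p in packets]


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The scenario shows the two mechanisms complementing each other: DAI drops the forged replies that carry the intruder's own MAC, and once the intruder forges the frame source as well, port security counts the violations and err-disables the port at the configured limit, after which nothing from that port is accepted.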


For a better explanation of how ARP attacks can take place on your network, please see the diagram below:


