What is ARP Spoofing/Poisoning & tips for security

How ARP Spoofing works

ARP Spoofing consists of a hacking technique created to impersonate entities or people on the network to obtain private information or gain access to websites and applications with a stolen session-id or credentials or launch a DoS attack.

To understand what ARP spoofing is and how it works, we need to understand more about Address Resolution Protocol and its functioning.

What is Address Resolution Protocol (ARP)?

Address resolution protocol is a protocol used by devices to convert an Internet Protocol (IP) address to the media access control (MAC) address in a directly connected network (Subnet). ARP works in the Data Link layer and Network layer of the OSI model.

ARP is a stateless protocol. Every system and device using IPV4 maintains an ARP cache (table) consisting of the 1:1 mapping of an IP address with the MAC address. You can access the ARP table of your local system by using the arp command:

arp cache in local system

The MAC address is a 48-bit address compared to an IP address which is made of 32 bits. It works at the data link layer and is required to establish and terminate a connection between two directly connected devices for any data transfer. The IP address works at the network layer and is responsible for forwarding data packets across different networks that are not connected directly. 

The Neighbour Discovery Protocol (NDP) in IPV6 has replaced ARP and is considerably more efficient and secure.

How does ARP work?

Let’s take a scenario that your local system (Say System A) with the IP address 192.168.1.3 (192.168.1.0/24 subnet) needs to reach google.com at 142.250.192.142. Since this IP is not in a directly connected network, the system will send the packets to the gateway for further routing. Following will be the sequence of events:

  • System A will broadcast an ARP request to all devices in the subnet (192.168.1.0/24), with a query including the IP address of my gateway (Say 192.168.1.1)
  • All devices in the subnet will compare their IP address with the enclosed IP address sent by System A in the ARP request.
  • Since the router (say R) has the matching IP address, the router will send an ARP response, including its MAC address, to system A.
  • System A will update the ARP cache and send the packet to the router.
  • The step will be repeated by the router and subsequently all the hops till the packet reaches the destination address of google.com.

What is ARP Spoofing?

ARP spoofing is a Man in the Middle (MITM) attack where the attacker sends falsified ARP response messages to systems within a local subnet. Using ARP spoofing, the attacker corrupts the ARP cache and misleads the system to send the packets to a compromised system initially destined to a different system.

ARP spoofing is also called ARP cache poisoning attack. The Address Resolution Protocol was not designed keeping security in mind. So the system will accept any ARP response without validating if it’s really from an authorized party. A system will also accept ARP responses, even if it never sent out a request. ARP spoofing attacks exploit this weakness.

ARP spoofing is then leveraged to initiate further attacks like session hijacking or DoS attacks.

How does ARP Spoofing work?

Following is the step by step description of how ARP spoofing works:

  • The attacker gets access to a system within the internal subnetwork (subnet). An attacker can do this by employing a compromised system or by gaining physical access to the network.
  • The attacker uses an ARP spoofing tool (like Cain and Abel) and configures any available IP address of the target subnet.
  • The attacker scans for the IP and MAC addresses of the hosts in the target subnet and identifies the target system.
  • The attacker can then start sending spoofed ARP packets across the subnet that contains his MAC address and the gateway IP address to poison the ARP cache of the target system.
  • Once the target host updates the ARP table with the spoofed MAC address, the attacker starts acting as Man-in-the-Middle, and the attack is successful.

What attacks are launched using ARP Spoofing?

Since ARP Poisoning attacks happen at such a low level, victims of ARP Poisoning rarely realize that their traffic is being inspected or modified. Further, what makes ARP spoofing so dangerous is its frequent use as a springboard to launch more advanced attacks. Once an attacker has successfully carried out an ARP spoofing attack, they can go on to launch more advanced attacks like the following:

1. Denial of Services (DoS) Attack

Attackers often leverage ARP spoofing to link multiple IP addresses with a single target’s MAC to carry out a DoS attack. Eventually, the traffic intended for many different IP addresses gets redirected to the victim’s MAC address, overloading the target with traffic.

2. Session Hijacking

Session hijacking is also known as cookie hijacking. It is the exploitation of a valid tcp session. The hacker can get the user session id by using ARP spoofing. Then, the attacker can use the session id(s) to access the accounts and services the victim is accessing.

3. Stealing Information and Credentials

The attacker is not required to take any more action. Instead, they can continue sniffing the packets and stealing Victim’s data and credentials.

4. Man-in-the-Middle Attack

The hacker can intercept and modify traffic and send malicious files to the victim’s computer or a destination website.

Tools used for ARP spoofing

Following are some of the tools used for ARP Spoofing:

Arpspoof

Arpspoof is a Kali Linux utility that lets you confiscate all the traffic to a machine from a switched LAN. Arpspoof is the most accurate tool to redirect traffic, allowing you to conveniently sniff traffic on the local network.

ARP0c/WCI

ARP0c uses ARP spoofing to intercept connections within a private network. The software sends false ARP responses, redirecting traffic from the target system to the system running ARP0c. The tool has an integrated bridging engine that can forward information to the target system.

ARP0c forwards packets that aren’t delivered locally to the appropriate router. With this tool, a Man-in-the-Middle attack typically remains undetected. This software supports Linux and Windows operating systems and can be downloaded free from the provider’s website.

Arpoison

This is a command-line tool that generates user-defined ARP packets. The attacker can configure the sender and target addresses. This tool can be used for network analysis but is also frequently used by attackers. The software is available free of cost under the GNU license.

Cain and Abel

The Cain and Abel is windows freeware. It was initially developed as a password recovery tool, but it also can intercept different networks and decrypt their encrypted passwords. Version 2.5 onwards, the software also contains ARP spoofing capability to intercept IP traffic in the switched LANs.

How to prevent ARP Spoofing attacks?

Since ARP spoofing exploits the very basics of IP transport, it isn’t easy to detect it. Following are some of the ways to prevent ARP spoofing attack in a network:

1. Use Dynamic ARP Inspection (DAI)

To prevent ARP poisoning attacks, the switch should relay only valid ARP requests and responses. Dynamic ARP Inspection effectively prevents these attacks from happening by intercepting all ARP requests and responses. Each intercepted packet is verified for valid bindings of MAC address to IP address before updating the local ARP cache or forwarding the packet to the appropriate destination. 

DAI drops any invalid ARP packets by validating the ARP MAC address to IP address bindings against a trusted database. This database is built at runtime using DHCP snooping. However, the DHCP snooping feature should be enabled on the VLANs and the switch. DAI can also validate ARP packets against user-configured ARP Access Control Lists to handle hosts using statically configured IP addresses. Please refer to this link for more details.

2. Use Static ARP

You can configure static ARP entries for any particular IP address. By using a static ARP entry, you can effectively prevent others from poisoning your ARP cache. If the system always connects to a specific gateway/router, you can configure a static ARP entry and prevent ARP spoofing attacks.

You can use the “arp -s” command to add a static ARP entry for any IP address.

3. Use Cryptographic Network Protocols

Use protocols like Transport Layer Security (TLS), Secure Socket Layer (SSL), or Secure Shell (SSH) to encrypt data-in-transit. An attacker will not be able to act MITM for such protocols.

4. Use IDS/IPS

The use of intrusion detection/prevention software like Snort will help you stop ARP spoofing attacks by monitoring ARP requests.

5. Focus on Physical and Wi-fi Security

Since ARP Poisoning requires an attacker to have direct access to the particular subnet, controlling physical access can help mitigate ARP Spoofing attacks. If you use a wireless network, it means the attacker may not even require direct physical access.

If the Wi-fi signal extends to a street or event to a parking lot, it may be sufficient. The use of port-based Network Access Control (PNAC) can add another layer of security.

6. Avoid IP based Trust Relationship

You should avoid IP-based trust relationships, reduce them to a bare minimum, and configure validation and authentication for all critical applications. Trust relationships weaken your defense since they rely only on IP addresses for authentication. This makes it easier for an attacker to run ARP spoofing attacks and act as a Man-in-the-Middle.

7. Simulate Spoofing attacks to test your defenses

It will be a good idea to test your defenses by simulating an actual spoofing attack by using tools described earlier in this post. The simulation will help you get a good idea of how effective your defenses are. Then, if the attack is successful, find the weak points and work to fix them.

8. Use ARP Spoofing Detection Tools

There are several ARP spoofing detection software available that can help you fortify your defenses. These tools inspect and verify data before transmission and can block data from spoofed sources. Some of the popular tools are mentioned in the next section.

Tools to Detect ARP Spoofing Attack

There are some excellent tools available in the market that can help you effectively detect ARP spoofing. Following are some tools worth mentioning:

1. XArp

XArp uses two groups of techniques to detect ARP Spoofing attacks. On the one hand, XArp employs a set of filter modules to inspect each ARP packet in or out of a system. These filters have different sensitivity levels and are grouped to make different security levels.

The other technique is active network discoverers. Active network discoverers are used to quickly collect information around your network and support the filter module. Please refer to their website for more details.

2. Arpwatch

Arpwatch generates a log of the pairing of IP addresses with MAC addresses with a timestamp when the pairing appears on the network. It can also send an email alert to the administrator when a pairing is added or changed. Arpwatch is open-source software and was developed by Lawrence Berkeley National Laboratory, Network Research Group. It is released under the BSD license.

You can download the latest version of this tool from this link.

3. ARP Guard

ARP Guard provides a graphic overview of your existing network, including the illustrations of switches and routers. The software is self-learning and will develop an understanding of the devices on your network. You can then create rules to control future connections.

You can access the solution datasheet using this link.

4. Wireshark

This is a good old friend of all network and security professionals. This tool is free, open-source, and extremely powerful. The only downside one can say is that it requires advanced skills to implement and get the maximum out of this software. You can download Wireshark from its official website.

Cybercriminals use ARP spoofing to launch more sophisticated attacks like DDoS or Man-In-The-Middle attacks or steal sensitive data. While it may look similar to IP Spoofing, it’s different primarily because it works at a very basic level. By arming yourself with better knowledge and using the right tools, you can fortify your defense against these attacks.

If you would like to know more about IP Spoofing, please refer to this blog post.

About Kumar AS.

Kumar AS.
Senior Cybersecurity Practitioner with more than a decade of experience under his belt in different roles. Specializing in Fortifying Defenses, Data Loss Protection, Email and Web protection and other security technologies.

Check Also

secure rest api

How to secure REST API: Best practices and tips

APIs are the backbone of today’s web and mobile development, and REST API accounts for …