Address Resolution Protocol (ARP) poisoning is an attack that involves sending spoofed ARP messages over a local area network. It’s also known as ARP spoofing, ARP poison routing and ARP cache poisoning.
These attacks attempt to divert traffic from its originally intended host to an attacker instead. ARP poisoning does this by associating the attacker’s Media Access Control (MAC) address with the IP address of the target. It only works against networks that use ARP.
ARP poisoning is a type of man-in-the-middle attack that can be used to stop network traffic, change it, or intercept it. The technique is often used to initiate further offensives, such as session hijacking or denial-of-service.
What is the Address Resolution Protocol (ARP)?
The ARP is a protocol that associates a given IP address with the link layer address of the relevant physical machine. Since IPv4 is still the most commonly used internet protocol, ARP generally bridges the gap between 32-bit IPv4 addresses and 48-bit MAC addresses. It works in both directions.
The relationship between a given MAC address and its IP address is kept in a table known as the ARP cache. When a packet heading towards a host on a LAN gets to the gateway, the gateway uses ARP to associate the MAC or physical host address with its correlating IP address.
The host then searches through its ARP cache. If it locates the corresponding address, the address is used to convert the format and packet length. If the right address isn’t found, ARP will send out a request packet that asks other machines on the local network if they know the correct address. If a machine replies with the address, the ARP cache is updated with it in case there are any future requests from the same source.
What is ARP poisoning?
Now that you understand more about the underlying protocol, we can cover ARP poisoning in more depth. The ARP protocol was developed to be efficient, which led to a serious lack of security in its design. This makes it relatively easy for someone to mount these attacks, as long as they can access the local network of their target.
ARP poisoning involves sending forged ARP reply packets to a gateway over the local network. Attackers typically use spoofing tools like Arpspoof or Arppoison to make the job easy. They set the IP address of the tool to match the address of their target. The tool then scans the target LAN for the IP and MAC addresses of its hosts.
Once the attacker has the addresses of the hosts, they start sending forged ARP packets over the local network to the hosts. The fraudulent messages tell the recipients that the attacker’s MAC address should be connected to the IP address of the machine they are targeting.
This results in the recipients updating their ARP cache with the attacker’s address. When the recipients communicate with the target in the future, their messages will actually be sent to the attacker instead.
At this point, the attacker is secretly in the middle of the communications and can leverage this position to read the traffic and steal data. The attacker can also alter messages before they get to the target, or even stop the communications completely.
Attackers can use this information to mount further attacks, like denial-of-service or session hijacking:
- Denial-of-service – These attacks can link a number of separate IP addresses to the MAC address of a target. If enough addresses are sending requests to the target, it can become overloaded by traffic, which disrupts its service and makes it unusable.
- Session Hijacking – ARP spoofing can be leveraged to steal session IDs, which hackers use to gain entry into systems and accounts. Once they have access, they can launch all kinds of havoc against their targets.
How to detect ARP poisoning
If you suspect you may be suffering from an ARP poisoning attack, you can check in Command Prompt. First, open Command Prompt as an administrator. The easiest way is to press the Windows key to open the start menu. Type in “cmd”, then press Crtl, Shift and Enter at the same time.
This will bring up Command Prompt, although you may have to click Yes to give the app permission to make changes. In the command line, enter:
This will give you the ARP table:
*The addresses in the above image have been partially blacked out for privacy reasons.*
The table shows the IP addresses in the left column, and MAC addresses in the middle. If the table contains two different IP addresses that share the same MAC address, then you are probably undergoing an ARP poisoning attack.
As an example, let’s say that your ARP table contains a number of different addresses. When you scan through it, you may notice that two of the IP addresses have the same physical address. You might see something like this in your ARP table if you are actually being poisoned:
Internet Address Physical Address
As you can see, both the first and the third MAC addresses match. This indicates that that the owner of the 192.168.0.106 IP address is most likely the attacker.
Wireshark can be used to detect ARP poisoning by analyzing the packets, although the steps are outside of the scope of this tutorial and probably best left to those who have experience with the program.
Commercial ARP-poisoning detectors such as XArp make the process easier. They can give you alerts when ARP poisoning begins, which means that attacks are detected earlier and damage can be minimized.
How to prevent ARP poisoning
You can use several methods to prevent ARP poisoning, each with its own positives and negatives. These include static ARP entries, encryption, VPNs and packet sniffing.
Static ARP entries
This solution involves a lot of administrative overhead and is only recommended for smaller networks. It involves adding an ARP entry for every machine on a network into each individual computer.
Mapping the machines with sets of static IP and MAC addresses helps to prevent spoofing attacks, because the machines can ignore ARP replies. Unfortunately, this solution can only protect you from simpler attacks.
Protocols such as HTTPS and SSH can also help to reduce the chances of a successful ARP poisoning attack. When traffic is encrypted, the attacker would have to go to the additional step of tricking the target’s browser into accepting an illegitimate certificate. However, any data transmitted outside of these protocols will still be vulnerable.
A VPN can be a reasonable defense for individuals, but they are generally not suitable for larger organizations. If it is just a single person making a potentially dangerous connection, such as using public wifi at an airport, then a VPN will encrypt all of the data that travels between the client and the exit server. This helps to keep them safe, because an attacker will only be able to see the ciphertext.
It’s a less-feasible solution at the organizational level, because VPN connections would need to be in place between each computer and each server. Not only would this be complex to set up and maintain, but encrypting and decrypting on that scale would also hinder the network’s performance.
These filters analyze each packet that gets sent across a network. They can filter out and block malicious packets, as well as those whose IP addresses are suspicious. Packet filters can also tell if a packet claims to come from an internal network when it actually originates externally, helping to reduce the chances of an attack being successful.
Protecting your network from ARP poisoning
If you want your network to be secure from the threat of ARP poisoning, the best plan is a combination of the above-mentioned prevention and detection tools. The prevention methods tend to have flaws in certain situations, so even the most secure environment may find itself under attack.
If active detection tools are in place as well, then you will know about ARP poisoning as soon as it begins. As long as your network administrator is quick to act once alerted, you can generally shut down these attacks before much damage is done.