How to prevent & detect ARP poisoning

Address Resolution Protocol (ARP) poisoning is an attack that involves sending spoofed ARP messages over a local area network. It’s also known as ARP spoofing, ARP poison routing & man in the middle.

These attacks attempt to divert traffic from its originally intended host to an attacker instead. ARP poisoning does this by associating the attacker’s MAC address with the IP address of the target. It only works against networks that use ARP. ARP poisoning is a type of man-in-the-middle attack that can be used to stop network traffic, change it, or intercept it.

What is the ARP?

The ARP is a protocol that associates a given IP address with the link layer address of the relevant physical machine. ARP generally bridges the gap between 32-bit IPv4 addresses and 48-bit MAC addresses. It works in both directions. The relationship between a given MAC address and its IP address is kept in a table known as the ARP cache. When a packet heading towards a host on a LAN gets to the gateway, the gateway uses ARP to associate the MAC or physical host address with its correlating IP address. The host then searches through its ARP cache. If it locates the corresponding address, the address is used to convert the format and packet length. If the right address isn’t found, ARP will send out a request packet that asks other machines on the local network if they know the correct address. If a machine replies with the address, the ARP cache is updated with it in case there are any future requests from the same source

What is ARP poisoning?

Now that you understand more about the underlying protocol, we can cover ARP poisoning in more depth. The ARP protocol was developed to be efficient, which led to a serious lack of security in its design. This makes it relatively easy for someone to mount these attacks, as long as they can access the local network of their target.

ARP poisoning involves sending forged ARP reply packets to a gateway over the local network. Attackers typically use spoofing tools like Arpspoof or Arppoison to make the job easy. They set the IP address of the tool to match the address of their target. The tool then scans the target LAN for the IP and MAC addresses of its hosts.

Once the attacker has the addresses of the hosts, they start sending forged ARP packets over the local network to the hosts. The fraudulent messages tell the recipients that the attacker’s MAC address should be connected to the IP address of the machine they are targeting.

This results in the recipients updating their ARP cache with the attacker’s address. When the recipients communicate with the target in the future, their messages will actually be sent to the attacker instead.

At this point, the attacker is secretly in the middle of the communications and can leverage this position to read the traffic and steal data. The attacker can also alter messages before they get to the target, or even stop the communications completely.That’s so scary isn’t it?

How to detect ARP poisoning?

ARP poisoning can be detected in several different ways. You can use Windows’ Command Prompt, an open-source packet analyzer such as Wireshark, or proprietary options such as XArp.

Command prompt

The table shows the IP addresses in the left column, and MAC addresses in the middle. If the table contains two different IP addresses that share the same MAC address, then you are probably undergoing an ARP poisoning attack.

As an example, let’s say that your ARP table contains a number of different addresses. When you scan through it, you may notice that two of the IP addresses have the same physical address. You might see something like this in your ARP table if you are actually being poisoned:

Internet Address Physical Address

192.168.0.1 00–17–31-dc-39-ab

192.168.0.105 40-d4–48-cr-29-b2

192.168.0.106 00–17–31-dc-39-ab

As you can see, both the first and the third MAC addresses match. This indicates that that the owner of the 192.168.0.106 IP address is most likely the attacker.

Wireshark

Wireshark can be used to detect ARP poisoning by analyzing the packets, although the steps are outside of the scope of this tutorial and probably best left to those who have experience with the program.

Commercial ARP-poisoning detectors such as XArp make the process easier. They can give you alerts when ARP poisoning begins, which means that attacks are detected earlier and damage can be minimized.

Encryption

Protocols such as HTTPS and SSH can also help to reduce the chances of a successful ARP poisoning attack. When traffic is encrypted, the attacker would have to go to the additional step of tricking the target’s browser into accepting an illegitimate certificate. However, any data transmitted outside of these protocols will still be vulnerable.

Using Static ARP

This is an old school way, but it works well. You manually set up a static ARP for your computers on the subnetwork so that there are no chances of any alterations. However, it is not recommended for a large network because there will a lot of static ARPs, and any small changes will be too much work for the network administrator.

Using VPNs

Using VPNs is one of the best ways to get protection against ARP spoofing attack A Virtual Private Network uses an encrypted tunnel for not only data transmission but also the data that goes through it is encrypted.