ARP poisoning: what it is and how to prevent ARP spoofing
ARP poisoning is a type of cyberattack that exploits weaknesses in the widely used Address Resolution Protocol (ARP) to disrupt, redirect or monitor network traffic. In this article, we briefly review why ARP is needed, analyze the weaknesses that make ARP poisoning possible, and look at the measures an organization can take to protect itself.
What is ARP?
ARP is used to find the MAC address that corresponds to another computer's IP address. ARP allows devices connected to a network to query which device currently holds a particular IP address. Devices can also announce their own assignment to the rest of the network without being asked. For efficiency, devices typically cache these responses and build a table of current IP-to-MAC assignments (the ARP cache).
What is ARP Poisoning?
ARP “poisoning” (spoofing) exploits the weaknesses of ARP to corrupt the IP-to-MAC assignments held by other devices on the network. In 1982, when the ARP protocol was introduced, security was not a top priority, so the designers of the protocol included no authentication mechanism to validate ARP messages. Any device on the network can respond to an ARP request, whether or not it is the intended recipient of the request. For example, if computer A asks for the MAC address of computer B, an attacker on computer C can respond, and computer A will accept this answer as valid. This weakness has been exploited in a large number of attacks. Using readily available tools, an attacker can poison the ARP cache of other hosts on the local network by filling it with invalid entries.
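To make the weakness concrete, here is an added example (Python, not code from the original article) that encodes and decodes ARP messages in the RFC 826 layout for IPv4 over Ethernet and models an ARP cache that, as described above, trusts every reply and every unsolicited announcement. All MAC and IP addresses are constructed sample values and nothing is sent on a real network: the second, conflicting reply simply overwrites the entry learned from the first, which is the whole basis of poisoning.

```python
"""Minimal ARP (RFC 826) message model and an unauthenticated ARP cache.

Added example, not code from the original article. All addresses are
constructed sample values; nothing is transmitted on a real network.
"""
import struct
from ipaddress import IPv4Address

ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
_FMT = "!HHBBH6s4s6s4s"  # 28 bytes for IPv4 over Ethernet


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode one ARP message (request or reply) for IPv4 over Ethernet."""
    return struct.pack(_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), IPv4Address(spa).packed,
                       mac_bytes(tha), IPv4Address(tpa).packed)


def parse_arp(data: bytes) -> dict:
    """Decode an ARP message; raises ValueError if it is malformed."""
    if len(data) < struct.calcsize(_FMT):
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(_FMT, data[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"oper": oper, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def is_gratuitous(msg: dict) -> bool:
    """Gratuitous ARP: a host announces its own mapping (sender IP == target IP)."""
    return msg["spa"] == msg["tpa"]


class ArpCache:
    """Models the behaviour the article describes: every reply and every
    gratuitous announcement is trusted, so the most recent sender wins."""

    def __init__(self):
        self.table = {}  # ip -> mac

    def learn(self, msg: dict) -> None:
        if msg["oper"] == ARP_REPLY or is_gratuitous(msg):
            self.table[msg["spa"]] = msg["sha"]

    def lookup(self, ip: str):
        return self.table.get(ip)


def demo() -> dict:
    """Computer A (constructed 192.0.2.10) asks for the router 192.0.2.1.
    The router's reply is accepted; so is a later reply from another host."""
    cache = ArpCache()
    request = build_arp(ARP_REQUEST, "02:00:00:00:00:0a", "192.0.2.10",
                        "00:00:00:00:00:00", "192.0.2.1")
    assert parse_arp(request)["oper"] == ARP_REQUEST
    cache.learn(parse_arp(build_arp(ARP_REPLY, "02:00:00:00:00:01", "192.0.2.1",
                                    "02:00:00:00:00:0a", "192.0.2.10")))
    first = cache.lookup("192.0.2.1")
    # Any host may answer for any IP; the cache has no way to tell.
    cache.learn(parse_arp(build_arp(ARP_REPLY, "02:00:00:00:00:0c", "192.0.2.1",
                                    "02:00:00:00:00:0a", "192.0.2.10")))
    return {"first": first, "after_conflicting_reply": cache.lookup("192.0.2.1")}


if __name__ == "__main__":
    print(demo())
```

The cache deliberately has no notion of who is allowed to answer for an address; the defensive sections later in this article (static entries, Dynamic ARP Inspection) are all ways of adding that missing check somewhere else.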
Stages of ARP poisoning
The stages of ARP poisoning may vary, but the minimum sequence is usually as follows:
- The attacker selects the victim machine or machines. The first step in planning and carrying out an ARP poisoning attack is to select a target. This can be a specific endpoint on the network, a group of endpoints, or a network device such as a router. Routers are attractive targets because successful ARP poisoning of a router can disrupt traffic for the entire subnet.
- The attacker runs tools and launches the attack. A wide range of tools for ARP poisoning are readily available. After launching the chosen tool and setting the appropriate parameters, the attacker starts the attack. The tool can begin sending ARP messages immediately or wait until it receives a request.
- The attacker acts on the misdirected traffic. Once the ARP cache on the victim device(s) is corrupted, the attacker usually does something with the misdirected traffic: view it, modify it, or create a “black hole” so that the data never reaches its addressee. The choice of action depends on the attacker’s motives.
Types of ARP Poisoning Attacks
There are two main ways to poison ARP: an attacker can either wait for an ARP request for a specific target and respond to it, or send unsolicited announcements (gratuitous ARP). The first approach is less visible on the network, but its potential impact is also smaller. Gratuitous ARP messages can be more efficient and affect more victims, but they have the downside of generating a lot of network traffic. With either approach, the corrupted ARP cache on the victim devices can then be used for several purposes:
Man-in-the-Middle attacks
MiTM attacks are probably the most common and potentially most dangerous goal of ARP poisoning. The attacker sends bogus ARP replies for a given IP address (usually the default gateway of a specific subnet). This causes victim devices to populate their ARP cache with the MAC address of the attacker’s machine instead of the MAC address of the local router. The victim devices then incorrectly forward network traffic to the attacker. Tools such as Ettercap allow an attacker to act as a proxy, viewing or modifying information before sending the traffic on to its intended destination. In this case, the victim may not notice anything unusual.
Simultaneous ARP poisoning and DNS poisoning can significantly increase the effectiveness of a MiTM attack. In this scenario, the victim user can enter the address of a legitimate site (for example, google.com) and receive the IP address of the attacker’s machine instead of the correct address.
Denial of Service (DoS)
A DoS attack is when one or more victims are denied access to network resources. In the case of ARP, an attacker can send ARP responses that falsely assign hundreds or even thousands of IP addresses to a single MAC address, potentially overloading the target device. This type of attack, sometimes referred to as “ARP flooding”, can also target switches, potentially impacting the performance of the entire network.
Session hijacking
Session hijacking is similar in nature to MiTM, except that the attacker does not directly relay traffic from the victim’s machine to the target device. Instead, the attacker captures the victim’s real TCP sequence number or session cookie and uses it to impersonate the victim. In this way the attacker can, for example, gain access to the user’s account on a social network if the user is logged into it.
What is the purpose of ARP poisoning?
Attackers perform ARP poisoning for a variety of motives, ranging from high-level espionage to the excitement of wreaking havoc on the network. In one possible scenario, an attacker could use spoofed ARP messages to assume the role of the default gateway for a given subnet, effectively directing all traffic to their device instead of the local router. The attacker can then monitor the traffic, modify it, or drop it. Such attacks are “high-profile” because they leave evidence behind, but they do not necessarily affect the operation of the network. If the goal of the attack is espionage, the attacker’s machine simply relays the traffic to its original destination without giving the victim any reason to suspect that anything has changed.
Another goal could be a significant network disruption. For example, DoS attacks are often carried out by inexperienced attackers simply for the satisfaction of causing problems.
A dangerous type of ARP poisoning is the insider attack. Spoofed ARP messages do not travel outside the local network, so the attack must originate from a device on the local network. An external attacker can also potentially initiate an ARP attack, but must first remotely compromise a local system by other means, whereas an insider only needs a network connection and some easily accessible tools.
ARP spoofing vs ARP poisoning
The terms “ARP spoofing” and “ARP poisoning” are commonly used interchangeably. Technically, spoofing refers to the attacker passing off their own MAC address as that of another computer, while poisoning refers to the corruption of the ARP tables on one or more victim machines. In practice, however, these are elements of the same attack. This attack is also sometimes referred to as “ARP cache poisoning” or “ARP table corruption”.
Consequences of ARP Poisoning Attacks
The main effect of ARP poisoning is that traffic destined for one or more hosts on a local network is instead directed to a device of the attacker’s choice. The specific consequences depend on the details of the attack. Traffic can be directed to the attacker’s machine or to a non-existent location. In the first case there may be no noticeable effect, while in the second, access to the network may be blocked.
By itself, ARP cache poisoning does not have a lasting effect. ARP entries are cached for minutes on end devices and for hours on switches. As soon as the attacker stops actively poisoning the tables, the corrupted entries simply age out, and the normal flow of traffic soon resumes. ARP poisoning alone leaves no permanent infection or “foothold” on victim machines. However, it is not uncommon for attackers to chain a series of attacks together, and ARP poisoning can be one part of a larger attack.
How to detect ARP cache poisoning
There are many paid and open source programs for detecting ARP cache poisoning, but you can check the ARP table on your computer even without installing special software. On most Windows, macOS, and Linux systems, entering the arp -a command in a terminal or command prompt will display the machine’s current IP and MAC address assignments.
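What to look for in that output is a single MAC address claimed by several IP addresses, or a gateway entry whose MAC does not match what the inventory says. The following added example (Python, not code from the original article) parses the arp -a output formats of Windows, Linux and macOS and applies those two checks. The two sample outputs are constructed, and the "known-good" gateway MAC is an assumption that an operator would supply from their own records.

```python
"""Parse `arp -a` output and flag signs of ARP cache poisoning.

Added example, not from the original article. The sample outputs are
constructed; the expected gateway MAC is an operator-supplied assumption.
"""
import re
from collections import defaultdict

# Windows:      "  192.0.2.1    02-00-00-00-00-0c    dynamic"
_WIN = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                  r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)")
# Linux/macOS:  "? (192.0.2.1) at 02:00:00:00:00:0c [ether] on eth0"
# (macOS prints MAC octets without zero padding, hence {1,2})
_UNIX = re.compile(r"^\S+ \((\d{1,3}(?:\.\d{1,3}){3})\) at "
                   r"([0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5})")


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated, zero-padded MAC."""
    return ":".join(f"{int(p, 16):02x}" for p in re.split(r"[:-]", mac))


def parse_arp_a(text: str) -> dict:
    """Return {ip: mac} from Windows, Linux or macOS `arp -a` output.
    Broadcast and IPv4 multicast pseudo-entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = _WIN.match(line) or _UNIX.match(line)
        if not m:
            continue  # headers, "Interface:" lines, <incomplete> entries
        ip, mac = m.group(1), norm_mac(m.group(2))
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e"):
            continue
        table[ip] = mac
    return table


def find_suspicious(table: dict, gateway_ip: str, expected_gateway_mac=None) -> list:
    """Flag (a) one MAC claimed by several IPs and (b) a gateway entry that
    differs from the inventory value. Finding (a) can be legitimate, e.g. a
    router with several addresses on one interface, so treat it as a lead."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} is claimed by {len(ips)} IPs: {', '.join(sorted(ips))}")
    if expected_gateway_mac and gateway_ip in table:
        seen, want = table[gateway_ip], norm_mac(expected_gateway_mac)
        if seen != want:
            findings.append(f"gateway {gateway_ip} resolves to {seen}, expected {want}")
    return findings


# Constructed sample: on Windows the gateway and a workstation share a MAC.
WINDOWS_SAMPLE = """\
Interface: 192.0.2.10 --- 0xb
  Internet Address      Physical Address      Type
  192.0.2.1             02-00-00-00-00-0c     dynamic
  192.0.2.12            02-00-00-00-00-0c     dynamic
  192.0.2.255           ff-ff-ff-ff-ff-ff     static
"""
# Constructed sample: a clean Linux table.
LINUX_SAMPLE = """\
gateway (192.0.2.1) at 02:00:00:00:00:01 [ether] on eth0
? (192.0.2.12) at 02:00:00:00:00:0c [ether] on eth0
"""

if __name__ == "__main__":
    for name, sample in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(name, find_suspicious(parse_arp_a(sample), "192.0.2.1", "02:00:00:00:00:01"))
```

A one-off check like this only shows the cache at one instant, which is why the continuous monitors mentioned next keep state across time.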
Tools such as arpwatch and XArp allow continuous network monitoring and can alert the administrator to signs of ARP cache poisoning. However, the probability of false positives is quite high.
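The false positives come from legitimate changes: a DHCP address handed to a different device after the lease expires, or a virtual IP that moves between redundant routers. The added example below (Python, not arpwatch's code nor code from the original article) shows the stateful logic such a monitor needs: it tracks each IP's current MAC from observed ARP replies and announcements, reports a change, and classifies a rapid alternation between two MACs as a "flip-flop", the most characteristic sign of an active poisoning attempt. The observation log is constructed; the lease time and the allowlist of IPs that legitimately move are assumptions an operator would tune.

```python
"""A small arpwatch-style monitor over observed ARP replies.

Added example, not the article's or arpwatch's code. SAMPLE_LOG is
constructed; lease_seconds and allow_multi are operator assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    first_seen: float
    last_seen: float
    previous: str = ""  # MAC this IP had before its most recent change


@dataclass
class ArpMonitor:
    lease_seconds: float = 3600.0  # ASSUMED typical DHCP lease; older entries may change legitimately
    allow_multi: set = field(default_factory=set)  # IPs expected to move (e.g. a VRRP/HSRP virtual IP)
    bindings: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, ts: float, ip: str, mac: str) -> str:
        """Feed one sender (IP, MAC) pair taken from an ARP reply or
        gratuitous announcement. Returns how the observation was classified."""
        b = self.bindings.get(ip)
        if b is None:
            self.bindings[ip] = Binding(mac, ts, ts)
            return "new"
        if b.mac == mac:
            b.last_seen = ts
            return "same"
        # The mapping changed; decide how loudly to report it.
        if ip in self.allow_multi:
            kind = "expected-change"
        elif mac == b.previous:
            kind = "flip-flop"      # alternating between two MACs: real host and impostor both answering
        elif ts - b.last_seen > self.lease_seconds:
            kind = "stale-change"   # entry was idle for a lease period; likely reassignment, low severity
        else:
            kind = "changed"        # an active host suddenly answers from a new MAC
        self.alerts.append((ts, ip, b.mac, mac, kind))
        b.previous, b.mac, b.last_seen = b.mac, mac, ts
        return kind


# Constructed observations: (timestamp, sender IP, sender MAC).
SAMPLE_LOG = [
    (0.0, "192.0.2.1", "02:00:00:00:00:01"),      # router answers a request
    (10.0, "192.0.2.1", "02:00:00:00:00:01"),
    (20.0, "192.0.2.1", "02:00:00:00:00:0c"),     # a different MAC claims the router's IP
    (21.0, "192.0.2.1", "02:00:00:00:00:01"),     # real router answers again
    (22.0, "192.0.2.1", "02:00:00:00:00:0c"),     # and the impostor again
    (30.0, "192.0.2.254", "02:00:00:00:00:fe"),   # allowlisted virtual IP
    (31.0, "192.0.2.254", "02:00:00:00:00:ff"),   # fails over to the standby router
    (40.0, "192.0.2.50", "02:00:00:00:00:50"),    # DHCP client
    (7240.0, "192.0.2.50", "02:00:00:00:00:51"),  # two hours later the lease went to another device
]


def run_sample() -> list:
    mon = ArpMonitor(allow_multi={"192.0.2.254"})
    return [mon.observe(ts, ip, mac) for ts, ip, mac in SAMPLE_LOG]


if __name__ == "__main__":
    for entry, kind in zip(SAMPLE_LOG, run_sample()):
        print(kind, entry)
```

Only the "changed" and "flip-flop" classifications deserve an immediate alert; the other two are the cases that make a naive "MAC changed" rule noisy.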
How to prevent ARP poisoning
There are several methods to prevent ARP poisoning:
Static ARP tables
You can statically map every MAC address on the network to its corresponding IP address. This is very effective at preventing ARP poisoning, but it requires a great deal of administrative effort. Any change to the network requires a manual update of the ARP tables on all hosts, which makes static ARP tables impractical for most large organizations. But in situations where security is paramount, a separate network segment that uses static ARP tables can help protect critical information.
Switch Protection
Most managed Ethernet switches are equipped with ARP Poisoning attack prevention features. These features, known as Dynamic ARP Inspection (DAI), evaluate the validity of each ARP message and discard packets that look suspicious or malicious. DAI can also limit the rate at which ARP messages pass through the switch, effectively preventing DoS attacks.
DAI and similar features were once exclusive to high-end networking equipment, but are now found on virtually all business-class switches, including those used by small businesses. It is generally recommended to enable DAI on all ports except those connected to other switches. This feature does not have a significant performance impact; however, you may need to enable other features along with it, such as DHCP Snooping.
Enabling port security on the switch can also help minimize the effects of ARP cache poisoning. Port security can be configured to allow only one MAC address per switch port, making it impossible for an attacker to present multiple MAC addresses from a single port.
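The three switch features just described (DAI validation against the DHCP snooping table, ARP rate limiting on untrusted ports, and one MAC per access port) fit together into one decision per ARP frame. The added example below (Python, not vendor code and not code from the original article) models that decision so the interaction is visible: trusted uplink ports bypass inspection, untrusted ports must match a binding, and everything else is dropped with a reason. The binding table, port names and packets are constructed; the 15 packets-per-second ceiling and the one-MAC-per-port limit are assumptions chosen for the example, not claims about any product's defaults.

```python
"""Model of what Dynamic ARP Inspection (DAI) plus port security do.

Added example, not vendor code. Bindings, ports and packets are constructed;
the rate limit and MAC-per-port limit are assumptions for the example.
"""
from collections import defaultdict, deque


class SwitchArpGuard:
    def __init__(self, rate_limit_pps=15, max_macs_per_port=1):
        self.trusted = set()                # uplinks to other switches/routers: DAI bypassed
        self.bindings = {}                  # ip -> (mac, port), as DHCP snooping would learn them
        self.rate_limit = rate_limit_pps    # ARP packets per second allowed on an untrusted port
        self.max_macs = max_macs_per_port   # port security: source MACs allowed per access port
        self._recent = defaultdict(deque)   # port -> timestamps of ARP packets in the last second
        self._port_macs = defaultdict(set)  # port -> source MACs seen on it
        self.log = []                       # (ts, port, reason) for every drop

    def trust(self, port):
        self.trusted.add(port)

    def add_binding(self, ip, mac, port):
        self.bindings[ip] = (mac, port)

    def _drop(self, ts, port, reason):
        self.log.append((ts, port, reason))
        return f"drop:{reason}"

    def inspect(self, ts, port, src_mac, arp) -> str:
        """Return "forward" or "drop:<reason>" for one ARP message seen on `port`.
        `arp` carries the decoded sender fields: sha (sender MAC), spa (sender IP)."""
        if port in self.trusted:
            return "forward"
        # Port security: an access port may only source `max_macs` addresses.
        macs = self._port_macs[port]
        if src_mac not in macs and len(macs) >= self.max_macs:
            return self._drop(ts, port, "port-security")
        macs.add(src_mac)
        # Rate limit: ARP packets on this port within the last second.
        # (Real switches typically err-disable the port rather than silently drop.)
        window = self._recent[port]
        while window and ts - window[0] >= 1.0:
            window.popleft()
        window.append(ts)
        if len(window) > self.rate_limit:
            return self._drop(ts, port, "rate-limit")
        # Validity: the ARP sender MAC must equal the frame's source MAC, and the
        # (sender IP, sender MAC) pair must be bound to this very port.
        if arp["sha"] != src_mac:
            return self._drop(ts, port, "sha-mismatch")
        if self.bindings.get(arp["spa"]) != (arp["sha"], port):
            return self._drop(ts, port, "no-binding")
        return "forward"


def _reply(sha, spa):
    return {"oper": 2, "sha": sha, "spa": spa}


def demo() -> list:
    """Constructed scenario: host A on Gi1/0/1, host C on Gi1/0/3, router R
    behind the trusted uplink Gi1/0/24. Returns the decision per packet."""
    A, C, R, X = ("02:00:00:00:00:0a", "02:00:00:00:00:0c",
                  "02:00:00:00:00:01", "02:00:00:00:00:0d")
    g = SwitchArpGuard()
    g.trust("Gi1/0/24")
    g.add_binding("192.0.2.10", A, "Gi1/0/1")
    g.add_binding("192.0.2.12", C, "Gi1/0/3")
    results = [
        g.inspect(0.0, "Gi1/0/1", A, _reply(A, "192.0.2.10")),   # legitimate host
        g.inspect(1.0, "Gi1/0/3", C, _reply(C, "192.0.2.1")),    # C claims the gateway IP
        g.inspect(2.0, "Gi1/0/3", C, _reply(R, "192.0.2.1")),    # forged sender MAC inside ARP
        g.inspect(3.0, "Gi1/0/24", R, _reply(R, "192.0.2.1")),   # real router on trusted uplink
        g.inspect(4.0, "Gi1/0/1", X, _reply(X, "192.0.2.10")),   # second MAC on A's port
    ]
    # 20 valid ARP replies from C within 0.2 s: only the first 15 pass.
    burst = [g.inspect(5.0 + i / 100, "Gi1/0/3", C, _reply(C, "192.0.2.12")) for i in range(20)]
    results.append(f"burst: {burst.count('forward')} forwarded, "
                   f"{burst.count('drop:rate-limit')} rate-limited")
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The "no-binding" check is the reason DHCP snooping has to be enabled alongside DAI: without the snooping table there is nothing to validate the sender's IP-to-MAC claim against, which is also why hosts with static addresses need explicit bindings or the feature will drop their ARP traffic.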
Physical protection
Proper control of physical access to the workplace will also help prevent ARP poisoning attacks. ARP messages do not travel outside the local network, so potential attackers must be in physical proximity to the victim’s network or already have control of a machine on it. Note that in the case of a wireless network, proximity does not necessarily mean direct physical access: a signal that reaches a yard or parking lot may be enough. Regardless of the type of connection (wired or wireless), a technology such as 802.1X can ensure that only trusted and/or managed devices connect to the network.
Network isolation
A well-segmented network may be less susceptible to ARP cache poisoning in general, since an attack on one subnet does not affect devices on another. Concentrating critical resources on a dedicated network segment with more stringent security measures can greatly reduce the potential impact of an ARP Poisoning attack.
Encryption
Although encryption does not prevent an ARP attack, it can reduce the potential damage. A popular goal of MiTM attacks used to be capturing login credentials, which were once transmitted in plain text. With the rise of SSL/TLS encryption, such attacks have become more difficult to carry out.
Just one of many threats
Although the ARP poisoning technique is much older than many modern forms of malware such as ransomware, ARP poisoning is still a threat that needs to be addressed. As with all other cyber threats, this is best done in an integrated manner. Threat detection and response solutions help you gain insight into your organization’s overall security posture. And solutions like Varonis Edge will detect signs of data leakage after ARP poisoning.