ARP spoofing

What is ARP spoofing (ARP poisoning)?

ARP spoofing is a cyberattack technique where the attacker manipulates the Address Resolution Protocol (ARP) to pretend to be another machine on the local network. ARP spoofing is also called ARP cache poisoning or simply ARP poisoning. This technique is used primarily for man-in-the-middle attacks (MITM attacks). Attackers may also use ARP poisoning attacks for other purposes, such as denial-of-service attacks (DoS attacks) and distributed denial-of-service attacks (DDoS attacks).

Note: ARP spoofing/poisoning is an issue related to network security, not web application security, but it can have a major impact on the security of web servers and web applications.

What is the Address Resolution Protocol (ARP)?

The Address Resolution Protocol (ARP protocol) is a communication protocol at the computer network link layer that translates between the physical address of a network device (MAC address – media access control) and the IP address assigned to it on the local area network (LAN). In simple terms, it tells you the physical address that corresponds to a specified IP address.

All machines connecting to IPv4 networks must use ARP first to learn the physical addresses of other machines, such as the local router. Without ARP, there can be no IPv4 connections.

How does ARP spoofing/ARP poisoning work?

An attacker making an ARP cache poisoning attack tries to inject false information into local area network traffic to redirect connections to their device. If the attacker succeeds, future connections to a specific IP address will be made to an attacker-controlled device because the connection initiator will find this false information in the cache and use it to establish its connection.

Note that the cybersecurity term ARP spoofing means using a fake address in ARP messages, while ARP poisoning means storing a fake address in the ARP cache. While they are two different things, both apply to the same sequence of events and are often discussed together.

Where do ARP poisoning attacks happen?

ARP information is never routed beyond the local subnet, so there is no possibility of an ARP spoofing attack coming from outside the current network. These types of attacks are only a threat if attackers have a way to connect to the same local network as the victim’s machine.

ARP is used both in Ethernet and Wi-Fi networks, so Wi-Fi hotspots could be an easy attack entry point. As long as the attacker can connect to a hotspot (and they can connect like any other user), they can send ARP packets to its network. This is one reason to be extra careful when using your portable devices with free Wi-Fi networks and to never establish insecure (plain-text) connections.

ARP spoofing attack example

Let’s assume that your router has the IP address 192.168.0.1. To connect to the internet, your laptop needs to send IP (Internet Protocol) packets to this address. First, it must know which physical device has this address. The router has the following MAC address: 00-00-00-00-00-01.

Now, let’s say that Nancy is a black-hat hacker:

1. Nancy uses an open-source ARP spoofing tool such as Ettercap to repeatedly inject a large number of fake ARP packets into the local network. These ARP messages pretend to be ARP responses to the non-existent ARP request “what is the MAC address of 192.168.0.1?” and they all say that the address 192.168.0.1 belongs to Nancy’s device with a MAC address of 00-00-00-00-00-2A.
2. When your laptop tries to connect to the Internet, it first checks its local ARP cache to see whether it has the MAC address of the default gateway router. If not, it broadcasts an ARP request to the entire network, asking, “what is the MAC address of 192.168.0.1?” and waits for the ARP reply. Since Nancy is flooding the network with fake responses to this question, your laptop will receive a spoofed ARP reply before it gets a genuine one from the real router. Your ARP cache now contains false routing information associating IP 192.168.0.1 with MAC 00-00-00-00-00-2A.
3. Nancy’s machine connects to your router (00-00-00-00-00-01) and connects you to the internet, so you don’t even know Nancy is there. Your laptop has no way of telling that the machine it is connected to isn’t the router, so it assumes it is the default gateway. The next time your machine tries to make a TCP connection to the default gateway, it will once again check its local cached ARP table. Because this now contains the attacker’s MAC address 00-00-00-00-00-2A, you will keep on connecting to Nancy’s machine.
4. Essentially, Nancy now has access to all unencrypted information that you send to and receive from the internet. For example, if you use a plain-text connection to a company CMS that you use regularly, your browser might send a session cookie with authentication information to log you into the CMS – and Nancy can use such session cookies for session hijacking. Nancy can even provide you with fake DNS entries, causing you to establish unencrypted connections to malicious sites despite entering valid URLs.

How to prevent ARP spoofing attacks?

ARP spoofing attacks are not caused by misconfigurations or vulnerabilities. The real vulnerability lies in the ARP protocol itself, which was designed in the early days of networking, before cybersecurity became a major issue. Since we can’t change the ARP protocol itself, we can only take measures to safeguard networks and machines as much as possible.

To safeguard your local networks:

1. Use static ARP entries. Entries in the local ARP table can be static or dynamic. The example above shows what happens with a dynamic entry. If the entry is marked as static, it does not change on the basis of the ARP response. If you’re not planning to change the MAC address of the router, you can use a static entry in every machine in your network. However, this requires a lot of work initially and just as much work again if you are forced to change the MAC address for some reason (for example, if you need to replace a failed router and the new one does not allow you to change its MAC address).
2. Use packet filtering. If your firewall notices a machine that sends out ARP responses to non-existent ARP requests, alert the administrator and block the machine from access to the network, especially if large numbers of responses are being sent continuously. Unfortunately, the XArp firewall made for that specific purpose is no longer being developed.
3. Use detection software. Use software such as Wireshark, available for both Windows and Linux, to see ARP requests on the network. Use software such as Arpwatch to monitor changes in IP/MAC pairs and receive email alerts about them.
4. Use network devices with ARP spoofing protection. Check with your network hardware vendor if their devices have such functionality and follow the instructions to configure the device accordingly.
5. Use IPv6 in your local networks wherever possible. ARP spoofing/poisoning only applies to IPv4 addresses since IPv6 uses NDP instead.

Note that safeguarding your local network from ARP spoofing won’t prevent other types of attacks, such as IP spoofing or DNS spoofing. Use the following general principles to minimize the negative consequences of such attacks:

1. Enforce encryption wherever possible. Enforce VPN connections to your company resources. Enforce SSL/TLS for your web applications, for example, by using HTTP Strict Transport Security (HSTS). Allow only SSH connections for administrative purposes. Allow only secure SMTP and POP3 connections to your email servers.
2. Educate your users continuously. Make sure they realize that connecting to potentially unsafe free hotspots puts both the company and them personally at risk of attack.