ARP spoofing is a cyberattack technique where the attacker manipulates the Address Resolution Protocol (ARP) to pretend to be another machine on the local network. ARP spoofing is also called ARP cache poisoning or simply ARP poisoning. This technique is used primarily for man-in-the-middle attacks (MITM attacks). Attackers may also use ARP poisoning attacks for other purposes, such as denial-of-service attacks (DoS attacks) and distributed denial-of-service attacks (DDoS attacks).
Note: ARP spoofing/poisoning is an issue related to network security, not web application security, but it can have a major impact on the security of web servers and web applications.
The Address Resolution Protocol (ARP protocol) is a communication protocol at the computer network link layer that translates between the physical address of a network device (MAC address – media access control) and the IP address assigned to it on the local area network (LAN). In simple terms, it tells you the physical address that corresponds to a specified IP address.
All machines connecting to IPv4 networks must use ARP first to learn the physical addresses of other machines, such as the local router. Without ARP, there can be no IPv4 connections.
An attacker making an ARP cache poisoning attack tries to inject false information into local area network traffic to redirect connections to their device. If the attacker succeeds, future connections to a specific IP address will be made to an attacker-controlled device because the connection initiator will find this false information in the cache and use it to establish its connection.
Note that the cybersecurity term ARP spoofing means using a fake address in ARP messages, while ARP poisoning means storing a fake address in the ARP cache. While they are two different things, both apply to the same sequence of events and are often discussed together.
ARP information is never routed beyond the local subnet, so there is no possibility of an ARP spoofing attack coming from outside the current network. These types of attacks are only a threat if attackers have a way to connect to the same local network as the victim’s machine.
ARP is used both in Ethernet and Wi-Fi networks, so Wi-Fi hotspots could be an easy attack entry point. As long as the attacker can connect to a hotspot (and they can connect like any other user), they can send ARP packets to its network. This is one reason to be extra careful when using your portable devices with free Wi-Fi networks and to never establish insecure (plain-text) connections.
Let’s assume that your router has the IP address 192.168.0.1. To connect to the internet, your laptop needs to send IP (Internet Protocol) packets to this address. First, it must know which physical device has this address. The router has the following MAC address: 00-00-00-00-00-01.
Now, let’s say that Nancy is a black-hat hacker:
ARP spoofing attacks are not caused by misconfigurations or vulnerabilities. The real vulnerability lies in the ARP protocol itself, which was designed in the early days of networking, before cybersecurity became a major issue. Since we can’t change the ARP protocol itself, we can only take measures to safeguard networks and machines as much as possible.
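One safeguard that does not depend on changing ARP is to watch for an IP address suddenly being claimed by a different MAC address. The following is an added example, not code from the original article: it parses ARP payloads and flags a binding change for the router address used above. The names `parse_arp` and `ArpWatch`, the laptop address 192.168.0.5 and the MAC 00-00-00-00-00-ff are assumptions made for illustration, and the sample packets are constructed.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 payload for Ethernet/IPv4, 28 bytes

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = "-".join(f"{b:02x}" for b in sha)
    ip = ".".join(str(b) for b in spa)
    return oper, mac, ip

class ArpWatch:
    """Tracks IP-to-MAC bindings and reports any change (hypothetical helper)."""
    def __init__(self, pinned):
        self.pinned = dict(pinned)   # bindings that must never change
        self.seen = {}               # bindings learned from traffic

    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        _oper, mac, ip = parsed
        expected = self.pinned.get(ip) or self.seen.get(ip)
        if expected is None:
            self.seen[ip] = mac      # first sighting: learn it
            return None
        if expected == mac:
            return None
        severity = "critical" if ip in self.pinned else "warning"
        if ip not in self.pinned:
            self.seen[ip] = mac      # may be a DHCP reassignment; keep tracking
        return (severity, ip, expected, mac)

# Constructed sample ARP replies (opcode 2), both claiming 192.168.0.1.
HDR = "0001080006040002"
TARGET = "0000000000aa" + "c0a80005"  # constructed laptop MAC and IP
GENUINE = bytes.fromhex(HDR + "000000000001" + "c0a80001" + TARGET)
FORGED = bytes.fromhex(HDR + "0000000000ff" + "c0a80001" + TARGET)

def demo():
    watch = ArpWatch({"192.168.0.1": "00-00-00-00-00-01"})
    return [watch.observe(p) for p in (GENUINE, FORGED, GENUINE)]

if __name__ == "__main__":
    print(demo())
```

Pinning the router's binding keeps the alert meaningful even if the forged reply is the first one the monitor sees; unpinned hosts only produce warnings because DHCP reassignment can change them legitimately.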
To safeguard your local networks:
Note that safeguarding your local network from ARP spoofing won’t prevent other types of attacks, such as IP spoofing or DNS spoofing. Use the following general principles to minimize the negative consequences of such attacks:
In an ARP spoofing attack, the attacker spoofs MAC (Media Access Control) addresses to pretend to be another machine on the local network. ARP spoofing is mainly used for man-in-the-middle attacks (MITM attacks).
ARP spoofing is not considered very dangerous on its own because it requires the attacker to be connected to the same local network as the victim. To be useful in a man-in-the-middle attack on web assets, it must also be combined with other techniques, such as SSL stripping or SSL hijacking.
ARP spoofing is most likely to succeed against users of public Wi-Fi hotspots. You should always be vigilant when using public networks and use VPN connections whenever possible to avoid most man-in-the-middle attack techniques.
Find out more about how to prevent man-in-the-middle attacks (MITM).