Demystifying ARP Spoofing

What is ARP Poisoning or ARP Spoofing attack?

ARP spoofing attack is an attack in which an attacker sends falsified ARP (Address Resolution Protocol) messages over LAN. As a result, the attacker can link his MAC address with the IP address of a legitimate computer (or server) on the network.

How does it work?

If the attacker manages to link his MAC address to an authentic IP address, he starts receiving any data that can be accessed by that IP address. ARP spoofing allows malicious attackers to intercept, modify or even stop data which is in-transit. ARP spoofing attacks can only occur on local area networks that utilize Address Resolution Protocol.

Effects of the Attack

ARP spoofing attacks can have serious effects on enterprises. At the most basic level, ARP spoofing attacks are used to steal sensitive information from the company. Apart from this, ARP spoofing attacks are often used to facilitate other attacks like:

▪ Denial-of-service attacks: DoS attacks use ARP spoofing to link multiple IP addresses in a LAN with a single target’s MAC address. Due to this, traffic that is meant for different IP addresses will be redirected to the target’s MAC address, thus overloading the target with traffic.

▪ Session hijacking: Session hijacking attacks can make use of ARP spoofing to steal session IDs, thus granting attackers access to private systems and data.

▪ Man-in-the-middle attacks: MITM attacks can use ARP spoofing to intercept and/or modify traffic between two victims.

Attack Procedure

Typically, ARP spoofing attacks follow similar steps which include:

1. First the attacker opens an ARP spoofing tool, and sets the tool’s IP address to match the IP of a target. Some of the popular ARP spoofing softwares include Arpspoof, Arppoison, Cain & Abel and Ettercap.

2. The attacker makes use of the ARP spoofing tool to scan for MAC and IP addresses of hosts in the target’s subnet.

3. The attacker chooses his target and starts sending ARP packets across the LAN which contains the attacker’s MAC address and the victim’s IP address.

4. As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim goes to the attacker instead. From here, the attacker can steal data or launch more sophisticated follow-up attacks.

Detection, Prevention and Protection

Some recommended measures for detecting, preventing and protecting against ARP spoofing attacks:

▪ Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in ARP spoofing prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).

▪ Use ARP spoofing detection software: There are many programs available which can help organisations detect ARP spoofing attacks. These programs basically work by inspecting and certifying data before it is transmitted and blocking the data that appears to be spoofed.

▪ Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster ARP spoofing attack prevention by encrypting data prior to transmission and authenticating data when it is received.

Research by SDS Raju