What is ARP Spoofing?
Table of Contents
- By Greg Brown
- Mar 10, 2023
ARP poisoning takes advantage of the weaknesses in the ARP protocol. ARP spoofing, ARP poison routing, and ARP cache poisoning are all part of the flaw in this communication protocol.
Computer networking involves using layers to separate the significant amount of activities going on behind the scenes. A system of rules, termed communication protocols, transmit information over physical or wireless technologies.
ARP is known as the Address Resolution Protocol, and it was created to resolve MAC addresses into IP addresses. The IP address is known, while the MAC is not. Before any network processes can start, a computer must know the MAC and IP address, and the ARP supports this function.
A networking model, known as the Open Systems Interconnection model, was first developed in the 1970s. The OSI model breaks down the network into layers, each having no control over the other. The model lets IT teams visualize what is going on with the network. The layer system is beneficial when determining which layer affects an application, device, or software installed on the network. The model also gives the group responsible for managing the layer.
ARP has a particular function in the overall landscape of large corporate networks. The mapping procedure is needed because the lengths of IP and MAC addresses are different sizes. A translation is needed for one to understand the other. IP addresses are 32 bits, and MAC is 48; the ARP protocol translates the information so addresses can talk.
ARP is the process that connects IP protocol addresses to their physical fixed machine addresses. This function is also known as a media access control address in a local area network. The ARP protocol works to find matches between the data link layer or MAC address and the IP address.
ARP Spoofing is a malicious attack in which the hacker sends fake ARP messages to a target LAN. This fake message intends to find a link between their MAC address and a legitimate IP address on the LAN. The hacker’s goal is to link a victim’s computer, so any information in and out of that network node is intercepted and sent to the hacker’s IP address.
Four Specific ARP Attacks
ARP Spoofing comes into play as sensitive information is passed between network nodes without the user’s knowledge. ARP poisoning is the gateway to other ARP hacks. The ARP cache is another target of hackers; the ARP cache keeps a list of every MAC and IP address flowing through the network. To combat hackers, the cache is purged regularly to keep addresses safe.
- Man-In-The-Middle (MTM) Attacks. MTM is a type of eavesdropping where the cyber attacker intercepts, alters, and relays messages between two parties, and both have no idea a third party is involved. Attackers control and manipulate messages between a single party or both. Sophisticated software mimics the tone of conversations, making this attack challenging to detect and mitigate. Online banking and e-commerce sites are highly susceptible to MTM attacks. Hackers steal the information behind browsers and create fake sites.
- Denial-of-Service attacks (DoS or DDoS). Attackers overwhelm networks, servers, and stations to deny users from accessing services. DoS attacks exploit known network protocol vulnerabilities. Larger-scale attacks are termed distributed denial-of-service. A significant number of data packets are sent into the network, confusing servers and data lines.
- Session Hijacking. This assault occurs when a hacker acquires a session ID from a user. Once the ID is acquired, the attacker manipulates the user’s web session and masquerades as the user. The attacker gains authority to perform any action on the network the user is authorized for. Session hijackers intercept the authentication process and attack in real-time.
- ARP Poisoning is a type of cyberattack that hackers carry out over a LAN or local area network. This involves malicious ARP packets being sent to a default gateway that changes the pairings from the current online IP address to the new MAC address table.
There are a variety of motives attackers would use with ARP Poisoning, from corporate espionage to the thrill of creating network chaos. One scenario is the attacker uses ARP spoofing to emulate a default gateway for a given subnet mask. This poisoning would steer all traffic to the attacker’s machine instead of the router, after which they can spy, modify, or drop the traffic altogether.
Another scenario is creating a highly noticeable network disruption. The target could be, depriving a business of all services and operating ability. Less skilled attackers will use a DDoS attack for the sheer enjoyment of creating havoc. ARP spoofing is notorious for insider attacks; spoofed messages must originate inside a locally connected network.
The final impact and total cost of ARP spoofing or poisoning may not be known for decades and could devastate online businesses. Traffic destined for a host on a network will be routed to a non-existent location.
Detection and Prevention
Several open-source and commercial software packages exist to detect ARP poisoning. Tools such as arpwatch and X-ARP are helpful in continuously monitoring a network for poisoning. However, checking for ARP problems on the computer being worked on is easy. Type “arp-a” in a command line to display the current IP to MAC address mappings for the computer.
Port security switches have helped with combatting ARP Cache poisoning. There is no chance an attacker will take multiple identities over a network while a port switch is in place. A single MAC address can be configured on a switch using port security.
Dynamic ARP Protection
This security feature validates all ARP packets on a network. It handles ARP packets after inspection and then discards them if a faulty MAC to IP address is found.
The protection also verifies all IP to MAC address before it is sent back into the network. Untrusted devices are held in storage at DHCP.
Hardware and software packages now exist as dynamic ARP protection. Network bundles allow admins to differentiate between trusted and untrusted ports. Software intercepts all ARP requests on untrusted ports before forwarding. Dynamic ARP Protection is a solid defense against man-in-the-middle attacks.