The Address Resolution Protocol (ARP) Spoofing attack, also called ARP Cache Poisoning or ARP Poison Routing, is a technique by which an attacker sends spoofed ARP messages onto a Local Area Network (LAN). It is used to allow the attacker access to incoming internet traffic on a LAN by having their Media Access Control (MAC) Address be linked to the Internet Protocol (IP) Address of another host (usually, the default gateway). Through this, they’re able to receive incoming traffic intended for that IP Address which allows them to intercept the data, modify traffic, or even stop all traffic on the network. Because of this, the technique is often used to open up the possibility of other attacks such as a Denial of Service (DoS) attack, a man in the middle attack, and a session hijacking attack. The success of the attack depends heavily on the attacker gaining direct success to the targeted local network segment and it can only be used on networks which use ARP.
The ARP is a common protocol used for communication to resolve Internet layer addresses into link layer addresses. When a datagram is sent from one device to another on a LAN, the destination Internet Protocol (IP) Address must be changed to a MAC Address for transmission across the data link layer. This is accomplished by a device, whose IP Address is known to the network, sending out a broadcast packet (an ARP Request) to all devices on the local network. The intended recipient of the datagram with the matching IP Address in the request responds to the broadcast with an ARP Reply which contains the MAC Address for the IP.
The protocol is stateless and network hosts automatically cache all ARP Replies they receive regardless of whether network hosts requested them or not. Even replies which have yet to expire will be overwritten by this behavior. As there is no method in the protocol to help authenticate which peer the packet originated from, it is possible to take advantage of the protocol through ARP Spoofing.
Prevention and Mitigation
When it comes to prevention and defenses against ARP Spoofing, there are a few key methods which can be used. For instance, Static ARP entries are some of the simplest forms of certificates for the protocol’s critical services. It focuses on the ARP cache of connected hosts but only prevents the simplest forms attacks and cannot be used on larger networks since the mapping has to be set for each pair of machines. This means that on every machine, there must be an ARP entry for every other machine. Having an IP Address-to-MAC Address mapping statically entered in the local ARP cache of these machines means that they can ignore all ARP Replies and have some security against spoofing attacks if the operating system utilizes them correctly. However, there is a significant increase in maintenance effort as address mappings will need to be distributed to all systems on the network.
There is also software specifically designed to detect and prevent ARP Spoofing attacks which usually relies on some form of certification or cross-checking ARP responses for authentication. This allows networks to block ARP Replies through this software, which may also be sometimes integrated onto a Dynamic Host Configuration Protocol (DHCP) server as well to certify its dynamic and static IP Addresses. Typically, the software is integrated into an individual host on the network, the network’s ethernet switch, or some other node on the network to be functional. Through this software, they can identify any mapping which has multiple IP Address to one MAC Address as a spoofing attack even though they are legitimate uses of such a setup. Another method utilized by software is to have a device listen for ARP Replies on the network and send an email whenever it notices an ARP entry changes. Finally, operating systems offer their own means of security against these attacks depending on the system in use. Linux ignores unsolicited replies but uses responses of requests from other machines to update its own cache. Solaris accepts updates on entries only after they have timed out and Windows allows various different configurations through the registry.
While there’s no doubt that ARP Spoofing is harmful, there can actually be some good to be had from the technique. Through its vulnerability, network administrators can use it to develop some level of redundancy of network services, for example. For instance, some software allows a backup server to issue a gratuitous ARP request in order to take over a defective server’s duties and transparently offer redundancy.
Another case is developers using it to debug IP traffic between two hosts on the network when a switch is in use. Typically, if the two nodes are communicating through a switch on a network, the traffic would be secure and invisible to anyone else on the network; however, if the developer configures each node to have their MAC Address for the other node they were communicating to instead of the correct node’s, while also configuring their own node to forward packets, they can now monitor the traffic between the two nodes like a man-in-the-middle attack.