ARP spoofing, also known as
ARP cache poisoning or
ARP poison routing (APR), is a technique used to attack a local-area network (LAN). ARP spoofing may allow an attacker to intercept
data frameIn computer networking and telecommunication, a frame is a digital data transmission unit or data packet that includes frame synchronization, i.e. a sequence of bits or symbols making it possible for the receiver to detect the beginning and end of the packet in the stream of symbols or bits...
s on a LAN, modify the traffic, or stop the traffic altogether. The attack can only be used on networks that make use of the
Address Resolution ProtocolAddress Resolution Protocol is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37...
(ARP) and not another method of address resolution.
Principle
The principle of ARP spoofing is to send fake, or
spoofedIn the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
, ARP messages onto a LAN. Generally, the aim is to associate the attacker's
MAC addressA Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
with the
IP addressAn Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
of another
hostA network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address....
(such as the
default gatewayIn computer networking, a gateway is a node on a TCP/IP network that serves as an access point to another network. A default gateway is the node on the computer network that the network software uses when an IP address does not match any other routes in the routing table.In home computing...
).
Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (interception) or modify the data before forwarding it (
man-in-the-middle attackIn cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...
). The attacker could also launch a
denial-of-service attackA denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.
A
denial-of-service attackA denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
may be executed if the attacker is able to use ARP snooping to associate an alternate MAC address with the IP address of the default gateway. Denied access to the gateway in this way, nothing outside the LAN will be reachable by hosts on the LAN.
ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.
Legitimate usage
ARP spoofing can also be used for legitimate purposes. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. This technique is used in hotels and other semi-public networks to allow traveling laptop users to access the Internet through a device known as a head end processor (HEP).
ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over for a defective server and transparently offer redundancy.
Operating System Approaches
- Static ARP entries: entries in the local ARP cache can be defined as static to prevent overwrite. While static entries provide perfect security against spoofing if the operating systems handles them correctly, they result in quadratic maintenance efforts as IP-MAC mappings of all machines in the network have to be distributed to all other machines.
- OS security: Operating systems react differently, e.g. Linux ignores unsolicited replies, but on the other hand uses seen requests from other machines to update its cache. Solaris only accepts updates on entries after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, namely ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, ArpRetryCount.
The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines resulting in (n*n) ARP caches that have to be configured.
Software Approaches
- ArpON
ArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
: Portable handler daemon for securing ARP against spoofing, cache poisoning or poison routing attacks in static, dynamic and hybrid networks.
- Agnitum Outpost Firewall: Reply only accepted if request sent.
- AntiARP: Windows-based spoofing prevention in kernel.
- Anticap: Kernel patch for Linux 2.2/2.4, FreeBSD 4.6, NetBSD 1.5, prevents mapping being overwritten (no longer available).
- Antidote: Linux daemon, monitors mappings, unusually large number of ARP packets.
- Arp_Antidote: Linux Kernel Patch for 2.4.18 - 2.4.20, watches mappings, can define action to take when.
- Arpalert: Predefined list of allowed MAC addresses, alert if MAC that is not in list.
- ArpStar: Linux module for kernel 2.6 and Linksys router, drops invalid packets that violate mapping, option to repoison/heal.
- Arpwatch/ArpwatchNG/Winarpwatch: Keep mappings of IP-MAC pairs, report changes via Syslog, Email.
- remarp: Remote Arpwatch, SNMP-based monitoring, mapping changes.
- Colasoft Capsa: Alert ARP storms, imbalance on ARP request/response.
- Prelude IDS: ArpSpoof plugin, basic checks on addresses.
- SnoopNetCop: minitors local ARP cache (no longer available).
- Snort: Snort preprocessor Arpspoof, performs basic checks on addresses
- XArp: Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.
Defenses against ARP spoofing generally rely on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via
emailElectronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
when an ARP entry changes.
Hardware Approaches
- Virtual LANs: VLANs separate the broadcast domains of the network. ARP is only operated in each VLAN separately. This enables to build up VLANs based on threat levels.
- Port security: High-end switches have built-in security features where MAC addresses are bound to specific switch ports.
- ARPDefender: A hardware applicance running ARPwatch.
- ARPGuard: A hardware appliance that performs ARP detection.
Some switch vendors have devised a defense against this form of attack that imposes very strict control over what
ARPAddress Resolution Protocol is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37...
packets are allowed into the network. The feature is known as ARP Security or Dynamic ARP Inspection.
Defense
- ArpON
ArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
- ARP handler inspection
- anti-arpspoof
- ARPDefender appliance
- Arpwatch
arpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a computer network. It generates a log of observed pairing of IP addresses with MAC addresses along with a timestamp when the pairing appeared on the network...
- XArp
Spoofing
Some of the tools that can be used to carry out ARP spoofing attacks:
- Arpspoof (part of the DSniff
Dsniff is a password sniffer written by Dug Song and a package of utilities that parse many different application protocols and extract interesting information....
suite of tools)
- Arpoison
- Ettercap
Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows...
- Cain&Abel
- Seringe
- ARP-FILLUP -V0.1
- arp-sk -v0.0.15
- ARPOc -v1.13
- arpalert -v0.3.2
- arping -v2.04
- arpmitm -v0.2
- arpoison -v0.5
- ArpSpyX -v1.1
- ArpToXin -v 1.0
- SwitchSniffer
See also
- ArpON
ArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
- Static ARP Inspection
- Dynamic ARP Inspection
- Hybrid ARP Inspection
- Netcat
Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts...
- arping
arping is a computer software tool that is used to discover hosts on a computer network. The program tests whether a given IP address is in use on the local network, and can get additional information about the device using that address....
- Arpwatch
arpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a computer network. It generates a log of observed pairing of IP addresses with MAC addresses along with a timestamp when the pairing appeared on the network...
- arptables
The arptables computer software utility is a network administrator's tool for maintaining the Address Resolution Protocol packet filter rules in the Linux kernel firewall modules....
External links