A successful ARP spoofing attack allows an attacker to alter routing on a network, effectively allowing for a man-in-the-middle attack.

ARP spoofing[1] is a computer hacking technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.[2]

The attack can only be used on networks that make use of the Address Resolution Protocol (ARP), and is limited to local network segments.[3]

Contents

Vulnerabilities of the Address Resolution Protocol [link]

Main article: Address Resolution Protocol

The Address Resolution Protocol (ARP) is a widely used protocol for resolving network layer addresses into link layer addresses.[4]

When an Internet Protocol (IP) datagram is sent from one host to another on a local area network, the destination IP address must be converted into a MAC address for transmission via the data link layer.[3] When another host's IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply, which contains the MAC address for that IP.[3]

ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether or not they requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. This behavior is the vulnerability which allows ARP spoofing to occur.[2][3]

Anatomy of an ARP spoofing attack [link]

The basic principle behind ARP spoofing is to exploit the above mentioned vulnerabilities in the ARP protocol by sending spoofed, ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

Generally, the goal of the attack is to associate the attacker's MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's MAC instead. The attacker could then choose to:

  1. Inspect the packets, and forward the traffic to the actual default gateway (interception)
  2. Modify the data before forwarding it (man-in-the-middle attack).
  3. Launch a denial-of-service attack by causing some or all of the packets on the network to be dropped

Defenses [link]

Static ARP entries [link]

IP-to-MAC mappings in the local ARP cache can be statically defined, and then hosts can be directed to ignore all ARP reply packets.[5] While static entries provide perfect security against spoofing if the operating systems handles them correctly, they result in quadratic maintenance efforts as IP-MAC mappings of all machines in the network have to be distributed to all other machines.[citation needed]

ARP spoofing detection software [link]

Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via email when an ARP entry changes.[citation needed]

OS security [link]

Operating systems react differently, e.g. Linux ignores unsolicited replies, but on the other hand uses seen requests from other machines to update its cache. Solaris only accepts updates on entries after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, ArpRetryCount[6].

AntiARP[7] also provides Windows-based spoofing prevention at the kernel level. ArpStar is a Linux module for kernel 2.6 and Linksys routers, which drops invalid packets that violate mapping, and contains an option to repoison/heal.

The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines resulting in (n*n) ARP caches that have to be configured.[citation needed]

Legitimate usage [link]

ARP spoofing can also be used for legitimate purposes. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. This technique is used in hotels and other semi-public networks to allow traveling laptop users to access the Internet through a device known as a head end processor (HEP).[citation needed]

ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over for a defective server and transparently offer redundancy.[citation needed]

See also [link]

Tools [link]

Defense [link]

  • anti-arpspoof[8]
  • Arpwatch
  • ArpON: Portable handler daemon for securing ARP against spoofing, cache poisoning or poison routing attacks in static, dynamic and hybrid networks.
  • Antidote[9]: Linux daemon, monitors mappings, unusually large number of ARP packets.
  • Arp_Antidote[10]: Linux Kernel Patch for 2.4.18 - 2.4.20, watches mappings, can define action to take when.
  • Arpalert: Predefined list of allowed MAC addresses, alert if MAC that is not in list.
  • Arpwatch/ArpwatchNG/Winarpwatch: Keep mappings of IP-MAC pairs, report changes via Syslog, Email.
  • Prelude IDS: ArpSpoof plugin, basic checks on addresses.
  • Snort: Snort preprocessor Arpspoof, performs basic checks on addresses
  • XArp[11]: Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.

Spoofing [link]

Some of the tools that can be used to carry out ARP spoofing attacks:

Name OS GUI Free Protection Per interface Active/passive
Agnitum Outpost Firewall Windows Yes No Yes No passive
AntiARP Windows Yes No Yes No active+passive
Antidote Linux No Yes No ? passive
Arp_Antidote Linux No Yes No ? passive
Arpalert Linux No Yes No Yes passive
ArpON Linux/Mac/BSD No Yes Yes Yes active+passive
ArpStar Linux No Yes Yes ? passive
Arpwatch Linux No Yes No ? passive
ArpwatchNG Linux No Yes No No passive
Colasoft Capsa Windows Yes No No Yes no detection, only analysis with manual inspection
Prelude IDS ? ? ? ? ? ?
remarp Linux No Yes No No passive
Snort Windows/Linux No Yes No Yes passive
Winarpwatch Windows No Yes No No passive
XArp[14] Windows, Linux Yes Yes (+pro version) Yes (Linux, pro) Yes active + passive
Seconfig XP Windows 2000/XP/2003 only Yes Yes Yes No only activates protection built-in some versions of Windows

References [link]

 This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. (January 2012)
  1. ^ Also known as ARP cache poisoning or ARP poison routing(APR)
  2. ^ a b Ramachandran, Vivek & Nandi, Sukumar (2005). "Detecting ARP Spoofing: An Active Technique". In Jajodia, Suchil & Mazumdar, Chandan. Information systems security: first international conference, ICISS 2005, Kolkata, India, December 19-21, 2005 : proceedings. Birkhauser. p. 239. ISBN 978-3-540-30706-8. https://books.google.com/books?id=4LmERFxBzSUC&pg=PA239. 
  3. ^ a b c d Lockhart, Andrew (2007). Network security hacks. O'Reilly. p. 184. ISBN 978-0-596-52763-1. https://books.google.com/books?id=6weH75ATpbUC&pg=PA184. 
  4. ^ ARP was defined by RFC 826 in 1982.
  5. ^ Lockhart, Andrew (2007). Network security hacks. O'Reilly. p. 186. ISBN 978-0-596-52763-1. https://books.google.com/books?id=6weH75ATpbUC&pg=PA186. 
  6. ^ https://technet.microsoft.com/en-us/library/cc940021.aspx
  7. ^ AntiARP
  8. ^ anti-arpspoof
  9. ^ Antidote
  10. ^ Arp_Antidote
  11. ^ XArp
  12. ^ "Seringe - Statically Compiled ARP Poisoning Tool". https://www.securiteam.com/tools/5QP0I2AC0I.html. Retrieved 2011-05-03. 
  13. ^ a b c d e f g h i j "ARP Vulnerabilities: The Complete Documentation". l0T3K. https://www.l0t3k.org/security/tools/arp/. Retrieved 2011-05-03. 
  14. ^ XArp

External links [link]


https://wn.com/ARP_spoofing

Podcasts:

Email this Page Play all in Full Screen Show More Related Videos
PLAYLIST TIME:
×
×
×
×