ARP spoofing
Encyclopedia
ARP spoofing, also known as ARP cache poisoning or ARP poison routing (APR), is a technique used to attack a local-area network (LAN). ARP spoofing may allow an attacker to intercept data frame
s on a LAN, modify the traffic, or stop the traffic altogether. The attack can only be used on networks that make use of the Address Resolution Protocol
(ARP) and not another method of address resolution.
, ARP messages onto a LAN. Generally, the aim is to associate the attacker's MAC address
with the IP address
of another host
(such as the default gateway
).
Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (interception) or modify the data before forwarding it (man-in-the-middle attack
). The attacker could also launch a denial-of-service attack
against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.
A denial-of-service attack
may be executed if the attacker is able to use ARP snooping to associate an alternate MAC address with the IP address of the default gateway. Denied access to the gateway in this way, nothing outside the LAN will be reachable by hosts on the LAN.
ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.
ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over for a defective server and transparently offer redundancy.
The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines resulting in (n*n) ARP caches that have to be configured.
Defenses against ARP spoofing generally rely on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via email
when an ARP entry changes.
Some switch vendors have devised a defense against this form of attack that imposes very strict control over what ARP
packets are allowed into the network. The feature is known as ARP Security or Dynamic ARP Inspection.
Data frame
In computer networking and telecommunication, a frame is a digital data transmission unit or data packet that includes frame synchronization, i.e. a sequence of bits or symbols making it possible for the receiver to detect the beginning and end of the packet in the stream of symbols or bits...
s on a LAN, modify the traffic, or stop the traffic altogether. The attack can only be used on networks that make use of the Address Resolution Protocol
Address Resolution Protocol
Address Resolution Protocol is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37...
(ARP) and not another method of address resolution.
Principle
The principle of ARP spoofing is to send fake, or spoofedSpoofing attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.- Spoofing and TCP/IP :...
, ARP messages onto a LAN. Generally, the aim is to associate the attacker's MAC address
MAC address
A Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
with the IP address
IP address
An Internet Protocol address is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing...
of another host
Host (network)
A network host is a computer connected to a computer network. A network host may offer information resources, services, and applications to users or other nodes on the network. A network host is a network node that is assigned a network layer host address....
(such as the default gateway
Default gateway
In computer networking, a gateway is a node on a TCP/IP network that serves as an access point to another network. A default gateway is the node on the computer network that the network software uses when an IP address does not match any other routes in the routing table.In home computing...
).
Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (interception) or modify the data before forwarding it (man-in-the-middle attack
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...
). The attacker could also launch a denial-of-service attack
Denial-of-service attack
A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.
A denial-of-service attack
Denial-of-service attack
A denial-of-service attack or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users...
may be executed if the attacker is able to use ARP snooping to associate an alternate MAC address with the IP address of the default gateway. Denied access to the gateway in this way, nothing outside the LAN will be reachable by hosts on the LAN.
ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.
Legitimate usage
ARP spoofing can also be used for legitimate purposes. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network. This technique is used in hotels and other semi-public networks to allow traveling laptop users to access the Internet through a device known as a head end processor (HEP).ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over for a defective server and transparently offer redundancy.
Operating System Approaches
- Static ARP entries: entries in the local ARP cache can be defined as static to prevent overwrite. While static entries provide perfect security against spoofing if the operating systems handles them correctly, they result in quadratic maintenance efforts as IP-MAC mappings of all machines in the network have to be distributed to all other machines.
- OS security: Operating systems react differently, e.g. Linux ignores unsolicited replies, but on the other hand uses seen requests from other machines to update its cache. Solaris only accepts updates on entries after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, namely ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, ArpRetryCount.
The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines resulting in (n*n) ARP caches that have to be configured.
Software Approaches
- ArpONArpONArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
: Portable handler daemon for securing ARP against spoofing, cache poisoning or poison routing attacks in static, dynamic and hybrid networks. - Agnitum Outpost Firewall: Reply only accepted if request sent.
- AntiARP: Windows-based spoofing prevention in kernel.
- Anticap: Kernel patch for Linux 2.2/2.4, FreeBSD 4.6, NetBSD 1.5, prevents mapping being overwritten (no longer available).
- Antidote: Linux daemon, monitors mappings, unusually large number of ARP packets.
- Arp_Antidote: Linux Kernel Patch for 2.4.18 - 2.4.20, watches mappings, can define action to take when.
- Arpalert: Predefined list of allowed MAC addresses, alert if MAC that is not in list.
- ArpStar: Linux module for kernel 2.6 and Linksys router, drops invalid packets that violate mapping, option to repoison/heal.
- Arpwatch/ArpwatchNG/Winarpwatch: Keep mappings of IP-MAC pairs, report changes via Syslog, Email.
- remarp: Remote Arpwatch, SNMP-based monitoring, mapping changes.
- Colasoft Capsa: Alert ARP storms, imbalance on ARP request/response.
- Prelude IDS: ArpSpoof plugin, basic checks on addresses.
- SnoopNetCop: minitors local ARP cache (no longer available).
- Snort: Snort preprocessor Arpspoof, performs basic checks on addresses
- XArp: Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.
Defenses against ARP spoofing generally rely on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via email
Email
Electronic mail, commonly known as email or e-mail, is a method of exchanging digital messages from an author to one or more recipients. Modern email operates across the Internet or other computer networks. Some early email systems required that the author and the recipient both be online at the...
when an ARP entry changes.
Hardware Approaches
- Virtual LANs: VLANs separate the broadcast domains of the network. ARP is only operated in each VLAN separately. This enables to build up VLANs based on threat levels.
- Port security: High-end switches have built-in security features where MAC addresses are bound to specific switch ports.
- ARPDefender: A hardware applicance running ARPwatch.
- ARPGuard: A hardware appliance that performs ARP detection.
Some switch vendors have devised a defense against this form of attack that imposes very strict control over what ARP
Address Resolution Protocol
Address Resolution Protocol is a telecommunications protocol used for resolution of network layer addresses into link layer addresses, a critical function in multiple-access networks. ARP was defined by RFC 826 in 1982. It is Internet Standard STD 37...
packets are allowed into the network. The feature is known as ARP Security or Dynamic ARP Inspection.
Defense
- ArpONArpONArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
- ARP handler inspection - anti-arpspoof
- ARPDefender appliance
- ArpwatchArpwatcharpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a computer network. It generates a log of observed pairing of IP addresses with MAC addresses along with a timestamp when the pairing appeared on the network...
- XArp
Spoofing
Some of the tools that can be used to carry out ARP spoofing attacks:- Arpspoof (part of the DSniffDSniffDsniff is a password sniffer written by Dug Song and a package of utilities that parse many different application protocols and extract interesting information....
suite of tools) - Arpoison
- EttercapEttercap (computing)Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows...
- Cain&Abel
- Seringe
- ARP-FILLUP -V0.1
- arp-sk -v0.0.15
- ARPOc -v1.13
- arpalert -v0.3.2
- arping -v2.04
- arpmitm -v0.2
- arpoison -v0.5
- ArpSpyX -v1.1
- ArpToXin -v 1.0
- SwitchSniffer
See also
- ArpONArpONArpON is a computer software project to improve network security.-Motivation:The Address Resolution Protocol has security issues. These include the Man In The Middle attack through ARP Spoofing, ARP Cache Poisoning or ARP Poison Routing attacks...
- Static ARP Inspection
- Dynamic ARP Inspection
- Hybrid ARP Inspection
- NetcatNetcatNetcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used directly or easily driven by other programs and scripts...
- arpingArpingarping is a computer software tool that is used to discover hosts on a computer network. The program tests whether a given IP address is in use on the local network, and can get additional information about the device using that address....
- ArpwatchArpwatcharpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a computer network. It generates a log of observed pairing of IP addresses with MAC addresses along with a timestamp when the pairing appeared on the network...
- arptablesArptablesThe arptables computer software utility is a network administrator's tool for maintaining the Address Resolution Protocol packet filter rules in the Linux kernel firewall modules....