Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique for attacking a wired or wireless Ethernet network. ARP spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack only works on networks that actually use ARP for address resolution, not some other method.
The principle of ARP spoofing is to send fake, or "spoofed", ARP messages onto an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address is then mistakenly sent to the attacker instead. The attacker can then choose to forward the traffic to the real default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker can also launch a denial-of-service attack against a victim by associating a nonexistent MAC address with the IP address of the victim's default gateway.
ARP spoofing attacks can be run from a compromised host, or from an attacker's machine that is connected directly to the target Ethernet segment.
Application
ARP is a Layer 2 protocol. ARP requests are broadcast traffic, while legitimate ARP replies are unicast. ARP was not designed to perform any validation of the identity of the sender of a message. While ARP spoofing can occur in the course of a legitimate ARP transaction, creating a race condition with the real reply, the most common attack method is the distribution of unsolicited ARP replies, which the receiving hosts cache, poisoning their ARP caches.
Defenses
An open source solution is ArpON "Arp handler inspectiON". It is a portable ARP handler which detects and blocks all ARP poisoning and spoofing attacks with a static ARP inspection (SARPI) and dynamic ARP inspection (DARPI) approach on switched or hubbed LANs with or without DHCP.
Another method, DHCP snooping, can be used on larger networks. The DHCP snooping feature on the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect when a spoofed ARP message has been received. This method is implemented on networking equipment by vendors such as Cisco, ProCurve, Extreme Networks, D-Link and Allied Telesis.
Detection is another avenue of defense against ARP spoofing. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. Under Windows, the GUI-driven software XArp v2 is available. XArp performs ARP packet inspection on a per-network-interface basis with configurable inspection filters and active verification modules. anti-arpspoof creates static ARP entries in the client and default gateway cache, and cleans poisoned dynamic entries.
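The two detection ideas above (flagging unsolicited replies, and alerting when a known IP address suddenly answers from a different MAC address, as arpwatch does) are shown in the added example below. This is illustrative code written for this page, not arpwatch's or XArp's own implementation; it assumes IPv4-over-Ethernet ARP, and the MAC and IP addresses in `demo()` are constructed.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2
mac = lambda s: bytes.fromhex(s.replace(":", ""))
ip = lambda s: bytes(map(int, s.split(".")))
def build_arp(op, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet II + ARP frame (IPv4 over Ethernet); used only to construct test traffic."""
    dst = mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac(tha)
    return (dst + mac(sha) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)  # 0x0806 = EtherType ARP
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))
def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": frame[22:28].hex(":"), "spa": ".".join(map(str, frame[28:32])),
            "tha": frame[32:38].hex(":"), "tpa": ".".join(map(str, frame[38:42]))}
class ArpMonitor:
    """arpwatch-style observer: learns IP->MAC from replies and records anomalies in self.alerts."""
    def __init__(self):
        self.table = {}        # IP -> MAC learned from ARP replies
        self.pending = set()   # (asker IP, asked-for IP) of requests not yet answered
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["spa"], arp["tpa"]))
            return
        # A reply nobody asked for is the unsolicited-response delivery the text describes.
        if (arp["tpa"], arp["spa"]) in self.pending:
            self.pending.discard((arp["tpa"], arp["spa"]))
        else:
            self.alerts.append(("unsolicited reply", arp["spa"], arp["sha"]))
        # A known IP suddenly answering from another MAC is the change arpwatch mails about.
        old = self.table.get(arp["spa"])
        if old is not None and old != arp["sha"]:
            self.alerts.append(("mac changed", arp["spa"], old, arp["sha"]))
        self.table[arp["spa"]] = arp["sha"]

def demo():  # constructed traffic: legitimate request/reply for the gateway, then a spoofed reply
    gw, client, rogue = "aa:bb:cc:dd:ee:01", "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    m = ArpMonitor()
    m.observe(build_arp(ARP_REQUEST, client, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"))
    m.observe(build_arp(ARP_REPLY, gw, "192.168.1.1", client, "192.168.1.10"))
    m.observe(build_arp(ARP_REPLY, rogue, "192.168.1.1", client, "192.168.1.10"))
    return m.alerts
```

On a real network the frames would come from a raw socket or pcap capture instead of `build_arp`; note that gratuitous ARP sent by legitimate hosts will also trip the unsolicited-reply check, so that alert is a signal to investigate rather than proof of an attack.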
Checking for the existence of MAC address cloning may uncover an ARP spoof attack, although there are legitimate uses of MAC address cloning. Reverse ARP (RARP) is a protocol used to query the IP address(es) associated with a given MAC address. If more than one IP address is returned, MAC cloning is present.
A simple defense that only works against simple ARP spoofing attacks is the use of static IP-to-MAC mappings. However, this only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in n×n ARP cache entries that have to be configured.
Legitimate usage
ARP spoofing can also be used for legitimate reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network.
Another legitimate implementation of ARP spoofing is used in hotels to allow traveling laptop users to access the Internet from their room, using a device known as a head end processor (HEP), regardless of their IP address.
ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over a defective server and transparently offer redundancy.
ARP spoofing tools
Arpspoof (part of the DSniff suite of tools), Arpoison, Cain and Abel, and Ettercap are some of the tools that can be used to carry out ARP poisoning attacks.
Other ARP spoofing tools include Seringe,[1] ARP-FILLUP v0.1, Aarp-sk v0.0.15, ARPOc v1.13, arpalert v0.3.2, arping v2.04, arpmitm v0.2, arpoison v0.5, ArpSpyX v1.1 and ArpToXin v1.0.[2]
External links
- free anti-arpspoof
- ArpON home page
- Quick Detect ARP Poisoning/Spoofing Live Demo
- Introduction to APR (Arp Poison Routing) by MAO
- ARPDefender - Hardware ARP Spoofing detection appliance
- GRC's Arp Poisoning Explanation
- XArp2 ARP spoofing detection tool performing packet inspection using active and passive methods
- AntiARP - Professional defence ARP spoof/poison/attack
- arptables, and ARP poisoning
- ARP spoofing simulation