A Few Facts
ARP spoofing is one of the most dangerous man-in-the-middle (MITM) attacks a hacker can inflict on a network.
ARP stands for address resolution protocol. It maps the IP address to the MAC address of your network device.
Hackers have leveraged this weakness in the ARP protocol to poison legitimate data transmission sessions since the protocol’s inception in the 1980s.
Each machine on the internet has a unique IP and MAC address.
ARP spoofing attacks are notoriously carried out over a Local Area Network (LAN) connection.
How It All Starts
Each computer connected to a network has an ARP table.
Spoofing allows the attacker to intercept communications between network devices. Credit card information, passwords, banking information, and just about any other compromising information traveling on the network are potential targets of this kind of attack.
Let’s Break This Down Further…
The Internet Protocol address (known as the IP address) is assigned to a computer to facilitate communication with other computers across the internet. The media access control (MAC) address is a 48-bit globally unique identifier assigned (hard-coded) to the communications devices used by your computing equipment.
MAC addresses are unique by design; it is highly unlikely that two devices will have the same MAC address. MAC addresses are issued by the different device manufacturers, including Dell, Cisco, Nortel, and Belkin. Interested in knowing the manufacturer behind your MAC address? Use macvendors.com to find your match.
Consider This Scenario…
Two computers (A and B) need to complete some form of communication transaction: Computer A needs to communicate with Computer B. However, Computer A sits on subnet-1 while Computer B is located on a different subnet.
Under Normal Circumstances…
Computer A would use the Address Resolution Protocol (ARP, a stateless protocol for resolving IP addresses to computers’ MAC addresses) to look up Computer B’s MAC address and IP information in its table.
Why? Because Fetching From The Local Cache Is Faster, And Faster Is Better.
Here’s What Happens Next
If, by some chance, a previous communication session was established in the past, Computer B’s address is found and the connection is established. Otherwise, if Computer B’s MAC address is not found in Computer A’s cache table, an ARP request (think of this as a howl from a wolf) is broadcast over the entire network (subnet-1). This ARP request will also include the IP address of the gateway device.
Accordingly, all of the machines attached to that network (subnet-1) will hear the ARP request (the pack hears the howl!) and see the message’s header.
Just like a wolf’s howl, an ARP request causes devices on the network to compare the broadcast message against their local ARP cache tables in search of a match. Because Computer B is on a different network, the gateway device (a router) takes ownership of the message and replies to Computer A with a confirmation message.
In plain English, the confirmation would translate to something along these lines: “Hey, this is me, Mr. Router! I’ve got Computer B’s information, and I can safely dispatch your message since I am the only bridge that connects the two of you. You are clear to send.”
Satisfied with this response, Computer A transmits the entire IP packet to the gateway, to be eventually routed to Computer B. When Computer B gets the message, it compares the ARP request with its own IP and MAC address information. Once a match is found, as intended, Computer B generates an Address Resolution Protocol (ARP) reply (an all-good signal) to the requesting computer.
Computer A (the requesting computer) then stores Computer B’s address in its local ARP table (so that it does not have to run a new query in the future) and opens the communication session.
Because machines operating on the same network segment have a trust relationship that pre-validates all packets sent within their broadcast domain as legitimate, an attacker can join a transmission session under the guise of being a legitimate communicator and inflict havoc at will.
ARP spoofing attacks can be launched with third-party programs and tools like VMware Workstation, Kali Linux, the Ettercap tool, or other custom-built tools using a bash shell or the Windows command prompt. Check Tutorials Point for more information on how these tools can be used (in an ethical manner) with ARP poisoning.
Building on our previous scenario, for ARP poisoning to occur, a bad actor (the man-in-the-middle) with a “Computer C” would have to insert himself into the transmission link and perform the following three actions:
- The attacker (Computer C) sends a false ARP reply message to Computer A, pretending to be the default network gateway.
- Computer A then updates its local cache (ARP table) to reflect the new information from the attacker’s computer (Computer C).
- Equipped with full access and visibility into the network traffic between Computer A and the network gateway, the attacker can modify packets before forwarding them to their real destination. At this point, your guess is as good as mine. The caches of Computer A, the gateway (router), and Computer B are poisoned, and all three are pretty much at the hacker’s mercy. Denial-of-service and session hijacking are just a few of the many attacks the attacker can mount at this stage.
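The exchange described under “Here’s What Happens Next” and the three poisoning steps above can both be watched for on the wire. The following is an added example written for this page, not code from the original article or from any tool it names: it decodes IPv4-over-Ethernet ARP frames field by field (the RFC 826 layout: hardware type, protocol type, address lengths, opcode, sender and target addresses) and runs them through a small passive monitor in the spirit of arpwatch. The monitor learns the first MAC seen for each sender IP and raises two signals that match the attack steps: a reply for an IP that nobody requested (the false reply Computer C volunteers), and a sender IP whose MAC no longer matches the first-seen binding (the poisoned entry). The frames, addresses and the `ArpMonitor`/`parse_arp_frame` names are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# RFC 826 constants: EtherType for ARP, Ethernet hardware type, IPv4 protocol type, opcodes.
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is not one."""
    if len(frame) < 14 + 28:             # 14-byte Ethernet header + 28-byte ARP body
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    body = frame[22:42]                   # sha(6) spa(4) tha(6) tpa(4)
    return ArpPacket(opcode, _fmt_mac(body[0:6]), _fmt_ip(body[6:10]),
                     _fmt_mac(body[10:16]), _fmt_ip(body[16:20]))


class ArpMonitor:
    """Passive IP -> MAC binding tracker (arpwatch-style; hypothetical class for this example).

    Gratuitous ARP after DHCP or failover legitimately triggers the "unsolicited"
    signal, so treat alerts as leads to correlate, not proof on their own.
    """

    def __init__(self) -> None:
        self.bindings = {}    # first-seen sender IP -> MAC
        self.pending = set()  # target IPs seen in requests, awaiting a reply

    def observe(self, pkt: ArpPacket) -> List[str]:
        alerts = []
        if pkt.opcode == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
        elif pkt.opcode == ARP_REPLY:
            if pkt.sender_ip in self.pending:
                self.pending.discard(pkt.sender_ip)
            else:
                alerts.append(f"unsolicited reply for {pkt.sender_ip} from {pkt.sender_mac}")
        known = self.bindings.setdefault(pkt.sender_ip, pkt.sender_mac)
        if known != pkt.sender_mac:
            # Keep the first-seen binding so every further spoofed reply keeps alerting.
            alerts.append(f"binding change for {pkt.sender_ip}: {known} -> {pkt.sender_mac}")
        return alerts


# Constructed sample frames with placeholder addresses: Computer A is 192.168.1.10 /
# aa:aa:aa:aa:aa:01, the real gateway is 192.168.1.1 / 00:11:22:33:44:01 and
# "Computer C" is cc:cc:cc:cc:cc:03. Layout: dst | src | 0806 | htype ptype hlen plen op | sha spa tha tpa
SAMPLE_FRAMES = [
    # 1. Computer A broadcasts "who has 192.168.1.1?"
    bytes.fromhex("ffffffffffff aaaaaaaaaa01 0806 0001 0800 06 04 0001 "
                  "aaaaaaaaaa01 c0a8010a 000000000000 c0a80101"),
    # 2. The real gateway answers Computer A
    bytes.fromhex("aaaaaaaaaa01 001122334401 0806 0001 0800 06 04 0002 "
                  "001122334401 c0a80101 aaaaaaaaaa01 c0a8010a"),
    # 3. Computer C sends an unsolicited reply claiming 192.168.1.1 (the poisoning step)
    bytes.fromhex("aaaaaaaaaa01 cccccccccc03 0806 0001 0800 06 04 0002 "
                  "cccccccccc03 c0a80101 aaaaaaaaaa01 c0a8010a"),
]


def run_demo() -> List[str]:
    """Feed the constructed frames through the monitor and return every alert raised."""
    monitor = ArpMonitor()
    alerts = []
    for frame in SAMPLE_FRAMES:
        pkt = parse_arp_frame(frame)
        if pkt is not None:               # skip non-ARP or malformed frames
            alerts.extend(monitor.observe(pkt))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

The first two frames are the normal request/reply from the scenario and produce no alert; the third is the false reply from step one of the attack and produces both signals at once. In a real deployment the frames would come from a packet capture on a mirror port rather than from the embedded list.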
Why Is This Even Possible?
The ARP protocol was designed purely for efficiency and not for security.
Radware. (n.d.). ARP poisoning — ARP poisoning protection. Current DDoS Attacks: Recent DDoS Attacks and Reports | Radware. https://security.radware.com/ddos-knowledge-center/ddospedia/arp-poisoning/
This design creates a vulnerability and provides opportunities for bad actors. Implementing an ARP poisoning operation is very easy as long as the attacker has some form of control of, and access to, a machine within the target network.
How Can ARP Spoofing Be Prevented?
One simple and well-known tool used to detect ARP activity is the “Command Prompt”.
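The Command Prompt check the page alludes to is usually `arp -a`, which prints the host’s ARP cache. The added example below is written for this page and is not the article’s own code: it parses constructed `arp -a` output and flags any unicast MAC address that appears for more than one IP address, which is what a poisoned cache looks like after the attack above (the gateway IP and the attacker’s own IP both resolve to the attacker’s MAC). It goes slightly beyond the Windows case by also accepting the Linux/BSD `arp -a` line format, and it deliberately ignores broadcast and multicast entries, which legitimately share MACs across IPs and would otherwise be false positives. The sample text, addresses and function names are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# One regex each for the IP and the MAC; the Windows format uses dashes, Linux/BSD colons.
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
_MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")


def _normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def _is_unicast(mac: str) -> bool:
    # Broadcast (ff:ff:...) and multicast (01:00:5e:..., 33:33:...) MACs have the
    # least-significant bit of the first octet set; they legitimately appear for
    # several IPs in a cache and must not count as duplicates.
    return (int(mac.split(":")[0], 16) & 1) == 0


def parse_arp_cache(text: str) -> Dict[str, str]:
    """Return IP -> normalized MAC for every line carrying both (headers are skipped)."""
    entries = {}
    for line in text.splitlines():
        ip_m, mac_m = _IP_RE.search(line), _MAC_RE.search(line)
        if ip_m and mac_m:
            entries[ip_m.group(1)] = _normalize_mac(mac_m.group(1))
    return entries


def find_duplicate_macs(text: str) -> Dict[str, List[str]]:
    """Map each unicast MAC claimed by more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(list)
    for ip, mac in parse_arp_cache(text).items():
        if _is_unicast(mac):
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed Windows "arp -a" output after the poisoning in the scenario: the gateway
# (192.168.1.1) and the attacker's host (192.168.1.30) both resolve to cc-cc-cc-cc-cc-03.
# The two ff-ff-ff-ff-ff-ff lines are a legitimate shared MAC and must not be reported.
WINDOWS_ARP_SAMPLE = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           cc-cc-cc-cc-cc-03     dynamic
  192.168.1.30          cc-cc-cc-cc-cc-03     dynamic
  192.168.1.45          00-50-56-c0-00-08     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# The same poisoned state as constructed Linux "arp -a" output.
LINUX_ARP_SAMPLE = """\
_gateway (192.168.1.1) at cc:cc:cc:cc:cc:03 [ether] on eth0
? (192.168.1.30) at cc:cc:cc:cc:cc:03 [ether] on eth0
? (192.168.1.45) at 00:50:56:c0:00:08 [ether] on eth0
"""


if __name__ == "__main__":
    for mac, ips in find_duplicate_macs(WINDOWS_ARP_SAMPLE).items():
        print(f"SUSPICIOUS: {mac} claimed by {', '.join(ips)}")
```

On a live host the text would come from running `arp -a` and reading its output instead of the embedded samples. A duplicate unicast MAC is a strong hint rather than proof (some load balancers and virtual router setups also answer for several IPs), so the hit is best confirmed against the known gateway MAC from the router itself.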
To prevent an ARP poisoning attack, Veracode recommends that organizations use packet filtering tools and spoofing detection software, implement cryptographic network protocols, and avoid developing protocols that rely on trust relationships.
The ARP protocol has always been prone to ARP poisoning attacks. Perhaps the most effective prevention measure against spoofing attacks is a security policy that includes staff awareness and implements relentless traffic filtering.