ARP spoofing attack is a kind of attack in which a attacker sends falsified ARP (Address Resolution Protocol) messages over a LAN. As a result the attacker links his MAC address with the IP address of a legitimate computer (or server) on the network.
If the attacker managed to link his MAC address to an authentic IP address, he will begin receiving any data that can be accessed by that IP address. ARP spoofing allows malicious attackers to intercept, modify or even stop data which is in-transit. ARP spoofing attacks can only occur on local area networks that utilize theAddress Resolution Protocol.
ARP Spoofing Attacks
ARP spoofing attacks can have serious effects for enterprises. In their most basic level, ARP spoofing attacks are used to steal sensitive information of the company. Apart from this, ARP spoofing attacks are often used to facilitate other attacks like:
- Denial-of-service attacks: DoS attacks use ARP spoofing to link multiple IP addresses in a LAN with a single target’s MAC address. Due to this, traffic that is meant for different IP addresses will be redirected to the target’s MAC address, thus overloading the target with traffic.
- Session hijacking: Session hijacking attacks can make use of ARP spoofing to steal session IDs, thus granting attackers access to private systems and data.
- Man-in-the-middle attacks: MITM attacks can use ARP spoofing to intercept and/or modify traffic between two victims.
ARP Spoofing Tutorial
Typically ARP spoofing attacks follow a similar steps which include:
- First the attacker opens an ARP spoofing tool, and sets the tool’s IP address to match the IP of a target. Some of the popular ARP spoofing software include Arpspoof, Arpoison, Cain & Abel and Ettercap.
- The attacker makes use of the ARP spoofing tool and scan for the MAC and IP addresses of hosts in the target’s subnet.
- The attacker chooses his target and starts sending ARP packets across the LAN which contain the attacker’s MAC address and the victim’s IP address.
- As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.
ARP Spoofing Detection, Prevention and Protection
The following methods are recommended measures for detecting, preventing and protecting against ARP spoofing attacks:
- Packet filtering: Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in ARP spoofing prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).
- Use ARP spoofing detection software: There are many programs available which will help organizations detect to ARP spoofing attacks. These programs basically work by inspecting and certifying data before it is transmitted and blocking data, that appears to be spoofed.
- Use cryptographic network protocols: Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster ARP spoofing attack prevention by encrypting data prior to transmission and authenticating data when it is received.