ARP Poisoning is a type of cyberattack that exploits weaknesses in the widely used Address Resolution Protocol (ARP) to disrupt, redirect, or monitor network traffic. In this article, we'll take a quick look at why you need ARP, analyze its weaknesses that make ARP poisoning possible, and what steps you can take to keep your organization safe.
What is ARP?
ARP is for determining the MAC address from the IP address of another computer. ARP allows devices connected to a network to query which device is currently assigned a specific IP address. Devices can also communicate this assignment to the rest of the network without prompting. For efficiency, devices typically cache these responses and create a list of current MAC-IP assignments.
What is ARP Poisoning?
ARP poisoning (spoofing) is the use of ARP weaknesses to disrupt MAC-IP assignments to other devices on the network. In 1982, when ARP was introduced, security was not a primary concern, so the protocol designers never used authentication mechanisms to validate ARP messages. Any device on the network can respond to an ARP request, regardless of whether or not it is the recipient of the request. For example, if Computer A asks for the MAC address of Computer B, an attacker on Computer C can respond, and Computer A will accept the response as valid. Due to this vulnerability, a huge number of attacks were carried out. Using readily available tools, an attacker can poison the ARP cache of other hosts on the local network, filling it with incorrect data.
ARP Poisoning Stages
The stages of ARP poisoning can vary, but usually the minimum list is as follows:
- Attacker Chooses Victim Machine or Machines
The first step in planning and implementing an ARP Poisoning attack is targeting. This can be a specific endpoint on a network, a group of endpoints, or a network device such as a router. Routers are attractive targets because a successful router ARP poisoning can disrupt traffic for an entire subnet. -
, ARP, . . ARP . -
ARP () - . , ยซ ยป, . .
ARP Poisoning
There are two main ways of poisoning ARP: an attacker can either wait for an ARP request for a specific target and respond to it, or use gratuitous ARP requests. The first option will be less visible on the web, but its potential impact will also be less. Self-directed ARP requests may be more effective and affect more victims, but they have the downside of generating a lot of network traffic. With either approach, a corrupted ARP cache on victim devices can be used for further purposes:
Man-in-the-Middle Attacks
MiTM attacks are probably the most common and potentially most dangerous target of ARP poisoning. The attacker sends bogus ARP replies to the specified IP address (usually the default gateway for a particular subnet). This forces the victim devices to populate their ARP cache with the attacker's MAC address instead of the local router's MAC address. The victim devices then incorrectly forward the network traffic to the attacker. Tools like Ettercap allow an attacker to act as a proxy by viewing or modifying information before sending traffic to its destination. At the same time, the victim may not notice any changes in the work.
Simultaneous ARP Poisoning and DNS Poisoningcan significantly improve the effectiveness of a MiTM attack. In this scenario, the victim user can enter the address of a legitimate site (for example, google.com) and get the IP address of the attacker's machine instead of the correct one.
Denial of Service (DoS)
A DoS attack is when one or more victims are denied access to network resources. In the case of ARP, an attacker could send an ARP response that falsely assigns hundreds or even thousands of IP addresses to a single MAC address, potentially overloading the target device. This type of attack, sometimes called ARP flooding (ARP flooding), can also target switches, potentially affecting the performance of the entire network.
Session hijacking
Session hijacking is similar in nature to MiTM except that the attacker will not directly redirect traffic from the victim's machine to the target device. Instead, it captures the victim's genuine TCP sequence number or cookie and uses it to impersonate the victim. So he can, for example, gain access to the account of a given user on the social network, if he is logged into it.
What is the purpose of ARP poisoning?
Hackers always have a variety of motives, including when carrying out ARP poisoning, ranging from high-level espionage to the excitement of creating chaos on the network. In one possible scenario, an attacker could use bogus ARP messages to assume the role of the default gateway for a given subnet, effectively directing all traffic to their device instead of the local router. Then he can monitor the traffic, change or dump it. Such attacks are โloudโ because they leave behind evidence, but they do not necessarily affect the operation of the network. If the target of the attack is espionage, the attacker's machine simply redirects traffic to the original recipient, giving him no reason to suspect that something has changed.
Another target could be significant network disruption. For example, it is not uncommon for DoS attacks to be performed by less experienced hackers simply to enjoy the problems they create. Insider attacks
are a dangerous type of ARP poisoning . Spoofed ARP messages do not go outside the local network, so the attack must come from the local device. An external device can also potentially initiate an ARP attack, but first it needs to remotely compromise the local system in other ways, while the insider only needs a network connection and some readily available tools.
ARP spoofing vs ARP poisoning
The terms ARP spoofing and ARP poisoning are commonly used synonymously. Technically, spoofing means that an attacker misrepresents his own address as the MAC address of another computer, while poisoning (spoofing) refers to damage to ARP tables on one or more victim machines. In practice, however, these are elements of the same attack. This attack is also sometimes referred to as "ARP cache poisoning" or "ARP table corruption".
Consequences of ARP Poisoning Attacks
The main effect of ARP poisoning is that traffic destined for one or more hosts on the local network is instead directed to a device of the attacker's choice. The specific consequences of an attack depend on its specifics. Traffic can be directed to the attacker's machine or to a non-existent location. In the first case, there may be no noticeable effect, while in the second, access to the network may be blocked.
By itself, ARP cache poisoning has no lasting impact. ARP entries are cached from a few minutes on endpoints to several hours on switches. As soon as an attacker stops actively infecting tables, the corrupted records are simply outdated, and normal traffic is soon resumed. By itself, ARP poisoning does not leave permanent infection or footholds on victim machines. However, it is not uncommon for hackers to carry out a series of attacks in a chain, and ARP poisoning can be part of a larger attack.
How to detect ARP cache poisoning
There are many paid and open source programs available to detect ARP cache poisoning, but you can check the ARP tables on your computer even without installing any special software. On most Windows, Mac, and Linux systems, typing arp-a in a terminal or command line will display the current IP and MAC address assignments of the machine.
Tools such as arpwatch and X-ARP allow continuous monitoring of the network and can alert the administrator when signs of ARP cache poisoning are detected. However, the probability of false positives is quite high.
How to prevent ARP poisoning
There are several methods to prevent ARP poisoning:
Static ARP tables
You can statically assign all MAC addresses on the network to their corresponding IP addresses. This is very effective in preventing ARP poisoning, but it is very labor intensive. Any change in the network will require manual updating of ARP tables on all hosts, and therefore, for most large organizations, the use of static ARP tables is impractical. But in situations where security is paramount, allocating a separate network segment for static ARP tables can help protect critical information.
Switch protection
Most managed Ethernet switches are equipped with ARP Poisoning attack prevention features. These features, known as Dynamic ARP Inspection (DAI), evaluate the validity of each ARP message and discard packets that appear suspicious or malicious. DAI can also limit the rate at which ARP messages pass through the switch, effectively preventing DoS attacks.
DAI and similar functions were once available exclusively for high-performance networking equipment, but now they are present on almost all business-class switches, including those used in small companies. It is generally recommended to enable DAI on all ports except those connected to other switches. This feature has no significant performance impact; at the same time, along with it, you may need to enable other functions, for example, DHCP Snooping.
Enabling port security on a switch can also help minimize the effects of ARP cache poisoning. Port security can be configured to allow only one MAC address on a switch port, making it impossible for an attacker to use multiple network IDs.
Physical protection
Adequate control of physical access to the user's workplace will also help prevent ARP Poisoning attacks. ARP messages do not go outside the local network, so potential attackers must be physically close to the victim's network or already have control over a machine on the network. Note that in the case of a wireless network, proximity does not necessarily mean direct physical access: the signal that reaches the courtyard or parking lot may be sufficient. Regardless of the type of connection (wired or wireless), using a technology like 802.1x can ensure that only trusted and / or managed devices connect to the network.
Network isolation
A well-segmented network may be less susceptible to ARP cache poisoning in general, since an attack on one subnet does not affect devices on the other. Concentrating critical resources on a dedicated network segment with tighter security measures can significantly reduce the potential impact of an ARP Poisoning attack.
Encryption
While encryption does not prevent an ARP attack, it can reduce potential damage. Previously, a popular target for MiTM attacks was to obtain login credentials, which were once transmitted in plain text. With the proliferation of SSL / TLS encryption, these attacks have become more difficult to carry out.
Just one of many threats
Although ARP poisoning technology appeared much earlier than many modern malware such as ransomware viruses , ARP Poisoning is still a threat that must be combated. As with all other cyber threats, it is best to do this in a comprehensive manner. Threat detection and response solutions help you gain an understanding of the overall security level of your organization. And solutions like Varonis Edge can detect signs of data leakage after ARP poisoning.