#readwise
# ARP Poisoning: What It Is & How to Prevent ARP Spoofing Attacks

## Metadata
- Author: [[varonis.com]]
- Full Title: ARP Poisoning: What It Is & How to Prevent ARP Spoofing Attacks
- URL: https://www.varonis.com/blog/arp-poisoning
## Highlights
ARP Poisoning is a type of cyberattack that abuses weaknesses in the widely used Address Resolution Protocol (ARP) to disrupt, redirect, or spy on network traffic.
---
The purpose of ARP is to translate between addresses at the data link layer – known as MAC addresses – and addresses at the network layer, which are typically IP addresses. It allows networked devices to “ask” which device is currently assigned a given IP address. Devices can also announce this mapping to the rest of the network without being prompted. For efficiency’s sake, devices will typically cache these responses and build a list of current MAC-to-IP mappings.
---
ARP Poisoning consists of abusing the weaknesses in ARP to corrupt the MAC-to-IP mappings of other devices on the network. Security was not a paramount concern when ARP was introduced in 1982, so the designers of the protocol never included authentication mechanisms to validate ARP messages. Any device on the network can answer an ARP request, whether the original message was intended for it or not. For example, if Computer A “asks” for the MAC address of Computer B, an attacker at Computer C can respond, and Computer A will accept this response as authentic. This oversight has made a variety of attacks possible. By leveraging easily available tools, a threat actor can “poison” the ARP cache of other hosts on a local network, filling it with inaccurate entries. ^iclkdl
---
There are two general ways in which an ARP Poisoning attack can occur: The attacker can either wait to see ARP requests for a particular target and issue a response, or send out an unsolicited broadcast message known as a “gratuitous ARP”. The first approach is less noticeable on the network, but potentially less far-reaching in its impacts. A gratuitous ARP can be more immediate and impact a greater number of victims but comes with the downside of generating lots of network traffic. In either approach, the corrupted ARP cache(s) on victim machines may be leveraged to further ends.
---
Man-in-the-Middle (MiTM) Attack
MiTM attacks are probably the most common, and potentially most dangerous, goal of ARP poisoning. The attacker sends out falsified ARP responses for a given IP address, typically the default gateway for a particular subnet. This causes victim machines to populate their ARP cache with the MAC address of the attacker’s machine instead of the local router’s MAC address. Victim machines will then incorrectly forward network traffic to the attacker. Tools like Ettercap allow the attacker to act as a proxy, viewing or modifying information before sending the traffic to its intended destination. To the victim, everything may appear normal.
Marrying ARP Poisoning with DNS Poisoning can dramatically increase the effectiveness of a MiTM attack. In this scenario, a victim user might type in a legitimate site such as google.com and be given the IP address of the attacker’s machine, rather than the rightful address.
---
Denial of Service (DoS) Attack
A DoS attack is aimed at denying one or more victims access to network resources. In the case of ARP, an attacker might send out ARP Response messages that falsely map hundreds or even thousands of IP addresses to a single MAC address, potentially overwhelming the target machine. This type of attack, sometimes known as ARP flooding, can also be used to target switches, potentially impacting the performance of the entire network.
---
Session Hijacking
Session Hijacking attacks are similar in nature to Man-in-the-Middle, except that the attacker will not directly forward traffic from the victim machine to its intended destination. Instead, the attacker will capture a genuine TCP sequence number or web cookie from the victim and use it to assume the victim’s identity. This could be used, for instance, to access a target user’s social media account if they happen to be logged in.
---
The terms ARP Spoofing and ARP Poisoning are generally used interchangeably. Technically, spoofing refers to an attacker impersonating another machine’s MAC address, while poisoning denotes the act of corrupting the ARP tables on one or more victim machines. In practice, however, these are both sub-elements of the same attack, and in general parlance, both terms are used to refer to the attack as a whole. Other similar terms might include ARP cache poisoning or ARP table corruption. ^o6pdgq
---
A variety of commercial and open-source software exists to detect ARP cache poisoning, but you can easily check the ARP tables on your own computer without installing anything. On most Windows, Mac, and Linux systems, issuing the “arp -a” command from a terminal or command line will display the current IP-to-MAC address mappings of the machine.
Tools like arpwatch and X-ARP are useful for continuous monitoring of the network and can alert an administrator if signs of an ARP cache poisoning attack are seen. However, false positives are a concern and can create a large number of unwanted alerts.
---
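As an added example (not code from the Varonis article), a small Python check over constructed `arp -a` output in both the Linux/macOS and Windows layouts: it flags a MAC address claimed by several IPs (the gateway among them) and any entry that differs from a recorded baseline, which are the two signals a manual cache check or a monitor like arpwatch relies on. The MAC and IP values are invented for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of Linux/macOS `arp -a` output (not real captured data).
# The gateway and an unrelated host resolve to the same MAC, the duplicate
# pattern a poisoned cache typically shows.
ARP_OUTPUT_LINUX = """\
gateway (192.168.1.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
printer (192.168.1.20) at aa:bb:cc:dd:ee:20 [ether] on eth0
? (192.168.1.55) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""

# Constructed sample of the Windows `arp -a` layout (dash-separated MACs).
ARP_OUTPUT_WINDOWS = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-20     dynamic
"""

# Known-good gateway mapping recorded earlier (constructed value).
BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:99"}

# Matches "(ip) at mac" (Linux/macOS) and "ip   mac" (Windows) forms.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?"
    r"(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})"
)

def parse_arp(text):
    """Return {ip: mac} with MACs normalised to lowercase colon form.
    Lines without a resolved MAC (e.g. <incomplete>) are skipped."""
    return {m["ip"]: m["mac"].lower().replace("-", ":")
            for m in ENTRY_RE.finditer(text)}

def find_shared_macs(table):
    """MACs claimed by more than one IP: the classic sign that one host is
    answering for others, especially when the gateway IP is among them."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def find_baseline_changes(table, baseline):
    """IPs whose MAC differs from a recorded baseline (what arpwatch alerts on)."""
    return {ip: (old, table[ip]) for ip, old in baseline.items()
            if ip in table and table[ip] != old}
```

Feed it the real output of `arp -a` (and a baseline captured on a known-clean day) and treat a shared MAC that includes the gateway, or a changed gateway entry, as worth investigating rather than as proof on its own, since legitimate NIC swaps and failover pairs also change mappings.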