ARP spoofing

Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that indeed make use of ARP and not another method.

The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

ARP spoofing attacks can be run from a compromised host, a jack box, or a hacker's machine that is connected directly onto the target Ethernet segment.

Application

ARP is a Layer 2 protocol. ARP request is considered broadcast traffic, while legitimate ARP Replies are not. As such, it is not designed to allow for any ID validation on the transaction. While ARP spoofing can occur in the course of ARP transactions, creating a race condition, the more common utilization is the distribution of unsolicited ARP responses which are cached by the clients creating the ARP cache poison scenario.

Defenses

An open source solution is [http://arpon.sourceforge.net ArpON] "Arp handler inspectiON". It is a portable ARP handler which detects and blocks all ARP poisoning and spoofing attacks with static ARP inspection (SARPI) and dynamic ARP inspection (DARPI) approach on switched or hubbed LANs with or without DHCP.

Another method, such as DHCP snooping, can be utilised on larger networks. Via DHCP, the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, ProCurve, Extreme Networks and Allied Telesis.

Detection is another avenue for defending against ARP spoofing. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. Under Windows the GUI-driven software [http://www.chrismc.de/development/xarp XArp v2] is available. It performs ARP packet inspection on a per network interface basis with configurable inspection filters and active verification modules. [http://sync-io.net/Sec/anti-arpspoof.aspx anti-arpspoof] creates static ARP entries in the client and default gateway cache, and cleans poisoned dynamic entries.

Checking for the existence of MAC address cloning may also provide a clue as to the presence of ARP spoofing, though there are legitimate uses of MAC address cloning. Reverse ARP (RARP) is a protocol used to query the IP address(es) associated to one MAC address. If more than one IP address is returned, MAC cloning is present.

A simple defense that only works for simple ARP spoofing attacks is the use of static IP-MAC mappings. However, this only prevents simple attacks and does not scale on a large network as the mapping has to be set for each pair of machines, resulting in n*n ARP caches that have to be configured.

Legitimate usage

ARP spoofing can also be used for legitimate reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network.

Another legitimate implementation of ARP spoofing is used in hotels to allow traveling laptop users to access the Internet from their room, using a device known as a head end processor (HEP), regardless of their IP address.

ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over a defective server and transparently offer redundancy.

ARP spoofing tools

Arpspoof (part of the DSniff suite of tools), Arpoison, Cain and Abel, Ettercap, and netcut are some of the tools that can be used to carry out ARP poisoning attacks.

ee also

* Ethernet
* Ettercap
* arping
* Arpwatch
* arptables

External links

* [http://sync-io.net/Sec/anti-arpspoof.aspx free anti-arpspoof]
* [http://arpon.sourceforge.net ArpON home page]
* [http://www.colasoft.com/download/arp_flood_arp_spoofing_arp_poisoning_attack_solution_with_capsa.php Quick Detect ARP Poisoning/Spoofing Live Demo]
* [http://www.arcai.com NetCut - Admin Network with ARP protocol]
* [http://www.oxid.it/downloads/apr-intro.swf Introduction to APR (Arp Poison Routing) by MAO]
* [http://www.arpdefender.com ARPDefender - Hardware ARP Spoofing detection appliance]
* [http://www.grc.com/nat/arp.htm GRC's Arp Poisoning Explanation]
* [http://www.chrismc.de/development/xarp XArp2 ARP spoofing detection tool performing packet inspection using active and passive methods]
* [http://www.antiarp.com/English/e_index.asp AntiARP - Professional defence ARP spoof/poison/attack]
* [http://ihack.co.uk/assets/ARP_Spoofing.pdf ARP Spoofing How to]
* [http://abulmagd.blogspot.com/2008/08/arptables-and-arp-poisoningnetcut.html arptables, and ARP poisoning]