ARP spoofing

[Figure: ARP Spoofing.svg] A successful ARP spoofing (poisoning) attack allows an attacker to alter routing on a network, effectively allowing for a man-in-the-middle attack.

In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.


ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks. [1]

The attack can only be used on networks that use ARP, and requires that the attacker have direct access to the local network segment to be attacked. [2]

ARP vulnerabilities

The Address Resolution Protocol (ARP) is a widely used communications protocol for resolving Internet layer addresses into link layer addresses.

When an Internet Protocol (IP) datagram is sent from one host to another in a local area network, the destination IP address must be resolved to a MAC address for transmission via the data link layer. When another host's IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply that contains the MAC address for that IP. [2]

ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether network hosts requested them. Even ARP entries that have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. This behavior is the vulnerability that allows ARP spoofing to occur. [1] [2] [3]

Attack anatomy

The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

An attacker using ARP spoofing disguises their machine as a legitimate host in the exchange of data between users on the network. [4] The users then have no indication that the attacker is not the real host. [4]

Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.

Defenses

Static ARP entries

The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. IP address-to-MAC address mappings in the local ARP cache may be statically entered. Hosts don't need to transmit ARP requests where such entries exist. [5] While static entries provide some security against spoofing, they result in maintenance effort, since address mappings for all systems in the network must be generated and distributed. This does not scale on a large network: each machine needs an ARP entry for every other machine, so with n machines there are n-1 entries on each of the n machines, or n²-n entries in total.

Detection and prevention software

Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. [6]
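The passive cross-checking described above, together with the cache behaviour from the "ARP vulnerabilities" section and the static-entry defense, can be shown in a small monitor. The following is an added example written for this page; it is not code from the article or from any of the tools listed below. It parses raw Ethernet/ARP frames, tracks IP-to-MAC mappings the way an unprotected host's cache does, and emits an alert when an existing mapping is overwritten, when a reply arrives that nobody requested, when one MAC claims several IPs, or when a frame contradicts an operator-pinned (static) entry. The addresses, the MAC values and the four sample frames are constructed for the demo.

```python
"""Passive ARP monitor over raw Ethernet frames (arpwatch-style).
Added example, not code from the article or any tool it lists. Parses RFC 826
ARP frames, learns IP-to-MAC mappings the way an unprotected host does (newest
claim wins) and flags the conditions the article describes. All addresses and
frames are constructed for the demo."""
import struct
from dataclasses import dataclass, field
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    return ArpPacket(op, _mac(b[0:6]), _ip(b[6:10]), _mac(b[10:16]), _ip(b[16:20]))

def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Assemble a constructed ARP frame for the demo (requests go to the broadcast MAC)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(target_mac)
    return (dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))

@dataclass
class ArpMonitor:
    static: dict = field(default_factory=dict)   # IP -> MAC pinned by the operator (read-only)
    cache: dict = field(default_factory=dict)    # IP -> MAC learned from traffic
    pending: set = field(default_factory=set)    # IPs a request has been seen for

    def observe(self, frame: bytes) -> list:
        """Feed one frame; return the (code, ...) alerts it triggered."""
        pkt = parse_arp(frame)
        if pkt is None or pkt.sender_ip == "0.0.0.0":  # not ARP, or an address probe claiming nothing
            return []
        alerts = []
        if pkt.op == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
        elif pkt.op == ARP_REPLY:
            if pkt.sender_ip in self.pending:
                self.pending.discard(pkt.sender_ip)
            elif pkt.sender_ip != pkt.target_ip:  # gratuitous ARP (sender == target) is normal for failover
                alerts.append(("UNSOLICITED_REPLY", pkt.sender_ip, pkt.sender_mac))
        alerts += self._learn(pkt.sender_ip, pkt.sender_mac)  # hosts cache sender fields of both ops
        return alerts

    def _learn(self, ip: str, mac: str) -> list:
        alerts = []
        pinned = self.static.get(ip)
        if pinned is not None:
            if pinned != mac:
                alerts.append(("STATIC_VIOLATION", ip, mac))
            return alerts  # a static entry is never overwritten by traffic
        if ip in self.cache and self.cache[ip] != mac:
            alerts.append(("MAPPING_CHANGED", ip, mac))
        self.cache[ip] = mac  # ARP semantics: newest claim wins, nothing is authenticated
        claimed = sorted(i for i, m in self.cache.items() if m == mac)
        if len(claimed) > 1:  # can be legitimate (proxy ARP, failover), so it is a lead, not proof
            alerts.append(("MAC_MULTI_IP", mac, claimed))
        return alerts

# Constructed segment: a gateway, one host, and a third station making false claims.
GW_IP, GW_MAC = "10.0.0.1", "aa:aa:aa:aa:aa:01"
HOST_IP, HOST_MAC = "10.0.0.2", "bb:bb:bb:bb:bb:02"
THIRD_MAC, ZERO_MAC = "cc:cc:cc:cc:cc:99", "00:00:00:00:00:00"
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP),  # host asks who has 10.0.0.1
    build_arp(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),      # gateway answers
    build_arp(ARP_REPLY, THIRD_MAC, GW_IP, HOST_MAC, HOST_IP),   # unrequested reply claiming the gateway IP
    build_arp(ARP_REPLY, THIRD_MAC, HOST_IP, GW_MAC, GW_IP),     # same MAC now also claims the host IP
]

def run_demo(static: Optional[dict] = None) -> list:
    """Replay the sample frames through a fresh monitor; returns each frame's alerts."""
    mon = ArpMonitor(static=dict(static or {}))
    return [mon.observe(f) for f in SAMPLE_FRAMES]

if __name__ == "__main__":
    for i, alerts in enumerate(run_demo(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

Replaying the four frames without static entries, the first two are silent, the third raises UNSOLICITED_REPLY and MAPPING_CHANGED for 10.0.0.1, and the fourth adds MAC_MULTI_IP because the same MAC now sits behind both IPs. Passing `{"10.0.0.1": "aa:aa:aa:aa:aa:01"}` as the static table instead yields STATIC_VIOLATION on the third frame and leaves the pinned entry untouched, which is the behaviour the "Static ARP entries" section relies on. Two caveats the monitor itself illustrates: a gratuitous reply (sender and target IP equal) is deliberately not counted as unsolicited because failover software emits them, so a change announced that way still surfaces only as MAPPING_CHANGED; and MAC_MULTI_IP is a lead to investigate, not proof, since proxy ARP and address takeover produce the same pattern legitimately.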

AntiARP [7] also provides Windows-based spoofing prevention at the kernel level. ArpStar is a Linux module for kernel 2.6 and Linksys routers that drops invalid packets that violate mapping, and contains an option to repoison or heal.

Some virtualized environments such as KVM also provide security mechanisms to prevent MAC spoofing between guests running on the same host. [8]

Additionally some Ethernet adapters provide MAC and VLAN anti-spoofing features. [9]

OpenBSD watches passively for hosts impersonating the local host and notifies the administrator of any attempt to overwrite a permanent entry. [10]

OS security

Operating systems react differently to such replies. Linux ignores unsolicited replies but does use replies to requests made by other machines to update its cache. Solaris accepts updates to existing entries only after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute and ArpRetryCount. [11]

Legitimate usage

The techniques that are used in ARP spoofing can also be used to implement redundancy of network services. For example, some software allows a backup server to issue a gratuitous ARP request in order to take over for a defective server and transparently offer redundancy. [12] [13] Circle [14] and CUJO are two companies that have commercialized products centered around this strategy.

ARP spoofing is often used by developers to debug IP traffic between two hosts when a switch is in use: if host A and host B are communicating through an Ethernet switch, their traffic would normally be invisible to a third monitoring host M. The developer configures A to have M's MAC address for B, and B to have M's MAC address for A; and also configures M to forward packets. M can now monitor the traffic, exactly as in a man-in-the-middle attack.

Tools

Defense

Name | OS | GUI | Free | Protection | Per interface | Active/passive | Notes
Agnitum Outpost Firewall | Windows | Yes | No | Yes | No | passive |
AntiARP | Windows | Yes | No | Yes | No | active+passive |
Antidote [15] | Linux | No | Yes | No | ? | passive | Linux daemon; monitors mappings and unusually large numbers of ARP packets.
Arp_Antidote [16] | Linux | No | Yes | No | ? | passive | Linux kernel patch for 2.4.18 – 2.4.20; watches mappings; the action to take can be defined.
Arpalert | Linux | No | Yes | No | Yes | passive | Predefined list of allowed MAC addresses; alerts on a MAC that is not in the list.
ArpON | Linux | No | Yes | Yes | Yes | active+passive | Portable handler daemon for securing ARP against spoofing, cache poisoning or poison routing attacks in static, dynamic and hybrid networks.
ArpGuard | Mac | Yes | No | Yes | Yes | active+passive |
ArpStar | Linux | No | Yes | Yes | ? | passive |
Arpwatch | Linux | No | Yes | No | Yes | passive | Keeps mappings of IP-MAC pairs; reports changes via syslog or email.
ArpwatchNG | Linux | No | Yes | No | No | passive | Keeps mappings of IP-MAC pairs; reports changes via syslog or email.
Colasoft Capsa | Windows | Yes | No | No | Yes | | No detection, only analysis with manual inspection.
cSploit [17] | Android (rooted only) | Yes | Yes | No | Yes | passive |
elmoCut [18] | Windows | Yes | Yes | No | ? | passive | EyeCandy ARP spoofer for Windows.
Prelude IDS | ? | ? | ? | ? | ? | ? | ArpSpoof plugin; basic checks on addresses.
Panda Security | Windows | ? | ? | Yes | ? | active | Performs basic checks on addresses.
remarp | Linux | No | Yes | No | No | passive |
Snort | Windows/Linux | No | Yes | No | Yes | passive | Snort preprocessor Arpspoof; performs basic checks on addresses.
Winarpwatch | Windows | No | Yes | No | No | passive | Keeps mappings of IP-MAC pairs; reports changes via syslog or email.
XArp [19] | Windows, Linux | Yes | Yes (+pro version) | Yes (Linux, pro) | Yes | active+passive | Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.
Seconfig XP | Windows 2000/XP/2003 only | Yes | Yes | Yes | No | | Only activates protection built into some versions of Windows.
zANTI | Android (rooted only) | Yes | Yes | No | ? | passive |
NetSec Framework | Linux | No | Yes | No | No | active |
anti-arpspoof [20] | Windows | Yes | Yes | ? | ? | ? |
DefendARP [21] | ? | ? | ? | ? | ? | ? | A host-based ARP table monitoring and defense tool designed for use when connecting to public wifi. DefendARP detects ARP poisoning attacks, corrects the poisoned entry, and identifies the MAC and IP address of the attacker.
NetCutDefender [22] | Windows | ? | ? | ? | ? | ? | GUI for Windows that can protect from ARP attacks.

Spoofing

Some of the tools that can be used to carry out ARP spoofing attacks:


References

  1. Ramachandran, Vivek; Nandi, Sukumar (2005). "Detecting ARP Spoofing: An Active Technique". In Jajodia, Sushil; Mazumdar, Chandan (eds.). Information Systems Security: First International Conference, ICISS 2005, Kolkata, India, December 19–21, 2005: Proceedings. Birkhäuser. p. 239. ISBN 978-3-540-30706-8.
  2. Lockhart, Andrew (2007). Network Security Hacks. O'Reilly. p. 184. ISBN 978-0-596-52763-1.
  3. Gibson, Steve (2005-12-11). "ARP Cache Poisoning". GRC.
  4. Moon, Daesung; Lee, Jae Dong; Jeong, Young-Sik; Park, Jong Hyuk (2014-12-19). "RTNSS: a routing trace-based network security system for preventing ARP spoofing attacks". The Journal of Supercomputing. 72 (5): 1740–1756. doi:10.1007/s11227-014-1353-0. ISSN 0920-8542. S2CID 18861134. Archived from the original on 2021-01-23. Retrieved 2021-01-23.
  5. Lockhart, Andrew (2007). Network Security Hacks. O'Reilly. p. 186. ISBN 978-0-596-52763-1.
  6. "A Security Approach to Prevent ARP Poisoning and Defensive tools". ResearchGate. Archived from the original on 2019-05-03. Retrieved 2019-03-22.
  7. "AntiARP". Archived from the original on June 6, 2011, at the Wayback Machine.
  8. Berrangé, Daniel P. "Guest MAC spoofing denial of service and preventing it with libvirt and KVM" (blog). Archived from the original on 2019-08-09. Retrieved 2019-08-09.
  9. "Archived copy". Archived from the original on 2019-09-03. Retrieved 2019-08-09.
  10. "arp(4) - OpenBSD manual pages". Archived from the original on 2019-08-09. Retrieved 2019-08-09.
  11. "Address Resolution Protocol". 18 July 2012. Archived from the original on 2021-01-23. Retrieved 2017-08-26.
  12. "OpenBSD manpage for carp(4)". Archived from the original on 2018-02-05. Retrieved 2018-02-04.
  13. Horman, Simon. "Ultra Monkey: IP Address Takeover". Archived from the original on 2012-11-18. Retrieved 2013-01-04.
  14. Barrett, Brian. "Circle with Disney Locks Down Kids Devices from Afar". Wired. Archived from the original on 2016-10-12. Retrieved 2016-10-12.
  15. "Antidote". Archived from the original on 2012-03-13. Retrieved 2014-04-07.
  16. "Arp_Antidote". Archived from the original on 2012-01-14. Retrieved 2011-08-02.
  17. "cSploit". tux_mind. Archived from the original on 2019-03-12. Retrieved 2015-10-17.
  18. "elmoCut: EyeCandy ARP Spoofer (GitHub Home Page)". GitHub.
  19. "XArp". Archived from the original on 2020-06-16. Retrieved 2021-01-23.
  20. "anti-arpspoof". Archived from the original on August 31, 2008, at the Wayback Machine.
  21. "Defense Scripts | ARP Poisoning". Archived from the original on 2013-01-22. Retrieved 2013-06-08.
  22. "Netcut defender | Arcai.com". Archived from the original on 2019-04-08. Retrieved 2018-02-07.
  23. "Subterfuge Project". Archived from the original on 2016-04-27. Retrieved 2013-11-18.
  24. "Seringe – Statically Compiled ARP Poisoning Tool". Archived from the original on 2016-09-16. Retrieved 2011-05-03.
  25. "ARP Vulnerabilities: The Complete Documentation". l0T3K. Archived from the original on 2011-03-05. Retrieved 2011-05-03.
  26. "ARP cache poisoning tool for Windows". Archived from the original on July 9, 2012. Retrieved 2012-07-13.
  27. "Simsang". Archived from the original on 2016-03-04. Retrieved 2013-08-25.
  28. "Minary". Archived from the original on 2019-04-08. Retrieved 2018-01-10.
  29. "NetCut". Archived from the original on 2020-11-12. Retrieved 2021-01-23.
  30. "ARPpySHEAR: An ARP cache poisoning tool to be used in MITM attacks". GitHub. Archived from the original on 2020-10-13. Retrieved 2019-11-11.