Address Resolution Protocol (ARP) Spoofing:
What It Is and How to Prevent an ARP Attack

Bart Lenaerts-Bergmans - May 19, 2022

Address Resolution Protocol (ARP) spoofing or ARP poisoning is a form of spoofing attack that hackers use to intercept data. A hacker commits an ARP spoofing attack by tricking one device into sending messages to the hacker instead of the intended recipient. This way, the hacker gains access to your device’s communications, including sensitive data such as passwords and credit card information. Luckily, you can protect yourself against these attacks in several ways.

The ARP Protocol and ARP Spoofing

ARP spoofing occurs on a local area network (LAN) using an ARP. An ARP is a communication protocol connecting a dynamic internet protocol (IP) address to a physical machine address. The latter is referred to as a media access control (MAC) address. The ARP protocol directs the communication on the LAN.

Each network device has both an IP address and a MAC address. To send and receive messages, hosts on a network must know the addresses of the others on that network. In doing so, a host will connect a (typically dynamic IP address to a physical MAC address).

For example, Host A on a computer network wants to connect its IP address to the MAC address of Host B. Therefore, it sends an ARP request to all the other hosts on the LAN. Following this request, it receives an ARP response from Host B, with its MAC address. The requesting host then stores this address on its ARP cache, which is similar to a contacts list. This cache is sometimes referred to as an ARP table, as the addresses are stored in the form of a table.

ARP spoofing refers to an attacker with access to the LAN pretending to be Host B. The attacker sends messages to Host A with the goal of tricking Host A into saving the attacker’s address as Host B’s address. Host A will ultimately send communications intended for Host B to the attacker instead. Once the attacker becomes this middle man, each time Host A communicates with Host B, that host will in fact be communicating first with the attacker. Host B will typically be the default gateway, or the router.

Purpose of an ARP Spoof Attack

An ARP spoof attack can have several goals. Attackers can use ARP spoofing for spying, man-in-the-middle attacks or for additional cyberattacks, such as denial-of-service attacks.

What Are Spying and Denial-of-Service Attacks?

Spying happens when the attacker does not modify the communications between Hosts A and B but only reads the communications and then forwards them to the intended host. With a man-in-the-middle attack, the attacker modifies the information before sending it on to the intended host.

However, these acts of spying and modifying messages are often a part of a more elaborate cyberattack involving lateral movement. One is a denial-of-service attack, in which the attacker prevents communications from being sent between two or more hosts. Attackers may also send malicious files between hosts.

Who Uses ARP Spoofing?

Hackers have used ARP spoofing since the 1980s. Attacks by hackers can be planned or opportunistic. Planned attacks include denial-of-service attacks, whereas stealing information from a public WI-FI network would be an example of opportunism. Although these attacks are preventable, they are still frequently used because they are easy to conduct from both financial and technical points of view.

However, ARP spoofing can also be done for worthy purposes. Developers also use ARP spoofing to debug network traffic by purposely inserting a middle man between two hosts. Ethical hackers will also simulate ARP cache poisoning attacks to ensure networks are safe from such attacks.

Effects of ARP Spoofing

ARP spoofing has similar effects to other forms of spoofing, such as email spoofing. Noticeable effects of ARP spoofing can range from none to a full loss of connection to the network if the attacker implements a denial-of-service attack. Whether the effects of the attack are seen depends on the goals of the hacker. If they are only looking to spy on or modify information between hosts, they may well go unnoticed. If they are looking to instigate a further attack, as is often the case with ARP spoofing attacks, they will also want to remain unnoticed. However, such attacks will become obvious once their end goal is reached. For instance, your system may be overloaded by malware communications or your machine could be infected with ransomware.

Why ARP Spoofing Is Dangerous

ARP spoofing can be dangerous for many reasons. Most prominently, it grants hackers unauthorized access to private information. A hacker can then use this access for a number of malicious purposes, such as accessing passwords, identifying information or credit card information. These attacks can also be used to introduce malicious software such as ransomware.

How to Tell if Someone is Spoofing Your ARP

To tell if you’re being spoofed, check your task automation and configuration management program. Here, you will be able to find your ARP cache. If there are two IP addresses with the same MAC address, you might be the victim of an attack. Hackers typically use a spoofing software that sends messages stating that its address is the default gateway’s.

However, it is also possible that this software tricks its victim into overwriting the MAC address of the default gateway with its own. In this case, you are going to have to review ARP traffic for anything unusual. The unusual form of traffic is typically unsolicited messages claiming to own either the IP or MAC address of the router. Thus, unsolicited messages can be a sign of an ARP spoofing attack.

How Attackers Attempt to Remain Hidden

ARP spoofing attackers often want to go unnoticed. This way, they can collect information or further infiltrate the network they are on to launch a more significant attack. If hosts on the network were to realize their received ARP requests were false, the spoof would be mitigated.

Victims will not normally detect a poisoned ARP cache; they will continue to receive their communications as usual. However, the attacker will intercept these communications sent over the ARP protocol, such as the victims’ usernames and passwords.

How to Protect Your Systems from ARP Spoofing

Fortunately, you can implement a number of procedures and tools as part of your incident response plan to prevent ARP spoofing. These methods include certifying ARP requests, packet filtering, anti-ARP spoofing software and encryption.

Tools for Validating ARP Requests

Static ARP entries represent the simplest way to validate IP and MAC addresses. A static ARP entry is entered or accepted manually, removing the possibility that a device automatically modifies the ARP cache following the ARP protocol. This can be done for only some entries (e.g., the addresses of the default gateway), while others remain dynamic. Most addresses will likely need to remain dynamic, as cache maintenance on many networks would be too demanding otherwise.

Software also exists to validate ARP requests and thus help protect you against ARP spoofing. This software certifies IP and MAC addresses and actively blocks uncertified responses. Other software exists that notifies a host when an ARP table entry has been modified. There are numerous software options, with some operating at the kernel level, whereas others may be a part of the network’s dynamic host configuration protocol or network switch.

Tools for Preventing ARP Spoofing

A fairly simple way of protecting against ARP spoofing is to use packet-filtering firewalls. Packet-filtering firewalls flag data packets from an address that is found twice in the network, as this duplication suggests the presence of someone disguising themselves as another host.

Encryption, however, is probably the most important way to protect against an ARP attack. Due to the widespread use of encrypted communication protocols today, ARP hacking has become much more difficult. For example, most website traffic is encrypted using HTTPS, which prevents the hacker from reading the messages after intercepting them. Thus, the most important way to mitigate such attacks is to avoid sending unencrypted data.

Software can also help ensure you remain protected. Many cybersecurity protection software programs notify users if they are on a site, for example, where data is unencrypted.

Another encryption tool worth noting is the virtual private network (VPN). When connected to a VPN, all your data will enter through an encrypted tunnel.

Finally, although not exactly a “tool,” you can simulate ARP spoofing on your own network to look for potential holes in your cybersecurity system. In fact, most of the tools used to initiate these attacks are widely available and easy to use, making ethical hacking a feasible strategy for protecting yourself against such attacks.

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.