What is ARP Poisoning Attack
ARP (Address Resolution Protocol) poisoning is a type of network attack technique in which the ARP cache of systems on the network is modified to point to an IP address with the Media Access Control (MAC) address of an unauthorized user. ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
The attacker sends spoofed ARP messages to the network and masquerades as another system so that returned network packets will go to the attacker’s system and not its original destination. The malicious user can then modify the data in transit or modify the routing information to use the data as a DoS attack against a router.
The effects of ARP spoofing attacks can have serious implications for enterprises. In their most basic application, ARP spoofing attacks are used to steal sensitive information. Beyond this, ARP spoofing attacks are often used to facilitate other attacks such as:
- Denial-of-service attacks: DoS attacks often leverage ARP spoofing to link multiple IP addresses with a single target’s MAC address. As a result, traffic that is intended for many different IP addresses will be redirected to the target’s MAC address, overloading the target with traffic.
- Session hijacking: Session hijacking attacks can use ARP spoofing to steal session IDs, granting attackers access to private systems and data.
- Man-in-the-middle attacks: MITM attacks can rely on ARP spoofing to intercept and modify traffic between victims.
The following methods are recommended measures for detecting, preventing and protecting against ARP spoofing attacks:
- ARP poisoning and spoofing can be mitigated by using DHCP or other network services that help network clients keep track of the MAC address of connecting systems to detect receipt of an ARP that does not resolve properly.
- Physical access to the network should also be controlled by disabling unused ports on network switches and hubs and using port security to limit who can connect to the enabled ports.
- Packet filters inspect packets as they are transmitted across a network. Packet filters are useful in ARP spoofing prevention because they are capable of filtering out and blocking packets with conflicting source address information (packets from outside the network that show source addresses from inside the network and vice-versa).
- There are many programs available that help organizations detect ARP spoofing attacks. These programs work by inspecting and certifying data before it is transmitted and blocking data that appears to be spoofed.
- Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols bolster ARP spoofing attack prevention by encrypting data prior to transmission and authenticating data when it is received.
Did you find this tutorial helpful? Don’t forget to share your views with us.