ARP Poisoning

Chamal Weerasinghe
4 min readMay 19, 2021

--

Photo by Rei Yamazaki on Unsplash

“Learn to see. Realize that everything connects to everything else.”- Leonardo DaVinci

What is ARP (Address Resolution Protocol)?

ARP is a protocol that enables the devices within a network to find the appropriate device to that the other device wants to communicate.

This is how it happens. In a LAN (Local Area Network) there are multiple devices connected to the same gateway. in this LAN if a node wants to send something or initiate the communication it has to find where is the node with specific IP wants to send data or if a node wants to connect to the internet through contacting the default gateway first it has to find the address of that device, for this first it will check in the ARP Cache or it broadcast a message through the network requesting who has the specific IP.

ARP Request (Image from IPCisco)

And the appropriate node will send back a unicast reply of its MAC address confirming it is the node that looking for.

ARP Response (Image from IPCisco)

After that request is fulfilled it does not need to send a request again. it is stored in the ARP cache. ARP cache can be viewed using arp -a in command line interface/terminal (This command is compatible in both Windows & Linux)

Viewing ARP Cache

What is ARP Poisoning?

The ARP protocol was not designed for security, so it cannot verify that the actual response that claiming the ownership of the node is coming from an authorized and actual nodes. It also lets hosts accept ARP responses even if they never sent out a request this is a drawback of the ARP protocol, using this weakness hackers can do ARP Poisoning and ARP Spoofing attacks.

In ARP Spoofing attacker inspect the requests and the attacker sends his MAC address instead of the original MAC address requesting to the requesting node. due to the ARP protocol’s nature, it records the attacker's MAC address in the ARP cache and starts sending traffic to that node.

After a successful Spoofing Attack attacker can modify the entire APR Cache with MAC address as expected, this is called ARP Poisoning, which leads to entire traffic in the hand of the hacker. There are few types of attacks that hackers tend to do using ARP poisoning, one of them is the Man in the Middle Attack (MiTM).

Man in the Middle Attack (MitM)

Using ARP spoofing and ARP poisoning, an attacker can act as a middle man in the communication traffic without the actual sender or receiver doesn’t know that the information sending or receiving through another third party.

Man in the Middle Attack (Image from Network Academy)

So, Won’t encrypting cannot solve this issue? 🤔.
The encryptions happen when the sender and receiver exchange their public keys with each other, but in MitM, the attacker resides in the middle of the communication. the attacker can send his public key as the legitimate key without knowing by both parties. so instead of actual keys for encrypting the information. both ends use the attacker's key.

How to Avoid ARP-based Attacks?

Using Proper VPN - VPN establishes the secure tunnel between the two ends which makes it unable to do ARP-related attacks. But the VPN using for communication should be a trusted one.

Using a firewall - Firewall comes with the packet filtering ability which can exclude the traffic from an untrusted source. the firewall will stop any untrusted source from reaching the device.

Using Tools to Monitor Traffic - Tools like “arpwatch” and “Wireshark” provide the capability of monitoring each ongoing and outgoing traffics from the network including the changes of the IP and MAC addresses.

Using WireShark to Monitor LAN Traffic

Using Static ARP - ARP can be added permanently into the ARP cache within the network including mapping between IP and MAC.

--

--