Measured Insurance Partners with Canopius and Long-time Backer SCOR to Expand Critical Cyber Insurance Solutions

What Is ARP Spoofing? (And How To Prevent An Attack)

what_is_ARP_spoofing_hero_image
Measured Staff
November 1, 2022
|Share this article:

Address Resolution Protocol (ARP) spoofing, also referred to as ARP cache poisoning or ARP poison routing, refers to an invasive attack in the form of sending spoofed or malicious ARP messages or packets routed over a local area network (LAN).

The primary aim of ARP spoofing is to disrupt or stop network traffic. This move is aimed at intensifying further attacks like denial-of-service (DOS) or session hijacking. Attackers move in stealth mode, so their IP address is hidden, and they can freely ambush your devices. 

ARP attacks try to swerve the traffic from where it’s supposed to go and reroute it towards the attacker instead. ARP poisoning works by interlacing the Media Access Control (MAC) address of the attacker with that of the target’s IP address. Interestingly, this will only work against specific networks that employ ARP.

ARP was designed and built in the 1980s to streamline network connections without having devices connected individually. Unfortunately, while it can enable fast and convenient connections between two machines, it leaves your data vulnerable to several threats.

Understanding Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) are IPv4 addresses that are generally used to determine the link-layer address associated with an internet layer address for a device. As IPv4 remains the most widely used IP, ARP would usually be the middle man in between the IPv4 addresses and MAC addresses. 

The connection between a particular MAC address and its Internet Protocol (IP) address is stored in an ARP cache. When a packet goes to a LAN host onto the gateway, the gateway enables ARP to recognize the physical host or MAC address with its specific IP address.

The host will then look into its ARP cache. Once it has found the associated address, the address will be used to convert the packet format and length. However, if it can’t find the right address, ARP will have to connect with other machines within the LAN in the form of a request packet to ask around if the machines know the right address.

Once a machine replies with the correct address, the ARP cache is also updated with that data which will be helpful for the subsequent requests that come from the same source.

How ARP Spoofing Works

The ARP protocol lacks security, making it susceptible to LAN attacks. ARP spoofing happens when malicious ARP packets are sent to a gateway in the LAN. Attackers usually enable spoofing tools such as Arppoison or Arpspoof, making the attack a no-brainer.

All they have to do is to quickly set up the IP address of the spoofing tool so it matches the target’s IP address. Then, the tool will scan the target local area network to retrieve information on the MAC and IP addresses of the hosts.

Once they have the host address, the attack begins. A spoofing attack, commonly used in phishing, is another cyber attack that happens when the attacker disguises itself as a legitimate machine or user to facilitate an attack against a specific network.

Spoofing attacks are extremely slow to detect. It takes an average of 146 days for an attack to be caught, and by that time, attackers already have their hands on critical data.

What happens here is that the fraudulent ARP packets or messages will tell the recipient that the attacker’s MAC address should be allowed to connect to the IP address of the target machine.

This will hereinafter result in the recipient updating the ARP cache with the new information or the address of the attacker. Consequently, when the recipient and the target communicate in the future, the messages will now be rerouted to the attacker.

The attacker will now be in the middle of the communication and can wreak havoc on the system. Inevitably, the attacker also has the power to change the messages before it is sent to the target. In fact, the attacker can also abort the entire communication.

More so, the attackers can also use this data for facilitating future attacks, such as session hijacking or denial-of-service.

  • Session Hijacking – With ARP spoofing in place, session IDs can be stolen, which can be used to bypass or hack into accounts and systems. Once they have bypassed the system, they can now attack their targets.
  • Denial-of-Service – This type of attack works by connecting a number of individual IP addresses to the target’s MAC address. The goal is to overload the target leading to a disruption of service.

How To Prevent an ARP Spoofing Attack

Here are some tips on how you can prevent an ARP spoofing attack.

Use a VPN

Using Virtual Private Networks (VPNs) to fight off ARP spoofing attacks is applicable for individuals. However, it may not work for large organizations because you will have to set up VPN connections on every device or server. 

Instead of connecting to an Internet Service Provider (ISP) to access the internet, you use an encrypted tunnel with a VPN that blocks all your online activities from hackers. 

Both your data and online activity are securely encrypted. If you are constantly traveling and using public WiFi hotspots to access the internet, then a VPN can help secure your system. 

The only downside is that it can slow down your internet connection due to the increased encrypting and decrypting processing going on.

Use a Static ARP

Using a static ARP can create an added layer of protection that can safeguard your system from spoofing. 

This is especially helpful if you have two hosts or devices that communicate regularly with one another. With a static ARP, this builds a permanent entry directly into your ARP cache.  

Steer Clear of IP Trust Relationships

A lot of systems rely on IP trust relationships to connect automatically to trusted devices, allowing the fast and seamless sharing of information. This is especially dangerous if devices only rely on IP addresses to verify user identity because it’s easier to spoof your ARP and hack your system.

One way to bypass IP trust relationships is to set up logins and passwords that will help validate users and keep track of people in your organization who are accessing your systems.

Set Up Encryption Protocols

Setting up HTTPS and SSH protocols can help decrease ARP spoofing attacks. With encrypted traffic, attackers must use more sophisticated methods to trick the browser into accepting an illegitimate certificate.

Use Packet Filters

The packet filters help analyze and block forged packets as well as suspicious IP addresses. Packet filters can also help detect if the packet is disguised as coming from an internal network when it, in fact, comes from an external network.

Simplify and Secure Your System Today

One of the best ways to prevent and counter-attack ARP spoofing is to equip yourself with the right tools and knowledge to protect your system from successful and extremely dangerous ARP spoofing. Using a combination, or mix of these prevention methods can help simplify the complexity of ARP spoofing and keep it at bay.