An ARP Attack Prevention & Security Primer: How ARP Spoofing & ARP Poisoning Differ
ARP attack prevention is an important part of your cybersecurity plan; ARP spoofing and ARP poisoning serve as a conduit to facilitate other attacks. If you have read some of our other blog posts on penetration testing, you may have noticed that a number of different attacks, like SMB relaying or credential sniffing, can only be conducted if we can first elicit a connection from our target(s). These types of attacks were once known as “Man-in-the-Middle” (or MitM) attacks, though a more general term like “Machine-in-the-Middle” is more appropriate.
How do ARP Spoofing & ARP Poisoning Differ?
We’ve written other blog posts that describe how we elicit these connections to perform MitM attacks using IPv6 poisoning and broadcast query poisoning with protocols like Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBNS), and Multicast Domain Name System (mDNS).
Another technique for achieving a MitM position is the combination ARP spoofing and ARP poisoning. These terms aren’t quite synonymous and are often both employed when conducting ARP attacks. ARP spoofing is an attack technique where crafted messages are sent to systems on the local network in order to impersonate an existing host and direct traffic to the attacking host. ARP poisoning occurs when ARP caches are modified. ARP spoofing leads to ARP poisoning as the spoofed messages are accepted and incorporated into the ARP cache of the target host.
What is ARP?
ARP was developed in the early 1980s and is defined in RFC 826. The acronym “ARP” stands for Address Resolution Protocol. ARP operates at layer 2 (the data link layer) of the OSI model. The data link layer bridges the gap between the physical layer (i.e., network cables or 802.11 wireless) and the more commonly understood network layer (IPv4, IPv6, ICMP, etc.). ARP is responsible for mapping layer 2 addresses with layer 3 addresses, the most common resolution being Media Access Control (MAC) addresses to Internet Protocol (IP) addresses. Layer 2 devices, such as switches, store this mapping in “ARP caches” that the switch then uses to direct traffic bound for a specific IP address to the correct switch port.
Security was not a primary concern when ARP was developed, which means it has some well-known and highly exploitable vulnerabilities. For example, ARP has no authentication mechanism, no way to validate a host’s identity, and no way to check the authenticity of an ARP message. This is one of the reasons it is important to have an ARP attack detection and prevention strategy.
The vulnerabilities in ARP can be exploited through cache poisoning attacks in which unsolicited ARP replies are sent to hosts on the network. It is important to note that with ARP, replies are authoritative. This means that the replies are accepted, and the ARP cache is updated regardless of whether an ARP request preceded the reply. The crafted ARP reply maps the IP address of a target system to the MAC address of the attacking host. The target system is usually a high value system on the local network or the network gateway address. If a target system is specified, any legitimate traffic destined for that system will be directed to the attacking host. However, if the network gateway is specified instead, all the traffic except for the traffic destined for the LAN will be directed through the attacking host, which usually then forwards the traffic to the legitimate network gateway. This allows the attacker to capture the host’s unencrypted communications and facilitates additional MitM attacks.
Alternatively, ARP replies can be used to conduct Denial-of-Service (DoS) attacks on local networks. These DoS attacks can be performed either by configuring the ARP replies with invalid mappings so that the traffic gets dropped, or by directing the traffic to the attacker’s system where it is dropped and not forwarded along to the network gateway.
Value in ARP Poisoning
From a penetration tester’s perspective, ARP poisoning can be very effective. Personally, I’ve had great success collecting credentials via MitM attacks with Ettercap (which is my tool of choice when it comes to ARP poisoning) through passively eavesdropping (“sniffing”) on poisoned hosts’ network traffic looking for credentials. Despite the increased use of encryption, we still frequently see unencrypted protocols in use on LANs.
ARP Attack Prevention and Detection
How does the saying go, “an ounce of prevention is worth avoiding a possible security incident”? Well, something like that anyway…
Purpose-built tools exist to combat ARP attacks, but some simple mitigating controls can go a long way too. Let’s look at some other ARP attack prevention strategies. First, let’s consider the two possible results of ARP poisoning, DoS and MitM. Like DNS, static entries can be configured, which will be treated as authoritative and will prevent the system from sending ARP requests for that specific mapping since it will already be known. Further, all network traffic should be encrypted using strong end-to-end encryption. Encryption is meant to ensure the confidentiality and integrity of data and strong encryption mechanisms will help to limit the effectiveness of a MitM attack. Controlling LAN access is another prevention technique and tools like Network Access Control (NAC) or simple port security using MAC filtering can prove effective. Outside of purpose-built tools, these are the more effective ARP attack prevention strategies.
Detecting ARP spoofing and ARP poisoning attacks can be difficult. Monitoring and alerting on network traffic are probably not the most effective means of detection as false positives may be overwhelming. Monitoring the ARP caches and alerting on duplicate MAC entries may be more effective, although some false positives are likely with this as well, particularly in DHCP network segments. We don’t recommend relying solely on these methods for ARP attack prevention.
We hope this information has been helpful. Please contact us if you need help with technical testing, advisory or compliance services, incident response or training!