ARP spoofing

From Wikipedia, the free encyclopedia

This article does not cite any references or sources. Please help improve this article by adding citations to reliable sources. Unverifiable material may be challenged and removed. (February 2009)

A typical Ethernet frame. A spoofed frame could have false source MAC addresses to trick devices on the network.

Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that actually make use of ARP and not another method of address resolution.

The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

ARP spoofing attacks can be run from a compromised host, or a hacker's machine that is connected directly onto the target Ethernet segment.

[edit] Application

ARP is a Layer 2 protocol. ARP request is considered broadcast traffic, while legitimate ARP Replies are not. As such, it is not designed to allow for any ID validation on the transaction. While ARP spoofing can occur in the course of ARP transactions, creating a race condition, the more common utilization is the distribution of unsolicited ARP responses which are cached by the clients creating the ARP cache poison scenario.

[edit] Defenses

An open source solution is ArpON "Arp handler inspectiON". It is a portable ARP handler which detects and blocks all ARP poisoning and spoofing attacks with static ARP inspection (SARPI) and dynamic ARP inspection (DARPI) approach on switched or hubbed LANs with or without DHCP.

Another method, such as DHCP snooping, can be utilised on larger networks. Via DHCP, the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, ProCurve, Extreme Networks, Dlink and Allied Telesis.

Detection is another avenue for defending against ARP spoofing. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. Under Windows the GUI-driven software XArp v2 is available. It performs ARP packet inspection on a per network interface basis with configurable inspection filters and active verification modules. anti-arpspoof creates static ARP entries in the client and default gateway cache, and cleans poisoned dynamic entries.

Checking for the existence of MAC address cloning may also provide a clue as to the presence of ARP spoofing, though there are legitimate uses of MAC address cloning. Reverse ARP (RARP) is a protocol used to query the IP address(es) associated to one MAC address. If more than one IP address is returned, MAC cloning is present.

A simple defense that only works for simple ARP spoofing attacks is the use of static IP-MAC mappings. However, this only prevents simple attacks and does not scale on a large network as the mapping has to be set for each pair of machines, resulting in n*n ARP caches that have to be configured.

[edit] Legitimate usage

ARP spoofing can also be used for legitimate reasons. For instance, network registration tools may redirect unregistered hosts to a signup page before allowing them full access to the network.

Another legitimate implementation of ARP spoofing is used in hotels to allow traveling laptop users to access the Internet from their room, using a device known as a head end processor (HEP), regardless of their IP address.

ARP spoofing can also be used to implement redundancy of network services. A backup server may use ARP spoofing to take over a defective server and transparently offer redundancy.

[edit] ARP spoofing tools

Arpspoof (part of the DSniff suite of tools), Arpoison, Cain and Abel, and Ettercap are some of the tools that can be used to carry out ARP poisoning attacks.

[edit] See also

• Ethernet
• Ettercap
• Netcat
• arping
• Arpwatch
• arptables

[edit] External links

• free anti-arpspoof
• ArpON home page
• Quick Detect ARP Poisoning/Spoofing Live Demo
• Introduction to APR (Arp Poison Routing) by MAO
• ARPDefender - Hardware ARP Spoofing detection appliance
• GRC's Arp Poisoning Explanation
• XArp2 ARP spoofing detection tool performing packet inspection using active and passive methods
• AntiARP - Professional defence ARP spoof/poison/attack
• arptables, and ARP poisoning

• ARP spoofing animation