Firewalls, proxy servers, demilitarized zones (DMZ): companies are increasingly deploying measures like these to protect their private networks from the dangers of the internet. But not all attacks come from the outside. The weakest link in the chain of network security is the local area network (LAN). An attacker who is already inside the network has countless ways to view data traffic and manipulate it at will. Internal attackers exploit a weakness of the Address Resolution Protocol (ARP), which IPv4-based Ethernet networks use to resolve IP addresses to MAC addresses. Because ARP has no authentication whatsoever, it presents a real security problem for administrators.

ARP entries can easily be manipulated using falsified data packets. This is referred to as ARP spoofing, a man-in-the-middle attack that lets an attacker insert themselves unnoticed between two communicating systems. Here we show how address resolution via ARP can be deliberately manipulated and suggest possible countermeasures.

Definition: ARP spoofing

ARP spoofing (also known as ARP poisoning) describes man-in-the-middle attacks on the ARP tables of hosts in a local network. The attacker sends forged ARP packets so that the traffic between two communicating systems is routed through the attacker's machine unnoticed, where it can be read or manipulated.

ARP: Addressing in the LAN

Unlike traffic on the internet, frames in a LAN are not delivered by IP address. Instead, local IPv4 networks use the physical hardware address of the network card for addressing. These MAC addresses (Media Access Control) are 48-bit numbers that identify each device in the LAN via its network interface.

                Example of a MAC address: 00-80-41-ae-fd-7e

MAC addresses are assigned by the respective hardware manufacturers and are intended to be unique worldwide. In theory, these hardware addresses would be suitable for global addressing. In practice this doesn't work, because a MAC address is a flat identifier with no relation to the network's topology: there is nothing in it that routers could aggregate or route on. In networks based on IPv4, address resolution via ARP is therefore unavoidable.

If Computer A wants to contact Computer B within the same network, it must first determine the MAC address that belongs to B's IP address. This is done with the Address Resolution Protocol (ARP), a network protocol that operates on a simple request/response scheme.

To find the appropriate MAC address, Computer A sends a broadcast request (ARP request) to all devices on the network. This request contains the following information:

A computer with the MAC address xx-xx-xx-xx-xx-xx and the IP address yyy.yyy.yyy.yyy would like to get in contact with the computer with the IP address zzz.zzz.zzz.zzz and requires the corresponding MAC address.

The ARP request is received by all computers in the LAN. To avoid sending an ARP request before every single data packet, every computer in the network maintains a local table, the ARP cache, in which known MAC addresses are temporarily stored along with their matching IP addresses.

All computers on the segment therefore see the broadcast request, and they may note the sender's IP/MAC mapping that it carries. An answer to the broadcast request is only expected from Computer B. Its ARP reply contains the following information:

This is the system with the IP address zzz.zzz.zzz.zzz. The requested MAC address is aa-aa-aa-aa-aa-aa.

Once this ARP reply reaches Computer A, it has all the information required to send data packets to Computer B, and nothing now stands in the way of communication over the local network.

But what if the reply doesn't come from the intended computer, but from another device controlled by an internal attacker? This is where ARP spoofing comes into play.

What is ARP spoofing?

ARP has no authentication: a host accepts whatever reply it receives for an IP address it asked about and stores it without any verification. The first reply to arrive is stored, and later replies can overwrite it. In ARP spoofing, the attacker answers an ARP request in place of (or in competition with) the real target computer, sending a reply packet with incorrect information that manipulates the ARP table of the requesting computer. This is referred to as ARP poisoning, or 'contamination' of the ARP cache. As a rule, these forged replies contain the MAC address of a network device controlled by the attacker. The targeted system then links the requested IP address to the wrong hardware address and sends all subsequent data packets to the attacker-controlled system, which can now record or manipulate the entire data traffic.

To remain undetected, the intercepted traffic is usually forwarded on to the actual target system; the attacker has then become a man in the middle. If the intercepted data packets are not forwarded but discarded, ARP spoofing results in a denial of service (DoS). ARP spoofing works in both LAN and WLAN environments. Even the encryption of wireless networks via Wi-Fi Protected Access (WPA) offers no protection, since WPA only encrypts the radio link: every device in a local IPv4 network still has to resolve MAC addresses, and that can only be done via ARP.

One well-known tool that waits specifically for broadcast requests and answers them with fake ARP replies is Cain&Abel. But to 'contaminate' the ARP cache of a network device, an attacker doesn't necessarily need to wait for ARP requests. Another strategy is to continually bombard the network with forged ARP replies. Many systems ignore reply packets for addresses that aren't already in their cache and weren't requested, but that changes as soon as a computer in the LAN issues an ARP request (or already holds an entry for the address) and is therefore willing to accept a reply. Depending on timing, either the response of the genuine system or one of the fake replies arrives at the requester first, and because the attacker keeps sending, the forged mapping is installed and refreshed sooner or later. This attack pattern can be automated with programmes such as Ettercap.
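The request/reply exchange described above and the poisoning of the cache can be made concrete in a few lines of Python. The following is an added example, not code from the original article or from any of the tools it names: it builds and parses raw Ethernet/ARP frames in the RFC 826 layout and models a host's ARP cache as a dictionary with no authentication, where a reply for a requested or already cached IP is stored and a later reply overwrites the earlier one (a simplification; real stacks add entry timeouts and, in some cases, a short lock period after an update). All addresses are constructed for the walk-through. It only builds bytes in memory and never sends anything on the wire, so it runs offline without privileges.

```python
import struct
from ipaddress import IPv4Address

# Field values from RFC 826 (ARP) and the Ethernet framing around it
ETH_P_ARP = 0x0806              # EtherType that marks an ARP payload
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"  # target MAC of a request: "I don't know it yet"


def mac_to_bytes(mac: str) -> bytes:
    """'00-80-41-ae-fd-7e' or '00:80:41:ae:fd:7e' -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """14-byte Ethernet header + 28-byte ARP packet. A request is broadcast to
    everyone on the segment; a reply is unicast back to the asking host."""
    dst_mac = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; ValueError for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol type")
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": str(IPv4Address(frame[28:32])),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": str(IPv4Address(frame[38:42])),
    }


class ArpCache:
    """Toy model of one host's ARP cache. As in real stacks there is no
    authentication: a reply addressed to us for an IP we asked about (or already
    hold) is stored as-is, and a later reply overwrites the earlier entry."""

    def __init__(self, own_ip: str, own_mac: str):
        self.own_ip, self.own_mac = own_ip, own_mac
        self.table = {}        # ip -> mac
        self.pending = set()   # ips we have asked about and await a reply for

    def request(self, ip: str) -> bytes:
        """Return the broadcast 'who has <ip>?' frame and remember that we asked."""
        self.pending.add(ip)
        return build_arp_frame(ARP_REQUEST, self.own_mac, self.own_ip, ZERO_MAC, ip)

    def receive(self, frame: bytes) -> bool:
        """Process an incoming frame; True if it updated the cache."""
        p = parse_arp_frame(frame)
        if p["op"] != ARP_REPLY or p["target_ip"] != self.own_ip:
            return False
        ip = p["sender_ip"]
        if ip not in self.pending and ip not in self.table:
            return False       # unsolicited reply for an unknown IP: ignored
        self.table[ip] = p["sender_mac"]   # whoever answered last now "is" this IP
        self.pending.discard(ip)
        return True


# Constructed addresses for the walk-through (not from a real network)
A_IP, A_MAC = "192.168.1.10", "00:80:41:ae:fd:7e"   # Computer A, the requester
B_IP, B_MAC = "192.168.1.20", "00:80:41:aa:aa:aa"   # Computer B, the real target
ATTACKER_MAC = "00:80:41:ee:ee:ee"                   # the attacker's network card


def poisoning_walkthrough() -> dict:
    """A asks for B; B answers; the attacker answers too and wins the entry."""
    a = ArpCache(A_IP, A_MAC)
    a.request(B_IP)
    a.receive(build_arp_frame(ARP_REPLY, B_MAC, B_IP, A_MAC, A_IP))         # genuine reply
    before = a.table[B_IP]
    a.receive(build_arp_frame(ARP_REPLY, ATTACKER_MAC, B_IP, A_MAC, A_IP))  # forged reply
    return {"before": before, "after": a.table[B_IP]}


if __name__ == "__main__":
    print(poisoning_walkthrough())
```

Running the walk-through shows the entry for B flipping from B's MAC to the attacker's; from that moment every frame A addresses to B's IP leaves A's network card with the attacker's MAC as destination. Note that the model only ignores a reply for an IP that was neither requested nor cached, which is why the flooding strategy described above works: once the victim holds any entry for the gateway, a stream of forged replies keeps overwriting it.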

ARP attack software at a glance

Programmes for ARP spoofing are usually presented as security tools and are available for free online. Administrators can use them to test their own networks and guard against common attack patterns. The best-known are ARP0c/WCI, Arpoison, Cain&Abel, Dsniff, Ettercap, FaceNiff, and NetCut.

  • ARP0c/WCI: According to its provider, ARP0c/WCI is a tool that uses ARP spoofing to intercept connections in a private network. To do this, the software sends forged ARP replies that redirect traffic to the system running ARP0c/WCI. An integrated bridging engine forwards the intercepted data to the actual target system; packets that aren't destined for the local segment are forwarded by ARP0c/WCI to the appropriate router, so the man-in-the-middle attack generally goes unnoticed. The programme is available for both Linux and Windows and can be downloaded free of charge from the provider's website.
  • Arpoison: The command line tool Arpoison generates user-defined ARP packets in which the user sets the sender and target addresses freely. Arpoison can be used for network analysis but serves equally well as attack software. The tool is free and released under the GNU General Public License.
  • Cain&Abel: Cain&Abel, originally developed as a password recovery tool for Windows, makes it possible to sniff network traffic and recover passwords from it. Since version 2.5 the software has also included ARP poisoning functions for intercepting IP traffic in switched LANs, and with its built-in man-in-the-middle modules even SSH and HTTPS connections are no hurdle (see 'ARP spoofing and encryption' below for what the victim gets to see in that case). For analysing WLAN traffic, the programme has supported the AirPcap adapter since version 4.0, which enables passive reading of wireless data traffic. Attacks against WPA-secured wireless networks have been possible since version 4.9.1.
  • Dsniff: Dsniff is a collection of programmes for network analysis and penetration testing: with dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy it's possible to spy on networks and intercept files, emails, or passwords. arpspoof, dnsspoof, and macof make traffic accessible that is normally invisible in switched networks, and man-in-the-middle attacks on SSH and SSL/TLS secured connections can be carried out with sshmitm and webmitm.
  • Ettercap: The user-friendly ARP spoofing tool Ettercap is primarily used for man-in-the-middle attacks. The software supports various Linux distributions as well as Mac OS X (Snow Leopard and Lion); a Windows installation is possible but requires additional configuration. Besides the command-line interface, an ncurses front-end and a GTK2 graphical user interface are available. Actions such as sniffing, ARP attacks, and password collection can be automated. Ettercap can manipulate intercepted data and attack connections secured via SSH or SSL. The programme is officially offered as security software and is used in product testing.
  • FaceNiff: The Android app FaceNiff allows users to read session cookies in WLAN networks and take over the associated sessions. It has been used to hijack Facebook, Amazon, or Twitter accounts, and it doesn't matter whether the wireless network is open or encrypted with WEP, WPA-PSK, or WPA2-PSK. What it cannot do is hijack sessions on networks that use EAP (Extensible Authentication Protocol, i.e. WPA/WPA2 Enterprise), and it cannot read cookies that are only ever transmitted over SSL/TLS. The app works along the same lines as the Firefox extension Firesheep and runs on smartphones in combination with the standard browser already installed.
  • NetCut: With the network management software NetCut, administrators can manage their network on the basis of ARP. The tool detects all devices connected to the network and displays their MAC addresses. A single click on one of the listed addresses is enough to disconnect that device from the network. NetCut is therefore well suited to DoS attacks, provided the attacker is on the same network as the victim; man-in-the-middle attacks cannot be carried out with this software.

ARP spoofing and encryption

If an attacker succeeds in inserting themselves between two communication partners, they have free rein over every unprotected connection. Because all traffic of the hijacked connection runs through the attacker's system, they can read and manipulate the data at will. Encryption combined with certificate-based authentication can protect against this data espionage: if the attacker only sees properly encrypted and authenticated data, the worst case is limited to a denial of service from discarded packets. But for that, reliable encryption has to be implemented consistently, on every connection that matters.

Numerous tools that can be used for man-in-the-middle attacks provide ARP spoofing functions as well as client and server implementations of SSL/TLS, SSH, and other encryption protocols. These can present imitation certificates and establish separate encrypted connections to both sides. Cain&Abel, for example, simulates an SSL-capable web server that presents an untrustworthy SSL certificate to the victim system. Admittedly, users are warned in this case, but such warnings are often ignored or misinterpreted, so training on network security should also cover the responsible handling of digital certificates.

Counter-measures

Since ARP spoofing exploits the Address Resolution Protocol itself, all IPv4 networks are prone to attacks of this kind. The introduction of IPv6 didn't solve this core problem either. The new IP standard does away with ARP and instead handles address resolution in the LAN via the Neighbor Discovery Protocol (NDP), which is just as vulnerable to spoofing. The gap could be closed with the Secure Neighbor Discovery (SEND) protocol, but it isn't supported by many desktop operating systems.

Some protection against manipulation of ARP caches is offered by static ARP entries, which can be set on Windows, for example, with the command line programme arp and the command arp -s (on Linux, ip neigh with nud permanent does the same). A static entry is not overwritten by incoming ARP replies. But since entries of this type have to be made manually, and on every host that is to be protected, this method is generally restricted to the most important systems in the network, such as the default gateway.

A further measure against the abuse of ARP is to divide the network into segments using Layer 3 switches. Broadcast requests then only reach the systems in the same network segment, and ARP traffic between segments passes through the switch, where it can be checked. A switch that works on the network layer (Layer 3) can compare the IP address against the MAC address and against earlier entries; if there are discrepancies or frequent reassignments, the switch raises an alarm. Many managed switches also offer Dynamic ARP Inspection (DAI), which validates every ARP packet against the bindings learned through DHCP snooping and drops those that don't match. But the required hardware is quite expensive, and administrators have to gauge whether the boost in security justifies the financial expense. The considerably cheaper Layer 2 switches that work on the data link layer are not adequate: although they register a change of MAC address on a port, the assignment of that MAC address to an IP address remains invisible to them.

Numerous software manufacturers offer monitoring programmes that supervise networks and detect suspicious ARP activity. Well-known tools are the open-source software Arpwatch, as well as ARP-Guard and XArp. In addition, intrusion detection systems such as Snort can be used to monitor address resolution via ARP.

  • Arpwatch: The open-source tool Arpwatch continuously records all ARP activity on the local IPv4 network it is attached to. Every inbound ARP packet is taken along with its address information and stored in a database of IP/MAC pairings. If an older entry doesn't match the data currently seen, the programme sends an email warning to the administrator (reporting, for example, a 'changed ethernet address', or a 'flip flop' when an IP address keeps switching between two MAC addresses). The procedure is effective but best suited to networks with static IP addresses: if LAN IPs are distributed dynamically by a DHCP server, every reassignment of an address to another host changes the IP/MAC mapping and produces a false alarm.
  • ARP-Guard: ARP-Guard from the company ISL also monitors the internal network and relies on two different sensor types. The LAN sensor works similarly to Arpwatch, analysing inbound ARP packets and raising an alarm on discrepancies. The software's sensor management architecture also includes an SNMP sensor, which uses the Simple Network Management Protocol (SNMP) to query the devices connected to the LAN and read out their ARP tables. In this way, ARP attacks are not only detected and localised but can be warded off; the integrated address management also lets administrators detect unwanted devices and block them from accessing the network.
  • XArp: XArp relies on both active and passive modules to protect a network from ARP spoofing. The passive modules analyse the ARP packets seen on the network and compare the address assignments they carry with earlier entries; if discrepancies are noticed, the programme raises an alarm. The detection is based on statistical analysis and checks the traffic against various patterns which, according to the developers, indicate ARP attacks; the sensitivity of this filter can be adjusted in steps. The active modules send packets of their own into the network in order to validate the ARP tables of reachable devices and fill them with valid entries.
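An added example (not part of the original article or of any of the tools listed) of the passive monitoring logic these tools share: a Python class that tracks the IP-to-MAC binding seen in ARP replies and classifies changes. It distinguishes a binding that changed after the old owner had been quiet for longer than a DHCP lease (the false-alarm case described under Arpwatch) from a conflict while the old owner was still active, and from an address that flip-flops between two MACs, which is what a victim and an attacker both answering for the same IP looks like on the wire. The observations and the 3600-second rebind window are constructed for the example; in practice they would come from a packet capture (for instance the sender fields decoded from ARP frames) and from the lease time of the DHCP server.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ArpAlert:
    kind: str              # "new-station", "changed", "conflict" or "flip-flop"
    ip: str
    old_mac: Optional[str]
    new_mac: str
    ts: float


def norm_mac(mac: str) -> str:
    """Normalise '00-80-41-AE-FD-7E' and '00:80:41:ae:fd:7e' to one spelling."""
    return mac.lower().replace("-", ":")


class ArpMonitor:
    """Passive IP->MAC tracker in the spirit of arpwatch.

    rebind_after: seconds the old owner must have been silent before a change
    of MAC is treated as a plausible DHCP reassignment rather than a conflict.
    Use your DHCP lease time here; 3600 s is an assumed value for the example.
    """

    def __init__(self, rebind_after: float = 3600.0):
        self.rebind_after = rebind_after
        self.current = {}    # ip -> (mac, last_seen)
        self.previous = {}   # ip -> mac the address was bound to before the last change

    def observe(self, ip: str, mac: str, ts: float) -> Optional[ArpAlert]:
        """Feed the sender IP/MAC of one ARP packet; return an alert or None."""
        mac = norm_mac(mac)
        if ip not in self.current:
            self.current[ip] = (mac, ts)
            return ArpAlert("new-station", ip, None, mac, ts)
        old_mac, last_seen = self.current[ip]
        if mac == old_mac:
            self.current[ip] = (mac, ts)   # same binding, just refresh the timestamp
            return None
        recently_active = ts - last_seen < self.rebind_after
        if recently_active and mac == self.previous.get(ip):
            kind = "flip-flop"   # bouncing between two MACs: two hosts keep answering for one IP
        elif recently_active:
            kind = "conflict"    # the old owner answered moments ago, yet another MAC claims the IP
        else:
            kind = "changed"     # old binding went quiet: most likely a lease reassignment
        self.previous[ip] = old_mac
        self.current[ip] = (mac, ts)
        return ArpAlert(kind, ip, old_mac, mac, ts)


# Constructed observations: (timestamp, sender IP, sender MAC) as they would be
# extracted from ARP replies in a capture. Not from a real network.
SAMPLE_OBSERVATIONS = [
    (0.0,    "192.168.1.1",  "00:80:41:01:01:01"),  # default gateway appears
    (1.0,    "192.168.1.20", "00:80:41:aa:aa:aa"),  # host B appears
    (30.0,   "192.168.1.20", "00:80:41:aa:aa:aa"),  # B again, nothing new
    (31.0,   "192.168.1.1",  "00:80:41:ee:ee:ee"),  # another MAC claims the gateway IP
    (32.0,   "192.168.1.1",  "00:80:41:01:01:01"),  # the real gateway still answers
    (33.0,   "192.168.1.1",  "00:80:41:ee:ee:ee"),  # ... and so does the impostor
    (7200.0, "192.168.1.20", "00:80:41:bb:bb:bb"),  # B's IP reused two hours later
]


def run_monitor(observations=SAMPLE_OBSERVATIONS, rebind_after: float = 3600.0) -> list:
    """Replay the observations through a fresh monitor and collect the alerts."""
    mon = ArpMonitor(rebind_after)
    alerts = []
    for ts, ip, mac in observations:
        alert = mon.observe(ip, mac, ts)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_monitor():
        print(f"{a.ts:8.1f}  {a.kind:12s} {a.ip:15s} {a.old_mac} -> {a.new_mac}")
```

On the sample data the gateway address produces a conflict followed by two flip-flops, which is the signature worth paging someone for, while the reuse of B's address two hours later is reported only as a low-severity change. Setting rebind_after too low turns real conflicts into 'changed' events, and setting it too high turns ordinary lease churn into conflicts, which is exactly the trade-off the Arpwatch caveat above describes.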

The intrusion detection system (IDS) Snort also has an integrated arpspoof preprocessor that monitors ARP traffic in the network and checks it against a manually compiled list of IP/MAC pairs (the arpspoof_detect_host entries in the Snort configuration). But this is comparatively laborious.

More importantly, an IDS is mostly deployed at the transition to external networks. Whether to use one inside the LAN must be decided on an individual basis, and occasionally such measures are opposed by the works council: an administrator who monitors the network via IDS has visibility into all traffic and so can also monitor all activities of the company's employees. As a result, the capability is available but often not wanted.
