ARP spoofing (or ARP poisoning) is a type of attack that exploits vulnerabilities in the Address Resolution Protocol (ARP), which is used to determine the MAC addresses (physical network addresses) of devices by their IP addresses. Victims are sent ARP packets that map the IP addresses of devices on the network to the attackers’ own or other devices’ MAC addresses. This allows the attackers to intercept, modify or redirect any data subsequently sent from the victim’s device.
How the ARP protocol works
To exchange data, devices on a network need to know not only the IP address, but also the MAC address of the recipient. ARP provides two basic ways of determining the MAC address of a device whose IP address is known: by searching the local ARP cache for a mapping entry, or by broadcasting an ARP request that all devices on the network receive. In response to this request, the device with the required IP sends an ARP packet specifying its MAC address. The mapping between the IP address and this MAC address is then cached on the sending device.
In some cases, an ARP response is sent without a request to all devices on the network. Known as gratuitous ARP, this mechanism is used, for example, to notify that the IP or MAC address of a device has changed, or that a new device has joined the network.
ARP spoofing mechanism
There is no authentication in the ARP protocol, so any device on the network can send an ARP packet mapping an IP address to a certain MAC address, and destination devices will accept this information as true. Attackers can exploit this quirk to carry out the following types of attacks:
- Man-in-the-middle(MitM). Attackers assign their MAC address to the IP address of a legitimate device on the network (such as a network gateway) by sending a spoofed gratuitous ARP packet or a spoofed response to an ARP request. Victim devices that have cached the falsified data start sending network packets to the attackers’ device. As a result, the attackers can view and modify the contents of these packets, discard them or redirect them to the intended recipient. MitM attacks can be carried out for espionage, malware distribution or other purposes.
- Denial of Service (DoS). Attackers can overload a device by sending ARP packets mapping multiple IP addresses to its MAC address.
ARP entries are cached for a short period of time, ranging from several minutes on user devices to several hours on routers. Therefore, ARP spoofing has a short-term effect, and normal traffic flow is restored soon after an attack ends. However, ARP spoofing may be just one link in the chain of a multi-stage attack.
How to prevent ARP spoofing
There are various technologies and methods that can be used defend against ARP spoofing. They include:
- Static ARP tables. Assigning and manually updating fixed mappings between IP and MAC addresses can be laborious, but worth it to protect critical subnets, for example.
- Dynamic ARP inspection (DAI). DAI automatically validates ARP packets and drops any that look suspicious. This functionality is available on most managed switches used in local area networks.
- Network segmentation. ARP packets can be sent only within the local network. If this network is divided into multiple subnets (for example, in VLANs), ARP packets will be sent only within one of these subnets. The smaller the segments, the harder it is for attackers to carry out an ARP spoofing attack, since they require access to the target device inside the subnet. Besides, such an attack would make less sense in a segmented network.