Open In App

How to Avoid ARP Poisoning?

Improve
Improve
Like Article
Like
Save
Share
Report

Many cyber-attacks take place by exploiting the weaknesses in the network. ARP poisoning is also one such cyber-attack. It exploits the Address Resolution Protocol (ARP) to attack network traffic. Before we go in-depth to understand the concept of ARP poisoning, let us first understand the ARP protocol. 

ARP Protocol:

In earlier days of computer networking, Address Resolution Protocol (ARP) was used extensively as it supported the layered approach. In the layered approach, different layers worked independently of each other.  

ARP translates between MAC addresses and IP addresses. MAC addresses are present at the data link layer and IP addresses are present at the network layer. This way, networked devices can know the other device to which the current IP address is currently assigned. This mapping can also be made public to the rest of the network. Further, to maintain efficiency, devices cache all the responses to keep a list of MAC-IP mappings at a present moment.  

ARP Poisoning:

As mentioned previously, this attack exploits the weaknesses present in the ARP protocol to corrupt the mappings that are present over the network. ARP protocol was introduced in 1982 and security was not a concern at that time. Thus, there were no authentication mechanisms devised to validate ARP messages. This way, even malicious devices can answer an ARP request. This is a major loophole in ARP protocol as it leaves a huge space for malicious users to poison the caches of other devices. If this happens, then the ARP cache would be filled with incorrect entries. 

General steps involved in ARP Poisoning Attack:

The steps of an ARP Poisoning attack can change but generally, it has the following steps:

  1. Selection of Victim: First and foremost, a target is selected. It can be a single machine or a group of machines depending on the intention of the attack. Moreover, an attacker may choose a single endpoint or a group of endpoints over the network. However, the most attractive target is a router as this may disrupt the entire network.
  2. Launching of tools and initiation of attack: To conduct an ARP poisoning attack, there is a wide variety of tools that we can use. After choosing a specific tool, the settings are configured and the attacker is all set to start the attack. An attacker may choose to broadcast ARP messages or wait for a request.
  3. Meddling with the traffic: After corrupting the machines in the network, the attacker can perform any kind of malicious activity. They can change, inspect, or permanently block the data from going to its destination.

Various ARP Poisoning Attacks:

These are the few main types of ARP poisoning attacks:

  1. Man-in-the-Middle Attack: Also abbreviated as MiTM, it is an attack where a third person comes into the picture disguised as an authentic party. It is a very dangerous attack where the middle man can send false data to other devices over the network. Moreover, this leads to the victim machine being populated with an ARP cache of MAC addresses of the device of attack and not that of the MAC address of the local router. The machines that have been attacked will then incorrectly forward the traffic to the attacker.
  2. Denial of Services Attack: Also abbreviated as DoS, it is an attack that aims at denying access to the network to the victims. When ARP comes into the picture, then the attacker can falsely map thousands of IP addresses to a single MAC. This is also called ARP flooding and it impacts the performance of the entire network.
  3. Session Hijacking: These are a bit similar to the Man-in-the-Middle attacks. The only difference which exists is that the attacker does not forward traffic maliciously. Rather, he takes over the genuine TCP sequence number to take the identity of the victim.

Prevention of ARP Poisoning Attacks:

Following are the five ways of avoiding ARP Poisoning attacks:

Prevention of ARP Poisoning Attacks

Prevention of ARP Poisoning Attacks

1. Static ARP Tables: Half of the problem will be solved if we can be sure of the correct mapping of MAC addresses to IP addresses. This can be done but it is heavy on the part of the administration. ARP tables keep a record of all the mappings and any network change is updated in these tables manually. Now, manually updating ARP tables for all hosts is not feasible for organizations. 

2. Switch Security: Most Ethernet switches have features that can help mitigate ARP Poisoning attacks. These features are also known as Dynamic ARP Inspection(DAI) and help in validating the ARP messages and drop packets that show any kind of malicious activity. This also allows one to limit the rate at which ARP messages can pass through the switch. 

DAI and other such features are now not only available on high-end networking gear but also on all business-grade switches. Usually, DAI is enabled on all ports but the ones connected to other switches. Port security on a switch helps in reducing ARP Cache Poisoning attacks. While using port security, there is no chance that an attacker may take multiple identities over the network. This is because, using port security, a single MAC address can be configured on a switch port. 

3. Physical Security: A very simple way to mitigate ARP Poisoning attacks is to control the physical space of your business. Routing of ARP messages takes place only within a local network. Thus, probable attackers are in physical proximity to the network of the victim. Also, in the case of wireless systems, an attacker might be present in a street or a parking lot. The use of technologies like 802.1x can help in removing any threats to the devices and the network. 

4. Network Isolation: Since ARP messages don’t have a scope greater than the local subnet, a well-segmented network is better than a normal network. This way, even if the attack occurs, a part of the network will only be affected and the other parts will be safe. Attack in one subnet does not impact the devices in any other subnet. Thus, important resources can be placed in a dedicated segment with high security.

5. Encryption: Encryption does not help in preventing ARP Poisoning, however, it does help in mitigating the damage that might occur in case of attacks. As in the case of MiTM attacks, login credentials are stolen from the network. However, with technologies like SSL and TLS, data in the encrypted form might get stolen but it can be read by the attacker, rendering it of no use to the attacker. 


Last Updated : 10 Mar, 2022
Like Article
Save Article
Previous
Next
Share your thoughts in the comments
Similar Reads