1. ARP Poisoning Attack
ARP (Address Resolution Protocol) poisoning is a type of attack where an attacker sends
falsified ARP messages over a local network, associating their MAC address with the IP
address of another device (often the gateway). This allows the attacker to intercept, modify, or
stop network traffic—commonly used for Man-In-The-Middle (MITM) attacks.
Steps to Detect ARP Poisoning Attacks
Step 1: Understand Normal ARP Behavior
● ARP maps IP addresses to MAC addresses.
● Under normal conditions, each IP corresponds to a unique MAC address, and this
mapping doesn’t frequently change.
● Network devices cache ARP entries for a period.
Step 2: Monitor ARP Tables
● Continuously monitor ARP cache entries on hosts and network devices.
● Look for multiple IP addresses mapping to the same MAC address or vice versa.
● Sudden changes or frequent updates to ARP mappings can be suspicious.
Step 3: Analyze Network Traffic for Anomalies
● Capture ARP packets using packet analyzers (e.g., Wireshark, tcpdump).
● Identify ARP replies sent without a preceding request (unsolicited replies, including
“gratuitous ARP”). Hosts legitimately send gratuitous ARP when an address is assigned or
changes, so it is a burst of such replies, or one that overwrites an existing mapping, that
merits investigation.
● Detect ARP replies that map multiple IP addresses to a single MAC address (or MAC
address changes for a single IP).
Step 4: Use Intrusion Detection Systems (IDS)
● Deploy IDS solutions with ARP poisoning signatures, such as:
○ Snort with ARP spoofing rules.
○ Arpwatch for monitoring ARP changes.
● IDS can alert administrators of suspicious ARP activity.
Step 5: Correlate Host Behavior
● Check for signs of disrupted network connectivity or degraded performance, which may
indicate interception.
● Analyze logs from switches for MAC address flapping or inconsistent forwarding.
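The following is an added example, not part of the original notes or of any tool named above: a small Python ARP monitor that implements the checks from Steps 2 and 3 on raw Ethernet/ARP frames. The frames, MAC addresses and IP addresses are constructed inline (no live capture), and the anomaly names (`unsolicited_reply`, `gratuitous_arp`, `mac_changed`, `mac_claims_multiple_ips`) are this example's own labels.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a minimal Ethernet+ARP frame; used only to construct sample traffic."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else tmac
    eth = dst + smac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)       # Ethernet/IPv4, 6/4 byte addresses
           + smac + bytes(int(o) for o in sender_ip.split("."))
           + tmac + bytes(int(o) for o in target_ip.split(".")))
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[22:42]   # sha(6) spa(4) tha(6) tpa(4)
    return opcode, mac_str(a[0:6]), ip_str(a[6:10]), mac_str(a[10:16]), ip_str(a[16:20])


class ArpMonitor:
    """Learn IP<->MAC mappings from ARP traffic and flag the anomalies from Steps 2 and 3."""

    def __init__(self):
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.pending = set()   # (requester_ip, requested_ip) pairs awaiting a reply
        self.alerts = []       # (kind, subject, detail)

    def feed(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return             # not ARP; ignore
        opcode, smac, sip, tmac, tip = parsed
        if opcode == ARP_REQUEST:
            self.pending.add((sip, tip))
        elif opcode == ARP_REPLY:
            # A legitimate reply answers a request that tip sent for sip.
            if (tip, sip) in self.pending:
                self.pending.discard((tip, sip))
            elif sip == tip:
                self.alerts.append(("gratuitous_arp", sip, smac))
            else:
                self.alerts.append(("unsolicited_reply", sip, smac))
        else:
            return
        self._learn(sip, smac)  # requests and replies both carry the sender's mapping

    def _learn(self, ip: str, mac: str) -> None:
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("mac_changed", ip, f"{old} -> {mac}"))
            self.mac_to_ips[old].discard(ip)
        self.ip_to_mac[ip] = mac
        before = len(self.mac_to_ips[mac])
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > max(before, 1):   # alert once per newly claimed IP
            self.alerts.append(("mac_claims_multiple_ips", mac, sorted(self.mac_to_ips[mac])))


def run_demo():
    """Constructed traffic: one normal exchange, then unsolicited replies rewriting both mappings."""
    gw_mac, gw_ip = "aa:aa:aa:aa:aa:01", "192.0.2.1"
    host_mac, host_ip = "aa:aa:aa:aa:aa:10", "192.0.2.10"
    spoof_mac = "cc:cc:cc:cc:cc:cc"
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip),  # who-has gateway?
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip),                  # genuine answer
        build_arp(ARP_REPLY, spoof_mac, gw_ip, host_mac, host_ip),               # gateway "moves" to cc:..
        build_arp(ARP_REPLY, spoof_mac, host_ip, gw_mac, gw_ip),                 # host "moves" to cc:..
    ]
    mon = ArpMonitor()
    for f in frames:
        mon.feed(f)
    return mon.alerts


if __name__ == "__main__":
    for kind, subject, detail in run_demo():
        print(f"{kind:25s} {subject:20s} {detail}")
```

Two caveats when turning this into a real monitor: the `pending` set should age out entries (a reply seconds later is still legitimate, but a request from days ago is not), and a single MAC answering for several IPs is normal for routers, proxy ARP and first-hop redundancy protocols, so that check belongs on an allowlist rather than a hard alert.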
Common Detection Methods
Detection Method | Description | Tools/Techniques
Static ARP Table Verification | Use fixed ARP entries for critical devices to avoid changes | Manual configuration on hosts/routers
ARP Cache Monitoring | Track ARP cache changes and raise alerts on suspicious entries | Scripts, Arpwatch, custom monitoring tools
Packet Sniffing & Analysis | Capture and inspect ARP packets for abnormal patterns | Wireshark, tcpdump
IDS/IPS with ARP Detection Rules | Use network security tools to detect ARP spoofing signatures | Snort, Suricata, OSSEC
MAC Address Consistency Checks | Detect MAC addresses associated with multiple IPs | Network monitoring tools, switch logs
Network Segmentation & Isolation | Limit ARP broadcast domains to reduce attack surface | VLANs, subnetting
Countermeasures Against ARP Poisoning
1. Static ARP Entries
● Manually configure static ARP entries on critical systems like servers and gateways.
● This prevents ARP spoofing by disabling dynamic ARP resolution for these IP-MAC
mappings.
● Limitation: Not scalable for large networks.
2. Dynamic ARP Inspection (DAI)
● Supported on many managed switches.
● Switches validate ARP packets against a trusted database (e.g., DHCP snooping
bindings).
● Invalid ARP packets are dropped, preventing spoofing.
● Requires network infrastructure that supports DAI.
3. Use of Secure Protocols
● Implement end-to-end encryption (TLS, IPsec) so that communication stays protected even if a
MITM is attempted.
● Reduces the impact of ARP poisoning on confidentiality and integrity: an interposed attacker
can still drop or delay traffic, but cannot read or silently alter it.
4. Network Segmentation
● Segment networks using VLANs to limit broadcast domains.
● Smaller broadcast domains reduce the potential scope of ARP poisoning.
5. Host-Based Detection Tools
● Use endpoint security solutions that detect ARP spoofing attempts locally.
● Some OS and security software can alert users or block suspicious ARP activity.
6. Regular Network Monitoring
● Continuously monitor ARP tables and network traffic.
● Automated alerts help respond quickly to suspicious behavior.
7. Switch Port Security
● Limit the number of MAC addresses per switch port.
● Bind MAC addresses to specific ports to prevent attackers from sending spoofed
packets from unauthorized ports.