What is ARP poisoning?

How ARP poisoning works

ARP has existed since 1982 and was not designed with modern cybersecurity needs in mind. For instance, ARP does not authenticate handshakes between network devices. This flaw allows attackers to mimic legitimate devices via a technique known as ARP poisoning or ARP spoofing.

In ARP poisoning attacks, third-party devices intercept connection requests and respond on behalf of the intended recipient. Because ARP does not authenticate connections, the original device accepts the response as legitimate and sends data to the attacker's address.

Let's look at the process in more detail. An ARP attack of this type usually plays out in three stages:

• Victim selection. Threat actors seek network endpoints that receive valuable data or allow them to inflict damage. For instance, routers are common targets because they control larger subnets. Disrupting a single router can take down work locations or websites.
• Launching the attack. ARP attackers choose suitable tools for each task and then send ARP connection requests to the targeted device or await connection requests from network nodes. Attackers respond to requests, and the target enters their IP address into the network address table. The target's corrupted ARP cache now sees the attacker's device as legitimate.
• Diverting and weaponizing network traffic. Corrupting the ARP cache on their target allows attackers to pose as a legitimate device and manipulate network traffic. They must now decide what to do with the rerouted traffic. Attackers could monitor data transfers, modify the data in transit, or permanently divert it to an external server under their control.

The process above applies to man-in-the-middle style ARP attacks, but there are other varieties. Attackers can also use ARP spoofing to launch denial-of-service (DoS) attacks by sending large quantities of ARP messages.

ARP spoofing also enables session hijacking. As with man-in-the-middle attacks, attackers use ARP messages to place themselves between legitimate network devices. Instead of diverting data, the attacker extracts a cookie or TCP sequence from the target's network traffic. This lets them hijack active web sessions.

What are the consequences of ARP poisoning?

The immediate effects of ARP poisoning attacks affect network traffic flows. Attackers divert network traffic to destinations of their choosing. This process can have many indirect consequences and harmful outcomes.

Network users often experience few direct consequences. ARP cache poisoning attacks rarely have long-term negative effects on network health. ARP table timeouts normally delete spoofed IP addresses, restoring ordinary traffic flows.

Network performance and access may suffer if attackers divert large volumes of ARP packets to dummy locations or launch DoS attacks via ARP cache poisoning. More serious effects occur when attackers use stolen data for malicious purposes.

In that case, an ARP spoofing attack can lead to data breaches, reputational damage, and compliance penalties. ARP poisoning attacks can extract intellectual property for use by competitors or enable secondary phishing and ransomware attacks.

Note: Criminals rarely use ARP poisoning on its own. Attackers combine relatively primitive ARP protocol attack techniques with DNS cache poisoning, credential extraction tools, scripts to hijack session cookies, and packet injection tools. Together, these tools represent a powerful arsenal for network attacks.

ARP poisoning attacks examples

ARP poisoning does not hit the headlines, but the technique often plays a critical role in damaging cyber-attacks. Real-world examples of attacks involving ARP cache poisoning attacks include:

• LuminousMoth. This Chinese attack group employs ARP spoofing during adversary-in-the-middle attacks (AitM). LuminousMoth successfully used ARP spoofing to divert traffic from government entities across Southeast Asia.
• Cleaver. Iranian attack group Cleaver also uses ARP poisoning attacks via custom-built tools. Cleaver uses ARP spoofing attack methods in conjunction with credential extraction tools and fake LinkedIn profiles during phishing campaigns.
• Ettercap. Ettercap is a popular off-the-shelf tool for launching ARP protocol attacks that automates MAC address responses via a simple GUI. Provided the attacker knows the IP address of the target machine, they can use Ettercap to intercept communications, run DoS attacks, and even modify data in transit.

How to detect ARP poisoning

Although ARP itself possesses few defensive features, targets can detect ARP cache poisoning before attacks reach a critical stage. There are two main ways to detect ARP spoofing:

Using the command prompt

Windows users open the command prompt and type "arp -a", while Linux users can issue the same command via Terminal. This command generates the ARP table, including active IP and MAC address data. If the table shows two IP addresses with the same MAC address, an ARP spoofing attack is likely underway.

Packet filtering tools

Packet detection tools like arpwatch analyze ARP packets to detect forensic signs of cache poisoning. For example, tools may detect excessive ARP responses without matching requests (the main way attackers start ARP attacks). Tools also check MAC address data for anomalies (for instance, one MAC address responding to many IP addresses).

How to prevent ARP poisoning attacks

In cybersecurity, prevention is better than a cure. Organizations should implement strategies to prevent ARP poisoning before attackers strike.

Remember that ARP attacks have low overhead. Attackers will head elsewhere when they encounter effective defenses. Here are some tips to deter them from launching attacks:

• Use host-based prevention tools. Install tools like arpwatch on critical servers and workstations. Configure tools to deliver alerts after suspicious IP or MAC address table changes.
• Apply switch security. Enable Dynamic ARP Inspection (DAI) and DHCP snooping on critical network switches. ARP inspection checks traffic in real-time and drops packets deemed potentially malicious. DHCP snooping builds reliable IP-MAC binding tables over managed switches and blocks untrusted ARP connections.
• Check your port security. Insecure ports can open the door for ARP attackers. Configure ports to enable single MAC addresses on each switch port. This blocks MAC floods characteristic of cache poisoning attacks.
• Install advanced malware protection. Attackers rely on malware to extract data during an ARP spoofing attack. Implement robust endpoint detection and response tools, and use updated antimalware tools to remove potential threats.
• Use network segmentation. Network segmentation limits malicious actors' ability to broadcast malicious ARP responses, thereby reducing the impact of spoofing. Segmenting networks logically cuts the risk of data interception and escalation to damaging DoS attacks.
• Consider using static ARP entries. Static tables match MAC addresses to consistent IP addresses. This effectively blocks ARP poisoning attacks but adds to the admin burden, as network changes require address table updates. Even so, static IP tables are advisable when securing sensitive data that changes relatively infrequently.

Strengthen network security to block ARP spoofing attacks

ARP spoofing exploits weaknesses in the ARP protocol used to connect network MAC addresses and IP addresses. Spoofers can launch man-in-the-middle attacks, flood networks with DoS traffic, and extract data for malicious purposes.

Specialist tools and commands help detect ARP spoofing, but prevention is preferable. Strengthen security around network switches and ports. Guard against malware, use static tables where necessary, and implement segmentation to limit the scope of attacks.