ARP spoofing

In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

A successful ARP spoofing (poisoning) attack allows an attacker to alter routing on a network, effectively allowing for a man-in-the-middle attack.

ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks.[1]

The attack can only be used on networks that use ARP, and requires attacker have direct access to the local network segment to be attacked.[2]

ARP vulnerabilities

The Address Resolution Protocol (ARP) is a widely used communications protocol for resolving Internet layer addresses into link layer addresses.

When an Internet Protocol (IP) datagram is sent from one host to another in a local area network, the destination IP address must be resolved to a MAC address for transmission via the data link layer.[2] When another host's IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply that contains the MAC address for that IP.[2]

ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether network hosts requested them. Even ARP entries that have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. This behavior is the vulnerability that allows ARP spoofing to occur.[1][2]

Anatomy of an ARP spoofing attack

The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.

Defenses

Static ARP entries

The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. IP address-to-MAC address mappings in the local ARP cache may be statically entered. Hosts don't need to transmit ARP requests where such entries exist.[3] While static entries provide some security against spoofing, they result in maintenance efforts as address mappings for all systems in the network must be generated and distributed. This does not scale on a large network since the mapping has to be set for each pair of machines resulting in n²-n ARP entries that have to be configured when n machines are present; On each machine there must be an ARP entry for every other machine on the network; n-1 ARP entries on each of the n machines.

ARP spoofing detection and prevention software

Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via email when an ARP entry changes.[4]

AntiARP[5] also provides Windows-based spoofing prevention at the kernel level. ArpStar is a Linux module for kernel 2.6 and Linksys routers that drops invalid packets that violate mapping, and contains an option to repoison/heal.

Some virtualized environment such as KVM also provides security mechanism to prevent MAC spoofing between guest running on the same host.[6]

Additionally some ethernet adapters provides MAC and VLAN anti-spoofing features.[7]

OpenBSD watches passively for hosts impersonating the local host and notifies in case of any attempt to overwrite a permanent entry[8]

OS security

Operating systems react differently. Linux ignores unsolicited replies, but, on the other hand, uses responses to requests from other machines to update its cache. Solaris accepts updates on entries only after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, ArpRetryCount.[9]

Legitimate usage

The techniques that are used in ARP spoofing can also be used to implement redundancy of network services. For example, some software allows a backup server to issue a gratuitous ARP request in order to take over for a defective server and transparently offer redundancy.[10] [11] There are two companies known to-date that have tried to commercialize products centered around this strategy, Disney Circle[12] and CUJO. The latter has recently run into significant problems with its ARP-spoofing strategy in consumer's homes; they have now completely removed that capability and replaced it with a DHCP-based strategy.

ARP spoofing is often used by developers to debug IP traffic between two hosts when a switch is in use: if host A and host B are communicating through an Ethernet switch, their traffic would normally be invisible to a third monitoring host M. The developer configures A to have M's MAC address for B, and B to have M's MAC address for A; and also configures M to forward packets. M can now monitor the traffic, exactly as in a man-in-the-middle attack.

Tools

Defense

Name	OS	GUI	Free	Protection	Per interface	Active/passive	Notes
Agnitum Outpost Firewall	Windows	Yes	No	Yes	No	passive
AntiARP	Windows	Yes	No	Yes	No	active+passive
Antidote[13]	Linux	No	Yes	No	?	passive	Linux daemon, monitors mappings, unusually large number of ARP packets.
Arp_Antidote[14]	Linux	No	Yes	No	?	passive	Linux Kernel Patch for 2.4.18 – 2.4.20, watches mappings, can define action to take when.
Arpalert	Linux	No	Yes	No	Yes	passive	Predefined list of allowed MAC addresses, alert if MAC that is not in list.
ArpON	Linux	No	Yes	Yes	Yes	active+passive	Portable handler daemon for securing ARP against spoofing, cache poisoning or poison routing attacks in static, dynamic and hybrid networks.
ArpGuard	Mac	Yes	No	Yes	Yes	active+passive
ArpStar	Linux	No	Yes	Yes	?	passive
Arpwatch	Linux	No	Yes	No	Yes	passive	Keep mappings of IP-MAC pairs, report changes via Syslog, Email.
ArpwatchNG	Linux	No	Yes	No	No	passive	Keep mappings of IP-MAC pairs, report changes via Syslog, Email.
Colasoft Capsa	Windows	Yes	No	No	Yes	no detection, only analysis with manual inspection
cSploit[15]	Android (rooted only)	Yes	Yes	No	Yes	passive
Prelude IDS	?	?	?	?	?	?	ArpSpoof plugin, basic checks on addresses.
Panda Security	Windows	?	?	Yes	?	Active	Performs basic checks on addresses
remarp	Linux	No	Yes	No	No	passive
Snort	Windows/Linux	No	Yes	No	Yes	passive	Snort preprocessor Arpspoof, performs basic checks on addresses
Winarpwatch	Windows	No	Yes	No	No	passive	Keep mappings of IP-MAC pairs, report changes via Syslog, Email.
XArp[16]	Windows, Linux	Yes	Yes (+pro version)	Yes (Linux, pro)	Yes	active + passive	Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.
Seconfig XP	Windows 2000/XP/2003 only	Yes	Yes	Yes	No	only activates protection built-in some versions of Windows
zANTI	Android (rooted only)	Yes	Yes	No	?	passive
NetSec Framework	Linux	No	Yes	No	No	active
anti-arpspoof[17]	Windows	Yes	Yes	?	?	?
DefendARP:[18]	?	?	?	?	?	?	A host-based ARP table monitoring and defense tool designed for use when connecting to public wifi. DefendARP detects ARP poisoning attacks, corrects the poisoned entry, and identifies the MAC and IP address of the attacker.
NetCutDefender:[19]	Windows	?	?	?	?	?	GUI for Windows that can protect from ARP attacks

Spoofing

Some of the tools that can be used to carry out ARP spoofing attacks:

Arpspoof (part of the DSniff suite of tools)
Arpoison
Subterfuge[20]
Ettercap
Seringe[21]
ARP-FILLUP -V0.1[22]
arp-sk -v0.0.15[22]
ARPOc -v1.13[22]
arpalert -v0.3.2[22]
arping -v2.04[22]
arpmitm -v0.2[22]
arpoison -v0.5[22]
ArpSpyX -v1.1[22]
ArpToXin -v 1.0[22]
Cain and Abel -v 4.3
cSploit -v 1.6.2[15]
SwitchSniffer[22]
APE – ARP Poisoning Engine[23]
Simsang[24]
zANTI -v2
NetSec Framework -v1
Minary[25]
NetCut[26] (Also has a defense feature)
ARPpySHEAR[27]

References

Ramachandran, Vivek & Nandi, Sukumar (2005). "Detecting ARP Spoofing: An Active Technique". In Jajodia, Suchil & Mazumdar, Chandan (eds.). Information systems security: first international conference, ICISS 2005, Kolkata, India, December 19–21, 2005 : proceedings. Birkhauser. p. 239. ISBN 978-3-540-30706-8.
Lockhart, Andrew (2007). Network security hacks. O'Reilly. p. 184. ISBN 978-0-596-52763-1.
Lockhart, Andrew (2007). Network security hacks. O'Reilly. p. 186. ISBN 978-0-596-52763-1.
"(PDF) A Security Approach to Prevent ARP Poisoning and Defensive tools". ResearchGate. Retrieved 2019-03-22.
AntiARP Archived June 6, 2011, at the Wayback Machine
https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/
https://downloadmirror.intel.com/26556/eng/README.txt
https://man.openbsd.org/arp.4
Address Resolution Protocol
"OpenBSD manpage for CARP (4)"., retrieved 2018-02-04
Simon Horman. "Ultra Monkey: IP Address Takeover"., retrieved 2013-01-04
"Circle with Disney Locks Down Kids Devices from Afar"., retrieved 2016-10-12
Antidote
Arp_Antidote
"cSploit". tux_mind. Retrieved 2015-10-17.
XArp
anti-arpspoof Archived August 31, 2008, at the Wayback Machine
Defense Scripts | ARP Poisoning
http://www.arcai.com/netcut-defender/
"Subterfuge Project". Retrieved 2013-11-18.
"Seringe – Statically Compiled ARP Poisoning Tool". Retrieved 2011-05-03.
"ARP Vulnerabilities: The Complete Documentation". l0T3K. Archived from the original on 2011-03-05. Retrieved 2011-05-03.
"ARP cache poisoning tool for Windows". Archived from the original on July 9, 2012. Retrieved 2012-07-13.
"Simsang". Archived from the original on 2016-03-04. Retrieved 2013-08-25.
"Minary". Retrieved 2018-01-10.
"NetCut".
"ARPpySHEAR: An ARP cache poisoning tool to be used in MITM attacks". Retrieved 2019-11-11.

External links

Steve Gibson (2005-12-11). "ARP Cache Poisoning". GRC.
Stephanie Reigns (2014-10-07). "Clearing your ARP cache on Linux". Coders Eye. Retrieved 2018-03-05.

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.

[Ramachandran-2005-p239-1] Ramachandran, Vivek & Nandi, Sukumar (2005). "Detecting ARP Spoofing: An Active Technique". In Jajodia, Suchil & Mazumdar, Chandan (eds.). Information systems security: first international conference, ICISS 2005, Kolkata, India, December 19–21, 2005 : proceedings. Birkhauser. p. 239. ISBN 978-3-540-30706-8.

[Lockhart-2007-p184-2] Lockhart, Andrew (2007). Network security hacks. O'Reilly. p. 184. ISBN 978-0-596-52763-1.

[Lockhart-2007-p186-3] Lockhart, Andrew (2007). Network security hacks. O'Reilly. p. 186. ISBN 978-0-596-52763-1.

[4] "(PDF) A Security Approach to Prevent ARP Poisoning and Defensive tools". ResearchGate. Retrieved 2019-03-22.

[5] AntiARP Archived June 6, 2011, at the Wayback Machine

[6] ttps://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/

[7] ttps://downloadmirror.intel.com/26556/eng/README.txt

[8] ttps://man.openbsd.org/arp.4

[9] Address Resolution Protocol

[10] "OpenBSD manpage for CARP (4)"., retrieved 2018-02-04

[11] Simon Horman. "Ultra Monkey: IP Address Takeover"., retrieved 2013-01-04

[12] "Circle with Disney Locks Down Kids Devices from Afar"., retrieved 2016-10-12

[13] Antidote

[14] Arp_Antidote

[csploit-15] "cSploit". tux_mind. Retrieved 2015-10-17.

[XArp-16] XArp

[17] ti-arpspoof Archived August 31, 2008, at the Wayback Machine

[18] Defense Scripts | ARP Poisoning

[19] ttp://www.arcai.com/netcut-defender/

[20] "Subterfuge Project". Retrieved 2013-11-18.

[21] "Seringe – Statically Compiled ARP Poisoning Tool". Retrieved 2011-05-03.

[l0t3k-22] "ARP Vulnerabilities: The Complete Documentation". l0T3K. Archived from the original on 2011-03-05. Retrieved 2011-05-03.

[23] "ARP cache poisoning tool for Windows". Archived from the original on July 9, 2012. Retrieved 2012-07-13.

[24] "Simsang". Archived from the original on 2016-03-04. Retrieved 2013-08-25.

[25] "Minary". Retrieved 2018-01-10.

[26] "NetCut".

[27] "ARPpySHEAR: An ARP cache poisoning tool to be used in MITM attacks". Retrieved 2019-11-11.