ARP Poisoning

Image by Ulrike Leone from Pixabay

Image by Ulrike Leone from Pixabay

ARP is an integral part of IPv4 networking and is the protocol that helps networked devices such as phones, laptops, workstations, and servers to communicate with each other. APR is used to find what network card is associated with what IP address. ARP is used to find out where to send a packet that is destined for a specific IP address on the local network. Because ARP is based on trust it can be exploited.

In this article, I will try to explain how ARP poisoning works, why it's so evil, and how you can mitigate ARP poisoning using Cisco switches.


Address Resolution Protocol - Review

To fully understand how ARP poisoning works, you first need to have a pretty detailed understanding of how ARP works.

When a host on the network wants to communicate to a host on the local network it will look inside its ARP table for a MAC address associated with the IP address it wants to send a packet to. If it finds a MAC address the IP packet will be encapsulated inside an ethernet frame and sent to that MAC address over the local network.

If the IP address is not found on the network it will send out an ARP request as a broadcast on the entire network. The switch will receive the broadcast frame from and flood it out on all its interfaces except the one it came in. Every host on the network will look at the ARP request. If the IP address does not match its own it will discard the ARP request. If the IP address in the ARP request matches the IP address of the host that receives the broadcast frame that host will respond with an ARP reply back to the host that originally sent the ARP request using a unicast frame.

When the first host receives the ARP response it will update its ARP table and use the learned MAC address to encapsulate the IP packet it wanted to send inside an ethernet frame and send it to the correct host.

If a MAC address has not been used in a while it will be removed from that ARP table. So in IPv4 networks, ARP messages are common.

In addition to sending an ARP reply as a response to an ARP request, it's possible to send ARP responses without the initial ARP request. This is called an unsolicited ARP response. It can be sent as both a unicast to a single host or as a broadcast to the entire network. This will update the ARP table on the reviving host in the same way as with the typical request/response scenario.

Denial of Service

How to kill a network

ARP can be used to cause mayhem by simply announcing to the network that what they previously knew to be the MAC address for the default gateway is now a MAC address that does not exist. By sending this as a broadcast that every device on the network will listen to, every host on the network will update its ARP table and from that moment try to send packets that are meant to go out on the internet to a MAC address that does not exist.

Because the MAC address does not exist the hosts will continue to try to reach the MAC address causing the switch to be overloaded. This will in turn make the switch very slow. To sum it up ARP poisoning is a very efficient denial of service attack.

ARP poisoning is so deadly that it can take down an entire network. It's a very efficient way to prevent anyone from accessing the network. For a typical business, this would mean that employees cannot do their work simply because they depend on networked resources such as local servers, printers, and services on the internet to complete their tasks.

Man in the middle

How to read all the traffic on a network

ARP poisoning can be used in a man-in-the-middle (MiM) attack in a similar way as the DoS variant of ARP poisoning.

To make it work the attacker has to send a gracious (unrequested) ARP update to the victim's computer that it has the MAC address of the default gateway. The default gateway has to receive a gracious ARP update saying that the attacker's MAC address is that of the victim host.

By doing so the attacker can intercept all the traffic from the victim host that is destined for the internet. In addition, all traffic returning from the internet destined to the victim will also be sent to the attacker. When the attacker receives the packages it will make a copy of them for later inspection and then forward it to the real destination. This way the victim host will never realize that they were intercepted by a man in the middle.

Using tools like Ethercat makes the job of using ARP poisoning in a man-in-the-middle attack trivial on unsecured networks.

Please note that performing man-in-the-middle attacks or denial-of-service attacks are illegal to perform unless given permission of both the network owner and the victim.

Using tools and techniques like this without permission will put you in legal trouble.

Link-layer Mitigation

How to prevent ARP poisoning on the network

Cisco and other managed switches have two features that can help against ARP poisoning attacks. One is called DHCP snooping, another is called Dynamic ARP Inspection (DIA).

DHCP snooping is used on a switch to prevent a rogue DHCP server from leasing IP addresses out to the hosts on the network causing problems. DHCP snooping defines a trusted interface that is allowed to lease out IP addresses and send what is considered DHCP server messages. If there are any DHCP server messages coming in on untrusted interfaces on the switch, it will discard those frames. Trunk ports and ports that are connected to a DHCP server should be configured as trusted interfaces.

In the example below we start by enabling DHCP snooping globally on the switch. Since the DHCP server is running on a firewall that is connected to interface g0/1. That interface is configured to be trusted. All other interfaces are by default untrusted by the DHCP snooping service.

configure terminal
ip dhcp snooping
interface g0/1
ip dhcp snooping trust

By adding Dynamic ARP inspection to the same switch, it's possible to look at what IP addresses were leased out by the DHCP server to a host on the network and have an overview of what interface that host was connected to.

When there is a mismatch between the MAC address in an ARP advertisement and the registered interface the MAC address is associated with the switch will stop the ARP advertisement from being sent out on the network. Dynamic ARP Inspection will prevent gracious (unrequested) ARP responses and broadcasts by dropping the frames. This will effectively stop the ARP poisoning attack from happening.

In the example below Dynamic ARP inspection is enabled globally on the switch. Just like with DHCP snooping we have to define that the interface that the DHCP server is connected to is trusted by the Dynamic ARP Inspection service.

configure terminal
ip arp inspection
interface g0/1
ip arp inspection trust

By applying both DHCP snooping and Dynamic ARP Inspection, you prevent ARP poisoning from being possible on all devices attached to the switch.

Data-layer Mitigation

Encryption is king

Modern applications use encryption to prevent man-in-the-middle attacks from having any real impact. By encrypting the data that is transmitted over the network an attacker cannot read the data that is captured. Thus making the attack functional on the technical level, but not on the practical level.

Today it's rare to find web pages that do not use HTTPS to encrypt the data sent between the web server and the web client. Most other communication protocols also make use of data encryption. So in reality, if you don't have a managed switch that you can provide DHCP snooping and Dynamic ARP Inspection you are pretty safe from typical man-in-the-middle attacks.