
ARP spoofing (ARP spoofing, ARP poisoning): what it is
24.02.2025

Ruslan Rakhmetov, Security Vision

To carry out successful cyberattacks, attackers constantly refine their tactics, techniques and procedures, develop malware and search for new vulnerabilities. However, some modern attacks rely on insecure network protocols that were designed decades ago, when network security was not even a consideration. One typical example is ARP, whose design allows an attacker to perform an ARP spoofing attack, the first stage of more serious MitM attacks that intercept credentials and tamper with traffic even in the largest corporate networks. ARP spoofing is the subject of this article.

To understand what an ARP spoofing attack is, we first need to explain how the ARP protocol works. ARP (Address Resolution Protocol) is a link-layer protocol described in RFC 826 in 1982 by David C. Plummer of the Massachusetts Institute of Technology. ARP resolves the MAC address of a device from a known IP address within a single broadcast domain, i.e. a single subnet. In practice such a subnet is a group of devices connected to one network switch or router, which gives them access to the Internet through a gateway. To transmit data within a subnet it is not enough for the sending device to know the IP address of the receiver: it also needs the receiver's MAC address, and obtaining a host's MAC address from its IP address is exactly what ARP is for. The protocol was designed over 40 years ago, when the presence of malicious devices on a network seemed like science fiction and was not part of any threat model, so it has the following architectural features and weaknesses:

1. ARP is stateless: a host accepts ARP messages it never asked for, so an attacker can send them to a victim unilaterally.

2. ARP neither encrypts nor signs its messages, so an attacker can read intercepted ARP messages and forge new ones.

3. ARP has no message authentication; there is no reliable way to identify which device actually sent an ARP message.

4. Each device builds and caches (temporarily stores) an ARP table, a mapping of IP addresses to MAC addresses, from the ARP messages it receives, including spoofed ones, and forwards traffic within the subnet according to that table.

5. The specification allows sending and accepting unsolicited ARP messages, the so-called Gratuitous ARP announcements.

All of these features, and especially the last one, allow an attacker to carry out an ARP spoofing attack, also called ARP cache poisoning (ARP poisoning). Let us see how such an attack is carried out.

(Illustration: ARP-spoofing.png)

First of all, we should understand how the ARP protocol works under normal conditions, without malicious influence of the attacker:

1. Suppose user A wants to send a message over the network to user B, and host A knows only its own IP address (10.10.10.10) and the IP address of host B (10.10.10.20). Sender host A needs the MAC address of receiver host B before the message can be put on the wire. To get it, host A sends a broadcast ARP request asking for the MAC address of the host with IP 10.10.10.20; the request carries the IP address of the requesting host A (10.10.10.10) and the MAC address of host A (AA:AA:AA:AA:AA:AA). It is called a broadcast request because it is sent to all devices in the subnet served by the switch: its destination MAC address is the special broadcast address FF:FF:FF:FF:FF:FF. Host A has to "shout" to every device on the network because it does not yet know where to send the request, and does not even know whether host B is currently on the network.

2. All devices within the subnet receive the broadcast ARP request from host A, but only host B answers, because it sees its own IP address 10.10.10.20 in the request and so knows the request is meant for it.

3. Host B sends an ARP reply to host A containing host B's MAC address (BB:BB:BB:BB:BB:BB) together with host B's IP address (10.10.10.20). The reply is unicast: host B uses the MAC address of host A (AA:AA:AA:AA:AA:AA) from the original request as the destination MAC address.

4. As a result, host A now knows that host B with IP 10.10.10.20 has MAC address BB:BB:BB:BB:BB:BB, and host B knows that host A with IP 10.10.10.10 has MAC address AA:AA:AA:AA:AA:AA. Each host writes this IP-to-MAC mapping into its ARP table. The tables are cached so that the same information does not have to be requested again next time; this is the so-called ARP cache. The lifetime of an ARP table entry depends on the OS and is typically 15 to 45 seconds by default on desktop and server operating systems (it can be changed manually), while network devices can keep ARP cache entries for hours (for example, 4 hours by default on Cisco devices).

5. User A can now send messages to user B over the network, and user B can reply.

The Gratuitous ARP mechanism, as laid down by the creators of the protocol, was originally intended for the following tasks:

1. Updating ARP tables: if a device changes its IP address, it notifies its subnet neighbours that its MAC address now corresponds to the new IP address. A similar announcement is sent when the device's MAC address changes.

2. Detecting IP address conflicts within a subnet: if several devices have the same IP address, the Gratuitous ARP announcements they send with that address reveal the conflict so that action can be taken. This happens, for example, when two users have manually assigned themselves the same IP address in the OS settings; how the conflict is resolved depends on the OS.

3. After a reboot, after a host connects to the local network, or when a network adapter is replaced or enabled, the OS automatically sends Gratuitous ARP announcements so that the devices in the subnet can update their ARP tables in advance.

4. A Gratuitous ARP announcement from a host also lets the switch update its mapping of network ports to MAC addresses.

However, it is exactly this mechanism that lets attackers carry out ARP spoofing attacks, because:

1. Any device on the network can send a Gratuitous ARP announcement.

2. Any field in a Gratuitous ARP announcement can be spoofed; in particular, a malicious host can announce a new IP-to-MAC mapping for any device on the network.

3. A device that receives such an announcement updates its ARP table immediately, even if the cached entry has not yet expired. The exact behaviour is OS-dependent: for example, Linux by default refreshes an entry it already holds but does not add a new one for an IP it has never resolved, which is one reason attackers target mappings the victims already hold, such as the default gateway.

Consider the above illustration in the case where the attacker's malicious influence has begun:

1. An attacker on host C (IP 10.10.10.30, MAC CC:CC:CC:CC:CC:CC) starts sending spoofed Gratuitous ARP announcements stating that IP address 10.10.10.20 corresponds to MAC address CC:CC:CC:CC:CC:CC. IP address 10.10.10.20 is still assigned to host B, while the MAC address in the announcement belongs to the network card of malicious host C.

2. Such a spoofed announcement can reach any host on the network, but we assume the targets of the attack are user A on host A and user B on host B.

3. Host A, on receiving the spoofed Gratuitous ARP announcement from malicious host C, overwrites the entry in its ARP table: the IP address of the real host B (10.10.10.20) now maps to the MAC address of malicious host C (CC:CC:CC:CC:CC:CC).

4. When user A starts sending messages to user B, they arrive at host C, where the attacker can read or modify them and then forward them to host B as if they came from user A.

5. In the same way, host B, on receiving a spoofed Gratuitous ARP announcement from host C claiming that host A's IP address 10.10.10.10 belongs to CC:CC:CC:CC:CC:CC, overwrites its ARP table, and user B's replies to user A also pass through the attacker's "eavesdropping" host C.

6. In the most common variant of this attack, seen in real incidents even in quite mature infrastructures, the attacker spoofs the network gateway in order to intercept all traffic bound for neighbouring corporate subnets or the Internet. If in the illustration host B is the default gateway for host A, the attacker can proxy all of user A's Internet traffic through host C: either by enabling IP forwarding on C and relaying the frames to the real gateway, so that the victim notices nothing, or by routing the traffic out through a second network card connected to the Internet. Without such forwarding host B receives nothing from host A, and the attack degrades into a denial of service.
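The following is an added example, not code from the article or from Security Vision: a pure-Python model of the normal exchange in the five steps of ordinary ARP resolution above and of the poisoning in the attack steps just described. It builds and decodes RFC 826 frames with the standard library (no Scapy, no raw sockets, so it runs anywhere) and simulates hosts A, B and attacker C behind a toy switch. The Host class, the deliver function, and the assumption that a host refreshes only cache entries it already holds (the Linux default, arp_accept=0) are this example's own choices, not anything the article specifies.

```python
"""ARP resolution and gratuitous-ARP cache poisoning, simulated in pure Python (RFC 826 over
Ethernet II). Hosts and the switch are this example's toy models; nothing touches a real network."""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(op, sha, spa, tha, tpa, dst=None) -> bytes:
    """Ethernet frame + ARP packet (HTYPE=1, PTYPE=0x0800, 42 bytes before padding).
    Requests go to the broadcast MAC, replies unicast to the target MAC, unless the
    caller forces a destination (a gratuitous ARP is a broadcast "reply")."""
    if dst is None:
        dst = BROADCAST if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp_hdr + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)

def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame into its fields; rejects anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol encoding")
    body = frame[22:42]
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "op": op,
            "sha": mac_str(body[0:6]), "spa": ip_str(body[6:10]),
            "tha": mac_str(body[10:16]), "tpa": ip_str(body[16:20])}

class Host:
    """A host applying RFC 826's "merge, then answer" logic with an unauthenticated cache."""
    def __init__(self, ip: str, mac: str):
        self.ip, self.mac = ip, mac
        self.cache: Dict[str, str] = {}     # IP -> MAC, the ARP table
        self.conflicts: List[str] = []      # MACs seen claiming our own IP

    def receive(self, frame: bytes) -> Optional[bytes]:
        p = parse_arp(frame)
        if p["spa"] == self.ip and p["sha"] != self.mac:
            self.conflicts.append(p["sha"])  # an IP conflict, what gratuitous ARP was meant to reveal
            return None
        # The weakness: an entry we already hold is overwritten by ANY packet naming that IP,
        # with no check of who sent it (assumed Linux default, arp_accept=0: existing entries
        # are refreshed, unknown senders are not added; other OSes differ in the details).
        if p["spa"] in self.cache:
            self.cache[p["spa"]] = p["sha"]
        if p["tpa"] != self.ip:
            return None
        self.cache[p["spa"]] = p["sha"]     # we are being addressed: learn the sender
        if p["op"] == ARP_REQUEST:
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sha"], p["spa"])
        return None

def deliver(frame: bytes, hosts: List[Host]) -> List[bytes]:
    """Toy switch: a broadcast reaches every port, a unicast only the port owning the MAC."""
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    replies = []
    for h in hosts:
        if h.mac != src and dst in (BROADCAST, h.mac):
            r = h.receive(frame)
            if r is not None:
                replies.append(r)
    return replies

def run_scenario() -> dict:
    """Normal resolution between A and B, then C poisons both caches with gratuitous ARP."""
    a = Host("10.10.10.10", "aa:aa:aa:aa:aa:aa")
    b = Host("10.10.10.20", "bb:bb:bb:bb:bb:bb")
    c_mac = "cc:cc:cc:cc:cc:cc"             # attacker C only needs to craft frames
    lan = [a, b]
    # Steps 1-4: A broadcasts "who has 10.10.10.20?", B replies unicast, both caches fill.
    for reply in deliver(build_arp(ARP_REQUEST, a.mac, a.ip, "00:00:00:00:00:00", b.ip), lan):
        deliver(reply, lan)
    before = {"A": dict(a.cache), "B": dict(b.cache)}
    # Attack: C broadcasts gratuitous replies binding B's IP, then A's IP, to C's MAC.
    for victim_ip in (b.ip, a.ip):
        deliver(build_arp(ARP_REPLY, c_mac, victim_ip, BROADCAST, victim_ip, dst=BROADCAST), lan)
    after = {"A": dict(a.cache), "B": dict(b.cache)}
    return {"before": before, "after": after,
            "conflicts_seen_by_A": list(a.conflicts), "conflicts_seen_by_B": list(b.conflicts)}

if __name__ == "__main__":
    import json
    print(json.dumps(run_scenario(), indent=2))
```

Running it shows the "before" caches holding the genuine BB and AA addresses and the "after" caches both pointing at CC, while each victim also records CC as a conflicting claimant of its own IP address: the very signal (a gratuitous ARP for an address the host owns) that a conflict detector or an ARP monitor can alert on.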

ARP spoofing (ARP cache poisoning) is well known and is catalogued in the MITRE ATT&CK matrix as technique T1557.002, Adversary-in-the-Middle: ARP Cache Poisoning. The technique can also be used for denial of service within a subnet, but the attackers' main goal is to intercept and tamper with the traffic of corporate users. ARP spoofing is the first step of a more serious Man-in-the-Middle attack, which can, for example, lead to SMB Relay / NTLM Relay attacks or to attempts to get at HTTPS traffic (e.g., by SSL stripping, or by showing a fake captive portal with instructions to install a certificate issued by the attacker so that encrypted web traffic can be intercepted).

Note the following features of the ARP protocol:

1. ARP is used only in IPv4 networks; IPv6 uses NDP (Neighbor Discovery Protocol), which is just as unauthenticated by default and can be spoofed in the same way.

2. Everything described applies equally to wired and Wi-Fi networks. The only difference is that to carry out ARP spoofing on a wireless network the attacker must first join it, i.e. learn or find the password, whereas getting onto a wired network is often as simple as plugging into a free port. If the wireless network has AP Isolation (client isolation) enabled, the access point does not forward frames between clients of the same network, so an ARP spoofing attack between them is not possible.

3. Most modern operating systems ship a built-in utility for working with ARP, arp (arp -a shows the cache; on modern Linux ip neigh does the same).

There are a number of tools for carrying out ARP spoofing attacks, including Cain and Abel, Ettercap, Intercepter-NG, arpspoof (part of dsniff, shipped with Kali Linux), Bettercap and others. The following protective measures can be used:

1. The simplest defence is static ARP entries on hosts (for example, hard-coding the mapping of the gateway's IP address to its MAC address with arp -s, or on Linux with ip neigh replace ... nud permanent). This does not scale beyond small, static environments and must be maintained whenever hardware changes, so in practice it is used for a few critical mappings such as the gateway.

2. Use the Port Security mechanism on network devices and/or link-layer device authentication with IEEE 802.1X (dot1x); this limits the access of unauthorised devices to the network, although it does not stop an already authenticated but compromised host.

3. To protect Wi-Fi networks, use equipment supporting the latest WPA3 standard, authenticate devices with certificates via EAP (e.g. EAP-TLS with WPA3-Enterprise) when they join, enable AP Isolation and filter the MAC addresses of connecting devices (bearing in mind that MAC filtering alone is easily bypassed, since a MAC address can be changed in software).

4. Network equipment may have built-in detection and protection against ARP spoofing, such as ARP-based ACL rules or Dynamic ARP Inspection (DAI), which validates every ARP packet arriving on an untrusted port against the DHCP snooping binding table (or static ARP ACLs) and drops packets whose IP-to-MAC mapping does not match. On the monitoring side, tools such as arpwatch alert when an IP address changes the MAC address it is bound to.
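As an added example (not part of the article or of any Security Vision product) of what the detection side of these measures looks like in code, the monitor below applies four checks to a stream of decoded ARP packets: a Dynamic ARP Inspection-style comparison against a trusted binding table, the arpwatch-style "flip-flop" alert when an IP address changes MAC, an unsolicited-reply check that catches gratuitous ARP, and a fan-out check for one MAC claiming many addresses. The traffic, the trusted binding for the gateway, the thresholds and the ArpMonitor class itself are constructed for this example; a real deployment would feed it from a packet capture on a mirror port.

```python
"""ARP cache poisoning detection over decoded ARP traffic, in pure Python.

Each observation is what a sniffer yields after decoding one ARP packet:
(time, opcode, sender MAC, sender IP, target IP). No packets are captured here;
the traffic at the bottom is constructed for the example."""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpMonitor:
    """Stateful checks in the spirit of Dynamic ARP Inspection and arpwatch."""

    def __init__(self, trusted: Dict[str, str], fanout_limit: int = 3, window: float = 60.0):
        self.trusted = dict(trusted)         # IP -> MAC from static config or a DHCP-snooping table
        self.last_seen: Dict[str, str] = {}  # IP -> MAC most recently claimed on the wire
        self.pending: Dict[Tuple[str, str], float] = {}  # (requester IP, asked-for IP) -> time
        self.claims = defaultdict(deque)     # MAC -> deque of (time, IP) claimed inside the window
        self.fanout_limit, self.window = fanout_limit, window
        self.alerts: List[dict] = []
        self._raised = set()                 # (kind, ip, mac) already reported, to avoid floods

    def _alert(self, kind: str, t: float, ip: str, mac: str, **extra) -> None:
        key = (kind, ip, mac)
        if key not in self._raised:
            self._raised.add(key)
            self.alerts.append({"t": t, "kind": kind, "ip": ip, "mac": mac, **extra})

    def observe(self, t: float, op: int, sha: str, spa: str, tpa: str) -> None:
        # 1. DAI-style: the sender claims an IP whose trusted binding names a different MAC.
        if spa in self.trusted and self.trusted[spa] != sha:
            self._alert("binding-violation", t, spa, sha, expected=self.trusted[spa])
        # 2. arpwatch-style flip-flop: the IP was bound to another MAC the last time we saw it.
        prev = self.last_seen.get(spa)
        if prev is not None and prev != sha:
            self._alert("flip-flop", t, spa, sha, previous=prev)
        self.last_seen[spa] = sha
        # 3. Unsolicited reply: nobody asked about spa recently. Gratuitous ARP looks like this,
        #    and is legitimate on boot or IP change, so treat it as supporting evidence, not proof.
        if op == ARP_REQUEST:
            self.pending[(spa, tpa)] = t
        elif op == ARP_REPLY:
            asked = self.pending.get((tpa, spa))
            if asked is None or t - asked > self.window:
                self._alert("unsolicited-reply", t, spa, sha, target=tpa)
        # 4. Fan-out: one MAC claiming many IPs inside the window, i.e. poisoning a whole segment
        #    (a router that owns several addresses is the benign case; allow-list it).
        q = self.claims[sha]
        while q and t - q[0][0] > self.window:
            q.popleft()
        q.append((t, spa))
        ips = sorted({ip for _, ip in q})
        if len(ips) > self.fanout_limit:
            self._alert("fan-out", t, "*", sha, ips=ips)


GATEWAY_IP, GATEWAY_MAC = "10.10.10.1", "00:11:22:33:44:01"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"

# Constructed capture: normal request/reply pairs, then host C (10.10.10.30) poisons the
# gateway, B and A with gratuitous replies, repeats itself, and the real gateway speaks again.
TRAFFIC: List[Tuple[float, int, str, str, str]] = [
    (0.0,  ARP_REQUEST, GATEWAY_MAC,         GATEWAY_IP,    "10.10.10.20"),
    (1.0,  ARP_REPLY,   "bb:bb:bb:bb:bb:bb", "10.10.10.20", GATEWAY_IP),
    (2.0,  ARP_REQUEST, "aa:aa:aa:aa:aa:aa", "10.10.10.10", GATEWAY_IP),
    (3.0,  ARP_REPLY,   GATEWAY_MAC,         GATEWAY_IP,    "10.10.10.10"),
    (30.0, ARP_REPLY,   ATTACKER_MAC,        GATEWAY_IP,    GATEWAY_IP),     # "10.10.10.1 is at cc:..."
    (31.0, ARP_REPLY,   ATTACKER_MAC,        "10.10.10.20", "10.10.10.20"),
    (32.0, ARP_REPLY,   ATTACKER_MAC,        "10.10.10.10", "10.10.10.10"),
    (33.0, ARP_REPLY,   ATTACKER_MAC,        "10.10.10.30", "10.10.10.30"),  # C's own address
    (40.0, ARP_REPLY,   ATTACKER_MAC,        GATEWAY_IP,    GATEWAY_IP),     # repeat: no new alert
    (45.0, ARP_REQUEST, GATEWAY_MAC,         GATEWAY_IP,    "10.10.10.10"),  # real gateway again
]


def run_demo() -> List[dict]:
    mon = ArpMonitor(trusted={GATEWAY_IP: GATEWAY_MAC})
    for obs in TRAFFIC:
        mon.observe(*obs)
    return mon.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"t={a['t']:5.1f}  {a['kind']:<18} ip={a['ip']:<13} mac={a['mac']}")
```

The benign prefix produces no alerts; the first poisoned packet at t=30 trips all of binding-violation, flip-flop and unsolicited-reply at once, which is the combination worth paging on, while the fourth address claimed by the same MAC trips fan-out. The repeat at t=40 is suppressed by the dedup key, and the real gateway re-announcing itself at t=45 produces a single flip-flop back, which is exactly how arpwatch reports a poisoning that has stopped.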
