Address Resolution Protocol (ARP) poisoning is one of the serious problems in networks. Starting with the basics, suppose ‘X’ and ‘Y’ are on the network, and ‘X’ shares all his secrets with ‘Y’. If a third party ‘Z’ on the network pretends to be ‘Y’, then all the secrets sent by ‘X’ go to ‘Z’. This is the basic concept of ARP poisoning. To make it clearer, let’s move on to how the ARP protocol works.
There are four types of messages that can be sent by ARP:
- Address Resolution Request (ARP request), in which a computer sends a request on the network with the IP address it is looking for.
- Address Resolution Reply (ARP reply), in which the computer on the network that has the requested IP replies with that IP and its MAC address.
- Reverse Address Resolution Request (RARP request), which is like an ARP request, but this time the message broadcast on the network carries a MAC address.
- Reverse Address Resolution Reply (RARP reply), in which a computer on the network replies with the MAC address (the one that was broadcast in the request) and with its IP address.
All devices connected to the network have an ARP cache. This cache contains the MAC and IP address mappings of the network devices the host communicates with.
ARP Poisoning Concept
The explanation above illustrates how the ARP protocol works, which is simple. But the protocol lacks authentication, i.e. there is no way to authenticate the IP-to-MAC address mapping in an ARP reply. Further, the host does not even check where the ARP request goes to. If computer ‘X’ has sent an ARP request and gets an ARP reply, the ARP protocol has no means to check whether the message, or the IP-to-MAC mapping in it, is correct or not.
So anyone on the network can exploit this weakness of the ARP protocol by sending a valid ARP reply in which any IP is mapped to any MAC address, and sending this message to the complete network. The hosts that receive the message will accept it and update their ARP tables, so an attacker can intercept traffic on the network, modify it, or stop all traffic. ARP poisoning attacks open the door for other attacks such as denial of service, man-in-the-middle and session hijacking attacks. The following picture makes ARP poisoning clearer.
Figure: ARP Poisoning
How to Prevent
ARP poisoning is a serious issue that needs to be prevented. On small networks, maintaining static ARP entries is helpful because it prevents an attacker from changing the mapping between IP address and MAC address. But on large networks this does not work, because every device in the network would have to be looked after manually.
For bigger networks, the port security features of network switches are helpful, for example configuring the switch to allow only one MAC address for each physical port. This feature makes sure that a device cannot change its MAC address and cannot map more than one MAC to the device, and hence prevents attacks like the ‘man in the middle’ attack.
Monitoring tools like ARPwatch, Snort, Antidote, Arpalert and many other network monitoring programs can also help to prevent ARP poisoning.
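One way to watch for the forged replies described above is to remember which MAC each IP address has claimed and to flag any change. The code below is an added example, not from the original article or from any of the tools named: `ArpMonitor`, its helper functions and the sample packets (hosts Y and Z from the introduction, with made-up addresses) are constructed for illustration, and the optional static bindings stand in for admin-maintained ARP entries.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(payload):
    """Return (oper, sender_ip, sender_mac) for an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, socket.inet_ntoa(spa), mac_str(sha)

class ArpMonitor:
    """Tracks the IP-to-MAC bindings claimed in ARP traffic (hypothetical helper)."""
    def __init__(self, static_bindings=None):
        self.static = dict(static_bindings or {})  # admin-supplied known-good entries
        self.learned = {}                           # bindings observed so far

    def observe(self, payload):
        """Return an alert string if this packet contradicts a known binding."""
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        _oper, ip, mac = parsed
        if ip in self.static and self.static[ip] != mac:
            return f"ALERT static binding violated: {ip} is {self.static[ip]}, packet claims {mac}"
        old, self.learned[ip] = self.learned.get(ip), mac
        if old is not None and old != mac:
            return f"ALERT binding changed: {ip} moved from {old} to {mac}"
        return None

# Constructed sample ARP replies (not captured traffic): first Y answers for
# 192.168.1.20, then Z's MAC claims the same IP.
SAMPLES = [
    "0001080006040002" "aaaaaaaaaa20" "c0a80114" "aaaaaaaaaa10" "c0a8010a",
    "0001080006040002" "aaaaaaaaaa30" "c0a80114" "aaaaaaaaaa10" "c0a8010a",
]

def run_demo(static_bindings=None):
    monitor = ArpMonitor(static_bindings)
    return [monitor.observe(bytes.fromhex(h)) for h in SAMPLES]

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

A binding change is not always an attack (a replaced network card or a reassigned address produces the same alert), so each alert needs to be checked against known changes on the network.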