Edit: This is a semi-crappy paper I wrote for an assignment in college a while back, I posted it mostly for nostalgic/comedic purposes, so take this with a grain (or three) of salt...
ARP poisoning is a security risk that can endanger corporations, individuals, and even government agencies -- anyone with data on a network -- but few people understand the mechanics of ARP poisoning, or the effects it can have on them. Before ARP Poisoning can be described in detail, one must understand the basics: what is ARP? What is a NIC, what is a MAC, and how do IP addresses tie in? Let's look at a few examples which illustrate the relationship between ARP, NIC, MAC, and IP addresses, and then focus on ARP poisoning: how it's done, what kind of damage it can cause, and how to prevent it.
As our base example, let's imagine we have a desktop computer named Alfred. Alfred is on a LAN (local area network), along with a variety of other desktops, servers, printers, and other network devices. Every device on this network, including Alfred, has an IP address. An IP address can be thought of as a mailing address for each device on the network, similar to the address we would put on a letter. IP addresses look a little different from a standard mailing address, though; an IP address looks like a series of numbers separated by periods, e.g. 192.168.5.32. IP addresses can be either statically or dynamically assigned. What does "statically or dynamically assigned" mean? If every device on the network has an IP address, it must get that address from somewhere. An IP address is statically assigned when someone sets it by hand; after a device receives a static IP address, it keeps that address until it is manually reassigned. Otherwise, an IP address can be assigned “automatically” every time a computer joins a new network, through DHCP, or Dynamic Host Configuration Protocol.
To be sure we understand IP addresses and DHCP, let's look at another scenario. Say we have a laptop named Alice; we bring Alice to Starbucks, hop on the wireless network, and within seconds we are browsing the internet. Then, we bring Alice home, hop on our wireless network, and proceed to check our e-mail. How does this work? When Alice hopped on the network at Starbucks, she had no IP address. Alice automatically contacted the DHCP server, which in turn looked through its list of unused IP addresses (or mailing addresses), and passed one back to Alice for her use. After we brought Alice home, Alice again had to contact a DHCP server, which again assigned Alice a temporary (dynamic) IP address. It is perfectly possible that Alice might be assigned a new IP address while staying on the same network for a period of time; the temporary addresses assigned by DHCP have a set amount of time before they expire and must be renewed.
DHCP is a complex topic, and this is just a brief overview; there are numerous resources online that explain DHCP in greater detail (Nachreiner, Foundations: What are NIC, MAC, and ARP?). Suffice it to say that when Alice goes from Starbucks, to the office, to home -- anytime she needs to get on the internet -- the DHCP server doles out a different IP address for her to use.
The reader may ask, what happened to Alfred? Now that a brief overview of DHCP and IP addresses has been presented, we can say Alfred is on the LAN with a dynamic IP address of 192.168.30.5 and know what we are talking about. With devices (such as laptops) entering and leaving networks, and DHCP leases expiring and renewing, how do devices on a LAN (like Alfred) determine who the other devices are at any given time? For example, how does Alfred know that 192.168.30.12 is the office printer, and not the secretary’s laptop, if DHCP could assign 192.168.30.12 to either device at any time? We said an IP address is like a mailing address; if your mailing address could randomly be reassigned to your neighbors all the time, how would people know how to send you a letter? The solution to this problem lies in another unique identifier for networked devices, known as a MAC address. Every device on a network not only has an IP address, it has a MAC (Medium Access Control) address as well.
So, what is a MAC address? To answer this question, we need to know about a piece of hardware called a NIC. What is a NIC? A NIC, or Network Interface Card, is a hardware component of every networked device (desktop, printer, laptop, etc.) that handles all data going to and coming from the network. Every NIC has a unique MAC address; no two NICs in the world have the same MAC address. Every NIC’s MAC address is permanent; this is why MAC addresses are sometimes referred to as the physical address of a device. How is it possible that every NIC in the world has a unique, permanent MAC address? The IEEE Standards Association gives each manufacturer of NICs a unique code with which to start the MAC address of any NIC they create. The manufacturers are then trusted to ensure the remaining part of the MAC address is unique. An example of a MAC address is 00:13:CE:3E:FC:E5. The first chunk, 00:13:CE, identifies the manufacturer, Intel. The last half, 3E:FC:E5, is used to identify the unique NIC manufactured by Intel (Nachreiner, Foundations: What are NIC, MAC, and ARP?).
It seems as if we have left Alfred behind, yet again. However, now that we have an understanding of MAC addresses, we can say that Alfred is on a LAN with a dynamic IP address of 192.168.30.5 and a MAC address of 00:13:CE:3E:FC:E5, and understand what that means. So, since each device on the network has both an IP address and a MAC address, we can conclude that there is a way to discern between devices, despite the fact that IP addresses of various devices on the LAN are constantly changing. In other words, even if our temporary (IP) address is constantly changing (like the address of a rock band that's on tour), we have a permanent physical address (MAC) that never changes.
How do we connect temporary IP addresses (mailing addresses) with permanent MAC addresses? That's where ARP enters the scene. ARP, or Address Resolution Protocol, is the method through which devices determine which IP addresses are associated with which MAC addresses on the local network.
Let's say Alfred needs to send a print job to the office printer, conveniently named Printy. Alfred looks for Printy’s IP address and sees it is 192.168.30.7, which means Printy is on the local network. Alfred knows he can send the file directly to Printy; he just needs to find out Printy’s MAC address. How does Alfred go about doing this? Alfred sends out an ARP request. The ARP request is sent to a special broadcast address, FF:FF:FF:FF:FF:FF. Since the ARP Request is sent to this special broadcast address, all the devices on the network receive Alfred’s ARP request. Alfred’s ARP request contains Alfred’s own MAC address, and asks all the devices on the network, “Which one of you has the IP Address 192.168.30.7? Let me know at my IP address, 192.168.30.5.” All of the devices on the network will ignore this ARP request, except for Printy; Printy recognizes the ARP request and sends out an ARP reply. Printy’s ARP reply tells Alfred, “My IP address is 192.168.30.7, and here’s my MAC address: 00:13:CE:3E:4C:21.” So now Alfred knows Printy’s IP address and MAC address, and stores them in a table, known as the ARP cache. Additionally, since Printy received an ARP request from Alfred with Alfred’s MAC address and IP address, Printy stores Alfred’s information in his own ARP cache. Alfred proceeds to send the file to Printy to be printed (Nachreiner, Foundations: What are NIC, MAC, and ARP?).
Through the process of ARP caching, devices on the network do not have to deal with broadcasting ARP requests every time they want to communicate with each other. This provides greater efficiency by reducing overhead, but also provides a soft spot for malicious hackers to exploit. What if a hacker could somehow gain access to, or modify, these MAC-address-to-IP-address tables, the ARP caches? Essentially, the hacker could redirect traffic on a local network to wherever he or she pleased.
The main issue with ARP that makes such an attack possible is that ARP has no authentication scheme. That is to say, ARP is trusting; if a networked device sends out an ARP request, that networked device assumes the first ARP reply it gets back is actually coming from the real device it sent the request to. There is no check to make sure the ARP reply is authentic. If a hacker were to fabricate an ARP reply to attack the integrity of a device’s ARP cache, it seems as if the success of the attack would really just be a matter of correct timing. However, "spoofing" an ARP reply is even easier than that; many operating systems will implement ARP such that any device will accept an ARP reply at any time, regardless of whether or not that device had recently sent out an ARP request. So, by simply sending out an ARP reply with an IP address and MAC address of the hacker’s choice, they can cause any device to send traffic anywhere they please. This is why the process is known as ARP Poisoning, or ARP Cache Poisoning; hackers essentially “poison” the ARP cache of a device (or multiple devices) on a network, thus manipulating the device’s understanding of the location of other devices on the network (Nachreiner, Anatomy of an ARP Poisoning Attack).
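As an added example that is not part of the original paper, the Alfred/Printy exchange above and the trusting cache behaviour just described, modelled in Python: the Arp class packs and parses the RFC 826 layout that ARP requests and replies use, and ArpCache shows a cache that believes any reply next to one that only honours replies to its own requests and keeps static entries. The class names, the strict flag and any MAC not quoted in the text are assumptions.

```python
import struct
from dataclasses import dataclass

# Added example (not from the post): RFC 826 ARP layout and a toy per-host cache.
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

@dataclass(frozen=True)
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def pack(self):
        # htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, then opcode
        head = struct.pack("!HHBBH", 1, 0x0800, 6, 4, self.op)
        return (head + mac_to_bytes(self.sender_mac) + ip_to_bytes(self.sender_ip)
                + mac_to_bytes(self.target_mac) + ip_to_bytes(self.target_ip))

    @classmethod
    def unpack(cls, data):
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("not an Ethernet/IPv4 ARP packet")
        mac = lambda b: ":".join(f"{x:02x}" for x in b)
        ip = lambda b: ".".join(str(x) for x in b)
        return cls(op, mac(data[8:14]), ip(data[14:18]),
                   mac(data[18:24]), ip(data[24:28]))

class ArpCache:
    """One host's IP -> MAC table. strict=False believes any reply (the behaviour
    the text describes); strict=True wants a matching request and keeps statics."""

    def __init__(self, own_ip, own_mac, strict=False):
        self.own_ip, self.own_mac, self.strict = own_ip, own_mac, strict
        self.table, self.static, self.pending = {}, set(), set()

    def add_static(self, ip, mac):
        self.table[ip] = mac
        self.static.add(ip)

    def request(self, ip):
        self.pending.add(ip)  # remember we asked, so a reply is expected
        return Arp(ARP_REQUEST, self.own_mac, self.own_ip, BROADCAST_MAC, ip)

    def receive(self, pkt):  # returns True if the table changed
        if pkt.sender_ip in self.static:
            return False  # static entries win over anything heard on the wire
        if pkt.op == ARP_REQUEST and pkt.target_ip != self.own_ip:
            return False  # request for someone else: ignored, like Alfred's peers do
        if pkt.op == ARP_REPLY and self.strict and pkt.sender_ip not in self.pending:
            return False  # unsolicited reply: the poisoning vector, rejected here
        self.pending.discard(pkt.sender_ip)
        changed = self.table.get(pkt.sender_ip) != pkt.sender_mac
        self.table[pkt.sender_ip] = pkt.sender_mac
        return changed
```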
Now that we understand the basics of how ARP Poisoning works, let us focus on exactly what ARP Poisoning can do. Let us assume, for the moment, that the hacker is going after information passing between a desktop computer, like Alfred, and the “gateway,” the point of contact between Alfred’s local network and the internet. Let us also assume that a slew of important data passes between Alfred and the gateway; for example, Alfred’s owner’s passwords to their Gmail account, Wells Fargo account, et cetera. Since all of this juicy information is most likely to be found passing between Alfred and the gateway, it seems like the switch would be the first thing to attack. Why the switch? Before we answer that, let's briefly review the difference between the switch and a hub.
Every port on a hub receives all network traffic; that is to say, when Alfred sends a print job to Printy, the hub has no idea who the recipient is (Printy), and thus broadcasts the print job to all the devices on the network. When Printy sees the broadcast print job, he knows it is for him, and thus deals with it accordingly, whereas every other device on the network ignores it. In the case of a hub, a hacker that has access to the local network can easily observe all the traffic coming and going from any device with a “packet sniffer”; a packet sniffer allows the hacker to put his NIC in “promiscuous mode” and collect all the data passing through the network. A switch, on the other hand, is “smarter” than a hub, in that it knows where each device is. When the switch receives a print job from Alfred, instead of broadcasting it to all devices on the network, the switch sends the print job specifically to Printy. Since the information is not broadcast, this stops the hacker from simply turning on a packet sniffer and observing all the data traversing the network (Seth, The Ingredients to ARP Poison).
Now we can go back to answering the question of why a hacker would first attack the switch. Some switches, when overloaded with too much information, will go into a fail-safe mode, in which they act exactly like a hub. In essence, a hacker merely needs to overload the switch with a technique known as MAC Flooding. A hacker can flood a switch’s ARP cache with numerous fake ARP replies, thus causing the switch to attempt to process a constant stream of MAC addresses, overloading the switch, and causing it to drop into fail-safe mode. As we know from the above description of how hubs work, all the hacker needs to do at this point is turn on a packet sniffing program like Wireshark, allowing them to see all the data traversing the network. Alfred’s privacy is as good as gone. However, this does not always work; some switches do not have this fail-safe mode, and there are ways to prevent this attack (which will be discussed further on).
Let us assume the hacker has attempted to flood the switch, but to no avail. The hacker would have to resort to an attack that requires a little more effort, known most commonly as a Man-in-the-Middle attack. Earlier, we mentioned that determining traffic flow for any device was possible through spoofing ARP replies. A hacker can exploit this weakness to control traffic that is traveling between two specific devices. Let us assume, again, that the hacker wants to intercept all traffic traveling between Alfred and the gateway, the router at 192.168.30.1. Alfred’s IP address, again, is 192.168.30.5.
To launch a Man-in-the-Middle attack, the hacker first needs to trick the router into thinking the hacker’s own machine, Eve, is in fact Alfred. The hacker does this by sending a spoofed ARP reply to the router, telling the router that Alfred’s IP address is associated with Eve’s MAC address; which is obviously false, but ARP is “trusting” and thus the router does not catch on to this. So now, all traffic intended for Alfred from the router is going to Eve; this in itself can be a bad thing, because the hacker has essentially cut off Alfred’s connection to the internet, which is a dead giveaway that something is wrong. So, immediately after tricking the router, the hacker must also trick Alfred. Thus, the hacker sends a spoofed ARP reply to Alfred, causing Alfred to believe that the router’s IP address is associated with Eve’s MAC address. At this point, all the data Alfred intends on sending to the router gets passed to Eve. Essentially, Eve is now the Man in the Middle, intercepting all traffic between Alfred and the router. The hacker just needs to ensure they have IP forwarding enabled, thus allowing traffic to flow freely between Alfred and the router (with an intermediate stop at Eve); otherwise, the hacker will have essentially blocked traffic in both directions, which again is a dead giveaway that something is wrong. Now that the hacker can see all the traffic passing between Alfred and the internet, they can sniff out sensitive information such as passwords sent in clear text, and can even hijack supposedly “secure” sessions. For example, even if SSL is used to encrypt Alfred’s owner’s data when they log into their Wells Fargo account, since Eve is controlling all the traffic between Alfred and the gateway, Eve can act as Alfred since Eve is “within” the secure connection (Silky, ARP Cache Poisoning Prevention and Detection).
If all else fails, or if the hacker simply has different goals in mind, the hacker can easily perform a Denial of Service attack on the network. For example, a hacker can send an ARP reply to the broadcast address mentioned earlier (FF:FF:FF:FF:FF:FF), thus affecting all devices on your network. In this spoofed ARP reply, the hacker can tell every device on the network that the router’s IP address is associated with some fake MAC address that does not exist on the network. Thus, any device that thinks it knows where the default gateway is located is actually sending all of its data not intended for the local network to, essentially, nowhere. Through this simple attack, the entire network’s connection to the internet has been severed. While it does not provide any sensitive information to the hacker, it compromises the availability of resources, and can cause huge financial damage, depending on the network in question.
ARP Poisoning, as seen above, is a relatively simple attack to implement once a hacker has gained local access to a network. While gaining local access to a network may or may not be trivial, it definitely happens, and when it does, a network administrator must be prepared to handle the consequences. The fact that such a relatively simple method of attack can cause such severe damage to a network is somewhat intimidating -- and for good reason. ARP is a protocol that any TCP/IP network needs in order to work. Many, many networks today use the TCP/IP suite, and the security flaws associated with ARP are associated with every single one of them. Thus, it is vital for network administrators to be equipped to defend against such attacks if possible, or be well prepared for the damage control following such an attack.
If the network is on the smaller side (small being a subjective term), one method to prevent ARP Poisoning attacks is to use static IP addresses instead of dynamic addresses issued through DHCP. This requires a bit of work on the administrator’s part, as the administrator has to manually assign an IP address to every device on the network, and then manually add static ARP entries into every ARP cache on every device on the network. To make the task easier, a login script could be installed on all the PCs on the network, ensuring the static ARP entries remain in the ARP cache, regardless of whether or not the PCs are rebooted. The obvious drawback of this technique is that devices come and go from the network, and with any minor change in the network topology, the administrator must go through every ARP cache, every login script, for every single machine, and make sure everything still lines up. While this is feasible on a smaller network, it would be highly inefficient, or even impossible, on larger networks.
In the case of large networks, the administrator can look into the network switch’s port security features. It is possible to make the switch allow one MAC address per physical port on the switch; this would effectively stop a hacker from spoofing their MAC address. Some switches have the option to turn off the fail-safe mode which, as mentioned above, makes the switch act like a hub when it is overloaded.
Another solution for large networks lies within the network design itself. When designing a network, the administrator can subnet the network through the use of VLANs (Virtual Local Area Networks). This basically segments out the potential areas of attack. For example, a network for a company could have a VLAN for their accounting department, a VLAN for their sales department, and a VLAN for the engineering department. By “chopping” the network into smaller pieces, the administrator can potentially use the static IP technique discussed earlier for smaller networks, as changes in the network will have an isolated effect on the VLAN in which the change took place. Additionally, some switches are designed such that ARP Poisoning attacks that take place in one VLAN have no way of reaching devices on a separate VLAN. If a hacker sends out a broadcasted ARP reply in an attempt to launch a Denial of Service attack like the one mentioned previously, that broadcasted ARP reply will only reach the devices on the VLAN which the hacker is on.
While all of the techniques mentioned thus far have their benefits and drawbacks, the best approach any network administrator can take is to understand how ARP Cache Poisoning works, and watch for it. A combination of preventative measures, such as the ones mentioned above, along with careful monitoring of the network, can greatly reduce the chances of damage occurring due to an ARP Poisoning attack. One tool used to monitor networks for potential ARP Poisoning attacks is Arpwatch. Arpwatch is an open-source application used to monitor networks for any ARP activity. Arpwatch looks out for unusual ARP activity, and can notify the network administrator when it occurs via e-mail. Arpwatch keeps a database of Ethernet/IP address pairings while monitoring Ethernet activity by capturing packets through use of libpcap (SecurityFocus, Arpwatch).
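As an added example in the spirit of what Arpwatch does (this is not Arpwatch's code), a small monitor that keeps the Ethernet/IP pairings it sees in ARP traffic and reports the events Arpwatch notifies on (new station, changed ethernet address, flip flop), plus a rate check for an IP whose MAC keeps changing and a pinned entry for the gateway. The observations, the gateway MAC, the class names and the thresholds are assumptions; a real deployment would feed observe() from parsed ARP frames.

```python
from collections import deque
from dataclasses import dataclass, field

# Added example in the spirit of Arpwatch (not its code): track the Ethernet/IP
# pairings seen in ARP traffic and report changes the way Arpwatch does.
FLAP_WINDOW = 60.0  # seconds; assumed value, tune for the network
FLAP_LIMIT = 3      # MAC changes for one IP inside the window before alarming

@dataclass
class Station:
    mac: str
    previous: str = ""                              # MAC this IP used before
    changes: deque = field(default_factory=deque)   # timestamps of MAC changes

class ArpMonitor:
    def __init__(self, pinned=None):
        self.db = {}  # ip -> Station, Arpwatch's "ethernet/ip address database"
        self.pinned = {ip: m.lower() for ip, m in (pinned or {}).items()}
        self.alerts = []

    def observe(self, ts, sender_ip, sender_mac):
        """Feed one sender pairing from an ARP packet; return alert text or None."""
        mac = sender_mac.lower()
        st = self.db.get(sender_ip)
        msg = None
        if st is None:
            self.db[sender_ip] = Station(mac)
            msg = f"new station {sender_ip} {mac}"
        elif mac != st.mac:
            kind = "flip flop" if mac == st.previous else "changed ethernet address"
            msg = f"{kind} {sender_ip} {st.mac} -> {mac}"
            st.previous, st.mac = st.mac, mac
            st.changes.append(ts)
            while st.changes and ts - st.changes[0] > FLAP_WINDOW:
                st.changes.popleft()
            if len(st.changes) >= FLAP_LIMIT:
                msg += f" ({len(st.changes)} changes in {FLAP_WINDOW:.0f}s, possible poisoning)"
        if sender_ip in self.pinned and mac != self.pinned[sender_ip]:
            msg = (msg or f"{sender_ip} {mac}") + \
                  f" [pinned to {self.pinned[sender_ip]}, possible poisoning]"
        if msg:
            msg = f"{ts:.0f}: {msg}"
            self.alerts.append(msg)
        return msg

def run_sample():
    # Constructed observations on the text's LAN; the gateway MAC is an assumption.
    mon = ArpMonitor(pinned={"192.168.30.1": "00:13:ce:00:00:01"})
    sample = [
        (0, "192.168.30.1", "00:13:ce:00:00:01"),   # gateway
        (1, "192.168.30.5", "00:13:ce:3e:fc:e5"),   # Alfred
        (2, "192.168.30.7", "00:13:ce:3e:4c:21"),   # Printy
        (30, "192.168.30.5", "00:13:ce:3e:fc:e5"),  # same pairing again: silent
        (40, "192.168.30.1", "02:00:00:00:00:99"),  # gateway IP, unknown MAC
        (41, "192.168.30.1", "00:13:ce:00:00:01"),  # real gateway heard again
        (42, "192.168.30.1", "02:00:00:00:00:99"),  # and back: flip flop storm
    ]
    for ts, ip, mac in sample:
        mon.observe(ts, ip, mac)
    return mon.alerts
```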
According to the World Internet Usage Statistics News and Populations Stats, an estimated 1.14 million people are using the internet worldwide. TCP/IP networks are everywhere; no one can deny that. Since ARP is necessary for any TCP/IP network to function, and ARP is inherently flawed from a security standpoint, it is vital for network administrators to understand the principles of ARP Poisoning and how to defend against it. Through relatively simple attacks, a hacker can intercept sensitive data without being detected, or take down an entire network within seconds. Only by understanding how these attacks work can a network administrator recognize and defend against them. Through various techniques, depending on the size of the network, various defense measures can be taken; however, the best medicine for ARP Poisoning is a combination of preventative measures and vigilance on the network administrator’s part.