Fix ARP Spoofing on Ubuntu

TL;DR

ARP spoofing often fails on modern Ubuntu systems due to security features like dynamic ARP inspection (DAI) and ARP guard. This guide explains how to temporarily disable these features to allow testing or troubleshooting, but remember to re-enable them afterwards for a secure network.

Understanding the Problem

ARP spoofing relies on sending false Address Resolution Protocol (ARP) messages onto your local network. Ubuntu and other operating systems now have built-in protections against this type of attack, making it harder to perform successfully without adjustments. These protections are good – they prevent malicious actors from redirecting traffic.

Solution: Temporarily Disable ARP Protections

This solution focuses on disabling the features that block ARP spoofing for testing purposes. Important: Re-enable these features once you’ve finished your work to maintain network security!

1. Check Current ARP Settings: First, see if ARP filtering is already active.
   • Open a terminal.
   • Run the following command:

     sudo sysctl -a | grep net.ipv4.conf.all.arp_filter

     If it returns net.ipv4.conf.all.arp_filter = 1, ARP filtering is enabled. A value of 0 means it’s disabled.

2. Disable ARP Filtering (if active): If ARP filtering is on, disable it for all interfaces.

   sudo sysctl -w net.ipv4.conf.all.arp_filter=0

   This change is temporary and will be lost on reboot.

3. Disable ARP Announcements (if active): Another protection is ARP announcements, which can also block spoofing.

   sudo sysctl -w net.ipv4.conf.all.arp_announce=0

   Again, this is temporary.

4. Disable Gratuitous ARPs (if active): Gratuitous ARP packets are also often filtered.

   sudo sysctl -w net.ipv4.conf.all.gratuitous_arp=0

   Temporary change only.

5. Repeat for Specific Interfaces: For more targeted control, disable these features on specific network interfaces (e.g., eth0, wlan0).
   • Replace ‘eth0’ with your actual interface name.

     sudo sysctl -w net.ipv4.conf.eth0.arp_filter=0

     sudo sysctl -w net.ipv4.conf.eth0.arp_announce=0

     sudo sysctl -w net.ipv4.conf.eth0.gratuitous_arp=0

6. Test ARP Spoofing: Now try your ARP spoofing tool (e.g., ettercap, arpspoof). It should work more reliably.
7. Make Changes Permanent (Optional – NOT RECOMMENDED for production): To make these changes permanent, edit the /etc/sysctl.conf file.
   • Open the file with a text editor as root:

     sudo nano /etc/sysctl.conf

   • Add the following lines to the end of the file (adjust interface names if needed):

     net.ipv4.conf.all.arp_filter = 0

     net.ipv4.conf.all.arp_announce = 0

     net.ipv4.conf.all.gratuitous_arp = 0

   • Save the file and exit.
   • Apply the changes:

     sudo sysctl -p

8. Re-Enable Protections: Crucially, re-enable ARP protections after testing! Use the same commands as above, but set the values back to 1.
   • For all interfaces:

     sudo sysctl -w net.ipv4.conf.all.arp_filter=1

     sudo sysctl -w net.ipv4.conf.all.arp_announce=1

     sudo sysctl -w net.ipv4.conf.all.gratuitous_arp=1

Important Considerations

• Security Risk: Disabling ARP protections makes your network vulnerable to attacks. Only do this in a controlled testing environment.
• Dynamic ARP Inspection (DAI): Some switches also perform DAI, which can block spoofing even if the Ubuntu settings are adjusted. You may need to configure your switch accordingly.
• ARP Guard: Similar to DAI, ARP guard on switches provides another layer of protection.