Stop ARP & DNS Spoofing Attacks

TL;DR

ARP (Address Resolution Protocol) and DNS (Domain Name System) spoofing attacks redirect your internet traffic through a malicious machine. This guide shows you how to detect and prevent these attacks, protecting your data and privacy.

What are ARP & DNS Spoofing?

ARP Spoofing: An attacker sends fake messages on your network claiming to be other devices (like your router). This makes your computer send traffic to the wrong place. Think of it like someone giving you a false address for a friend.

DNS Spoofing: An attacker redirects you to a fake website when you type in a real web address. They do this by poisoning the DNS cache, so your computer thinks the fake site is the real one. Like being given the wrong phone number for a business.

How to Detect ARP Spoofing

1. Use arpwatch: This tool monitors ARP traffic and alerts you to changes.
   • Install on Linux (Debian/Ubuntu):

     sudo apt update && sudo apt install arpwatch

   • Run it in the background. It logs suspicious activity. Check its log file regularly (usually /var/log/arpwatch.log).
2. Check your ARP cache: See if MAC addresses match IP addresses.
   • On Windows, use

     arp -a

     .

   • On Linux/macOS, use

     arp -an

     .

   • Look for multiple MAC addresses associated with the same IP address – this is a red flag.
3. Network Scanner: Use tools like Nmap to scan your network and verify MAC-IP pairings.
   • Example Nmap command:

     nmap -sn 192.168.1.0/24

     (replace with your network address)

How to Prevent ARP Spoofing

1. Static ARP Entries: Manually assign IP addresses to MAC addresses for critical devices (like your router).
   • On Windows:

     arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF

     (replace with correct IP and MAC)

   • On Linux/macOS, edit /etc/arp file (requires root privileges). This is less common now due to DHCP.
2. DHCP Snooping & Dynamic ARP Inspection: Configure your switch to only allow trusted devices to respond to ARP requests. This requires a managed switch.
   • Consult your switch’s documentation for setup instructions.
3. Use 802.1x Authentication: Requires users to authenticate before gaining network access, making spoofing harder.

How to Detect DNS Spoofing

1. Check your DNS server settings: Make sure you’re using legitimate DNS servers (like those provided by your ISP or trusted public servers like Cloudflare 1.1.1.1 or Google Public DNS 8.8.8.8).
   • On Windows, check Network Connections -> Properties of your connection -> Internet Protocol Version 4 (TCP/IPv4)
2. Use nslookup or dig: Verify the IP address associated with a domain name.

   • nslookup example.com

     or

     dig example.com

   • Compare the results to known good sources (e.g., whois records).
3. Monitor DNS cache: Look for unexpected changes.
   • On Windows, use

     ipconfig /displaydns

     .

   • On Linux/macOS, use tools like dnsmasq or check system logs.

How to Prevent DNS Spoofing

1. Use DNSSEC: DNS Security Extensions add cryptographic signatures to DNS data, verifying its authenticity.
   • Your DNS provider needs to support DNSSEC.
2. Enable Full Mode in your Browser: Some browsers have built-in protection against DNS spoofing (check browser settings).
3. Use a VPN: A Virtual Private Network encrypts your internet traffic and uses its own DNS servers, bypassing your ISP’s potentially compromised ones.
4. Keep Your Software Updated: Ensure your operating system and antivirus software are up-to-date to patch security vulnerabilities.

Important Considerations

• ARP spoofing is usually a local network attack, meaning it happens within your home or office network.
• DNS spoofing can happen remotely if attackers compromise DNS servers.
• Regularly scan your network for vulnerabilities and suspicious activity.