TL;DR
ARP poisoning attacks are harder to pull off on networks where each computer is in its own subnet, but still possible. This guide shows you how to detect and prevent them using static ARP entries and network monitoring tools.
Understanding the Problem
ARP (Address Resolution Protocol) translates IP addresses into MAC addresses. ARP poisoning tricks computers into associating the wrong MAC address with an IP address, allowing attackers to intercept traffic. In a divided network (each PC on its own subnet), the attack requires targeting each subnet individually, making it more complex but not impossible.
Solution: Static ARP Entries & Monitoring
- Identify Critical Devices: List all important devices like routers, servers and other key PCs. These are the ones you *must* protect.
- Get their IP addresses and MAC addresses. You can find these using
arp -aon Windows orarp -anon Linux/macOS.
- Get their IP addresses and MAC addresses. You can find these using
- Create Static ARP Entries: Tell each computer to *always* use the correct MAC address for those critical IP addresses.
- Windows: Open a command prompt as administrator and use
arp -s [IP Address] [MAC Address]. For example:arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF - Linux/macOS: Use the command
sudo arp -s [IP Address] [MAC Address]. For example:sudo arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF - Repeat for each critical device on *every* computer.
- Windows: Open a command prompt as administrator and use
- Network Monitoring (Recommended): Use tools to watch for suspicious ARP activity.
- Wireshark: A powerful packet analyser. Filter for ARP packets and look for entries where the source MAC address doesn’t match the expected IP address.
- Arpwatch: A tool specifically designed to monitor ARP traffic changes. It logs any new or changed ARP entries.
- Install on a central server/PC with network access.
- Configure it to email alerts when suspicious activity is detected.
- Security Information and Event Management (SIEM) systems: If you have one, configure it to collect and analyse ARP logs.
- Router Security: Ensure your routers are up-to-date with the latest firmware. Some routers have built-in ARP inspection features – enable these if available.
- Regular Checks: Periodically verify static ARP entries haven’t been altered (especially after network changes).
- Run
arp -a(Windows) orarp -an(Linux/macOS) and compare the results to your expected list.
- Run
Important Considerations
- Static ARP is not a perfect solution: It requires manual configuration and maintenance.
- False Positives: Network monitoring tools can generate false alarms, so investigate carefully before taking action.
- Multiple Subnets: Repeat the static ARP entry process for each subnet in your network.