TL;DR
ARP poisoning (or spoofing) lets attackers intercept network traffic by linking the wrong MAC address to an IP address. This guide shows you how to detect and prevent these ‘man-in-the-middle’ attacks on your network, using static ARP entries and tools like arpwatch.
Preventing ARP Poisoning Attacks
- Understand the Problem: ARP (Address Resolution Protocol) maps IP addresses to MAC addresses. Attackers send fake ARP messages to associate their MAC address with legitimate IP addresses, redirecting traffic through them. This allows them to eavesdrop on data or modify it before it reaches its destination.
- Static ARP Entries: The most reliable defence is to create static ARP entries for critical devices. This tells your computer to *always* use the specified MAC address for a given IP address, ignoring any conflicting messages.
  - Find the correct MAC addresses: Use `arp -a` on Windows or Linux/macOS to see existing mappings. Note down the MAC address of important devices (router, servers).
  - Add static entries (Windows): Open a command prompt as administrator and use `arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF`. Replace 192.168.1.1 with the IP address and AA:BB:CC:DD:EE:FF with the correct MAC address.
  - Add static entries (Linux/macOS): Use `sudo arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF`. Again, replace with the correct IP and MAC.
- Use ARP Monitoring Tools (arpwatch): arpwatch passively listens for ARP packets and logs any inconsistencies. It’s excellent for detecting attacks in real time.
  - Installation (Debian/Ubuntu): Run `sudo apt update` followed by `sudo apt install arpwatch`.
  - Configuration: Edit `/etc/arpwatch.conf` to set the interface to monitor (e.g., eth0, wlan0). The default settings are usually fine for a home network.
  - Start arpwatch: `sudo systemctl start arpwatch`
  - Check logs: Logs are typically found in `/var/log/arpwatch.log`. Look for entries indicating changed ARP mappings.
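To make the kind of inconsistency arpwatch logs concrete, here is an added Python example (not arpwatch's code and not part of the original guide). It replays a constructed sequence of ARP replies through a small monitor that raises the alert kinds arpwatch reports ("new station", "changed ethernet address", "flip flop") and additionally checks each reply against the static entries from the previous section. The IPs, MACs and function names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample (not a real capture): (sender IP, sender MAC) in arrival order.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "AA:BB:CC:DD:EE:FF"),   # router, first seen
    ("192.168.1.10", "11:22:33:44:55:66"),  # a workstation
    ("192.168.1.1", "AA:BB:CC:DD:EE:FF"),   # router again, unchanged
    ("192.168.1.1", "DE:AD:BE:EF:00:01"),   # router IP claimed by another MAC
    ("192.168.1.1", "AA:BB:CC:DD:EE:FF"),   # original MAC is back
]

# Expected mappings for critical devices (mirrors the static ARP entries).
STATIC_ENTRIES = {"192.168.1.1": "AA:BB:CC:DD:EE:FF"}

Alert = Tuple[str, str, str, str]  # (kind, ip, old_mac, new_mac)

@dataclass
class ArpMonitor:
    static: Dict[str, str]                                   # ip -> expected mac
    current: Dict[str, str] = field(default_factory=dict)   # ip -> last seen mac
    seen: Dict[str, Set[str]] = field(default_factory=dict) # ip -> every mac seen
    alerts: List[Alert] = field(default_factory=list)

    def observe(self, ip: str, mac: str) -> None:
        """Process one ARP reply and record any alert it triggers."""
        mac = mac.lower()
        expected = self.static.get(ip)
        if expected is not None and expected != mac:
            self.alerts.append(("static mismatch", ip, expected, mac))
        prev = self.current.get(ip)
        if prev is None:
            self.alerts.append(("new station", ip, "", mac))
        elif prev != mac:
            # A MAC seen earlier for this IP is a "flip flop"; a brand-new one is a change.
            kind = "flip flop" if mac in self.seen[ip] else "changed ethernet address"
            self.alerts.append((kind, ip, prev, mac))
        self.current[ip] = mac
        self.seen.setdefault(ip, set()).add(mac)

def run_monitor(replies, static=STATIC_ENTRIES) -> List[Alert]:
    """Feed every reply through a fresh monitor and return the alerts raised."""
    mon = ArpMonitor(static={ip: m.lower() for ip, m in static.items()})
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts

if __name__ == "__main__":
    for kind, ip, old, new in run_monitor(SAMPLE_ARP_REPLIES):
        print(f"{kind:24} {ip:14} {old or '-':18} -> {new}")
```

On the sample input the fourth reply produces both a "static mismatch" and a "changed ethernet address" alert, and the fifth a "flip flop", which is the pattern to look for in `/var/log/arpwatch.log`.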
- Port Security (Switches): If you have a managed switch, enable port security. This restricts which MAC addresses can connect to each port, preventing attackers from plugging in their devices.
- Consult your switch’s documentation for specific instructions – the process varies greatly between manufacturers.
- Regularly Review ARP Tables: Periodically check your ARP table (`arp -a`) to ensure it contains only expected entries.
- Network Segmentation: Separate critical devices onto their own network segment, limiting the impact of a successful attack. This is more advanced but highly effective.
Important Note: Static ARP entries need to be updated if IP addresses change. arpwatch provides detection, but doesn’t automatically correct incorrect mappings.