Stop ARP Poisoning on Wi-Fi

TL;DR

Someone’s messing with your Wi-Fi network by sending fake replies to ARP requests, meaning no internet for you. This guide shows how to find the attacker and block them.

What’s happening?

ARP (Address Resolution Protocol) poisoning – sometimes called ARP spoofing – is when someone sends false messages on your network claiming to be other devices. This tricks computers into sending data to the wrong place, usually allowing the attacker to intercept it. If you’re seeing no internet access and suspect this, follow these steps.

Solution

  1. Identify Connected Devices: First, get a list of everything currently connected to your Wi-Fi.
    • Log into your router’s admin panel. The address is usually something like http://192.168.1.1 or http://192.168.0.1 (check your router’s manual if unsure).
    • Look for a section called ‘Connected Devices’, ‘DHCP Clients’, or similar. Note the IP addresses and MAC addresses of all legitimate devices.
  2. Use ARP Scanning: Now, scan your network to see which MAC addresses are associated with each IP address.
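    • On a computer connected to your network (a wired connection is preferable if possible), open a command prompt or terminal.
    • Run an ARP scan using a tool like arp-scan (Linux/macOS) or nmap (cross-platform). Note that arping only probes one address at a time, so it cannot sweep a whole subnet.
      sudo arp-scan <network_address>/24

      (Replace <network_address> with your network’s address, e.g., 192.168.1.0)

    • Alternatively (using nmap; it needs root/administrator privileges to report MAC addresses, so on Windows run it from an administrator prompt without sudo):
      sudo nmap -sn <network_address>/24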
  3. Look for Discrepancies: Compare the results of your ARP scan with the list from your router.
    • Pay close attention to IP addresses that show a different MAC address than what’s listed in your router. This is a strong indicator of ARP poisoning.
    • Also, look for multiple MAC addresses associated with the same IP address – this is very suspicious.
  4. Identify the Attacker’s MAC Address: Once you’ve found a suspect MAC address, try to identify it.
    • Use an online MAC address lookup tool (search for ‘MAC address vendor lookup’). This will tell you the manufacturer of the network card.
    • If the manufacturer doesn’t match any of your devices, that’s a red flag.
  5. Block the Attacker: There are several ways to block the attacker.
    • Router Access Control: The best method is usually through your router’s admin panel. Look for ‘MAC address filtering’, ‘Access Control’, or similar settings. Add the attacker’s MAC address to a blacklist to prevent it from connecting.
    • Static ARP Entries (Advanced): You can manually set static ARP entries on your computers, forcing them to use the correct MAC addresses for known IP addresses. This is more complex and requires some technical knowledge.
      sudo arp -s <IP_address> <MAC_address>

      (Linux/macOS – replace with the correct values)

    • Change Wi-Fi Password: As a precaution, change your Wi-Fi password to something strong and unique. This won’t directly block the attacker but will prevent them from easily reconnecting.
  6. Firmware Update: Ensure your router has the latest firmware installed. Updates often include cyber security improvements.
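
The comparison in steps 1 to 3 can be automated. The script below is an added example, not part of the original guide: it checks a scan listing against the router's device list and reports mismatched MACs, IPs answered by more than one MAC, and (going slightly beyond the steps above) addresses the router list does not contain. The sample data and all function names are constructed for illustration; the scan text is assumed to have one "IP MAC vendor" entry per line.

```python
import re
from collections import defaultdict

# Constructed sample: IP -> MAC as noted from the router's device list (step 1).
ROUTER_LIST = {
    "192.168.1.1": "AA-BB-CC-00-00-01",
    "192.168.1.10": "aa:bb:cc:00:00:10",
    "192.168.1.11": "aa:bb:cc:00:00:11",
}

# Constructed sample: scan output, one "IP <whitespace> MAC <vendor>" per line (step 2).
SCAN_OUTPUT = """\
192.168.1.1\taa:bb:cc:00:00:01\tExample Router Co
192.168.1.1\tde:ad:be:ef:00:99\tUnknown (DUP: 2)
192.168.1.10\taa:bb:cc:00:00:10\tExample Laptop Co
192.168.1.11\tde:ad:be:ef:00:99\tUnknown
192.168.1.23\t02:00:00:00:00:23\tUnknown
"""

LINE_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b"
)

def norm_mac(mac):
    """Lower-case and use ':' so router and scan notations compare equal."""
    return mac.lower().replace("-", ":")

def parse_scan(text):
    """Return {ip: set of MACs that answered for it}; non-matching lines are skipped."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add(norm_mac(m.group(2)))
    return seen

def find_discrepancies(router_list, scan_text):
    """Step 3: list (ip, kind, macs) for every entry that disagrees with the router."""
    known = {ip: norm_mac(mac) for ip, mac in router_list.items()}
    findings = []
    for ip, macs in sorted(parse_scan(scan_text).items()):
        if len(macs) > 1:  # several MACs answering for one IP
            findings.append((ip, "multiple-macs", sorted(macs)))
        if ip not in known:  # device the router list does not contain
            findings.append((ip, "not-in-router-list", sorted(macs)))
        elif macs != {known[ip]}:  # MAC differs from the router's record
            findings.append((ip, "mac-mismatch", sorted(macs - {known[ip]})))
    return findings

if __name__ == "__main__":
    for ip, kind, macs in find_discrepancies(ROUTER_LIST, SCAN_OUTPUT):
        print(f"{ip:15} {kind:20} {', '.join(macs)}")
```

A MAC that shows up under "mac-mismatch" for more than one IP, as de:ad:be:ef:00:99 does in the sample, is the address to look up in step 4.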

If you’re still having trouble, consider contacting a cyber security professional for assistance.
