Stop ARP Poisoning on Your Wi-Fi

TL;DR

ARP poisoning attacks can let someone intercept your network traffic even on WPA secured networks. This guide shows you how to detect and prevent them, covering both home (Personal) and work (Enterprise) Wi-Fi setups.

What is ARP Poisoning?

ARP (Address Resolution Protocol) links IP addresses to physical MAC addresses. ARP poisoning tricks devices into associating the wrong MAC address with an IP address, allowing attackers to ‘sniff’ your data. It’s a man-in-the-middle attack.

Detecting ARP Poisoning

1. Use an ARP Scanner: Tools like arp-scan can show you which MAC addresses are associated with each IP address on your network. Look for duplicates – one IP having multiple MAC addresses is a strong indicator of poisoning.

   arp-scan -l

   This command scans your local network and displays the results.

2. Check Your ARP Cache: The `arp -a` command shows your computer’s current ARP cache. Compare this to what you expect based on known devices.

   arp -a

   Look for unexpected entries or MAC addresses that don’t match the device names.

3. Network Monitoring Tools: Wireshark can capture network traffic and highlight ARP requests/replies. Filtering by `arp` will show you suspicious activity.

Preventing ARP Poisoning on WPA Personal Networks (Home)

1. Static DHCP Leases: Assign fixed IP addresses to important devices (computers, printers). This prevents attackers from easily spoofing their IPs.
   • Access your router’s admin interface (usually via a web browser – check the router manual for the address and login details).
   • Find the DHCP settings section.
   • Reserve IP addresses based on MAC addresses.
2. MAC Address Filtering: Allow only known devices to connect to your Wi-Fi network.
   • In your router’s admin interface, find the Wireless settings or Access Control section.
   • Enable MAC address filtering and add the MAC addresses of your trusted devices.
3. Router Firmware Updates: Keep your router’s firmware up to date. Manufacturers often release updates that patch security vulnerabilities.
4. Use a Strong Password: A strong, unique Wi-Fi password is essential. WPA3 is preferable if your devices support it.

Preventing ARP Poisoning on WPA Enterprise Networks (Work)

Enterprise networks typically have more robust security measures in place, but these steps can add extra protection.

1. Port Security: Configure switches to limit the number of MAC addresses allowed on each port. This prevents attackers from connecting multiple devices to a single port.
   • Access your switch’s command-line interface (CLI).
   • Use commands like `interface GigabitEthernet0/1` followed by `switchport port-security maximum 1` to limit connections on each port.
2. DHCP Snooping: Prevent rogue DHCP servers from distributing incorrect IP addresses.
   • Configure your switches with `ip dhcp snooping vlan 10,20` (replace 10 and 20 with your VLAN numbers).
   • Enable `ip dhcp snooping verify` to validate DHCP messages.
3. Dynamic ARP Inspection (DAI): Validate ARP packets to ensure they are legitimate.
   • Enable DAI globally with `arp inspection vlan 10,20`.
   • Configure trusted interfaces using `arp inspection trust interface GigabitEthernet0/1`.
4. 802.1X Authentication: Use strong authentication methods like RADIUS for network access.
5. Regular Security Audits: Conduct regular security audits to identify and address vulnerabilities.

Important Considerations

• ARP poisoning is often a symptom of a larger problem. Investigate any suspicious activity thoroughly.
• These steps aren’t foolproof, but they significantly increase the difficulty for attackers.