Stop ARP Spoofing on Your Network

TL;DR

Devices on your network can’t communicate because someone is tricking them with fake information about who’s connected. This guide shows you how to find the attacker and block them, using tools built into Windows, macOS, and Linux.

What is ARP Spoofing?

ARP (Address Resolution Protocol) translates IP addresses (like 192.168.1.10) into MAC addresses (unique hardware IDs). ARP spoofing happens when someone sends false ARP messages, telling devices the wrong MAC address belongs to a specific IP. This lets them intercept network traffic.

How to Detect and Stop ARP Spoofing

1. Understand the Symptoms: If you notice intermittent connectivity issues, can’t access certain devices on your local network (even though they appear online), or see strange error messages, ARP spoofing could be happening.
2. Identify the Attacker – Windows:
   • Open Command Prompt as an administrator.
   • Run the following command to display the ARP table:

     arp -a

   • Look for duplicate IP addresses with different MAC addresses. This is a strong indicator of spoofing. Note down both IP and MAC addresses.
   • To find which device owns a specific MAC address, use:

     getmac /v | findstr "MAC Address"

3. Identify the Attacker – macOS:
   • Open Terminal.
   • Run this command to display the ARP table:

     arp -an

   • Similar to Windows, look for duplicate IP addresses with different MAC addresses.
   • To find which device owns a specific MAC address, use:

     arp -a | awk '{print $4}' | sort | uniq -c | sort -nr

     This will show you the number of times each MAC address appears in the table; unusual counts suggest problems.

4. Identify the Attacker – Linux:
   • Open a terminal.
   • Run this command to display the ARP table:

     arp -a

   • Look for duplicate IP addresses with different MAC addresses.
   • To find which device owns a specific MAC address, use:

     ip neigh show | grep "lladdr"

     This will display the MAC addresses associated with each IP address on your network.

5. Block the Attacker: Once you’ve identified the attacker’s MAC address, block it at the router level.
   • Router Interface: Log into your router’s web interface (usually by typing its IP address – often 192.168.1.1 or 192.168.0.1 – into a web browser).
   • MAC Address Filtering: Look for settings like “MAC Address Filtering”, “Access Control”, or similar. The exact location varies by router manufacturer.
   • Add the MAC address: Add the attacker’s MAC address to the blocked list. This prevents that device from connecting to your network. Be careful not to block legitimate devices!
6. Static ARP Entries (Advanced): For a more permanent solution, you can create static ARP entries on critical devices.
   • Windows: Use the

     arp -s <IP address> <MAC address>

     command. For example:

     arp -s 192.168.1.10 AA:BB:CC:DD:EE:FF

   • macOS/Linux: Edit the ARP cache file (requires root privileges). This is more complex and varies by distribution; search online for specific instructions for your system.
7. Use cyber security Tools: Consider using tools like Wireshark to capture network traffic and analyze ARP packets for suspicious activity. There are also dedicated ARP spoofing detection programs available.

Important Note: If you suspect a serious attack, consider changing your router’s password and firmware version. Regularly updating your router’s security is vital.