Prevent ARP Poisoning on a Switch

G5 Cyber Security

2 months ago

TL;DR

To make it harder for attackers to detect your devices on a switched network (like through ARP poisoning), you can use static ARP entries. This tells your computer exactly where to find other devices, instead of relying on the switch’s broadcasts. It’s not perfect security, but adds a layer of protection.

How it Works

Normally, when your computer wants to talk to another device on the network, it sends out an ARP (Address Resolution Protocol) request asking ‘who has this IP address?’. The switch learns which MAC addresses are connected to which ports. Attackers can exploit this by sending fake ARP replies, redirecting traffic through their machine.

Steps to Cache ARP Entries

Find the Target’s MAC Address: You need to know the MAC address of each device you want to protect against detection. There are several ways to do this:
- Using arp -a (Windows): Open Command Prompt and type
```
arp -a
```
  . Look for the IP address of the target device and note its corresponding MAC address.
- Using ip neigh or arping (Linux/macOS): Open a terminal and use either command:
  - ```
  ip neigh
```
  – Shows the ARP cache.
- ```
arping 
```
    – Sends an ARP request to get the MAC address. You might need sudo before this command.
Add Static ARP Entries (Windows):
1. Open Command Prompt as Administrator.
2. Use the arp -s command:
```
arp -s  
```
  For example:
```
arp -s 192.168.1.10 00:1A:2B:3C:4D:5E
```
3. Verify the entry is added with
```
arp -a
```
  . It should now show your manually entered MAC address for that IP.
Add Static ARP Entries (Linux/macOS):
1. Open a terminal as root or using sudo.
2. Edit the /etc/hosts file:
```
sudo nano /etc/hosts
```
  (or use your preferred text editor)
3. Add a line in this format:
```
 
```
  . This doesn’t directly add an ARP entry, but it can help prevent DNS-based attacks.
4. Edit the routing table to create a static route:
```
sudo ip route add /32 via  dev 
```
  Replace placeholders with your actual values.
5. Clear the ARP cache (optional, but recommended):
```
sudo ip -s -d neigh flush all
```
  or
```
sudo arp -d 
```
Repeat for Each Device: Add a static ARP entry for every device you want to protect.

Important Considerations

Dynamic IPs: If the target devices have dynamic IP addresses (assigned by DHCP), their IP address might change, and your static ARP entries will become invalid. You’ll need to update them whenever the IP changes.
Network Changes: Any significant network changes could also invalidate these entries.
Not a Complete Solution: Static ARP entries are not foolproof. More sophisticated attacks can still bypass this protection. It’s best used in combination with other security measures like firewalls and intrusion detection systems.
cyber security is complex, so consider professional help if you’re unsure.