Spotting ARP Poisoning Attacks

TL;DR

ARP poisoning (or spoofing) lets attackers intercept network traffic by linking the wrong MAC address to an IP address. This guide shows you how to detect it using tools like arp, Wireshark, and dedicated security software.

Detecting ARP Poisoning Attacks

1. Understand How ARP Works
   • ARP (Address Resolution Protocol) translates IP addresses into MAC addresses on your local network.
   • When a device wants to send data, it broadcasts an ARP request asking ‘Who has this IP address?’
   • The device with that IP responds with its MAC address. Attackers exploit this process.
2. Use the arp Command

   This is your first line of defence. It shows you a table of IP-to-MAC address mappings.

   • Windows: Open Command Prompt and type

     arp -a

     .

   • Linux/macOS: Open Terminal and type

     arp -an

     . The -n flag prevents DNS lookups, showing only IP addresses.

3. Look for Anomalies in the ARP Table
   • Duplicate MAC Addresses: If you see the same MAC address listed against multiple different IP addresses, it’s a strong indicator of poisoning. This means an attacker is claiming to be multiple devices.
   • Unexpected Entries: Check for IP addresses you don’t recognise on your network.
   • Static ARP Entries: If you know certain devices have static IPs and MAC address pairings, verify those are correct.
4. Use Wireshark to Capture and Analyse Traffic

   Wireshark lets you see the raw network packets.

   • Download and install Wireshark.
   • Start a capture on your network interface (usually Ethernet or Wi-Fi).
   • Apply a filter for ‘arp’ in the filter bar at the top:

     arp

     .

   • Look for Gratuitous ARPs: These are ARP replies sent without a request. Attackers often send these to flood the network with false information.
   • Examine Source IPs and MACs: Check if the source IP address in an ARP reply matches the expected sender.
5. Dedicated Security Tools (Optional)

   Several tools can automate ARP poisoning detection:

   • Arpwatch: Monitors your network for changes in the ARP table and alerts you to suspicious activity. (Linux).
   • Anti-ARP Spoofing Software: Some firewalls or security suites include features specifically designed to detect and prevent ARP poisoning.
6. Clear Your ARP Cache Regularly

   This removes old, potentially poisoned entries.

   • Windows:

     arp -d *

     . You’ll need administrator privileges.

   • Linux/macOS:

     sudo arp -d all

     .