Stop ARP Poisoning & Port Forward Attacks

G5 Cyber Security

5 months ago

TL;DR

ARP poisoning lets attackers redirect network traffic, often combined with port forwarding to steal data or control devices. This guide shows you how to detect and block these attacks using static ARP entries, monitoring tools, and secure configurations.

Understanding the Threat

ARP (Address Resolution Protocol) translates IP addresses into MAC addresses on your local network. ARP poisoning tricks devices into associating the wrong MAC address with a legitimate IP address – usually the gateway’s. Port forwarding then sends traffic intended for your network to an attacker’s machine.

Solution: Blocking ARP Poisoning & Securing Your Network

Static ARP Entries: The most effective defence is telling your devices *exactly* which MAC address belongs to key IPs.

Find the correct MAC address of your gateway (router). You can usually find this in your router’s admin interface or by running a command on another trusted device:
```
arp -a
```
On each important computer, add a static ARP entry. The exact method varies depending on your operating system.
- Windows: Open Command Prompt as administrator and use:
```
arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF
```
  (Replace 192.168.1.1 with your gateway’s IP, and AA:BB:CC:DD:EE:FF with its MAC address.)
- Linux/macOS: Use the command:
```
sudo arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF
```
  (Again, replace with your gateway’s IP and MAC address.)

ARP Monitoring Tools: Regularly check for ARP inconsistencies.

arpwatch: A popular tool that logs ARP traffic changes. Install it on a trusted machine.
```
sudo apt install arpwatch
```
(This is an example for Debian/Ubuntu. Use your distribution’s package manager.)
Wireshark: A network protocol analyser. Capture ARP traffic and look for duplicate IP addresses associated with different MAC addresses.

Router Security Settings: Configure your router to improve cyber security.

Disable Port Forwarding (if not needed): The less port forwarding you have, the smaller the attack surface. If you *must* use it:
- Only forward ports for specific services and devices.
- Use strong passwords on your router admin interface.
- Enable UPnP only if absolutely necessary (it can create security holes).
MAC Address Filtering: Allow only known MAC addresses to connect to your network. This is more difficult to manage but adds another layer of protection.

Network Segmentation: Separate different parts of your network (e.g., guest Wi-Fi, IoT devices) to limit the impact of an attack.

Create separate VLANs if your router supports them.
Use a firewall to control traffic between segments.

Keep Software Updated: Regularly update your operating systems, routers, and security software. Patches often fix vulnerabilities that attackers exploit.

Enable automatic updates where possible.
Check for firmware updates on your router’s website.

Regularly Review Logs: Check your router’s logs, firewall logs and ARP monitoring tool output for suspicious activity. Look for unexpected MAC addresses or traffic patterns.

By implementing these steps, you significantly reduce the risk of successful ARP poisoning and port forwarding attacks.