Blog | G5 Cyber Security

Stop ARP Poisoning: Wired & Wireless Networks

G5 Cyber Security

TL;DR

ARP poisoning lets attackers intercept network traffic by faking MAC addresses. This guide shows you how to detect and prevent it on a network with both wired and wireless connections, using static ARP entries, port security, and monitoring tools.

Detecting & Preventing ARP Poisoning

  1. Understand the Threat
    • ARP (Address Resolution Protocol) maps IP addresses to MAC addresses.
    • Poisoning involves sending fake ARP messages, tricking devices into using the attacker’s MAC address for legitimate IPs.
    • This allows the attacker to ‘sniff’ network traffic.
  2. Static ARP Entries (For Critical Devices)

    Manually configure static ARP entries on devices where you need guaranteed correct mappings. This bypasses dynamic ARP resolution.

    • Windows: Open Command Prompt as administrator and use arp -s <IP address> <MAC address>
    • Linux/macOS: Edit the /etc/arp file (requires root privileges). Add a line like this: <IP address> <MAC address> permanent. Then run sudo arp -a to verify.
  3. Port Security (Switches)

    Configure port security on your wired network switches to limit which MAC addresses can connect to each port.

    • Most managed switches have a ‘port security’ feature.
    • Set the switch port to allow only one or a limited number of MAC addresses. This prevents an attacker from easily plugging in and spoofing.
    • Configure the action to be ‘shutdown’ if an unknown MAC address is detected on the port.
  4. DHCP Snooping (Switches)

    Enable DHCP snooping on your switches. This helps prevent rogue DHCP servers and ensures devices receive correct IP addresses, reducing the chance of ARP spoofing based on incorrect information.

  5. Dynamic ARP Inspection (DAI) (Switches)

    DAI validates ARP packets against a trusted database (like your DHCP snooping table). Invalid packets are dropped. Requires DAI-capable switches and proper configuration.

  6. Wireless Network Security
    • Strong Password: Use a strong, unique password for your Wi-Fi network (WPA3 is best).
    • MAC Address Filtering: Allow only known MAC addresses to connect. This isn’t foolproof but adds another layer of security.
    • Guest Network: Isolate guest traffic on a separate network.
  7. ARP Monitoring Tools

    Use tools to detect ARP anomalies.

    • Wireshark: A powerful packet analyser. Filter for ARP packets and look for suspicious entries (multiple MAC addresses associated with the same IP).
    • Arpspoof Detector: A Linux tool specifically designed to detect ARP spoofing attacks. Install using your distribution’s package manager (e.g., sudo apt install arpspoof-detector on Debian/Ubuntu). Run it periodically: 
      arpspoof-detector <interface>
    • Security Information and Event Management (SIEM) systems: If you have a SIEM, configure alerts for ARP anomalies.
  8. Regular Network Scans

    Periodically scan your network for vulnerabilities and rogue devices.

Exit mobile version