Stop ARP Spoofing Blocking Internet

TL;DR

ARP spoofing is a sneaky attack where someone pretends to be other devices on your network, potentially blocking your internet access. This guide shows you how to identify and stop it using static ARP entries and tools like `arpwatch`.

What’s happening?

ARP (Address Resolution Protocol) translates IP addresses into MAC addresses – the unique identifiers of devices on your network. ARP spoofing tricks your computer into associating the wrong MAC address with an IP address, usually the gateway (your router). This means your internet traffic gets sent to the attacker instead.

How to Identify ARP Spoofing

1. Check Your ARP Table: Use the `arp -a` command. On Windows, open Command Prompt and type this. On Linux/macOS, use Terminal.

   arp -a

   • Look for multiple entries with the same IP address but different MAC addresses. This is a strong indicator of spoofing.
   • Pay attention to your gateway’s MAC address. If it’s changed unexpectedly, something is wrong.
2. Use Network Monitoring Tools: Tools like Wireshark can capture network traffic and show you ARP requests and replies. This requires some technical knowledge but provides detailed information.
3. Consider `arpwatch` (Linux): This tool passively monitors Ethernet activity and logs any changes to the ARP table. It’s excellent for detecting suspicious activity.

Stopping ARP Spoofing

1. Static ARP Entries: The most reliable solution is to create static ARP entries for critical devices, like your router (gateway). This tells your computer to always trust the specified MAC address for that IP address.
• Windows:
  1. Open Command Prompt as Administrator.
  2. Use the arp -s command:

     arp -s [IP Address] [MAC Address]

     For example, to set a static entry for your gateway (192.168.1.1) with MAC address AA:BB:CC:DD:EE:FF:

     arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF

  3. Verify the entry with `arp -a` again.
• Linux/macOS:
  1. Open Terminal.
  2. Use the sudo arp -s command:

     sudo arp -s [IP Address] [MAC Address]

     For example:

     sudo arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF

  3. You may need to edit your network configuration file (e.g., `/etc/network/interfaces` on Debian/Ubuntu) to make the entry permanent after a reboot.
2. Enable ARP Inspection on Your Router: Many modern routers have ARP inspection features that can detect and block spoofing attempts. Check your router’s documentation for instructions.
3. Use Network Security Software: Some antivirus or internet security suites include ARP spoofing protection.
4. Install `arpwatch` (Linux):
   1. Install the package using your distribution’s package manager:

      sudo apt install arpwatch

      (Debian/Ubuntu)
      or

      sudo yum install arpwatch

      (CentOS/RHEL)

   2. Configure `/etc/arpwatch.conf` to set the interface to monitor and an email address for alerts.
   3. Start the service:

      sudo systemctl start arpwatch

   4. Check logs in `/var/log/arpwatch.log` for suspicious activity.
5. Firewall Rules: While more complex, you can create firewall rules to restrict ARP traffic based on source and destination MAC addresses.

Important Notes

• Always get the correct MAC address of your gateway before setting a static entry. Check your router’s configuration page.
• Static ARP entries are a good solution for devices you trust, but they can be bypassed if an attacker gains physical access to your network.
• ARP spoofing is often part of a larger attack. Consider other security measures like strong passwords and keeping your software updated.