Stop ARP Spoofing: Fix Dropped Connections

TL;DR

ARP spoofing is when someone pretends to be another device on your network, causing connection problems. This guide shows you how to identify and block it using static ARP entries and tools like arpwatch.

What’s happening?

ARP (Address Resolution Protocol) translates IP addresses into MAC addresses. ARP spoofing tricks devices into thinking the wrong MAC address belongs to a specific IP, often redirecting traffic through an attacker’s machine. This can lead to dropped connections, slow speeds and even data theft.

How to Identify ARP Spoofing

1. Check your ARP table: Use the arp -a command in a terminal (Windows or Linux). Look for multiple MAC addresses associated with the same IP address. This is a strong indicator of spoofing.

   arp -a

2. Network Monitoring Tools: Tools like Wireshark can capture network traffic and show suspicious ARP requests/replies.
3. ARPWatch (Linux): arpwatch monitors your Ethernet for unusual ARP activity.
   • Install it:

     sudo apt install arpwatch

     (Debian/Ubuntu) or use your distribution’s package manager.

   • Run it:

     sudo arpwatch -i eth0

     (replace eth0 with your network interface). It will log suspicious events to a file, usually /var/log/arpwatch.log.

Blocking ARP Spoofing

1. Static ARP Entries: The most effective solution is to create static entries for important devices (router, servers). This tells your computer to always trust the specified MAC address for that IP.
   • Find the correct MAC address: Use arp -a when you *know* you have a good connection to the device.
   • Add the static entry (Windows):
     1. Open Command Prompt as Administrator.
     2. Use the command:

        arp -s <IP address> <MAC address>

        For example:

        arp -s 192.168.1.1 AA:BB:CC:DD:EE:FF

     3. Verify with arp -a.
   • Add the static entry (Linux):
     1. Edit your network configuration file (usually in /etc/network/interfaces or using NetworkManager). Add a line like:

        hwaddress <MAC address> dev <interface name>

        For example:

        hwaddress AA:BB:CC:DD:EE:FF dev eth0

     2. Restart your network service (e.g., sudo systemctl restart networking).
     3. Verify with arp -a.
2. Router Security Features: Many routers have built-in ARP inspection or dynamic ARP protection features. Enable these in your router’s settings.
3. Port Security (Switches): If you use a managed switch, enable port security to limit the MAC addresses allowed on each port.

Important Considerations

• Static ARP entries need updating if device MAC addresses change.
• ARP spoofing is often part of a larger attack. Ensure your overall cybersecurity posture is strong (firewall, antivirus, etc.).