Stop ARP Spoofing: LAN Security

TL;DR

ARP spoofing lets attackers intercept network traffic on your local network (LAN). This guide shows you how to detect and prevent it using static ARP entries, port security on switches, and monitoring tools. It’s aimed at home users and small businesses.

What is ARP Spoofing?

ARP (Address Resolution Protocol) translates IP addresses into MAC addresses. Attackers use ARP spoofing to associate their MAC address with the IP address of another device, like your router. This means network traffic intended for that device gets sent to the attacker instead.

How to Protect Your LAN

1. Understand Static ARP Entries
   • Normally, devices learn MAC addresses dynamically using ARP requests.
   • Static ARP entries manually link an IP address to a specific MAC address. This prevents attackers from changing the association.
2. Create Static ARP Entries (Windows)

   You’ll need the IP and MAC addresses of important devices like your router.

   1. Open Command Prompt as an administrator.
   2. Use the arp -s command:

      arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff

      (Replace 192.168.1.1 with your router’s IP and aa:bb:cc:dd:ee:ff with its MAC address.)

   3. Verify the entry:

      arp -a

3. Create Static ARP Entries (Linux/macOS)

   You’ll need root or administrator privileges.

   1. Edit the network configuration file. This varies by distribution, but often it’s in /etc/network/interfaces (Debian/Ubuntu) or using Network Manager GUI tools.
   2. Add a line like this:

      static arp 192.168.1.1 aa:bb:cc:dd:ee:ff

      (Replace 192.168.1.1 with your router’s IP and aa:bb:cc:dd:ee:ff with its MAC address.)

   3. Restart the network service:

      sudo systemctl restart networking

      (or equivalent command for your distribution).

4. Port Security on Switches

   If you use a managed switch, port security is very effective.

   • Configure each port to only allow traffic from specific MAC addresses.
   • Set the port to ‘sticky’ mode so it learns and remembers allowed MAC addresses automatically (but still requires initial configuration).
   • Consider setting a violation action like shutting down the port when an unknown MAC address is detected.
5. ARP Inspection

   Some switches support Dynamic ARP Inspection (DAI), which validates ARP packets and drops malicious ones.

   • Enable DAI on your switch if supported.
   • Configure trusted ports (ports connected to legitimate devices like routers).
6. Use Monitoring Tools
   1. Wireshark: A powerful network packet analyser. You can capture traffic and look for suspicious ARP replies.
      • Filter by arp to see ARP packets.
      • Look for multiple devices claiming the same IP address.
   2. ARPWatch: A tool that monitors your network for changes in the ARP table and alerts you to potential spoofing.

      arpwatch -i eth0

      (Replace eth0 with your network interface.)

7. Keep Firmware Updated

   Ensure your router and switch firmware are up to date. Updates often include cyber security patches.