Stop ARP Spoofing: Securing Your Wireless Network

TL;DR

ARP (Address Resolution Protocol) request replay attacks can let someone take over traffic on your wireless network. This guide explains why Access Points (APs) are vulnerable and how to protect yourself using static ARP entries, port security features, and monitoring tools.

Understanding the Problem

Access Points rely heavily on ARP to translate IP addresses into MAC addresses. When a device joins your network, it broadcasts an ARP request asking ‘Who has this IP address?’. The AP responds with its MAC address. The problem is that these requests aren’t strongly secured by default. An attacker can:

• Capture legitimate ARP requests.
• Replay those requests, pretending to be the original device.
• Redirect traffic through their machine (a ‘Man-in-the-Middle’ attack).

APs often trust ARP responses without enough verification, making them susceptible.

Solution: Strengthening Your Wireless Network

1. Static ARP Entries
   • For critical devices (like your router or servers), manually configure static ARP entries on the AP. This tells the AP to *always* associate a specific IP address with a specific MAC address, ignoring any other responses.
   • This prevents attackers from spoofing those addresses.
   • Example (Cisco IOS):

     configure terminal
     arpa 192.168.1.1 aa:bb:cc:dd:ee:ff
     end
     show arp

2. Port Security (MAC Address Filtering)
   • Most APs have ‘port security’ features. This lets you limit which MAC addresses are allowed to connect to each port on the switch that the AP is connected to.
   • You can configure it in one of three ways:
     • Static: Only allow explicitly defined MAC addresses.
     • Dynamic: Learn MAC addresses automatically, but prevent new ones from joining after a certain limit.
     • Sticky: Learn MAC addresses dynamically and save them to the configuration file so they persist across reboots. (Best option for most home/small office setups).
   • Example (Cisco IOS):

     interface GigabitEthernet0/1
     switchport mode access
     switchport port-security
     switchport port-security mac-address sticky
     end

3. DHCP Snooping (if your switch supports it)
   • DHCP snooping builds a database of valid IP-to-MAC address bindings. It then drops any ARP packets that don’t match this database, preventing spoofing.
   • Requires configuration on the switch connected to the AP.
4. ARP Inspection (if your switch supports it)
   • More advanced than DHCP snooping. ARP inspection actively validates ARP packets against known bindings and drops invalid ones.
   • Also requires configuration on the switch.
5. Wireless Intrusion Detection/Prevention Systems (WIDS/WIPS)
   • These systems monitor your wireless network for malicious activity, including ARP spoofing attempts. They can alert you to attacks and even automatically block them.
   • Often a paid solution but provides the best protection.
6. Regular Monitoring
   • Use tools like Wireshark or tcpdump to capture network traffic and look for suspicious ARP activity.
   • Look for duplicate IP addresses, unexpected MAC addresses, or a large number of ARP requests from the same source.
   • Example (tcpdump):

     tcpdump -i wlan0 arp

Why APs are Vulnerable

APs generally prioritize network connectivity over strict cyber security. They assume devices on the local network are trustworthy, which isn’t always true. The ARP protocol itself was designed for simplicity and speed, not strong security.