Stop ARP Spoofing: Wireshark Detection & Fixes

TL;DR

You’ve spotted suspicious activity in Wireshark that *might* be ARP spoofing. This guide explains how to confirm it and what you can do to protect your network. It’s a common attack where someone tries to trick devices into sending data to the wrong place, potentially letting an attacker steal information or disrupt things.

What is ARP Spoofing?

ARP (Address Resolution Protocol) translates IP addresses (like 192.168.1.10) into MAC addresses (unique hardware IDs). ARP spoofing involves sending fake ARP messages to associate the attacker’s MAC address with a legitimate IP address, causing network traffic intended for that IP to be sent to the attacker instead.

Confirming ARP Spoofing in Wireshark

1. Filter your capture: In Wireshark, use the filter `arp` to focus on ARP packets.
2. Look for inconsistencies: Pay attention to these things:
   • Duplicate IP addresses with different MACs: If you see the same IP address listed multiple times but associated with *different* MAC addresses, that’s a big red flag.
   • Gratuitous ARP replies: An unusual number of ARP replies when no requests have been sent is suspicious. Legitimate devices usually only reply to requests.
   • Sender IP/MAC mismatch: Check if the ‘Source IP’ and ‘Source MAC’ make sense for the network.
3. Examine ARP table (command line): Use your operating system’s command-line tool to view the current ARP table:

   arp -a

   Look for entries that don’t match known devices on your network.

Fixing and Preventing ARP Spoofing

1. Static ARP Entries (Advanced): Manually configure static ARP entries for critical devices. This is a bit fiddly but prevents dynamic changes.
   • Windows: Use `arp -s ` in an elevated command prompt.
   • Linux/macOS: Edit the `/etc/arp` file (requires root privileges). Example entry: 192.168.1.1 00:11:22:33:44:55

   Warning: Incorrect static entries can break network connectivity.

2. Port Security (Switches): If you control the network switches, enable port security. This limits which MAC addresses are allowed to connect to each port.
   • Configure the switch to only allow the MAC address of the device that should be connected to each port.
   • Set the switch to shut down a port if an unknown MAC address is detected.
3. DHCP Snooping (Switches): Enable DHCP snooping on your switches. This helps prevent rogue DHCP servers and can mitigate ARP spoofing.
   • It builds a database of trusted IP-MAC address bindings based on legitimate DHCP leases.
4. Use Static IPs: Assign static IP addresses to important devices instead of relying on DHCP. This makes it harder for attackers to manipulate ARP tables.
5. Network Monitoring Tools: Implement a network monitoring solution that actively detects and alerts you to ARP spoofing attempts. Many intrusion detection systems (IDS) include this functionality.
6. Firewall Rules: Some firewalls can filter ARP traffic based on specific criteria, but this is less common.
7. Wireless Security: If using Wi-Fi, ensure you’re using strong encryption (WPA3 if possible) and a robust password. ARP spoofing is easier on insecure wireless networks.

Important Considerations

• ARP spoofing attacks are often local to your network segment.
• Regularly check your ARP tables for anomalies.
• Keep your switch firmware up-to-date to benefit from the latest security features and bug fixes.