Blog | G5 Cyber Security

Stopping ARP Spoofing Attacks

TL;DR

ARP spoofing (also known as ARP poisoning) can let attackers intercept network traffic on your corporate network. This guide explains how to detect and prevent it using static ARP entries, port security, DHCP snooping, and intrusion detection systems.

What is ARP Spoofing?

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses. Attackers use ARP spoofing (sending forged ARP replies that no one asked for) to associate their MAC address with the IP address of legitimate devices, like your gateway or other computers. This means network traffic intended for those devices gets sent to the attacker instead, allowing them to eavesdrop on or modify data.

How to Detect and Prevent ARP Spoofing

  1. Understand Your Network
    • Know your critical IP addresses (gateway, servers, important workstations).
    • Document the corresponding MAC addresses. This is essential for static ARP entries.
  2. Static ARP Entries

    Manually configure devices to trust specific IP-MAC address pairings. This prevents attackers from changing these associations.

    • Windows: Use the arp -s command in Command Prompt (run as administrator).
      arp -s 192.168.1.1 AA-BB-CC-DD-EE-FF

      (Replace 192.168.1.1 with the gateway IP and AA-BB-CC-DD-EE-FF with its MAC address.)

    • Linux: Use the arp -s command as root (colon-separated MAC), or keep the pairings in /etc/ethers and load them with arp -f. On systems without net-tools, the iproute2 equivalent is ip neigh add 192.168.1.1 lladdr aa:bb:cc:dd:ee:ff dev eth0 nud permanent.
      sudo arp -s 192.168.1.1 aa:bb:cc:dd:ee:ff

      To keep the entries in a file instead, add a line like this to /etc/ethers (MAC address first, then the IP address):

      aa:bb:cc:dd:ee:ff 192.168.1.1

      Then load the file with sudo arp -f /etc/ethers. Static entries do not survive a reboot, so run the load from a startup script.
  3. Port Security (Switches)

    Restrict which MAC addresses can connect to specific switch ports.

    • Configure each port to only allow the MAC address of the connected device.
    • Set the port to ‘shutdown’ if an unknown MAC address tries to connect. This immediately blocks the attacker.
    • Use a command like this (Cisco example; port security must be switched on for the interface with switchport port-security before the MAC and violation settings take effect):
      interface GigabitEthernet0/1
      switchport mode access
      switchport port-security
      switchport port-security maximum 1
      switchport port-security mac-address 1234.5678.9abc
      switchport port-security violation shutdown
  4. DHCP Snooping (Switches)

    Prevents rogue DHCP servers from handing out incorrect IP addresses and gateway information, and builds the IP-to-MAC binding table that Dynamic ARP Inspection (step 5) checks ARP packets against.

    • Enable DHCP snooping globally on the switch and for each VLAN you want protected (the global command alone does not inspect any VLAN).
      ip dhcp snooping
      ip dhcp snooping vlan 10
    • Mark the ports connected to legitimate DHCP servers (and the uplinks leading to them) as trusted. Every other port stays untrusted, and DHCP server replies arriving there are dropped.
      interface GigabitEthernet0/2
      ip dhcp snooping trust
  5. Dynamic ARP Inspection (DAI)

    Validates ARP packets against the DHCP snooping binding table and drops those whose IP-to-MAC pairing does not match. Requires DHCP snooping to be enabled.

    • Enable DAI globally on the switch for the protected VLAN.
      ip arp inspection vlan 10

      (Replace 10 with your VLAN ID.)
    • Mark uplink and DHCP-server ports as trusted for ARP inspection as well; otherwise legitimate ARP traffic arriving on them is dropped. Hosts with static IP addresses have no DHCP binding and need a static binding or an ARP access list, or DAI will drop their ARP packets too.

  6. Intrusion Detection/Prevention Systems (IDS/IPS)

    Monitor network traffic for suspicious ARP activity.

    • Configure IDS/IPS rules to detect multiple ARP requests from the same IP address within a short timeframe, and the same IP address being announced by more than one MAC address.
    • Set up alerts and automatic blocking of offending devices.
  7. Regular Network Scanning

    Use network scanning tools (or the ARP tables of your hosts and switches) to identify any unexpected MAC addresses or changes in IP-MAC mappings, comparing against the list you documented in step 1.
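As an added example (not code from the G5 Cyber Security post), the script below implements the two detection steps above in one place: step 6 style checks over a stream of ARP replies (a documented IP answering from the wrong MAC, an IP flipping between MACs, one MAC claiming several IPs, and a burst of replies for one IP), and the step 7 audit that compares a live ARP table with the documented baseline. The ARP-reply log format ("<seconds> <sender-ip> is-at <sender-mac>"), the baseline, the sample lines and the thresholds are all assumptions constructed for illustration; the ip neigh show lines follow the real iproute2 output format, but their content is made up too.

```python
"""ARP anomaly checks for steps 6 and 7 of the guide (added example).

Assumed for illustration: the reply-log format, the baseline, the sample
lines and the thresholds. `ip neigh show` lines use the real iproute2
format, with constructed content.
"""
from collections import defaultdict, deque

# Step 1 of the guide: documented IP -> MAC pairs (constructed values).
BASELINE = {
    "192.168.1.1": "aa:bb:cc:dd:ee:ff",   # gateway
    "192.168.1.10": "00:11:22:33:44:55",  # file server
}

# Constructed ARP-reply log: a normal start, then one station answering
# for both the gateway and the server and repeating the gateway reply.
SAMPLE_LOG = """\
100 192.168.1.1 is-at aa:bb:cc:dd:ee:ff
101 192.168.1.10 is-at 00:11:22:33:44:55
102 192.168.1.20 is-at 66:77:88:99:aa:bb
105 192.168.1.1 is-at de:ad:be:ef:00:01
105 192.168.1.10 is-at de:ad:be:ef:00:01
106 192.168.1.1 is-at de:ad:be:ef:00:01
107 192.168.1.1 is-at de:ad:be:ef:00:01
108 192.168.1.1 is-at de:ad:be:ef:00:01
"""

# Constructed `ip neigh show` output for the step 7 table audit.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.30 dev eth0 FAILED
"""


def parse_reply(line):
    """Parse one constructed log line into (timestamp, ip, mac), or None."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "is-at":
        return None
    return float(parts[0]), parts[1], parts[3].lower()


class ArpMonitor:
    """Step 6 style checks over a stream of ARP replies."""

    def __init__(self, baseline, burst_count=3, burst_window=5.0):
        self.baseline = {ip: mac.lower() for ip, mac in baseline.items()}
        self.burst_count = burst_count     # replies for one IP ...
        self.burst_window = burst_window   # ... within this many seconds
        self.macs_for_ip = defaultdict(set)
        self.ips_for_mac = defaultdict(set)
        self.recent = defaultdict(deque)   # ip -> reply timestamps in window
        self.flagged_macs = set()
        self.alerts = []                   # (kind, ip, mac), no duplicates

    def _alert(self, kind, ip, mac):
        key = (kind, ip, mac)
        if key not in self.alerts:
            self.alerts.append(key)

    def observe(self, ts, ip, mac):
        # A documented IP answering from a MAC other than the documented one.
        expected = self.baseline.get(ip)
        if expected is not None and mac != expected:
            self._alert("baseline-mismatch", ip, mac)
        # An IP that was seen earlier with a different MAC.
        if self.macs_for_ip[ip] and mac not in self.macs_for_ip[ip]:
            self._alert("ip-mac-flip", ip, mac)
        self.macs_for_ip[ip].add(mac)
        # One MAC claiming more than one IP; reported once per MAC.
        self.ips_for_mac[mac].add(ip)
        if len(self.ips_for_mac[mac]) > 1 and mac not in self.flagged_macs:
            self.flagged_macs.add(mac)
            self._alert("mac-claims-multiple-ips", ip, mac)
        # A burst of replies for the same IP inside the sliding window.
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > self.burst_window:
            window.popleft()
        if len(window) >= self.burst_count:
            self._alert("reply-burst", ip, mac)


def analyze(log_text, baseline):
    """Run the monitor over reply-log text; returns the list of alerts."""
    mon = ArpMonitor(baseline)
    for line in log_text.splitlines():
        parsed = parse_reply(line)
        if parsed:
            mon.observe(*parsed)
    return mon.alerts


def parse_ip_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}; lines without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" in parts:
            table[parts[0]] = parts[parts.index("lladdr") + 1].lower()
    return table


def audit_table(table, baseline):
    """Step 7: compare a live ARP table with the documented baseline."""
    findings = []
    for ip, mac in baseline.items():
        seen = table.get(ip)
        if seen is None:
            findings.append(("missing", ip, mac.lower()))
        elif seen != mac.lower():
            findings.append(("changed", ip, seen))
    return findings


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, BASELINE):
        print("ALERT", *alert)
    for finding in audit_table(parse_ip_neigh(SAMPLE_NEIGH), BASELINE):
        print("AUDIT", *finding)
```

On the sample log the monitor raises six alerts: the gateway and the server each produce a baseline mismatch and an IP-to-MAC flip, the impersonating MAC is flagged once for claiming both addresses, and the repeated gateway replies trigger the burst check at the third reply inside the five-second window. Feeding it real data means replacing parse_reply with a parser for whatever your sniffer or switch logs, and replacing SAMPLE_NEIGH with the output of ip neigh show (or arp -a on Windows, with a matching parser) taken from a host on the segment.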
