ARP Cache Poisoning
Posted August 18, 2008 at 10:51 am in Vulnerabilities
ARP is vulnerable because ARP trusts everyone. There is no authentication, so when a device sends out an ARP Request, whichever device answers that request is trusted to be the correct one. ARP is so trusting that even if no ARP Request was ever sent, a device that receives an ARP Reply still accepts it and adds the mapping to, or modifies, its ARP table!
This is an astounding statement when you truly think about it. An attacker can broadcast forged ARP Replies to any device on the network, and that device will believe the Reply and add it to its ARP table. All of a sudden a few devices on the network believe that one host's IP address belongs to another host's MAC address, and network chaos ensues.
ARP poisoning typically leads to three types of attack vectors: Denial of Service, Man in the Middle, and MAC Flooding.
ARP poisoning is done from within the network perimeter, which means it is local: an attacker has to be on the same physical segment or has to gain access to a device that already resides within the network. If an ARP attack is noticed, immediately suspect an in-house attacker or a compromised internal device.
You may use the following Windows command:
arp /?
and the following Linux/Unix command:
man arp
for more information about local ARP command use.
I would suggest observing a few ARP packets with Wireshark if you’re interested in actually seeing the make-up of these packets.
To help protect against ARP poisoning there are a few solutions, but remember that ARP is vital to a functioning TCP/IP network and there is no definitive way to "fix" it. For small networks, you could assign static IP addresses and then set up static ARP entries using the following command (same syntax on Windows and Linux/Unix):
arp -s <IP address> <MAC address>
This technique is impractical for large networks, as the administrative time spent continuously updating static ARP tables would crowd out all other network administration. For large enterprise networks, configure the port security features of your switches and routers so that each physical port accepts only one MAC address. This stops an attacker from changing their machine's MAC address or from presenting more than one MAC address on a port, and it can often help prevent ARP-based Man-in-the-Middle attacks.
To aid in ARP monitoring, you could install Arpwatch. A description of Arpwatch: "Arpwatch is a tool that monitors ethernet activity and keeps a database of ethernet/ip address pairings. It also reports certain changes via email. Arpwatch uses libpcap, a system-independent interface for user-level packet capture." Sorry, Windows, you'll have to find another solution, as Arpwatch runs only on the major Linux/Unix variants.
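To show what an Arpwatch-style monitor actually checks, here is an added example (my own code, not part of the original post or of Arpwatch): it parses raw Ethernet/ARP frames, keeps the IP-to-MAC pairing database, and flags a Reply that answers no outstanding Request as well as an IP whose MAC changes. The frames, addresses and the ArpMonitor/arp_frame names are constructed for the demonstration.

```python
import struct

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return op, sha.hex(":"), ".".join(map(str, spa)), tha.hex(":"), ".".join(map(str, tpa))

class ArpMonitor:
    """Arpwatch-style monitor: remembers IP->MAC pairings and flags suspicious ARP traffic."""
    def __init__(self):
        self.pairings, self.pending = {}, set()
    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, tha, tpa = parsed
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))          # remember who asked for which IP
        elif op == ARP_REPLY and (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))      # reply answers an outstanding request
        elif op == ARP_REPLY:
            alerts.append(f"unsolicited reply: {spa} is-at {sha} sent to {tpa}")
        known = self.pairings.get(spa)            # every ARP packet carries a sender IP->MAC claim
        if known is not None and known != sha:
            alerts.append(f"changed ethernet address: {spa} was {known}, now {sha}")
        self.pairings[spa] = sha
        return alerts

def arp_frame(op, sha, spa, tha, tpa):
    """Build a constructed sample frame for the demo (test input, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tha)
    hdr = dst + mac(sha) + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, op)
    return hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

def demo():
    """Replay a normal request/reply, then a forged reply claiming the gateway's IP from another MAC."""
    gw, host, rogue = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:99"
    mon, frames = ArpMonitor(), [
        arp_frame(ARP_REQUEST, host, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
        arp_frame(ARP_REPLY, gw, "10.0.0.1", host, "10.0.0.2"),
        arp_frame(ARP_REPLY, rogue, "10.0.0.1", host, "10.0.0.2"),
    ]
    return [alert for f in frames for alert in mon.observe(f)]
```

Legitimate gratuitous ARP announcements (for example after a DHCP lease or a failover) also show up as unsolicited replies, so the changed-address alert is the stronger signal. On a real network the frames would come from a libpcap-based capture rather than from arp_frame.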
What benefit does an attacker get from ARP poisoning? It makes it easy to sniff packets from a target and collect a wide range of data. By impersonating the addresses of the switch in the network, the attacker makes the targeted device believe the attacker's machine is that switch and send it the packets the attacker wants to sniff. To avoid detection by the targeted device, the attacker then simply forwards those packets on to the real switch. Most of the time this is done by flooding the network with ARP Replies, but that flood is exactly the kind of activity that raises suspicion on IDSs and other network monitoring devices.
Commentary