What is an ARP Spoofing and Cache Poisoning Attack?

Introduction

If you’re familiar with the Masked Singer, you get the concept of someone disguising themselves to appear like something they are not. Then they surprise you in the end when the mask comes off and you learn who the celebrity is. A similar thing happens in an ARP spoofing attack only the surprise is that there’s a threat actor leveraging their disguise to launch damaging attacks – not wow you with their singing voice.

In this blog, we’ll take an in-depth look at ARP spoofing and ARP cache poisoning attacks, including how they work, the different types of attacks, and their impact. We’ll also explain how to detect an attack and the different ways you can protect against ARP spoofing to prevent threat actors from using the technique to create chaos in your network and worse – steal data, infect you with malware, or bring down the network entirely.

What is the ARP protocol?

Before digging into ARP spoofing, it’s important to understand the ARP protocol, the role it plays in network communication, and its weaknesses that enable an attack.

ARP stands for Address Resolution Protocol and it exists to support the layered approach in the OSI model that facilitates connections between different components on network and for data to flow. ARP connects an Internet Protocol (IP) address to a physical machine via a Media Access Control (MAC) address.  

Hosts maintain an ARP cache, a mapping table between IP and MAC addresses. If Host A doesn’t have the MAC address for Host B, it sends out an ARP request packet asking other machines on the network for the matching MAC address. This becomes a weakness that threat actors take advantage of to launch ARP spoofing or cache poisoning attacks.

ARP only works with the older IPv4 standard, not the newer IPv6 standard which uses a different protocol called Network Discovery Protocol (NDP). NDP is more secure and has layers of defenses in place to verify host identities. But since IPv4 is still used by more than half of Internet users as of December 2023, ARP spoofing remains a concern.

What is ARP spoofing?

ARP spoofing happens when an attacker responds to an ARP request packet with the MAC address of their own device. This allows them to appear to be someone else to all the other devices on the network and intercept IP traffic and data meant for a legitimate computer or server on the network. The requesting host stores that spoofed address in its ARP cache and continues to use it, unwittingly sharing information that was never intended to land in the hands of a threat actor.

ARP cache poisoning can be confused with ARP spoofing. ARP cache poisoning refers to the contamination of the ARP cache, whereas ARP spoofing is the act of an attacker impersonating a machine’s address. In either case, the ramifications may include everything from creating chaos on the network to data theft, session hijacking, man-in-the-middle attacks, and DDoS attacks.

A step-by-step guide to how ARP spoofing attacks work

ARP spoofing can enable malicious parties to intercept, modify, or even stop data in-transit. These attacks typically include the following five steps:

1. The attacker opens an ARP spoofing tool and sets the tool’s IP address to be consistent with the IP subnet of a target.
2. The attacker uses the ARP spoofing tool to scan for the IP and MAC addresses of hosts in the target’s subnet.
3. The attacker chooses its target and begins sending ARP packets across the network that contain the attacker’s MAC address paired with the target’s IP address.
4. The scope of the attack starts to spread as other hosts on the network cache the spoofed ARP packets, and data that those hosts send to the victim start going to the attacker instead.
5. At this point, the impact of the attack can magnify as an attacker can steal more and more data or launch a more sophisticated follow-on attack.

Why hackers use ARP spoofing

ARP spoofing is particularly dangerous because it is used as a platform to launch other, more disruptive attacks and cause additional damage. For example:

• If the attacker obtains a session ID, they can gain access to accounts the user is currently logged into.
• The attacker can use the MAC address of the server to launch a DDoS attack. By repeating this for a large quantity of IP addresses, the victim will be overwhelmed with traffic.
• The attacker can intercept and modify traffic, including sending malicious files or links to malicious websites to the victim’s machine.
• The attacker can sniff packets and steal data, unless communications are encrypted via TLS and HTTPS.

Types of ARP poisoning attacks

There are two ways an ARP poisoning attack can occur:

1. The attacker can wait to see ARP requests for a particular target and issue a response. This approach is more subtle but also far less reaching.
2. The attacker can send out an unsolicited broadcast message also called a “gratuitous ARP.” This approach is more noticeable and immediate and impacts more victims.

In both approaches, the corrupted ARP caches on victim machines can be used to spread attacks such as the following:

Man-in-the-Middle (MiTM) Attacks. The attacker sends out falsified ARP responses for a given IP Address, typically the default gateway for a particular subnet. This causes victim machines to populate their ARP cache with the MAC address of the attacker’s machine, instead of the local router’s MAC address. Victim machines will then incorrectly forward network traffic to the attacker. However, to the victim, everything may appear normal. 

DDoS Attack. A DDoS attack is aimed at denying victims access to network resources. In the case of ARP, an attacker might send out ARP Response messages with hundreds or even thousands of falsified IP addresses, making it challenging to track the origin and overwhelming the target’s infrastructure.

Session Hijacking. Session Hijacking attacks are similar in nature to Man-in-the-Middle attacks, except that the attacker doesn’t directly forward traffic from the victim machine to its intended destination. Instead, the attacker will capture a session ID from the victim and use it to assume the victim’s identity. This could be used, for instance, to access a target user’s social media or online banking account if they happen to be logged in.

How to detect ARP spoofing or ARP cache poisoning

It’s possible to detect an ARP spoofing attack by using the “arp -a” command from a terminal or command line to display the ARP table. If the table contains two different IP addresses with the same MAC (or physical) address, then that probably means that an ARP attack is underway.

There are also specific tools that continuously monitor the network and can alert an administrator to signs of an ARP spoofing or ARP cache poisoning attack. If you’re dealing with a large network a tool like this can spare you the tedium and save you hours of time manually reviewing hundreds or even thousands of ARP tables. However, these tools can overwhelm administrators with unwanted alerts and false positives.

How to protect against ARP spoofing or ARP cache poisoning

As the saying goes, “an ounce of prevention is worth a pound of cure” and that’s particularly true when it comes to ARP spoofing and ARP poisoning attacks.

To protect against these attacks, a combination of best practices and technology can help, including:

• Use Packet Filtering. Packet filters inspect packets as they traverse the network and are useful in filtering out and blocking packets with conflicting source address information so they can’t reach other devices.
• Deploy VPNs. VPNs encrypt all your network traffic and therefore make the traffic worthless for an ARP spoofing attacker. But depending on the size of your network, VPNs can become impractical and negatively impact network performance because you need a VPN connection between every computer and server.
• Employ robust DDoS protection. DDoS attacks come in various shapes and sizes and overwhelm a target server or network by flooding it with an excessive volume of requests. ARP spoofing and ARP poisoning attacks fit this definition, leveraging irregular request patterns. Comprehensive DDoS protection solutions protect against the gamut of DDoS attacks, including ARP spoofing attacks, as well as additional threats including data theft and other types of attacks that impact service availability.
• Define static ARPs. The ARP protocol lets you define a static ARP entry for an IP address. For example, if a computer always connects to the same router, you can define a static ARP entry for the router and eliminate ARP responses for that address.
• Use cryptographic network protocols. Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols help thwart ARP spoofing attacks by encrypting data prior to transmission and authenticating data when it is received.
• Avoid trust relationships. Trust relationships that rely on IP addresses for authentication make it easy for attackers to carry out ARP spoofing attacks.
• Run Red/Purple team testing. Once you have defensive measures in place, check to see if they are working. You can use Red/Purple team testing exercises to simulate a ARP spoofing attack and give you an opportunity to address any weak points you discover.

Conclusion

ARP spoofing attacks are based on the elements of disguise and manipulation. The threat actor appears to be someone else to all the other devices on the network and intercepts IP traffic and data meant for a legitimate computer or server on the network. ARP spoofing attacks can be subtle or more noticeable. Either way, they can present significant risk.

Fortunately, the IPv6 standard uses NDP which is more secure and has layers of defenses in place to verify host identities, which makes it immune to ARP spoofing and ARP cache poisoning. But since IPv6 is used by fewer than half of devices, these attacks will remain a concern for the foreseeable future.

To defend against ARP spoofing and ARP cache poisoning attacks, organizations can use a combination of best practices and technology, including packet filtering, deploying VPNs, defining static ARPs, using cryptographic network protocols, avoiding trust relationships, and using a DDoS protection solution.

DDoS protection provides uninterrupted service availability even in the midst of a DDoS attack and can protect you from ARP spoofing attacks as well as other types of DDoS attacks and the follow-on malicious activity that can also threaten your operations.