Contact Me @ +91-9041922099

Mail me at

Monday, March 14, 2011

How to detect and block an ARP spoofing/poisoning attack on a LAN


ARP poisoning attacks are the most dangerous MITM attacks when working on a LAN. The most hazardous thing about this attack is that they go unnoticed for a very long time or in some cases they would never be detected if not checked for. No naive internet user is gonna check if he is being poisoned. This would go undetected in a trusted environment like an office or at college. Well then it is the responsibility of the admins to protect their clients from attack.

Detecting an ARP Spoofing attack

Well detecting an ARP attack is fairly easy assuming that the malware responds to standard ARP requests. Here's how you go about detecting a possible attack.

1. Start a network capture using a tool such as tcpdump or Wireshark.
2. Generate some traffic on your machine and then stop the capture.
3. Now analyze the traffic. You don't have to be an expert to do this. Check if you are getting ARP requests or responses from multiple addresses.

If you are getting ARP traffic from sources other than your default gateway there is possibly an eavesdropper. This eavesdropper could also modify what you recieve. A very good application of MITM is 'login credentials stealing', especially from SSL secured websites. Tools such as Ettercap and Cain & Abel can make this possible even for a script kiddie.

This was about detecting an MITM, but there is no manual way to block an MITM, other than bashing up the intruder sitting at the poisoning host machine.

Blocking an ARP Spoofing Attack:

ArpON (Arp handler inspectiON) is a portable handler daemon that make Arp secure in order to avoid Arp Spoofing/Poisoning & co.

This is possible using two kinds of anti Arp Poisoning techniques, the first is based on SARPI or "Static Arp Inspection", the second on DARPI or "Dynamic Arp Inspection" approach.

Keep in mind other common tools fighting ARP poisoning usually limit their activity only to point out the problem instead of blocking it, ArpON does it using SARPI and DARPI policies. Finally you can use ArpON to pentest some switched/hubbed LAN with/without DHCP protocol, in fact you can disable the daemon in order to use the tools to poison the ARP Cache.

Platform Support: Linux, Mac OS X, FreeBSD, NetBSD, OpenBSD

0 Visitor Reactions & Comments:

Design by Amarjit Singh | Idea From Blogging Tutorials - Premium Themes | Best Buy Coupons