ARP Spoofing Attack Principles and Defense

ARP Spoofing Attack Principles and Defense

1. ARP Protocol Fundamentals
ARP (Address Resolution Protocol) is used to resolve network layer IP addresses into data link layer MAC addresses. When host A needs to communicate with host B within the same local area network (LAN), A broadcasts an ARP request packet asking, "Whose IP is B's IP?" Host B, upon receiving it, replies with an ARP response packet containing its own MAC address.

Key Features:

  • The ARP protocol lacks an authentication mechanism; devices trust received ARP responses by default.
  • The ARP cache table has a dynamic update mechanism where new responses overwrite old records.

2. ARP Spoofing Attack Principles
Attackers deceive target devices into incorrectly associating their MAC addresses with the IP addresses of other legitimate devices by forging ARP response packets. This is typically carried out in two forms:

(1) Host Spoofing

  • Attacker C sends a forged ARP response packet to host A, claiming "IP_B's MAC is MAC_C";
  • Simultaneously, sends a forged ARP response packet to host B, claiming "IP_A's MAC is MAC_C";
  • Result: All communication traffic between A and B passes through C as a relay, allowing C to eavesdrop on or tamper with the data.

(2) Gateway Spoofing

  • Attacker C sends forged ARP responses to all hosts within the LAN, claiming "The gateway's IP corresponds to MAC_C";
  • After hosts update their ARP caches, they will send all data packets intended for the gateway to C, resulting in the hijacking of all network traffic.

3. Detailed Attack Steps
Taking gateway spoofing as an example:

  1. Scan the Local Area Network: The attacker uses tools (such as nmap) to scan the network segment and obtain active host IPs and the gateway IP.
  2. Continuously Send Forged ARP Responses: Uses tools (such as arpspoof) to cyclically send ARP response packets to target hosts, spoofing the gateway's MAC address as the attacker's MAC.
  3. Enable IP Forwarding: To avoid raising suspicion due to network interruption, the attacker needs to enable the system's IP forwarding function (in Linux: echo 1 > /proc/sys/net/ipv4/ip_forward) to properly forward hijacked traffic to the gateway.
  4. Eavesdrop or Tamper: Analyzes traffic using packet capture tools (such as Wireshark) or uses man-in-the-middle attack tools (such as Ettercap) to inject malicious code.

4. Defense Measures
(1) Static ARP Binding

  • Manually bind the gateway IP to its MAC address on the host (e.g., arp -s Gateway_IP Gateway_MAC);
  • Drawback: High maintenance cost, not suitable for large-scale networks.

(2) Network Layer Defense

  • Switch Security Features: Enable Port Security to limit the number of MAC addresses, or use DHCP Snooping + Dynamic ARP Inspection (DAI) to automatically intercept abnormal ARP packets.
  • Network Segmentation: Reduce broadcast domain scope through VLANs to limit attack propagation.

(3) Encrypted Communication

  • Use encrypted protocols such as HTTPS, SSH, VPN, etc. Even if traffic is hijacked, attackers cannot decrypt the content.

(4) ARP Firewall

  • Install ARP firewall software on hosts to actively detect and prevent abnormal ARP packets from updating the cache.

5. Summary
ARP spoofing exploits the lack of authentication in the protocol to carry out man-in-the-middle attacks by forging MAC address associations. Defense requires a combination of host configuration, network device security policies, and encryption technologies to form a multi-layered protection system.