ARP spoofing
{{short description|Cyberattack which associates the attacker's MAC address with the IP address of another host}}
[[Image:ARP Spoofing.svg|right|thumb|300px|A successful ARP spoofing (poisoning) attack allows an attacker to alter [[routing]] on a network, effectively allowing for a man-in-the-middle attack.]]
In [[computer network]]ing, '''ARP spoofing''' (also '''ARP cache poisoning''' or '''ARP poison routing''') is a technique by which an attacker sends ([[Spoofing attack|spoofed]]) [[Address Resolution Protocol]] (ARP) messages onto a [[local area network]]. Generally, the aim is to associate the attacker's [[MAC address]] with the [[IP address]] of another [[Host (network)|host]], such as the [[default gateway]], causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may allow an attacker to intercept [[data frame]]s on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as [[denial of service]], [[Man-in-the-middle attack|man in the middle]], or [[session hijacking]] attacks.<ref name="Ramachandran-2005-p239">{{cite book|author=Ramachandran, Vivek|author2=Nandi, Sukumar|name-list-style=amp|chapter=Detecting ARP Spoofing: An Active Technique|editor=Jajodia, Suchil|editor2=Mazumdar, Chandan|title=Information systems security: first international conference, ICISS 2005, Kolkata, India, December 19–21, 2005 : proceedings|publisher=Birkhauser|year=2005|isbn=978-3-540-30706-8|page=239|chapter-url=https://books.google.com/books?id=4LmERFxBzSUC&pg=PA239}}</ref> The attack can only be used on networks that use ARP, and requires that the attacker has direct access to the local [[network segment]] to be attacked.<ref name="Lockhart-2007-p184">{{cite book|author=Lockhart, Andrew|title=Network security hacks|publisher=O'Reilly|year=2007|isbn=978-0-596-52763-1|page=[https://archive.org/details/networksecurityh02edunse/page/184 184]|url=https://archive.org/details/networksecurityh02edunse|url-access=registration}}</ref>

==ARP vulnerabilities==
The [[Address Resolution Protocol]] (ARP) is a widely used [[communications protocol]] for resolving [[Internet layer]] addresses into [[link layer]] addresses. When an [[Internet Protocol]] (IP) [[datagram]] is sent from one host to another in a [[local area network]], the destination IP address must be resolved to a [[MAC address]] for transmission via the [[data link layer]]. When another host's IP address is known, and its MAC address is needed, a [[broadcast packet]] is sent out on the local network. This packet is known as an ''ARP request''. The destination machine with the IP in the ARP request then responds with an ''ARP reply'' that contains the MAC address for that IP.<ref name="Lockhart-2007-p184" />

ARP is a [[stateless protocol]]. Network hosts will automatically [[Cache (computing)|cache]] any ARP replies they receive, regardless of whether network hosts requested them. Even ARP entries that have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can [[authenticate]] the peer from which the packet originated. This behavior is the vulnerability that allows ARP spoofing to occur.<ref name="Ramachandran-2005-p239" /><ref name="Lockhart-2007-p184" /><ref name="GRC">{{cite web | url = http://www.grc.com/nat/arp.htm | author = Steve Gibson | title = ARP Cache Poisoning | publisher = [[Gibson Research Corporation|GRC]] | date = 2005-12-11}}</ref>

==Attack anatomy==
The basic principle behind ARP spoofing is to exploit the lack of authentication in the ARP protocol by sending [[spoofing attack|spoofed]] ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.

An attacker using ARP spoofing disguises itself as a host to the other users exchanging data on the network.<ref name=":0">{{cite journal|last1=Moon|first1=Daesung|last2=Lee|first2=Jae Dong|last3=Jeong|first3=Young-Sik|last4=Park|first4=Jong Hyuk|date=2014-12-19|title=RTNSS: a routing trace-based network security system for preventing ARP spoofing attacks|url=http://dx.doi.org/10.1007/s11227-014-1353-0|journal=The Journal of Supercomputing|volume=72|issue=5|pages=1740–1756|doi=10.1007/s11227-014-1353-0|s2cid=18861134|issn=0920-8542|access-date=2021-01-23|archive-date=2021-01-23|archive-url=https://web.archive.org/web/20210123000940/https://link.springer.com/article/10.1007/s11227-014-1353-0|url-status=live|url-access=subscription}}</ref> The users would then not know that the attacker is not the real host on the network.<ref name=":0" /> Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target [[host (network)|host]], so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default destination to avoid discovery, modify the data before forwarding it ([[man-in-the-middle attack]]), or launch a [[denial-of-service attack]] by causing some or all of the packets on the network to be dropped.

==Defenses==
===Static ARP entries===
The simplest form of certification is the use of static, read-only entries for critical services in the [[ARP cache]] of a host. IP address-to-MAC address mappings in the local ARP cache may be statically entered. Hosts do not need to transmit ARP requests where such entries exist.<ref name="Lockhart-2007-p186">{{cite book|author=Lockhart, Andrew|title=Network security hacks|publisher=O'Reilly|year=2007|isbn=978-0-596-52763-1|page=[https://archive.org/details/networksecurityh02edunse/page/186 186]|url=https://archive.org/details/networksecurityh02edunse|url-access=registration}}</ref> While static entries provide some security against spoofing, they result in maintenance efforts, as address mappings for all systems in the network must be generated and distributed. This does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in ''n''<sup>2</sup> − ''n'' ARP entries that have to be configured when ''n'' machines are present: on each machine there must be an ARP entry for every other machine on the network, that is, ''n'' − 1 ARP entries on each of the ''n'' machines.

===Detection and prevention software===
Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the [[DHCP server]] so that both [[Dynamic IP|dynamic]] and [[static IP]] addresses are certified. This capability may be implemented in individual hosts or may be integrated into [[Ethernet switch]]es or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration.
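The cross-checks described in this section, written out as an added example that is not code from the article or from any of the tools it lists: a passive monitor that parses Ethernet/ARP frames and flags a reply that answers no request seen on the wire (the unsolicited update that ARP itself accepts, as the vulnerabilities section notes), a changed IP-to-MAC mapping, and one MAC claiming several IPs. All addresses and frames are constructed sample data.

```python
"""Passive ARP monitor (added example, not from the article or any listed tool). Flags unsolicited
replies, IP->MAC changes and one MAC claiming several IPs. All frames/addresses are constructed."""
import struct
from collections import defaultdict

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def mac_str(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)
def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw_type, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw_type, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    smac, sip, _tmac, tip = struct.unpack("!6s4s6s4s", frame[22:42])
    return op, mac_str(smac), ip_str(sip), ip_str(tip)

def make_frame(op, smac, sip, tmac, tip, dst=b"\xff" * 6) -> bytes:  # builds sample traffic for demo() only
    return dst + smac + struct.pack("!HHHBBH", ETH_P_ARP, 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip

class ArpMonitor:
    def __init__(self):
        self.table = {}                     # ip -> MAC last seen claiming it
        self.pending = set()                # target IPs of requests seen on the wire
        self.ips_by_mac = defaultdict(set)  # MAC -> IPs it has claimed

    def observe(self, frame: bytes) -> list:
        """Record one frame's sender mapping and return the alerts it raises."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (ARP_REQUEST, ARP_REPLY):
            return []
        op, smac, sip, tip = parsed
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add(tip)           # a reply for tip is now expected
        elif sip in self.pending:
            self.pending.discard(sip)
        else:                               # ARP itself would still accept this reply
            alerts.append(f"unsolicited reply: {sip} is-at {smac}")
        old = self.table.get(sip)
        if old is not None and old != smac:
            alerts.append(f"mapping change for {sip}: {old} -> {smac}")
        self.table[sip] = smac
        self.ips_by_mac[smac].add(sip)
        if len(self.ips_by_mac[smac]) > 1:
            alerts.append(f"{smac} claims {len(self.ips_by_mac[smac])} IPs: {sorted(self.ips_by_mac[smac])}")
        return alerts

def demo() -> list:
    """Constructed traffic: a genuine request/reply, then poisoned replies aimed at both sides."""
    host, gw, atk = (bytes.fromhex(h) for h in ("aa0000000005", "001122334401", "deadbeef0001"))
    host_ip, gw_ip, zero = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]), b"\x00" * 6
    frames = [make_frame(ARP_REQUEST, host, host_ip, zero, gw_ip),           # who has 10.0.0.1?
              make_frame(ARP_REPLY, gw, gw_ip, host, host_ip, dst=host),      # genuine answer
              make_frame(ARP_REPLY, atk, gw_ip, host, host_ip, dst=host),     # claims to be the gateway
              make_frame(ARP_REPLY, atk, host_ip, gw, gw_ip, dst=gw)]         # claims to be the host
    mon = ArpMonitor()
    return [alert for frame in frames for alert in mon.observe(frame)]
```

A legitimate failover announced with gratuitous ARP (see Legitimate usage) also produces a mapping-change alert, which is why monitors of this kind report changes for review rather than block them outright.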
In a more passive approach, a device listens for ARP replies on a network, and sends a notification via [[email]] when an ARP entry changes.<ref>{{cite web |url=https://www.researchgate.net/publication/282568321 |title=A Security Approach to Prevent ARP Poisoning and Defensive tools |website=ResearchGate|language=en|access-date=2019-03-22 |archive-date=2019-05-03|archive-url=https://web.archive.org/web/20190503221834/https://www.researchgate.net/publication/282568321_A_Security_Approach_to_Prevent_ARP_Poisoning_and_Defensive_tools|url-status=live}}</ref> AntiARP<ref>[http://www.antiarp.com/english.html AntiARP] {{webarchive |url=https://web.archive.org/web/20110606051646/http://www.antiarp.com/english.html |date=June 6, 2011 }}</ref> also provides Windows-based spoofing prevention at the kernel level. ArpStar is a Linux module for kernel 2.6 and Linksys routers that drops invalid packets violating the recorded mapping, and contains an option to repoison or heal. Some virtualized environments such as [[Kernel-based Virtual Machine|KVM]] also provide security mechanisms to prevent MAC spoofing between guests running on the same host.<ref>{{cite web |url=https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/ |title=Daniel P. Berrangé » Blog Archive » Guest MAC spoofing denial of service and preventing it with libvirt and KVM |access-date=2019-08-09 |archive-date=2019-08-09 |archive-url=https://web.archive.org/web/20190809113318/https://www.berrange.com/posts/2011/10/03/guest-mac-spoofing-denial-of-service-and-preventing-it-with-libvirt-and-kvm/ |url-status=live }}</ref> Additionally, some Ethernet adapters provide MAC and VLAN anti-spoofing features.<ref>{{cite web |url=https://downloadmirror.intel.com/26556/eng/README.txt |title=Archived copy |access-date=2019-08-09 |archive-date=2019-09-03 |archive-url=https://web.archive.org/web/20190903084638/https://downloadmirror.intel.com/26556/eng/README.txt |url-status=live }}</ref> [[OpenBSD]] watches passively for hosts impersonating the local host and notifies in case of any attempt to overwrite a permanent entry.<ref>{{cite web |url=https://man.openbsd.org/arp.4 |title=Arp(4) - OpenBSD manual pages |access-date=2019-08-09 |archive-date=2019-08-09 |archive-url=https://web.archive.org/web/20190809120053/https://man.openbsd.org/arp.4 |url-status=live }}</ref>

===OS security===
Operating systems react differently. Linux ignores unsolicited replies, but, on the other hand, uses responses to requests from other machines to update its cache. Solaris accepts updates on entries only after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute and ArpRetryCount.<ref>{{cite web |url=https://technet.microsoft.com/en-us/library/cc940021.aspx |title=Address Resolution Protocol<!-- Bot generated title --> |date=18 July 2012 |access-date=2017-08-26 |archive-date=2021-01-23 |archive-url=https://web.archive.org/web/20210123000849/https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc940021(v=technet.10)?redirectedfrom=MSDN |url-status=live }}</ref>

==Legitimate usage==
{{see also|Proxy ARP}}
The techniques that are used in ARP spoofing can also be used to implement redundancy of network services. For example, some software allows a backup server to issue a [[Address Resolution Protocol#ARP announcements|gratuitous ARP request]] in order to take over for a defective server and transparently offer redundancy.<ref>{{cite web | url = https://man.openbsd.org/carp.4 | title = OpenBSD manpage for CARP (4) | access-date = 2018-02-04 | archive-date = 2018-02-05 | archive-url = https://web.archive.org/web/20180205000848/https://man.openbsd.org/carp.4 | url-status = live }}, retrieved 2018-02-04</ref><ref>{{cite web | url = http://www.ultramonkey.org/3/ip_address_takeover.html | title = Ultra Monkey: IP Address Takeover | author = Simon Horman | access-date = 2013-01-04 | archive-date = 2012-11-18 | archive-url = https://web.archive.org/web/20121118031514/http://www.ultramonkey.org/3/ip_address_takeover.html | url-status = live }}, retrieved 2013-01-04</ref> Circle<ref>{{cite magazine | url = https://www.wired.com/2015/11/circle-with-disney-locks-down-kids-devices-from-afar | title = Circle with Disney Locks Down Kids Devices from Afar | magazine = Wired | access-date = 2016-10-12 | archive-date = 2016-10-12 | archive-url = https://web.archive.org/web/20161012230841/https://www.wired.com/2015/11/circle-with-disney-locks-down-kids-devices-from-afar | url-status = live | last1 = Barrett | first1 = Brian }}, retrieved 2016-10-12</ref> and CUJO are two companies that have commercialized products centered around this strategy.

ARP spoofing is often used by developers to debug IP traffic between two hosts when a switch is in use: if host A and host B are communicating through an Ethernet switch, their traffic would normally be invisible to a third monitoring host M. The developer configures A to have M's MAC address for B, and B to have M's MAC address for A, and also configures M to forward packets. M can now monitor the traffic, exactly as in a man-in-the-middle attack.

==Tools==
===Defense===
{| style="text-align: center;" class="wikitable sortable"
|- style="background: #ececec;"
! Name
! OS
! GUI
! Free
! Protection
! Per interface
! Active/passive
! Notes
|-
| Agnitum Outpost Firewall || Windows || {{yes}} || {{no}} || {{yes}} || {{no}} || passive ||
|-
| AntiARP || Windows || {{yes}} || {{no}} || {{yes}} || {{no}} || active+passive ||
|-
| Antidote<ref>{{cite web |url=http://antidote.sourceforge.net/ |title=Antidote |access-date=2014-04-07 |archive-date=2012-03-13 |archive-url=https://web.archive.org/web/20120313121350/http://antidote.sourceforge.net/ |url-status=live }}</ref> || Linux || {{no}} || {{yes}} || {{no}} || {{dunno}} || passive || Linux daemon, monitors mappings, unusually large number of ARP packets.
|-
| Arp_Antidote<ref>{{cite web |url=http://burbon04.gmxhome.de/linux/ARPSpoofing.html |title=Arp_Antidote |access-date=2011-08-02 |archive-date=2012-01-14 |archive-url=https://web.archive.org/web/20120114185136/http://burbon04.gmxhome.de/linux/ARPSpoofing.html |url-status=dead }}</ref> || Linux || {{no}} || {{yes}} || {{no}} || {{dunno}} || passive || Linux kernel patch for 2.4.18 – 2.4.20, watches mappings, can define action to take when.
|-
| Arpalert || Linux || {{no}} || {{yes}} || {{no}} || {{yes}} || passive || Predefined list of allowed MAC addresses, alert if MAC that is not in list.
|-
| [[ArpON]] || Linux || {{no}} || {{yes}} || {{yes}} || {{yes}} || active+passive || Portable handler daemon for securing ARP against spoofing, cache poisoning or poison routing attacks in static, dynamic and hybrid networks.
|-
| [[ArpGuard]] || Mac || {{yes}} || {{no}} || {{yes}} || {{yes}} || active+passive ||
|-
| ArpStar || Linux || {{no}} || {{yes}} || {{yes}} || {{dunno}} || passive ||
|-
| [[Arpwatch]] || Linux || {{no}} || {{yes}} || {{no}} || {{yes}} || passive || Keeps mappings of IP-MAC pairs, reports changes via Syslog, Email.
|-
| ArpwatchNG || Linux || {{no}} || {{yes}} || {{no}} || {{no}} || passive || Keeps mappings of IP-MAC pairs, reports changes via Syslog, Email.
|-
| Colasoft [[Capsa (software)|Capsa]] || Windows || {{yes}} || {{no}} || {{no}} || {{yes}} || no detection, only analysis with manual inspection ||
|-
| cSploit<ref name=csploit>{{cite web |url=http://www.csploit.org/ |title=cSploit |publisher=tux_mind |access-date=2015-10-17 |archive-date=2019-03-12 |archive-url=https://web.archive.org/web/20190312042507/http://www.csploit.org/ |url-status=live }}</ref> || Android (rooted only) || {{yes}} || {{yes}} || {{no}} || {{yes}} || passive ||
|-
| elmoCut<ref name=elmocut>{{cite web|url=https://github.com/elmoiv/elmocut |title=elmoCut: EyeCandy ARP Spoofer (GitHub Home Page)|website=[[GitHub]] }}</ref> || Windows || {{yes}} || {{yes}} || {{no}} || {{dunno}} || passive || EyeCandy ARP spoofer for Windows
|-
| Prelude IDS || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || ArpSpoof plugin, basic checks on addresses.
|-
| Panda Security || Windows || {{dunno}} || {{dunno}} || {{yes}} || {{dunno}} || active || Performs basic checks on addresses
|-
| remarp || Linux || {{no}} || {{yes}} || {{no}} || {{no}} || passive ||
|-
| [[Snort (software)|Snort]] || Windows/Linux || {{no}} || {{yes}} || {{no}} || {{yes}} || passive || Snort preprocessor Arpspoof, performs basic checks on addresses
|-
| Winarpwatch || Windows || {{no}} || {{yes}} || {{no}} || {{no}} || passive || Keeps mappings of IP-MAC pairs, reports changes via Syslog, Email.
|-
| XArp<ref name="XArp">{{cite web |url=http://www.xarp.net/ |title=XArp |access-date=2021-01-23 |archive-date=2020-06-16 |archive-url=https://web.archive.org/web/20200616221850/http://www.xarp.net/ |url-status=live }}</ref> || Windows, Linux || {{yes}} || {{yes}} (+pro version) || {{yes}} (Linux, pro) || {{yes}} || active + passive || Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.
|-
| Seconfig XP || Windows 2000/XP/2003 only || {{yes}} || {{yes}} || {{yes}} || {{no}} || only activates protection built into some versions of Windows ||
|-
| zANTI || Android (rooted only) || {{yes}} || {{yes}} || {{no}} || {{dunno}} || passive ||
|-
| NetSec Framework || Linux || {{no}} || {{yes}} || {{no}} || {{no}} || active ||
|-
| anti-arpspoof<ref>{{usurped|1=[https://web.archive.org/web/20080831003151/http://sync-io.net/Sec/anti-arpspoof.aspx anti-arpspoof]}}</ref> || Windows || {{yes}} || {{yes}} || {{dunno}} || {{dunno}} || {{dunno}} ||
|-
| DefendARP<ref>{{cite web |url=http://arppoisoning.com/defense-scripts/ |title=Defense Scripts {{!}} ARP Poisoning<!-- Bot generated title --> |access-date=2013-06-08 |archive-date=2013-01-22 |archive-url=https://web.archive.org/web/20130122062207/http://arppoisoning.com/defense-scripts/ |url-status=live }}</ref> || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || A host-based ARP table monitoring and defense tool designed for use when connecting to public wifi. DefendARP detects ARP poisoning attacks, corrects the poisoned entry, and identifies the MAC and IP address of the attacker.
|-
| NetCutDefender<ref>{{cite web |url=http://www.arcai.com/netcut-defender/ |title=Netcut defender | Arcai.com |access-date=2018-02-07 |archive-date=2019-04-08 |archive-url=https://web.archive.org/web/20190408110511/http://arcai.com/netcut-defender/ |url-status=live }}</ref> || Windows || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || {{dunno}} || GUI for Windows that can protect from ARP attacks
|}

===Spoofing===
Some of the tools that can be used to carry out ARP spoofing attacks:
<!-- please NOTABLE tools only (i.e., with Wikipedia articles), DO NOT use as a general repository, see [[WP:EL]] & [[WP:LINKFARM]], NO red links -->
* [[Dsniff]]
* [[Ettercap (computing)|Ettercap]]
* [[arping]]<ref name=l0t3k>{{cite web|url=http://www.l0t3k.org/security/tools/arp/ |title=ARP Vulnerabilities: The Complete Documentation |publisher=l0T3K |access-date=2011-05-03 |url-status=dead |archive-url=https://web.archive.org/web/20110305160956/http://www.l0t3k.org/security/tools/arp/ |archive-date=2011-03-05 }}</ref>
* [[Cain and Abel (software)|Cain and Abel]]

==See also==
* [[Cache poisoning]]
* [[DNS spoofing]]
* [[IP address spoofing]]
* [[MAC spoofing]]
* [[Proxy ARP]]

==References==
{{Reflist}}

==External links==
<!--- Please add ARP spoofing software to [[#Defense]] and [[#Spoofing]] sections not to this section--->
* {{cite web | url = http://coderseye.com/how-to-clear-arp-cache-on-linux-or-unix/ | author = Stephanie Reigns | title = Clearing your ARP cache on Linux | publisher = Coders Eye | date = 2014-10-07 | access-date = 2018-03-05 | archive-date = 2019-04-08 | archive-url = https://web.archive.org/web/20190408110518/https://coderseye.com/how-to-clear-arp-cache-on-linux-or-unix/ | url-status = dead }}

{{DEFAULTSORT:Arp Spoofing}}
[[Category:Ethernet]]
[[Category:Types of cyberattacks]]
[[Category:Hacking (computer security)]]