What is ARP Poisoning?
ARP poisoning is an attack that can be performed by an adversary that is on the same subnet as the intended victim. By abusing ARP, the attacker can cause the user’s network traffic to be redirected to their own computer, potentially allowing the attacker to eavesdrop on the traffic or tamper with it before sending it on to the intended recipient.
What is ARP?
Before diving into the details of ARP cache poisoning, it’s important to know the role of ARP within a network. The purpose of the Address Resolution Protocol (ARP) is to convert IP addresses to MAC addresses.
When traffic is flowing over the Internet or other networks, an IP address is used to uniquely identify the destination computer and help the routers along the way to find the appropriate route. However, once inside a particular subnet — a set of devices directly connected to a router, hub, or switch — a hardware or MAC address is used to direct the packet to the correct network interface card (NIC).
The ARP protocol enables a router to build a lookup table that maps IP addresses to MAC addresses. When a router receives a packet with an IP address that it doesn’t have a MAC address for, it sends out a request for information. The computer that owns that IP address will reply with its MAC address, enabling the router to send the packet on to its destination.
How Does ARP Cache Poisoning Work?
While ARP is a functional protocol, it isn’t a secure one. When a router sends out an ARP request, it accepts and believes the first reply that it receives. Routers can also accept unsolicited ARP replies, in which a computer announces a mapping of IP address to MAC address that the router never requested.
This is problematic because it creates the opportunity for an attacker to redirect a user’s traffic to their own device. By replying to an ARP request or sending out an unsolicited ARP reply, the attacker can state that their computer’s MAC address should be paired with the target’s IP address. After this happens, the router will direct any traffic intended for the victim to the attacker’s computer.
The ARP Poisoning Threat
ARP poisoning is one of the ways that an attacker can set up a Man-in-the-Middle (MitM) attack where they intercept a user’s communications for various purposes. Some of the potential impacts of these attacks include:
- Denial of Service (DoS): If all of a user’s traffic is diverted to an attacker, the attacker can refuse to forward it onward. This would result in the user not being able to communicate over the network.
- Eavesdropping: Any unencrypted traffic intended for the user can be intercepted and read by the attacker. This might reveal sensitive information, such as login credentials.
- Tampering: Network traffic that lacks digital signatures or similar integrity mechanisms can be modified by the attacker before being sent on to the intended recipient.
ARP poisoning is an attack that enables on-path attacks by tricking a router into assigning the target’s IP address to the attacker’s MAC address. Organizations can protect against this by using static ARP tables or Dynamic ARP Inspection (DAI), which validates the authenticity of ARP replies rather than blindly trusting them.
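The validation idea behind static ARP tables and DAI can be modelled in software: the added example below (not code from the original page) parses Ethernet/IPv4 ARP payloads and checks the sender's IP-to-MAC claim against a trusted table, also reporting replies that no observed request asked for. The names `ArpInspector` and `sample` are hypothetical, and the addresses are constructed from documentation ranges.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload (RFC 826): 8-byte header, then sender/target MAC+IP.
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2
def parse_arp(payload):
    """Decode a 28-byte ARP payload; raise ValueError if it is malformed."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (REQUEST, REPLY):
        raise ValueError("not an Ethernet/IPv4 ARP request or reply")
    return oper, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpInspector:  # hypothetical name: checks ARP against a trusted IP-to-MAC table
    def __init__(self, trusted):
        self.trusted = dict(trusted)  # IP -> expected MAC, e.g. from static entries
        self.pending = set()          # IPs that an observed request asked about
    def inspect(self, payload):
        """Return a list of findings; an empty list means the message is accepted."""
        try:
            oper, mac, ip, target_ip = parse_arp(payload)
        except ValueError as exc:
            return [f"malformed: {exc}"]
        findings = []
        expected = self.trusted.get(ip)
        if expected is None:
            findings.append(f"no trusted binding for {ip}")
        elif expected != mac:
            findings.append(f"binding mismatch: {ip} claimed by {mac}, expected {expected}")
        if oper == REQUEST:
            self.pending.add(target_ip)
        elif ip in self.pending:
            self.pending.discard(ip)  # this reply answers an outstanding request
        else:
            findings.append(f"unsolicited reply for {ip}")
        return findings

def sample(oper, mac, ip, target_ip):
    """Build a constructed ARP payload for the demo; all addresses are made up."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, bytes.fromhex(mac.replace(":", "")),
                       socket.inet_aton(ip), bytes(6), socket.inet_aton(target_ip))

if __name__ == "__main__":
    insp = ArpInspector({"192.0.2.1": "02:00:00:00:00:01", "192.0.2.10": "02:00:00:00:00:10"})
    print(insp.inspect(sample(REQUEST, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10")))
    print(insp.inspect(sample(REPLY, "02:00:00:00:00:10", "192.0.2.10", "192.0.2.1")))
    print(insp.inspect(sample(REPLY, "02:00:00:00:00:66", "192.0.2.10", "192.0.2.1")))
```

Legitimate gratuitous ARP (for example after a failover) is also reported as unsolicited, so that finding is a signal to correlate rather than proof of poisoning. The binding mismatch is the stronger indicator, because it fires even when the forged reply arrives while a genuine request is still outstanding.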