ARP has no authentication or integrity validation. Any host can reply to any ARP request.
The Address Resolution Protocol (ARP) has been a longstanding utility exploited by attackers to launch man-in-the-middle and denial-of-service attacks, among others. Given this prevalence, ARP forms a focal point when we undertake traffic analysis, often being the first protocol we scrutinize.
Red flags for ARP scanning (filter by arp.opcode):
- Broadcast ARP requests sent to sequential IP addresses (.1, .2, .3, ...)
- Broadcast ARP requests sent to non-existent hosts
- Potentially, an unusual volume of ARP traffic originating from a malicious or compromised host
Detection
- Filter only for ARP in Wireshark
- Filter by opcode:
  - Opcode == 1: all ARP requests
  - Opcode == 2: all ARP replies
- Hunt for address duplication / warning message (one IP mapped to two different MACs)
- Filter for duplicates:
  arp.duplicate-address-detected && arp.opcode == 2
  arp.duplicate-address-detected && arp.src.proto_ipv4 == TARGET_IP
- Filter for triaging suspicious MACs:
  eth.addr == TARGET_MAC_1 or eth.addr == TARGET_MAC_2
- Filter a suspicious MAC for flooding with ARP requests:
  eth.src == TARGET_MAC && arp.opcode == 1
- Hunt for "gratuitous" ARP (many replies without a request, where SENDER_IP == TARGET_IP):
  arp.isgratuitous == 1
- Continuous ARP replies to keep the poisoning alive:
  arp.opcode == 2 && eth.src == TARGET_MAC
- Check the ARP table on the victim:
  arp -a | grep "TARGET_MAC"
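The same three red flags that the Wireshark filters above express (one IP claimed by several MACs in replies, gratuitous replies, one host sweeping many IPs with requests) can be applied offline to raw ARP payloads. The following is an added example, not code from the original page; the MAC and IP values are constructed test data and the scan threshold of 5 distinct targets is an assumed tuning value.

```python
import struct
from collections import defaultdict

def parse_arp(payload: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP payload (the bytes after the Ethernet header)."""
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"opcode": opcode, "sender_mac": mac(payload[8:14]), "sender_ip": ip(payload[14:18]),
            "target_mac": mac(payload[18:24]), "target_ip": ip(payload[24:28])}

def sample_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP payload for offline testing (same layout parse_arp reads)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def analyze(packets, scan_threshold=5):
    """Flag duplicate IP->MAC claims in replies, gratuitous replies, and request sweeps."""
    ip_to_macs, requests_by_mac, findings = defaultdict(set), defaultdict(set), []
    for p in packets:
        if p["opcode"] == 2:                       # ARP reply
            ip_to_macs[p["sender_ip"]].add(p["sender_mac"])
            if p["sender_ip"] == p["target_ip"]:   # equivalent of arp.isgratuitous == 1
                findings.append(("gratuitous_reply", p["sender_mac"], p["sender_ip"]))
        elif p["opcode"] == 1:                     # ARP request
            requests_by_mac[p["sender_mac"]].add(p["target_ip"])
    for ip_addr, macs in ip_to_macs.items():
        if len(macs) > 1:                          # equivalent of arp.duplicate-address-detected
            findings.append(("duplicate_address", ip_addr, tuple(sorted(macs))))
    for mac_addr, targets in requests_by_mac.items():
        if len(targets) >= scan_threshold:         # one host probing many IPs (assumed threshold)
            findings.append(("arp_scan", mac_addr, len(targets)))
    return findings

# Constructed capture: a legitimate router reply, a second reply claiming the same IP from
# another MAC, a gratuitous reply, then a sweep of requests from the suspicious MAC.
ROUTER, VICTIM, SUSPECT = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:66"
SAMPLE = [
    sample_arp(2, ROUTER, "192.168.1.1", VICTIM, "192.168.1.10"),
    sample_arp(2, SUSPECT, "192.168.1.1", VICTIM, "192.168.1.10"),
    sample_arp(2, SUSPECT, "192.168.1.1", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),
] + [sample_arp(1, SUSPECT, "192.168.1.100", "00:00:00:00:00:00", f"192.168.1.{i}") for i in range(1, 7)]

if __name__ == "__main__":
    for finding in analyze(parse_arp(pkt) for pkt in SAMPLE):
        print(finding)
```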
Attack
| Step | Description |
|---|---|
| 1 | Consider a network with three machines: the victim's computer, the router, and the attacker's machine. |
| 2 | The attacker initiates their ARP cache poisoning scheme by dispatching counterfeit ARP messages to both the victim's computer and the router. |
| 3 | The message to the victim's computer asserts that the gateway's (router's) IP address corresponds to the physical address of the attacker's machine. |
| 4 | Conversely, the message to the router claims that the IP address of the victim's machine maps to the physical address of the attacker's machine. |
| 5 | On successfully executing these requests, the attacker may manage to corrupt the ARP cache on both the victim's machine and the router, causing all data to be misdirected to the attacker's machine. |
| 6 | If the attacker configures traffic forwarding, they can escalate the situation from a denial-of-service to a man-in-the-middle attack. |
| 7 | By examining other layers of our network model, we might discover additional attacks. The attacker could conduct DNS spoofing to redirect web requests to a bogus site or perform SSL stripping to attempt the interception of sensitive data in transit. |
Defense
- Static ARP Entries: By disallowing easy rewrites and poisoning of the ARP cache, we can stymie these attacks. This, however, necessitates increased maintenance and oversight in our network environment.
- Switch and Router Port Security: Implementing network profile controls and other measures can ensure that only authorized devices can connect to specific ports on our network devices, effectively blocking machines attempting ARP spoofing/poisoning.
- Dynamic ARP Inspection (DAI): Enterprise switches can validate ARP requests, cross-check them against the DHCP snooping database, and drop invalid ARP replies.
- DHCP Snooping: Builds the IP ↔ MAC binding table that DAI uses to prevent spoofing.
- 802.1X Authentication: Prevents a rogue device from joining the LAN in the first place.
- Tracing and Identification: First and foremost, the attacker's machine is a physical entity located somewhere. If we manage to locate it, we could potentially halt its activities. On occasion, we might discover that the machine orchestrating the attack is itself compromised and under remote control.
- Containment: To stymie any further exfiltration of information by the attacker, we might contemplate disconnecting or isolating the impacted area at the switch or router level. This action could effectively terminate a DoS or MITM attack at its source.