How To Prevent ARP Spoofing

“You can fool some of the people all of the time, and all of the people some of the time, but you can not fool all of the people all of the time.”

-Abraham Lincoln

What is ARP spoofing, and why do I care? If you’re old enough, you might remember the TV show “To Tell The Truth.”  The show features a panel of four celebrities attempting to correctly identify a described contestant who has an unusual occupation or experience. This central character is accompanied by two impostors who pretend to be the central character. The celebrity panelists question the three contestants; the impostors are allowed to lie but the central character is sworn “to tell the truth”. After questioning, the panel attempts to identify which of the three challengers is telling the truth and is thus the central character.

Your computer is like one of the celebrities in “To Tell The Truth”.  To communicate on your home network, your computer needs to know how to talk to your wireless router.  So, it broadcasts a question on your network: “Hey, router: Where are you?”.  In computerese, the question looks like: “Who has IP address 192.168.1.1.  Tell 192.168.1.11”.  In Wireshark, it looks like this:

[Figure: Wireshark capture of the ARP request]

After your computer broadcasts the question, it listens for an answer.  Normally, your wireless router will answer “Here I am!!”.  In computerese, the answer looks like “192.168.1.1 is at 28:c6:8e:a4:3c:71”.

In a way, this is a little bit like “To Tell The Truth”.  Pretend you are one of the celebrities.  There is a mystery guest, and two imposters.  The mystery guest is Abe Lincoln, and both imposters are dressed up to look like Abe Lincoln.  They all have beards, and a tall stove-pipe hat.  Their voices are all the same.  How would you tell the real Abe Lincoln from the imposters?  You would ask probing questions, right?

For your computer, it is actually harder to tell.  Your computer can’t see the contestants.  It can’t ask any probing questions.  The only thing your computer can ask is: Which one of you is Abe Lincoln? Now, under normal circumstances, only the real Abe Lincoln will answer “I am the real Abe Lincoln”.  And, you would begin a conversation with one of the greatest presidents the USA has ever had.

However, if there is a hacker on your network, they can also answer “I am the real Abe Lincoln”.  The unfortunate part is that your computer can’t verify identities, so it just has to assume that the conversation it is beginning to have is with the real Abe Lincoln. That is what ARP spoofing is all about.  It is getting your computer to talk to the hacker’s computer, instead of to your wireless router.
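A monitoring program can notice what your computer cannot: two different hardware addresses both claiming to be 192.168.1.1. The following is an added example, not part of the original post and not XArp's code; the PC and rogue MAC addresses, the sample frames and all function names are constructed for the illustration.

```python
import struct

ARP_ETHERTYPE = 0x0806

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, _mac(frame[22:28]), _ip(frame[28:32])

def find_conflicts(frames):
    """Return (ip, known_mac, new_mac) each time an IP is claimed by a different MAC."""
    seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP, or not the Ethernet/IPv4 flavour
        _, mac, ip = parsed
        known = seen.setdefault(ip, mac)  # first claim seen becomes the baseline
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts

def build_frame(op, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed 42-byte ARP frame for the demo (not captured traffic)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    eth = m(dst_mac) + m(src_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + m(src_mac) + i(src_ip) + m(dst_mac) + i(dst_ip)

ROUTER_MAC = "28:c6:8e:a4:3c:71"   # the router's address from the post
PC_MAC = "02:00:00:00:00:11"       # constructed
ROGUE_MAC = "02:00:00:00:00:66"    # constructed
SAMPLE = [
    build_frame(1, PC_MAC, "192.168.1.11", "ff:ff:ff:ff:ff:ff", "192.168.1.1"),  # who has .1?
    build_frame(2, ROUTER_MAC, "192.168.1.1", PC_MAC, "192.168.1.11"),           # real answer
    build_frame(2, ROGUE_MAC, "192.168.1.1", PC_MAC, "192.168.1.11"),            # second claimant
]

if __name__ == "__main__":
    for ip, known, new in find_conflicts(SAMPLE):
        print(f"ALERT: {ip} was at {known}, now also claimed by {new}")
```

The first address seen is treated as the baseline, so an alert shows that two machines claim the same IP, not which of them is the real router.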

Suppose you now browse to your bank’s website.  The hacker can forward your browser traffic to the bank’s website, and become a “Man In The Middle”, someone between you and your bank.  This sort of attack is called a “Man In The Middle” attack.  Using a program called SSL Strip, the hacker can intercept and decode your SSL traffic, then forward your browser requests to your REAL bank.  Or, if you are shopping, the hacker can send it to Amazon.com, etc.  (SSL Strip doesn’t actually decode the SSL traffic, but the net effect is the same.) Once the hacker intercepts your credit card number or bank account information, you’re in real trouble.

What can you do to prevent this? The SSL Strip program starts with an ARP spoofing attack, so let’s make ARP spoofing harder.  How do we do that? There is a good webpage that talks about this very thing: “HOWTO : Protect you from being ARP spoofing.”  It also has links to videos that show how to do these attacks (lovely).  The author, Samiux, has some good pointers for avoiding ARP spoofing.  For Windows and Linux, he points you to “XArp – Advanced ARP Spoofing Detection.”

The author of XArp is Dr. Christoph P. Mayer.  His presentation “Securing ARP: An overview of threats, approaches, and solutions” is the most thorough analysis I have seen related to ARP spoofing.  Dr. Mayer has a very comprehensive description of what ARP spoofing is, the various types of ARP spoofing, a large number of possible techniques to combat it, strengths and weaknesses of the individual techniques, and a suggestion that you obtain his program XArp.  On his website, you can download a free version of XArp (fewer features) or you can buy XArp Professional (more features).

Another research paper on this topic is:  “Securing Wireless Networks from ARP Cache Poisoning,” by Roney Philip, San Jose State University.  Roney actually writes wireless router firmware to protect against ARP spoofing.

Cisco has a very good paper, “ARP Poisoning Attack and Mitigation Techniques,” that describes two security features of the Cisco Catalyst 6500 Series Switches: DHCP Snooping and Dynamic ARP Inspection (DAI).  I don’t know if you have to turn them on or if they are automatically enabled.

Symantec Endpoint Protection, an enterprise-class security suite, has an option to protect against ARP spoofing, but you have to turn it on:

[Figure: Symantec Endpoint Protection option for ARP spoofing protection]

What to do:

1)      Make sure your wireless router is configured to support WPA2-AES, and that you have a very strong password.

2)      Review the webpage “HOWTO : Protect you from being ARP spoofing” for programs you can install that will help protect against ARP spoofing.

3)      If you’re connected to a public wireless network, don’t do any online banking, or make any online purchases.  The public network you are connecting to might be a hacker’s laptop.

4)      At your office, refer your network administrators to this page.  They probably already know all this (and more), but it will serve as a gentle reminder that protection doesn’t do you any good if you don’t turn it on.
