ARP Poisoning and Detection

Many people don't really know about ARP, the Address Resolution Protocol. It is a common protocol used in local area networks.

To define it, the Address Resolution Protocol (ARP) is a telecommunications protocol used for resolving network layer addresses into link layer addresses, a critical function in multiple-access networks (from Wikipedia). IPv4 and IPv6 stacks typically have this functionality implemented by default.

It is possible to hijack this protocol; this is called ARP spoofing. It may allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic altogether. Generally, the aim is to associate the attacker's MAC address with the IP address of another host.

ARP spoofing is also known as ARP poisoning. Below is a diagram that describes what ARP poisoning does to a network:

Although there are legitimate uses for ARP spoofing (for example, hotels that redirect unregistered machines to a signup page), malicious actors may use this protocol to mount man-in-the-middle attacks or DoS (denial of service) attacks.

How to Detect ARP Poisoning

There is a way to detect ARP spoofing. On Windows, you can use Wireshark.

Here are two pictures of Wireshark capturing the ARP traffic. The first is a screenshot of normal network flow (the display filter is set to show only ARP):

Once the ARP spoofing sets in, the following happens:

Since we see duplicate IPs in the capture (the same IP address claimed by two different MAC addresses), and if we know the router's real MAC address, we know that the source using the other MAC address is the one doing the ARP poisoning.
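The same check Wireshark performs by hand above can be automated. The following is an added example, not code from the original post: it parses raw Ethernet/ARP frames, learns which MAC addresses claim each IP, and raises an alert either when an IP is claimed by more than one MAC (the "duplicate IP" symptom in the screenshots) or when a claim contradicts a trusted mapping such as the router's known MAC. All addresses and frames below are constructed sample data, not captured traffic.

```python
"""Detect ARP poisoning from a stream of raw Ethernet/ARP frames.

Added example (not from the original post). Every ARP packet, request or
reply, carries a sender IP/MAC pair; an IP suddenly claimed by a second MAC,
or by a MAC other than the one we trust for the router, is the poisoning sign.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes):
    """Return (oper, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, oper, sha, spa, _tha, _tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return oper, mac_to_str(sha), ip_to_str(spa)


def build_arp(oper: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Build a raw Ethernet/ARP frame; used here only to construct sample traffic."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    return (ETH_HDR.pack(tmac, smac, ETHERTYPE_ARP)
            + ARP_PKT.pack(1, 0x0800, 6, 4, oper, smac, sip, tmac, tip))


def detect_poisoning(frames, trusted=None):
    """Scan frames and return alerts as (ip, suspect_mac, reason) tuples.

    trusted maps an IP to the MAC it must have (e.g. the router's real MAC).
    Each (ip, mac) pair is reported once, however often it is repeated.
    """
    trusted = dict(trusted or {})
    seen = defaultdict(set)   # ip -> set of MACs observed claiming it
    flagged = set()           # (ip, mac) pairs already reported
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue                      # not ARP, or truncated
        _oper, mac, ip = parsed
        if (ip, mac) in flagged:
            seen[ip].add(mac)
            continue
        if ip in trusted:
            if mac != trusted[ip]:        # someone else claims the router's IP
                alerts.append((ip, mac, f"conflicts with trusted MAC {trusted[ip]}"))
                flagged.add((ip, mac))
        elif seen[ip] and mac not in seen[ip]:   # Wireshark's "duplicate use of IP"
            alerts.append((ip, mac, f"duplicate use of IP, previously {sorted(seen[ip])}"))
            flagged.add((ip, mac))
        seen[ip].add(mac)
    return alerts


# Constructed sample traffic; every address below is made up for this example.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
ROGUE_MAC = "de:ad:be:ef:00:99"
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, BROADCAST, GATEWAY_IP),  # who-has gateway?
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # legitimate reply
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # poisoned reply
    build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # repeated, reported once
    b"\x00" * 14,                                                          # non-ARP noise, ignored
]


def run_demo():
    """Run the detector over the sample with the router's MAC known in advance."""
    return detect_poisoning(SAMPLE_FRAMES, trusted={GATEWAY_IP: GATEWAY_MAC})


if __name__ == "__main__":
    for ip, mac, reason in run_demo():
        print(f"ALERT: {ip} claimed by {mac}: {reason}")
```

With the router's MAC supplied in `trusted`, the detector names the rogue MAC directly, which is the reasoning the screenshots rely on; without any trusted table it still fires on the duplicate claim, but then only the fact of a conflict is known, not which of the two MACs is the real one. To run this against real traffic, feed it frames read from a capture file or a raw socket instead of `SAMPLE_FRAMES`.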
