How to protect against ARP Poisoning exploit.
Address Resolution Protocol (ARP) Poisoning is also known as ARP Spoofing, Man-in-the-Middle Attack, ARP Flooding, etc. ARP Poisoning allows an attacker to associate his MAC address (the sole means of computer to computer communication) with the victim’s IP address. As a result, whatever traffic is sent from the victim’s end is first sent to the attacker, where he has all the control to modify the traffic, exploit it or stop it.
If you have read my previous post on ARP poisoning (Click here to read) then you will agree with me that this is a serious and silent attack that needs to be prevented.
For additional understanding you might also want to read this: Address Resolution Protocol (ARP): Understanding the basics
Without wasting much of your time, I have done some quick research to enumerate some interesting ways this terrible silent attack can be mitigated.
In a network, the Address Resolution Protocol (ARP) is the standard protocol for finding a system's MAC address when only its IP address is known. The MAC address is the unique identifier for system to system communication. Thus, if an attacker is able to corrupt the ARP table so that data is sent to the wrong system, there is a big challenge ahead.
There are two possible approaches to an ARP poisoning attack:
1. Spoofing the router
2. Spoofing the system/computers.
Both can also be done simultaneously.
Now, in preventing this ARP poisoning we will have to deal with it both on the router and the system/computer.
Use Virtual Private Networks (VPN)
One of the best ways to protect your computer from ARP spoofing attack is by using a VPN. A VPN will allow you to do online activities through an encrypted tunnel. Not only is the mode of transmission encrypted but also the data that goes through it.
So, even if your network is compromised by ARP spoofing, your privacy, data or conversation will remain secure because the attacker won’t be able to decrypt the encrypted data.
Manually bind the router's IP address to its MAC address in static mode.
This way it would be impossible to route traffic to the attacker's system/computer pretending to be the router.
How is this done?
For example if the following are the details of my router:
IP Address: 192.168.1.1
MAC Address:00-19-e0-fa-5b-2b
The following steps should be followed to bind the IP to the MAC manually:
1. Open a command prompt
2. Type arp -s 192.168.1.1 00-19-e0-fa-5b-2b in the window and press Enter.
3. Type arp -a in the command prompt to confirm that the entry added was Static.
Now we have added a static ARP binding entry for the router. Thus the data for the router won’t be sent to the wrong place. However, note that unfortunately these entries disappear after the computer reboots, and we will need to type the command once again.
A typical way round this is to put the previous ARP commands in a batch file and have it execute on system startup. That way you will stay protected every time you restart your system.
It should be noted however, that static ARP can only prevent simple ARP attacks, and cannot be relied upon as a fail-safe ARP spoofing defense tool.
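The check in step 3 can be automated. The following is an added example, not part of the original post: it parses `arp -a` output, confirms the router entry is static and matches the expected MAC, and flags any MAC address claimed by more than one IP. The function names and the sample table are constructed for illustration, and English-language Windows `arp -a` output is assumed.

```python
import re

# Constructed sample of Windows `arp -a` output (not captured from a real host).
SAMPLE_ARP_A = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-19-e0-fa-5b-2b     static
  192.168.1.40          3c-52-82-11-9a-07     dynamic
  192.168.1.57          3c-52-82-11-9a-07     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(static|dynamic)\s*$", re.I)

def parse_arp_table(text):
    """Return {ip: (mac, type)} for every entry row in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def audit(text, gateway_ip, gateway_mac):
    """List findings: gateway binding problems and MACs claimed by several IPs."""
    table = parse_arp_table(text)
    findings = []
    entry = table.get(gateway_ip)
    if entry is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    else:
        mac, kind = entry
        if mac != gateway_mac.lower():
            findings.append(f"gateway {gateway_ip} resolves to {mac}, expected {gateway_mac.lower()}")
        if kind != "static":
            findings.append(f"gateway {gateway_ip} entry is {kind}, not static")
    by_mac = {}
    for ip, (mac, _) in table.items():
        if mac != "ff-ff-ff-ff-ff-ff":  # broadcast is legitimately shared
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:  # an indicator worth investigating, not proof of spoofing
            findings.append(f"{mac} is claimed by {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP_A, "192.168.1.1", "00-19-e0-fa-5b-2b"):
        print(finding)
```

To run it against a live host, pass the text captured from arp -a to audit() in place of the constructed sample.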
Tools to use for preventing ARP poisoning attacks
So I researched tools that could be used to prevent ARP poisoning and compiled the following.
(This research was compiled from https://www.researchgate.net/publication/282568321_A_Security_Approach_to_Prevent_ARP_Poisoning_and_Defensive_tools)
ARP AntiSpoofer
This is a light tool that enables you to detect Address Resolution Protocol poisoning. Its main features are:
- Protect multiple hosts
- Easy to configure
- Auto detect spoofing
- User-friendly interface
XArp
This is a security application that uses advanced techniques to detect ARP-based attacks and thus helps you to keep your data private.
Arpalert
This is an ARP traffic monitoring tool. Arpalert uses ARP protocol monitoring to prevent illegal connections on the local network. If an illegitimate connection is detected, a program is launched, which is used to send an alert message to the administrator.
ARPON
This is a portable program for securing ARP against poisoning or routing attacks in static, dynamic and hybrid networks. It secures ARP in order to avoid MITM attacks. It also detects and blocks minor attacks to halt more complex attacks like DHCP, DNS and WEB Spoofing, Session Hijacking and SSL/TLS Hijacking etc.
It is a host-based solution that doesn’t modify ARP’s standard protocol, but instead sets policies by using SARPI for static networks, DARPI for dynamic networks and HARPI for hybrid networks. Its main features are as follows:
- It detects and blocks Man in the Middle through ARP Spoofing/Poisoning attacks in statically, dynamically (DHCP) and hybrid configured networks
- It detects and blocks derived attacks: DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking, SSL/TLS Hijacking & co
- It doesn’t affect the communication efficiency of the ARP protocol
- It manages the network interface into unplug, boot, hibernation and suspension OS features
- It works in user-space for OS portability reasons
- It is easily configurable via command line switches, provided that you have root permissions
- It is tested against Ettercap, Cain & Abel, dsniff and other tools
- It replaces utilities such as arp, arping, arpscan
If you want to read more on this you can download the full text publication on:
https://www.researchgate.net/publication/282568321_A_Security_Approach_to_Prevent_ARP_Poisoning_and_Defensive_tools
I hope you found this post informative. Any questions or comments, please put in a word and let me know.