ARP poisoning & MITM Attack

Thilini Weerasinghe
5 min read · May 23, 2021
Source: https://www.logsign.com/

MITM stands for Man In The Middle, and it is one of the most popular hacking techniques; it aims to exploit data while it is being transferred in real time. ARP poisoning means Address Resolution Protocol poisoning. These are two techniques used to attack web applications. This article describes the general ARP process, ARP poisoning, MITM attacks, and what we can do to avoid these attacks.

Address Resolution Protocol (ARP)

Web applications and other computer programs use logical (IP) addresses to send and receive messages. However, the real communication is done using the physical (MAC) addresses of the sender and receiver. This is where ARP comes in: it converts an IP address into the corresponding MAC address. The following figure shows the function of ARP.

ARP process (source: practicalnetworking)

In a computer network many devices are connected to one network. When one device wants to communicate with another specific device, it needs to know the MAC address of that device. Therefore it sends an ARP request containing the IP address, and the device that owns that IP address replies with its MAC address in an ARP response. After receiving the response, the requester stores the details in its ARP cache, so it does not have to send the same request again and again.

To view the ARP cache for a particular network, you can use the command arp -a in the Command Line Interface (CLI).

Sample ARP cache output

ARP Poisoning

ARP poisoning, also known as ARP spoofing, ARP poison routing and ARP cache poisoning, is a concept attackers use to launch their attacks via the internet. ARP is not a well-trusted protocol that ensures high security, and attackers have taken advantage of that. These attacks can access the victim's sensitive data without their knowledge. ARP poisoning is the process in which the attacker sends its own MAC address instead of the physical address of the real destination. The false MAC address is saved in the ARP cache, and the victim begins communicating with the attacker's MAC address. Then the attacker can handle all the traffic of the network, modify it or intercept it. This is used for session hijacking and DNS spoofing.

ARP poisoning process (Source: https://www.networkacademy.io)

MitM is an attack that is based on the ARP poisoning concept.

Man in the Middle(MitM) Attack

See the following figure first to get a clear understanding of the MitM process.

Man In The Middle attack (Source: https://www.networkacademy.io)

In the MitM process the communication appears to happen normally, and the victim does not know that the messages are going through a third party sitting in the middle of the communication path. The attack has several objectives. The man in the middle can access the messages transferred between the two parties and modify them, or sometimes capture sensitive data while it is being transferred. If the original messages are not modified and the attacker only listens for the important facts, then it is difficult to identify a MitM attack.

How to avoid these attacks

Now you can see that encryption is not a sufficient measure for preventing the above-mentioned attacks; what it can do is only reduce their impact. MitM attacks are launched to get user credentials, and if we send them encrypted then the attacker will not be able to capture them. To detect such attacks we can regularly check our ARP cache with the arp -a command, and toolkits like arpwatch and XArp provide continuous monitoring of the network and alert when something changes.
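The check described above can be automated. The following is an added example (not code from the original article or from arpwatch) that parses Linux-style arp -a output and flags the two indicators the article names: an IP whose MAC no longer matches a trusted baseline, and one MAC answering for several IPs. The sample cache output and the baseline mapping are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Linux `arp -a` output (not captured from a real network).
# 192.168.1.1 is the gateway; its MAC here matches the host at 192.168.1.30,
# which is what a poisoned victim cache looks like.
SAMPLE_ARP_A = """\
_gateway (192.168.1.1) at aa:bb:cc:dd:ee:03 [ether] on eth0
fileserver (192.168.1.10) at aa:bb:cc:dd:ee:01 [ether] on eth0
printer (192.168.1.20) at aa:bb:cc:dd:ee:02 [ether] on eth0
? (192.168.1.30) at aa:bb:cc:dd:ee:03 [ether] on eth0
"""

# Hypothetical trusted baseline, e.g. the static mappings an admin keeps
# for this network segment (constructed values).
BASELINE = {
    "192.168.1.1": "00:11:22:33:44:55",
    "192.168.1.10": "aa:bb:cc:dd:ee:01",
    "192.168.1.20": "aa:bb:cc:dd:ee:02",
}

# Matches "(<ipv4>) at <mac>" in each arp -a line; incomplete entries are skipped.
ENTRY_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})", re.I)


def parse_arp_a(text):
    """Return {ip: mac} from Linux-style `arp -a` output, MACs lower-cased."""
    return {ip: mac.lower() for ip, mac in ENTRY_RE.findall(text)}


def find_anomalies(cache, baseline):
    """Return a list of alert tuples for the two classic poisoning signs:
    ("changed", ip, expected_mac, seen_mac)  - cache entry differs from baseline
    ("duplicate", mac, (ip, ...))            - one MAC claimed by several IPs
    """
    alerts = []
    for ip, mac in cache.items():
        expected = baseline.get(ip)
        if expected and expected.lower() != mac:
            alerts.append(("changed", ip, expected.lower(), mac))
    by_mac = defaultdict(list)
    for ip, mac in cache.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("duplicate", mac, tuple(sorted(ips))))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_arp_a(SAMPLE_ARP_A), BASELINE):
        print(alert)
```

Windows arp -a prints MACs with dashes and a different column layout, so the regular expression would need adjusting there; a duplicate MAC is only a strong signal when the hosts are not legitimately sharing one interface (for example a router answering for several addresses).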

🔴 Static ARP tables: This method statically maps each MAC address to the right IP address and keeps a table of these mappings. If you want to add another node, you have to add its information to the table manually. Though it prevents ARP poisoning issues, it causes an administrative burden, and keeping and manually managing such a table is very complex for a large organization. However, where the situation is critical, you can keep a separate static table for each network segment.

🔴 Physical security: Properly managing physical access to the organization's premises gives more protection against ARP attacks, because ARP messages cannot travel beyond the boundaries of the LAN. The attacker would need a machine under their control in that specific area, or would have to come physically close to the LAN; otherwise they cannot launch such attacks.

🔴 Switch security: Managed Ethernet switches support features that help avoid ARP poisoning attacks. As an example, Dynamic ARP Inspection (DAI) validates each ARP message and drops packets that appear suspicious or malicious. It can also be configured with a rate limit for ARP messages, which helps avoid DoS attacks.

🔴 Network isolation: ARP messages cannot travel beyond the local subnet. This means that well-arranged network segments reduce the overall impact, as poisoning attacks cannot be launched from another subnet. As a trick, organizations can keep their valuable resources in a dedicated, isolated network segment to avoid ARP poisoning attacks.

I think you now have a clear understanding of the ARP process, ARP poisoning, what MitM attacks mean, and how to prevent such threats.

Stay Safe & Learn New Things!!! 😄


Thilini Weerasinghe

Currently working as an Associate Software Engineer at Virtusa. Has completed degree in B.Sc (Hons) Computing & Information Systems. After all I am a Human...