First, let’s understand what ARP is.
ARP is how network devices associate MAC addresses with IP addresses so that devices on the local network can find each other. ARP is basically a networking protocol for doing a roll call. ARP consists of merely four basic message types:
- An ARP Request. Computer A asks the network, “Who has this IP address?”
- An ARP Reply. Computer B tells Computer A, “I have that IP. My MAC address is [whatever it is].”
- A Reverse ARP Request (RARP). Computer A asks, “Who has this MAC address?”
- A RARP Reply. Computer B tells Computer A, “I have that MAC. My IP address is [whatever it is]”
All network devices have an ARP table, a short-term memory of all the IP addresses and MAC addresses the device has already matched together. The ARP table ensures that the device doesn’t have to repeat ARP Requests for devices it has already communicated with.
What is ARP Poisoning Attack?
An ARP (Address Resolution Protocol) poisoning attack is a type of attack in which the attacker changes the MAC (Media Access Control) address that is associated with an IP address. Also known as an ARP spoofing attack, it is effective against both wired and wireless local networks.
ARP spoofing or ARP poisoning is the cornerstone of all switch hacks. Hackers love this attack because it’s simple and it works 9 out of 10 times. ARP spoofing gives unauthorized users access to data in a switched network by poisoning the ARP cache of an end node. ARP poisoning attacks are characterized by loss of data from the compromised computers and inaccessible services, such as the Internet.
A MAC address is a unique identifier for network nodes, such as computers, printers, and other devices on a LAN. MAC addresses are associated with the network adapter that connects a device to the network. The MAC address is critical to locating networked hardware devices because it ensures that data packets go to the correct place. ARP tables, or caches, are used to correlate network devices’ IP addresses with their MAC addresses.
How to Stop ARP Attack
ARP poisoning happens when an attacker is able to compromise the ARP table and change the MAC address so that the IP address points to another machine.
If the attacker makes the compromised device’s IP address point to his own MAC address, then he would be able to steal the information, or simply eavesdrop and forward on communications meant for the victim. Additionally, if the attacker changed the MAC address of the device that is used to connect the network to the Internet, then he could effectively disable access to the web and other external networks.
A Man in the Middle attack is an attack in which an attacker places his or her machine in the logical path between two machines that are communicating with each other. Once in this position, the attacker can launch many different and very dangerous attacks because he or she sits between the two legitimate machines.
ARP poisoning is tough to stop. That’s why it should be the first attack you learn to defend against. It’s a “must config” feature.
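The sketch below is an added example, not code from ArpGuard or any other tool named on this page. It parses raw ARP payloads, tracks the IP-to-MAC table the way a host does, and raises an alert when an IP address moves to a different MAC or when one MAC claims several IPs; the function names and all sample addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload, else None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in payload[8:14])
    ip = ".".join(str(b) for b in payload[14:18])
    return oper, mac, ip

def detect(payloads):
    """Flag IP-to-MAC changes and MACs that claim more than one IP."""
    table = {}                   # ip -> mac, mirrors a host's ARP table
    claimed = defaultdict(set)   # mac -> ips it has claimed
    alerts = []
    for raw in payloads:
        parsed = parse_arp(raw)
        if parsed is None or parsed[2] == "0.0.0.0":   # skip malformed and probes
            continue
        _, mac, ip = parsed
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append(("ip-moved", ip, old, mac))
        table[ip] = mac
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:
                alerts.append(("mac-multi-ip", mac, tuple(sorted(claimed[mac]))))
    return alerts

def make_arp(oper, mac, ip):
    """Build a constructed ARP payload (target fields zeroed) for the sample below."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + bytes(10)

# Constructed sample traffic: opcode 2 = ARP Reply; all addresses are made up.
SAMPLE = [
    make_arp(2, "02:00:00:00:00:01", "192.168.1.1"),    # gateway
    make_arp(2, "02:00:00:00:00:20", "192.168.1.20"),   # workstation
    make_arp(2, "02:00:00:00:00:66", "192.168.1.66"),   # third host
    make_arp(2, "02:00:00:00:00:66", "192.168.1.1"),    # same MAC now claims the gateway IP
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Legitimate events such as DHCP lease changes, router failover or a replaced network card produce the same alerts, so each one needs checking against known inventory before it is treated as poisoning.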
How to Stop ARP Poisoning in Mac
ArpGuard protects your Mac by keeping an eye on your network. Even though Mac OS X is already well protected, it is vulnerable to a Man in the Middle attack, which can compromise your passwords, bank account information and credit card information, and even allow unauthorized access to your Mac. This type of attack is increasingly popular, and if you have ever connected to a public network, or even a private one, you may already have been compromised. Web sites that you browse are not always secure and can compromise sensitive information.
After you install ArpGuard and click the Start ArpGuard button, the application will minimize and start watching for any hackers that might compromise your network. ArpGuard will detect any suspicious activity.
How to Stop ARP Poisoning in Windows
Ettercap is a popular tool to stop ARP poisoning in Windows. Ettercap is able to perform attacks against the ARP protocol by positioning itself as “man in the middle” and, once in that position, it is able to:
- infect, replace, delete data in a connection
- discover passwords for protocols such as FTP, HTTP, POP, SSH1, etc.
- provide fake SSL certificates in HTTPS sessions to the victims.