Posted by: jasonk2600 | October 3, 2009

Defending Against ARP Cache Poisoning

Almost all components of a TCP/IP based network utilize the ARP protocol to resolve IP-to-MAC addresses and maintain ARP caches.  Most any computer or network device that maintains an ARP cache is susceptible to a common attack known as ARP cache poisoning.  In short, the dynamic table of cached IP-to-MAC addresses can be overwritten by an attacker.  This is most commonly done by flooding the computer or device with incorrect ARP packets until the ARP cache is overwhelmed and only contains the new IP-to-MAC address resolution that the attacker has injected.


ARPWatch is a well known and commonly used open source tool that can be used to assist in alerting you to successful and attempted ARP cache poisoning attacks.  Below is a basic primer on how to install and setup the ARPWatch tool.  In this example, ARPWatch will be installed and configured on a host running the FreeBSD 7.x operating system.


I. Installing APRWatch

# cd /usr/ports/net-mgmt/arpwatch
# make install clean
# rehash

II. Verify that ARPWatch is Working

Verify that ARPWatch has been installed correctly and is functioning properly by running it from the console. In the example below ARPWatch will watch ARP traffic on the fxp0 network interface. Replace ‘fxp0’ in the command below to reflect your system’s network configuration.

# arpwatch -i fxp0

ARPWatch will only report IP/MAC address changes from traffic that it can see on the network interface that you have specified. Connect a new computer or network device or change the MAC address of a computer or network device on the network segment that ARPWatch is monitoring. ARPWatch will report any changes to the local syslog facility by default. Check syslog to ensure that ARPWatch is reporting any anomalies in ARP traffic.

# tail -f /var/log/messages

NOTE: The "arp" command can be used to help troubleshoot network communications issues and/or check the current ARP cache of the host that it is running on. You can display the current ARP cache table by running arp with the "-a" command line option.

# arp -a

III. Configuring ARPWatch Anomaly Notification

By default, ARPWatch will send ARP anomaly alert notifications to the root user’s e-mail. If you have not already set the root user’s email address to an email account that is checked regularly, you should do so as part of good system admin practices. To enable the ARPWatch daemon to start sending alerts at system boot, enable ARPWatch in the /etc/rc.conf system configuration file. Once ARPWatch has been enable in rc.conf start the ARPWatch daemon and verify that it has started successfully.

# echo "arpwatch_enable=YES" >> /etc/rc.conf
# /usr/local/etc/rc.d/arpwatch start
# /usr/local/etc/rc.d/arpwatch status

Finally, check the root user’s email account regularly for ARP IP-to-MAC address changes. By documenting and knowing the MAC addresses of your network assets, it will be simple to detect any unauthorized devices connecting to your network and identify any attempted ARP cache poisoning attacks.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: