ARP (Address Resolution Protocol) spoofing is many times initial phase of Man-In-The-Middle (MITM) attack that allows an attacker to intercept and modify network traffic by poisoning the ARP cache on a target device. ARP is a protocol used to map an IP address to a physical address (MAC address) on a local network. In an ARP spoofing attack, the attacker sends fake ARP messages to a target device, associating their own MAC address with the IP address of a legitimate device on the network. This allows the attacker to intercept and modify network traffic that is intended for the legitimate device.
ARP spoofing attacks are often used in combination with other types of attacks, such as DNS spoofing, SSL stripping, and more. These attacks can be used to steal sensitive information, launch phishing attacks.
Video below demonstrates detection of ARP poisoning using an Android app.
How Does It Work?
- Address Resolution Protocol (ARP): In a computer network, devices use ARP to find out the physical address (MAC address) of another device based on its IP address. It’s like asking, “Who has this phone number?” and getting the answer, “I do, and here’s my address.”
- The Attack: In ARP spoofing, a malicious person (the attacker) sends fake ARP messages to your network. These messages trick your devices into thinking the attacker’s device is the one they want to communicate with.
- The Result: Your device sends data to the attacker’s device instead of the intended recipient.
Detect ARP Spoofing with smartphone
ARP Guard (WiFi Security) is a free Android app designed to protect users against ARP spoofing. The app monitors the MAC address of Gateway silently in the background. If and incident occurs, it will notify the user with notification pop-up.
The app successfully identified an attack with MAC address of the forged Gateway.
Here’s how it works
- Detection and Notification: The app continuously monitors your network for suspicious ARP activity. If an attack is detected, it notifies you immediately through vibrations, sounds, and notifications.
- Three Modes of Protection:
- Warning Mode: Alerts you about potential attacks.
- Invulnerability Mode: Uses a static gateway address to make your device immune to ARP spoofing (requires root access).
- Recovery Mode: Helps restore your network settings after an attack.
- Auto WiFi Off: In non-root mode, the app can automatically turn off WiFi when an attack is detected, preventing further damage.
Identify attack manually
All the mentioned attacks are based on ARP poisoning and spoofing. Identifying these attacks isn’t very difficult. There are two ways how to recognize them: automatically using detention tools or manually. Starting with automatic detection, the easiest method to classify such attack on your computer and network is by having a desktop security software that can detect ARP poisoning and blocks it.
Manual analysis can be done via command line or Termux app using arp -a command on both desktop and Android devices. In Figure 4. you can see the result of command before and after ARP poisoning started. From the output you can tell that two same MAC addresses represent two different IP addresses on the network, which is a strong signal of probable ongoing ARP poisoning attack.
Additional Tips to Prevent ARP Spoofing
While ARP Guard provides protection, here are some additional tips to enhance your network security:
- Use Static ARP Entries: Configure static ARP entries on your devices to prevent them from accepting unsolicited ARP replies.
- Enable Packet Filtering: Use packet filtering rules on your router to block ARP packets from untrusted sources.
- Network Segmentation: Segment your network into smaller, isolated sections to limit the spread of an attack.
- Regular Monitoring: Regularly monitor your network traffic for unusual patterns that might indicate an ARP spoofing attempt.
By combining the use of ARP Guard with these preventive measures, you can significantly reduce the risk of ARP spoofing attacks and protect your network from malicious actors.
Where to use it?
Public or not trustworthy Wi-Fi networks.
Conclusion
Using an Android app like ARP Guard (WiFi Security) is a practical and effective way to protect your smartphone from ARP poisoning attacks. This app provides real-time monitoring and alerts, helping you detect and respond to suspicious network activity promptly.
In addition to using ARP Guard, it’s essential to follow best practices such as keeping your device updated, using strong passwords, and being cautious when connecting to public Wi-Fi networks. Combining these measures will significantly enhance your overall network security and protect you from potential cyber threats.