Tip

ARP spoofing detection

Seth Fogie and Cyrus Peikari

Did you know that the Address Resolution Protocol (ARP) can be used to attack your network, to sniff out your data, to glean passwords, even to take your network offline? Well, it can. How it can do this is too involved for discussion here. But there are things you can do to stop this from happening. This tip, excerpted from InformIT, discusses the first step in defeating ARP poisoning: detecting the problem. The entire article on InformIT explains how ARP attacks work as well.

While stopping ARP attacks is impossible because of the inherent part ARP plays in data transfer, spoofed ARP requests are very easy to detect. Although there are many tools and programs available that attempt to warn administrators of ARP attacks, they all basically work the same way.

One program that does this is arpwatch. This program basically monitors all ARP/IP address pairings and alerts its user when changes occur. It does this by listening on the network, much like a sniffer, and comparing all captured replies against a database. Other programs take a snapshot of all related IP/MAC addresses, and periodically request updates from networked computers. However, these methods often result in numerous false alarms on DHCP networks, which dynamically assign IP addresses. (Editor's note: You can download a program called an Improved ARP Sniffer from cert.uni-stuttgart.de/archive/bugtraq/2000/06/msg00417.html. Also, you can read a good article on sniffers at cert.uni-stuttgart.de/archive/bugtraq/2000/06/msg00417.html.)
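The compare-against-a-database approach described above can be sketched as follows. This is an added example, not arpwatch's own code or code from the original article. The names parse_arp, ArpWatcher, make_reply and run_sample are hypothetical, and the frames are constructed in memory rather than captured from a network.

```python
import struct

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac) from an Ethernet/IPv4 ARP frame, or None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":    # too short / not ARP
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet + IPv4 only
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])      # sender hardware address
    ip = ".".join(str(b) for b in frame[28:32])           # sender protocol address
    return ip, mac

class ArpWatcher:
    """Keeps the IP -> MAC database and reports pairings that are new or changed."""
    def __init__(self):
        self.table = {}
    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        ip, mac = parsed
        old = self.table.get(ip)
        self.table[ip] = mac                   # remember the latest pairing
        if old is None:
            return ("new", ip, mac)
        if old != mac:
            return ("changed", ip, old, mac)   # spoofing, or a DHCP lease moving hosts
        return None

def make_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame (sample input only, never sent)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)       # opcode 2 = reply
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def run_sample():
    """Feed constructed frames through the watcher and return the alerts raised."""
    gw, host, other = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
    frames = [
        make_reply(gw, "192.0.2.1", host, "192.0.2.10"),     # first sighting of .1
        make_reply(host, "192.0.2.10", gw, "192.0.2.1"),     # first sighting of .10
        make_reply(gw, "192.0.2.1", host, "192.0.2.10"),     # same pairing, no alert
        make_reply(other, "192.0.2.1", host, "192.0.2.10"),  # .1 now maps elsewhere
    ]
    watcher = ArpWatcher()
    return [a for a in map(watcher.observe, frames) if a]
```

A "changed" alert alone does not separate a spoofed reply from a DHCP reassignment, which is the false-alarm problem the paragraph describes; correlating alerts with DHCP lease logs is one way to triage them.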

The only real solution for avoiding ARP attacks is to encrypt all data passing over the network. Although this is a possibility, it is not commonly employed due to the processing overhead and complexity of setup.


To read the entire article from which this tip comes, click over to InformIT. You have to register there, but it doesn't cost you anything.


This was first published in October 2002
