Did you know that the Address Resolution Protocol (ARP) can be used to attack your network, to sniff out your data, to glean passwords, even to take your network offline? Well, it can. How it can do this is too involved for discussion here. But there are things you can do to stop this from happening. This tip, excerpted from InformIT, discusses the first step in defeating ARP poisoning: detecting the problem. The entire article on InformIT explains how ARP attacks work as well.
While stopping ARP attacks is impossible because of the inherent part ARP plays in data transfer, spoofed ARP requests are very easy to detect. Although there are many tools and programs available that attempt to warn administrators of ARP attacks, they all basically work the same way.
One program that does this is arpwatch. This program monitors all ARP/IP address pairings and alerts its user when changes occur. It does this by listening on the network, much like a sniffer, and comparing all captured replies against a database. Other programs take a snapshot of all related IP/MAC addresses, and periodically request updates from networked computers. However, these methods often result in numerous false alarms on DHCP networks, which dynamically assign IP addresses. (Editor's note: You can download a program called an Improved ARP Sniffer from cert.uni-stuttgart.de/archive/bugtraq/2000/06/msg00417.html. Also, you can read a good article on sniffers at cert.uni-stuttgart.de/archive/bugtraq/2000/06/msg00417.html.)
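The pairing check described above, as an added example that is not arpwatch's code and not part of the original article: it parses raw ARP payloads, keeps an IP-to-MAC database, and reports new, changed and alternating pairings. The class and function names, the event labels and the sample frames (documentation addresses, locally administered MACs) are assumptions constructed for illustration.

```python
import socket
import struct

# Ethernet/IPv4 ARP payload (RFC 826): htype, ptype, hlen, plen, oper,
# sender MAC, sender IP, target MAC, target IP (28 bytes in total).
ARP_FMT = "!HHBBH6s4s6s4s"

def parse_arp(payload):
    """Return (sender_ip, sender_mac) from a raw ARP payload, or None."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return None                      # truncated frame
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                      # not Ethernet/IPv4 ARP
    ip = socket.inet_ntoa(spa)
    if ip == "0.0.0.0":
        return None                      # address probe: asserts no pairing
    return ip, ":".join(f"{b:02x}" for b in sha)

class PairingMonitor:
    """Hypothetical class: remembers the current and previous MAC per IP."""
    def __init__(self):
        self.db = {}                     # ip -> (current_mac, previous_mac)
    def observe(self, payload):
        parsed = parse_arp(payload)
        if parsed is None:
            return None
        ip, mac = parsed
        if ip not in self.db:
            self.db[ip] = (mac, None)
            return ("new", ip, mac)
        cur, prev = self.db[ip]
        if mac == cur:
            return None                  # pairing unchanged, stay quiet
        self.db[ip] = (mac, cur)
        # "changed" may be a DHCP reassignment; "flip-flop" means two
        # stations keep claiming the same IP and deserves a closer look.
        return ("flip-flop" if mac == prev else "changed", ip, mac)

def build_arp(mac, ip, oper=2):
    """Constructed sample ARP payload for the demo; nothing is sent."""
    raw = bytes.fromhex(mac.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, raw,
                       socket.inet_aton(ip), bytes(6), socket.inet_aton("192.0.2.10"))

def demo():
    mon, gw, other = PairingMonitor(), "02:00:00:00:00:01", "02:00:00:00:00:66"
    return [mon.observe(build_arp(m, "192.0.2.1")) for m in (gw, gw, other, gw)]
```

A single "changed" event is what a DHCP lease handed to a different machine looks like, which is the false alarm the paragraph above mentions; the alternating case is the one to investigate first.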
The only real solution for avoiding ARP attacks is to encrypt all data passing over the network. Although this is a possibility, it is not commonly employed due to the processing overhead and complexity of setup.
To read the entire article from which this tip comes, click over to InformIT. You have to register there, but it doesn't cost you anything.