ARP spoofing detection

This tip addresses how to detect ARP spoofing.

Did you know that the address resolution protocol (ARP) can be used to attack your network, to sniff out your data,

to glean passwords, even to take your network offline? Well, it can. How it can do this is too involved for discussion here. But there are things you can do to stop this from happening. This tip, excerpted from InformIT, discusses the first step in defeating ARP poison, detecting the problem. The entire article on InformIT explains how ARP attacks work as well.


hile stopping ARP attacks is impossible due to the inherent part it plays in data transfer, spoofed ARP requests are very easy to detect. Although there are many tools and programs available that attempt to warn administrators of ARP attacks, they all basically work the same way.

One program that does this is arpwatch. This program basically monitors all ARP/IP address pairing and alerts its user when changes occur. It does this by listening on the network, much like a sniffer, and comparing all captured replies against a database. Other programs take a snapshot of all related IP/MAC addresses, and periodically request updates from networked computers. However, these methods often result in numerous false alarms due to DCHP networks, which dynamically assign IP addresses. (Editor's note: You can download a program called an Improved ARP Sniffer from cert.uni-stuttgart.de/archive/bugtraq/2000/06/msg00417.html. Also, you can read a good article on sniffers at cert.uni-stuttgart.de/archive/bugtraq/2000/06/msg00417.html.)

The only real solution for avoiding ARP attacks is to encrypt all data passing over the network. Although this is a possibility, it is not commonly employed due to the processing overhead and complexity of setup.


To read the entire article from which this tip comes, click over to InformIT. You have to register there, but it doesn't cost you anything.


This was first published in October 2002

Dig deeper on Monitoring Network Traffic and Network Forensics

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close