A brief guide to how the ARP protocol works and ARP poisoning attacks. The importance of encryption. Acronym of Address Resolution Protocol, ARP is a protocol that operates at the network access level and which allows obtaining the correspondence between IP addresses and MAC addresses (see How to change MAC address on Windows, Linux, and macOS ), the latter being uniquely assigned to each network card connected to the LAN.
The ARP protocol works at a lower level than the well-known ping command ( Ping what it is, how it works, and what it is used for ), thus managing to obtain information from devices connected to a network, even if they do not respond to ICMP requests. In the article Finding the IP address of a device that doesn’t respond to a ping, we discussed Arping. This mechanism allows you to send ARP requests and is also used by many diagnostic programs such as Nmap, Wireshark, and the Fing Android app.
By pressing the Windows+R key combination in Windows and then typing arp -a at the command prompt, you can check the IP address to physical address conversion tables used by the ARP protocol. The relationships between IP addresses and 48-bit MAC addresses are kept in the ARP cache table.
When a device’s MAC address is unknown, ARP sends an ARP request packet to other machines connected to the same network.If a machine replies with the address, the ARP cache is updated to speed up future requests.
ALSO READ: Word Trust Center: What It’s For And How It Preserves Security And Privacy
What Is An ARP Poisoning Attack?
The ARP protocol was designed to be as efficient as possible. This has brought specific security gaps that have been (and are being) exploited for years to carry out attacks. By altering the MAC address associated with a given device’s IP connected to the network, all data packets are automatically sent to the system on which the software with which the ARP poisoning attack was launched is installed.
The data is analyzed, possibly modified, and then forwarded to the actual recipient. Thus, two interlocutors will believe they are communicating directly when a real attack occurs. Over time, many utilities have allowed and still allowed to steal passwords and personal information within a local network.
During an ARP spoofing attack, the Windows arp -a command would show two different IP addresses corresponding to the same MAC address. ARP poisoning attacks and any other man-in-the-middle (MITM) attacks can be neutralized simply by encrypting data in transit.
This is why it is therefore, essential to always connect to HTTPS pages, use email services that support the TLS protocol, and always activate a VPN service if you connect to the Internet via an unknown network or, in any case, managed by a third party, such as a public WiFi or even open. We discussed it in the article ” How to browse safely on a public or unsecured WiFi network, ” to which we invite you to refer.
Professionals and business users should always connect to the VPN server installed in their office or company during mobile connections. In this way, the encrypted tunnel that will be established will prevent any monitoring, modification, or theft of data by malicious people along the route:
- Making VPN more secure on Synology NAS servers
- VPN connection in Windows with OpenVPN
Regular users can rely on VPN services provided by third parties capable of offering sufficient guarantees in terms of security: How, when, and why to use a VPN connection.