ARP spoofing, sometimes called ARP poisoning, is a threat that all internet users should be aware of.
In this blog, we'll cover the ins and outs of ARP spoofing so you know exactly what to watch out for.
What is ARP?
In computing, the key ingredients to sending information from one device to another are protocols. Protocols essentially set out the rules and regulations for transfer between lots of different networks and devices.
In the widely used 'OSI model' of computing systems that maps the broad communications infrastructure devices use to exchange information, different protocols are associated with different system layers. Each layer is functionally distinct, demarcating the different ways data is dealt with.
ARP is used to ensure that communications and data requested through the internet make it to the correct physical machine on a local network. How does it do this? ARP matches 32-bit Internet Protocol (IP) addresses from the network layer – which are used for exchanging data across the internet and usually change for every new browsing session – to 48-bit Media Access Control (MAC) addresses that correlate to a specific physical machine on a local network, found in the link layer. This is the part of the OSI model that shifts incoming and outgoing data around a local network.
When a data/communications source wants to find out the MAC address of a destination device, it consults its ARP cache. If it finds the correct MAC address in the cache, it can be used for communicating. If the source doesn't know the MAC address, it will simply broadcast an ARP request containing its IP address, MAC address, and destination IP address. The device with an IP address that matches will respond to the request. The MAC address is then stored in the ARP cache for use next time.
What is ARP Spoofing?
ARP Spoofing is a type of cyber-attack that facilitates the interception of communications between two devices on a given network. It is often categorized as a Man-in-the-middle (MITM) attack because of the way it disrupts a channel within which data is being transferred.
Using spoofing software, the attacker will send a falsified ARP request to a Local Area Network (LAN) and connect their MAC address with a legitimate IP address. This is why the process is sometimes referred to as 'poisoning' – the malicious packets are subtly snuck into the network.
The result? Any messages sent to the MAC address can be intercepted by the attacker, who can block them from reaching their intended destination and either modify or replace the data packets being transferred.
How ARP spoofing facilitates further attacks
ARP spoofing can be utilized as a means to orchestrate other cyber-attacks on unsuspecting users, placing them in further peril.
Denial-of-service attacks aim to make a network either partially or completely inaccessible to those who usually use it. This is usually done by flooding a targeted machine with requests. DoS attacks can utilize ARP spoofing by using it to flood the MAC address with these requests.
Session hijacking is a type of attack where the perpetrator attempts to take control of a user session, which would commence after the user has logged into a website, for example. ARP spoofing is one method attackers use to steal identification.
Other MITM attacks of all shapes and sizes – essentially any action that looks to maliciously intercept and modify data being sent and received through a network – are often facilitated by ARP spoofing.
How can I protect myself against ARP spoofing?
There are several ways you can prevent ARP spoofing attacks. One obvious one is to invest in some detection software that will allow you to spot potential threats. There are tools you can install on your device(s) that are designed specifically for this purpose, such as XArp. There is also broader intrusion-detection software available, such as Snort.
Alternatively, you could set yourself up with some packet inspection software that will check all the data on the network perimeter. This type of filtering can usually be performed by a firewall.
Another option would be to create a static ARP address for every device on the network. Static ARP addresses cannot be manipulated by ARP reply packets. Although useful, this will only mitigate the most basic of threats.
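To illustrate what the detection tools and static entries described above look for, here is an added example (not from the original article, and not how XArp or Snort are implemented) that parses ARP frames and reports when an IP address is claimed by a different MAC address. The function names, the optional `pinned` table standing in for static ARP entries, and all sample addresses are assumptions constructed for the demo.

```python
import socket
import struct

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (eth_src, opcode, sender_mac, sender_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return _mac(frame[6:12]), op, _mac(frame[22:28]), socket.inet_ntoa(frame[28:32])

def scan(frames, pinned=None):
    """Return alerts for a frame sequence; `pinned` acts like static ARP entries."""
    pinned, learned, alerts = dict(pinned or {}), {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_src, _op, sha, spa = parsed
        if eth_src != sha:                        # Ethernet header and ARP payload disagree
            alerts.append(f"{spa}: ARP sender {sha} != Ethernet source {eth_src}")
        if spa in pinned:
            if sha != pinned[spa]:                # a pinned binding is never overwritten
                alerts.append(f"{spa}: claimed by {sha}, pinned to {pinned[spa]}")
        elif learned.setdefault(spa, sha) != sha:
            alerts.append(f"{spa}: moved from {learned[spa]} to {sha}")
            learned[spa] = sha
    return alerts

def make_frame(eth_src, op, sha, spa, tpa="192.0.2.50"):
    """Build a constructed broadcast ARP frame for the demo."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    return (b"\xff" * 6 + h(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + h(sha) + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa))

# Constructed sample traffic: documentation IP range, made-up MAC addresses.
GATEWAY, GW_MAC, OTHER_MAC = "192.0.2.1", "02:00:00:00:00:01", "02:00:00:00:00:99"
SAMPLE = [
    make_frame(GW_MAC, 2, GW_MAC, GATEWAY),         # ordinary reply from the gateway
    make_frame(OTHER_MAC, 2, OTHER_MAC, GATEWAY),   # same IP now claimed by another MAC
    make_frame(GW_MAC, 1, OTHER_MAC, "192.0.2.7"),  # payload MAC differs from frame source
]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE)))
```

A changed binding is not always hostile: a replaced network card or a reassigned address produces the same alert, so alerts like these need to be checked against known changes on the network.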
Can a VPN protect me from ARP spoofing?
The short answer is...yes! VPNs are one of the best defenses against ARP spoofing you can invest in, and they have the added advantage of bringing with them a host of other benefits that will greatly improve your experience online (more on that below), as well as the fact you can get a quality service for a decent price.
VPN providers reroute all your traffic through an encrypted tunnel all the way to one of their many private servers dotted across the globe. This means websites that typically obtain your device's IP address when you visit them will instead see the IP address of the server you've connected to.
VPNs render your traffic essentially worthless for any ARP spoofer, as they won't be able to decrypt the industry-standard 256-bit encryption protocol most premium VPNs use.
The most secure VPNs
Here at ProPrivacy, we review, analyze and recommend the best VPN companies and their products so that you know you're getting a good deal.
Below is a short summary of the most secure VPNs out there that will give you enhanced protection against ARP spoofing and various other threats:
- ExpressVPN - The most secure VPN on our list. This service is super secure but doesn’t compromise on speed and performance.
- Private Internet Access - A secure zero logs VPN. Not only is it packed with security features, but it has proven its no logs policy in court!
- CyberGhost VPN - An easy to use VPN with watertight security. It offers secure apps for Android & iOS with the same great levels of privacy.
- Surfshark - A secure VPN that is packed with value. For $2.49 a month you get excellent encryption, privacy features and fast connection speeds.
- Proton VPN - A very secure VPN service from the developers of ProtonMail. With that pedigree it's no surprise that it made it into our top picks.
Are VPNs just about security?
No! VPNs are primarily about providing you with an enhanced level of privacy, as well as being amongst the best tools available to unblock geo-restricted content.
The encryption protocols the best VPNs use will prevent your ISP, or anyone else watching your traffic for that matter, knowing where it's coming from. It is thus a big step up in terms of privacy and security from just normal browsing.
However, this also means VPN users can pretend to be in whatever location the server they connect to is based in. If I wanted to watch shows exclusively available on US Netflix, for example, I could just connect to a server in the USA. From Netflix's point of view, I'm just another subscriber based in America.