ARP, or Address Resolution Protocol, is the method your computer uses to find the hardware (MAC) address behind an IP address so it can talk with other devices on the network. Basically, your computer has an IP address (192.168.1.100) and wants to talk with your email server (192.168.1.101). Your computer will send out an ARP request asking who owns 192.168.1.101. A reply will come back saying that 192.168.1.101 has a MAC address of xx-xx-xx-xx-xx-x1. That’s basically how they communicate. It obviously gets a lot more tedious when you add gateways, routers, and switches to the mix. Then add internet devices too with different masks. Oh man!
But there is a problem – broadcast addresses are always the last available IP in a subnet (in our example it’d be 192.168.1.255 with a MAC address of FF:FF:FF:FF:FF:FF). Gateway addresses are always the first available IP in the subnet (once again, 192.168.1.1). If someone wanted to poison the ARP cache, they could easily claim the gateway address and send spoofed replies so that everyone else on the network believes they’re the gateway.
Computer: Hi everyone, I’m looking for the gateway
Poison: I’M THE GATEWAY!!!
Poison: I’M THE GATEWAY!!!
Computer2: Hi everyone, I’m looking…
Poison: I’M THE GATEWAY!!!
Computer2: … for the gateway
Poison: I’M THE GATEWAY!!!
You can see why the poisoning of ARP can actually work. The poison programs will flood the network with broadcasts saying “I’M THE GATEWAY!!!”, and every host that still has a dynamic entry for the gateway will overwrite it with the last reply it heard.
So, how do you protect against this? The easiest way is to push a startup script to all your machines that deletes the current ARP cache and puts a static ARP entry in for your gateway. The only problem with this approach is if you ever change gateways or switches – the MAC address you entered as the static ARP entry will no longer be valid, and internet traffic will stop until the entry is updated.
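To show why the flood of fake replies works against a dynamic entry and not against a static one, here is a small ARP cache model, added as an example here and not code from the original post. It is a toy model of the last-reply-wins behaviour, not Windows’ real neighbor table; the gateway MAC 00-18-00-18-00-18 is the one used in the post, and the rogue MAC 00-11-22-33-44-55 is a constructed value for the spoofing host.

```python
"""Toy model of a host's ARP cache: dynamic entries are overwritten by the
last reply heard, static entries (arp -s) are not. Constructed example."""


class ArpCache:
    def __init__(self):
        self._entries = {}   # ip -> (mac, is_static)
        self.rejected = []   # (ip, mac) replies that conflicted with a static entry

    def add_static(self, ip, mac):
        """Equivalent of 'arp -s <ip> <mac>': pin the mapping so replies cannot change it."""
        self._entries[ip] = (mac.lower(), True)

    def flush_dynamic(self):
        """Equivalent of 'arp -d': drop every learned entry, keep the static ones."""
        self._entries = {ip: e for ip, e in self._entries.items() if e[1]}

    def on_reply(self, ip, mac):
        """Process one ARP reply. A dynamic entry is overwritten (last reply wins);
        a static entry is kept and the conflicting reply is recorded.
        Returns True if the reply changed the cache."""
        current = self._entries.get(ip)
        if current and current[1]:
            if current[0] != mac.lower():
                self.rejected.append((ip, mac.lower()))
            return False
        self._entries[ip] = (mac.lower(), False)
        return True

    def lookup(self, ip):
        entry = self._entries.get(ip)
        return entry[0] if entry else None


GATEWAY_IP = "192.168.1.1"
REAL_GATEWAY_MAC = "00-18-00-18-00-18"   # value from the post
ROGUE_MAC = "00-11-22-33-44-55"          # constructed address for the spoofing host


def replies_seen_on_wire():
    """Constructed sequence: one genuine reply from the gateway, then a flood of fake claims."""
    return [(GATEWAY_IP, REAL_GATEWAY_MAC)] + [(GATEWAY_IP, ROGUE_MAC)] * 5


def unprotected_host():
    """Host with only a dynamic gateway entry: returns the MAC it ends up using."""
    cache = ArpCache()
    for ip, mac in replies_seen_on_wire():
        cache.on_reply(ip, mac)
    return cache.lookup(GATEWAY_IP)


def protected_host():
    """Host that ran 'arp -d' and 'arp -s' first: returns (MAC in use, replies ignored)."""
    cache = ArpCache()
    cache.flush_dynamic()
    cache.add_static(GATEWAY_IP, REAL_GATEWAY_MAC)
    for ip, mac in replies_seen_on_wire():
        cache.on_reply(ip, mac)
    return cache.lookup(GATEWAY_IP), len(cache.rejected)


if __name__ == "__main__":
    print("unprotected host now sends gateway traffic to", unprotected_host())
    mac, n = protected_host()
    print(f"protected host still uses {mac} and ignored {n} conflicting replies")
```

The `rejected` list is the useful part for a defender: on a real host, a static entry makes the spoofed replies harmless, but counting the conflicting replies is what tells you a poisoning attempt is happening at all.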
Windows 2000/XP/Vista:
Start -> Run -> CMD
arp -d
arp -s 192.168.1.1 00-18-00-18-00-18
-d deletes the cached entries
-s adds a static entry
Obviously put your own gateway IP address and MAC address in there. If you need to find them, you can type arp -a and locate the MAC address associated with your gateway.
Vista requires elevated privileges to run the arp commands. Right click the Command Prompt shortcut and run it as administrator; that will help with many of the problems.
Vista may require the following:
netsh -c "interface ipv4"
set neighbors "Local Area Connection" "192.168.1.1" "00-18-00-18-00-18"
Then check to make sure with:
arp -a
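Checking the arp -a output by eye works for one machine, but if you are pushing the startup script to many, it helps to have something that reads the listing and flags the cases that matter: the gateway entry missing or still dynamic, its MAC not matching the one you pinned, or one MAC answering for several hosts (the classic symptom of a poisoned cache). The following parser and check are an added example, not code from the original post. The two arp -a listings are constructed samples in the Windows output format, and 00-11-22-33-44-55 is a made-up rogue address; the gateway IP and MAC are the post’s own values.

```python
"""Parse Windows 'arp -a' output and flag signs that the gateway entry has
been tampered with. Sample listings are constructed, not captured."""
import re
from collections import defaultdict

# One table row: IP, MAC in Windows dash notation, and the entry type.
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+"
    r"(?P<type>static|dynamic)\s*$",
    re.IGNORECASE,
)

# Constructed: what a healthy table should look like after 'arp -d' and 'arp -s'.
CLEAN_TABLE = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-18-00-18-00-18     static
  192.168.1.101         00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed: the gateway entry is dynamic, points at a rogue MAC, and that
# same MAC also answers for 192.168.1.150.
POISONED_TABLE = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.101         00-1a-2b-3c-4d-5e     dynamic
  192.168.1.150         00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""


def parse_arp_a(text):
    """Return (ip, mac, type) tuples from 'arp -a' output; headers are skipped,
    MACs and types are lower-cased."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["type"].lower()))
    return entries


def is_unicast(mac):
    """True for ordinary host MACs; broadcast and multicast (low bit of the
    first octet set) are excluded so ff-ff-... and 01-00-5e-... are not flagged."""
    return int(mac.split("-")[0], 16) & 0x01 == 0


def check_gateway(entries, gateway_ip, expected_mac):
    """Return a list of findings; an empty list means the table looks right."""
    findings = []
    expected_mac = expected_mac.lower()
    by_ip = {ip: (mac, kind) for ip, mac, kind in entries}
    if gateway_ip not in by_ip:
        return [f"no ARP entry for gateway {gateway_ip}"]
    mac, kind = by_ip[gateway_ip]
    if kind != "static":
        findings.append(f"gateway {gateway_ip} entry is {kind}, not static")
    if mac != expected_mac:
        findings.append(f"gateway {gateway_ip} resolves to {mac}, expected {expected_mac}")
    # One MAC claimed by several unicast IPs is the usual sign of a poisoned cache.
    ips_by_mac = defaultdict(list)
    for ip, m, _ in entries:
        if is_unicast(m):
            ips_by_mac[m].append(ip)
    for m, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {m} is claimed by several IPs: {', '.join(ips)}")
    return findings


if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("poisoned", POISONED_TABLE)):
        result = check_gateway(parse_arp_a(table), "192.168.1.1", "00-18-00-18-00-18")
        print(name, "->", result or "OK")
```

On a real machine you would feed the function the captured output of arp -a instead of the constructed strings; the regex only matches the table rows, so the Interface: header and column titles are ignored.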