Anti ARP spoofing to protect your network

What's ARP spoofing?

Address Resolution Protocol (ARP) spoofing, also known as ARP flooding, ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network. ARP Spoofing may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. The attack can only be used on networks that make use of ARP and not another method of address resolution. So do not use ARP is a way to anti ARP spoofing

The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.

ARP spoofing attacks can be run from a compromised host, or from an attacker's machine that is connected directly to the target Ethernet segment. It's not easy to anti ARP spoofing

How to anti ARP spoofing.

An open source solution for anti ARP spoofing is ArpON "Arp handler inspectiON". It is a portable ARP handler which detects and blocks all Man In The Middle attacks through ARP poisoning and spoofing attacks with a static ARP inspection (SARPI) and dynamic ARP inspection (DARPI) approach on switched or hubbed LANs with or without DHCP. This requires an agent on every host that is to be protected.

Another method to anti ARP spoofing, DHCP snooping, can be used on larger networks, but is limited to DHCP clients, and as such, can be easily circumvented.[clarification needed] The DHCP service on the network device keeps a record of the MAC addresses that are connected to each port, so it can possibly detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, ProCurve, Extreme Networks, Dlink and Allied Telesis.

Detection is another avenue of anti ARP spoofing. Given the separation of duties requirement in regulated industry, the ARPDefender appliance is widely used in financial institutions. Arpwatch is a Unix program which listens for ARP replies on a network, and sends a notification via email when an ARP entry changes. The GUI-driven XArp software XArp is available for Windows and Linux. XArp performs ARP packet inspection on a per-network-interface basis with configurable inspection filters and active verification modules. This way, active attacks as well as corrupted caches in the network can be detected. XArp has a number of detection modules that perform passive detection like: preventing locally static entries to be overwritten, detecting changes in the local mapping, checking integrity of ARP packets. Furthermore, the use of active network ARP discovery enables the validation of local network consistency as well as the detection of attackers. XArp run as protection version under Linux and can prevent attacks. Furthermore, XArp can e.g. send detected attack alerts by email. anti-arpspoof creates static ARP entries in the client and default gateway cache, and cleans poisoned dynamic entries.

Checking for the existence of MAC address cloning may anti ARP spoof attack, although there are legitimate uses of MAC address cloning. If more than one IP address is returned, MAC cloning is present.

A simple anti ARP spoofing method that only works for simple ARP spoofing attacks is the use of static IP-MAC mappings. However, this only prevents simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines resulting in (n*n) ARP caches that have to be configured.