ARP

Spoofing

• Use static, read-only entries for critical services in the ARP cache of a host (prevents only simple attacks and does not scale).

• Switches do cross-checking of ARP responses (combined with certification).

• OS of devices ignore unsolicited replies. The different OS’s respond differently:

  • Linux ignores, but accepts responses to requests from other machines to update its cache.

  • Windows ARP cache can be configured through registry entries.

• Packet filtering: a spoofed packet can contain packets from outside the network that shows source addresses from inside the network and vice-versa.

• Authentication and encryption

• The above mitigations can only prevent simple ARP attacks. Use anti-ARP tools to identify and stop the more sophisticated adversary.