ARP mitigations
| Attack | Mitigation |
|---|---|
| ARP Spoofing | Static ARP, DAI, Port Security |
| MITM Attacks | Encryption (VPN, HTTPS), VLANs |
| Rogue Devices | DHCP Snooping, MAC Filtering |
| Detection | arpwatch, Wireshark, IDS |
Static ARP entries (prevent spoofing)
Manually bind IPs to MACs on critical devices (servers, routers, gateways).
Linux (bash):
sudo arp -s <IP> <MAC> # Permanent static entry
Windows (powershell)
netsh interface ipv4 add neighbors <InterfaceIndex> <IP> <MAC>
Cisco Router:
arp <IP> <MAC> arpa
Limitation: Hard to maintain in large networks.
DHCP snooping + dynamic ARP inspection (DAI)
On Managed Switches (Cisco, HP, etc.)
Enable DHCP Snooping (trusts only authorized DHCP servers):
ip dhcp snooping
ip dhcp snooping vlan 10
interface Gig1/0/1
ip dhcp snooping trust # Allow DHCP server responses
Enable Dynamic ARP Inspection (DAI) (blocks fake ARP replies):
ip arp inspection vlan 10
interface Gig1/0/2
ip arp inspection trust # Trusted ports (e.g., routers)
ARP monitoring tools
Linux: arpwatch (alerts on ARP changes):
sudo apt install arpwatch
sudo systemctl start arpwatch
Windows: XArp (GUI-based ARP protection).
Network-wide: RARP (Reverse ARP) for validation.
Port security (MAC filtering)
Prevent unauthorized devices from connecting.
Example Cisco Switch:
interface Gig1/0/3
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation restrict
Blocks unknown MACs and logs violations.
VPN/Encryption (Mitigate MITM impact)
SSL/TLS (HTTPS, SSH) prevents decryption even if ARP spoofed.
IPSec VPNs encrypt all traffic between sites.
Network segmentation (VLANs + Private VLANs)
Isolate sensitive devices in separate VLANs.
Private VLANs (PVLANs) block lateral ARP spoofing.
ARP Spoofing detection tools
| Tool | Function |
|---|---|
| ArpON (Linux) | Blocks ARP attacks in real-time. |
| Wireshark | Detects unusual ARP traffic (like duplicate replies). |
| Snort/Suricata | IDS rules for ARP anomalies. |
| ARPGuard (Windows) | Actively prevents spoofing. |