Thursday, March 10, 2011

What's an ARP poisoning attack, and how can you protect yourself from it?

In the world of hacking, and more specifically script kiddies, there's something known as an ARP poisoning attack.  ARP stands for Address Resolution Protocol.  This protocol is responsible for matching an IP address to a MAC address.

So what's an ARP poisoning attack, you ask?  In a nutshell, an ARP poisoning attack is when a computer connected to a network, running special software, pretends to be the router.  It also pretends to be the other computers connected to the network.  What does this mean?  It means all of the traffic going over the network runs through the computer running this software.  This could be bad for a number of reasons.

Reasons this could be bad:

1.  A person running this software could use it in combination with a packet sniffer.  This means all the unencrypted stuff you're sending and receiving could be viewed by the wannabe hacker.  This could include AIM conversations, FTP passwords, Facebook pages, etc.

2.  A person running this software could spoof security certificates.  What does this mean for you?  You could be signing into your encrypted e-mail and have your password stolen.  Generally you will get a dialog explaining that the certificate can't be verified, but you can't always rely on this.  I'll explain further how to protect yourself in a second.

3.  A person running this software could spoof DNS.  What does this mean for you?  You could be redirected to an inappropriate website, possibly while you're somewhere that is a very bad place to be viewing it.  Or you could be tricked into installing a Trojan from what is normally a safe website.  Such a thing could give a script kiddie full access to your computer.
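Because the attacker's computer has to answer ARP for the router and for the other hosts, its own MAC address ends up in your ARP cache next to several IP addresses, and the gateway's MAC changes from whatever it was on a trusted network.  The script below is an added example (not part of the original post) that checks the output of `arp -an` on Linux for both symptoms; the helper names and the ARP lines are constructed for illustration, not a real capture.

```shell
#!/bin/sh
# Added example: look for two symptoms of ARP poisoning in the local ARP cache.
# The helper names are hypothetical and the ARP lines below are a constructed
# sample in the format of `arp -an` on Linux, not a real capture.

SAMPLE_ARP='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.30) at aa:bb:cc:dd:ee:ff [ether] on wlan0
? (192.168.1.40) at <incomplete> on wlan0'

# Usage: find_duplicate_macs "<arp -an output>"
# Prints each MAC that is cached for more than one IP, followed by those IPs.
# One MAC answering for the router and for other hosts is the classic sign.
find_duplicate_macs() {
  printf '%s\n' "$1" | awk '
    $4 ~ /:/ {                      # skip "<incomplete>" entries, which have no MAC
      ip = $2; gsub(/[()]/, "", ip)
      count[$4]++
      ips[$4] = ips[$4] " " ip
    }
    END { for (m in count) if (count[m] > 1) print m ips[m] }'
}

# Usage: gateway_mac "<arp -an output>" <gateway-ip>
# Prints the MAC currently cached for the gateway IP (empty if not cached).
gateway_mac() {
  printf '%s\n' "$1" | awk -v gw="($2)" '$2 == gw && $4 ~ /:/ { print $4 }'
}

# Usage: gateway_mac_changed "<arp -an output>" <gateway-ip> <known-good-mac>
# Succeeds (exit 0) when the cached gateway MAC differs from the one you
# recorded on a trusted network; a missing entry also counts as a mismatch.
gateway_mac_changed() {
  [ "$(gateway_mac "$1" "$2")" != "$3" ]
}

# Run against the constructed sample.  On a live host use "$(arp -an)" instead,
# and put the gateway MAC you recorded at home in place of de:ad:be:ef:00:01.
find_duplicate_macs "$SAMPLE_ARP"
if gateway_mac_changed "$SAMPLE_ARP" 192.168.1.1 de:ad:be:ef:00:01; then
  echo "WARNING: gateway MAC differs from the recorded value"
fi
```

A MAC that shows up for more than one IP, or a gateway MAC that differs from the one you saw on a trusted network, is a reason to stop sending anything sensitive over that network until you know why.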

Now that I've explained a bit about what an ARP poisoning attack is, I will explain some ways to protect yourself.


If you use a wireless router at home, it should always be protected with the strongest encryption it supports.  Use a long passphrase.  Never use WEP encryption, as it's practically useless.  This should be enough to protect yourself at home.


Unsecured public Wi-Fi is the riskiest kind to be on.  The absolute best way to protect yourself in this situation is to set up an SSH tunnel and send all of your traffic through a remote box.  SSH is encrypted, and by tunneling all of your traffic through it, you will be keeping your information private.  To do this you can issue the following command (assuming you're running Linux with an SSH client installed):

ssh -f user@server.com -L 3000:server.com:25 -N

Fill in the user and server information accordingly.  This forwards anything that connects to port 3000 on your computer through the encrypted SSH session to the remote server you have set up, where it comes out on port 25.  You can replace the ports with whatever you like to suit your needs.  Just make sure your programs are set up to go through the correct local port.

If you don't set up an SSH server to tunnel your traffic through, there are still some steps you can take to protect yourself.  You can install a nice script blocker like NoScript (a plug-in for Firefox).  With NoScript you won't have any surprise Java drive-by Trojan scripts pop up and try to get you to run them.  This is a good thing regardless of whether you're on an unprotected or untrustworthy network.

Look for dialogs reporting unverified security certificates.  This is commonplace on the Internet, as you generally need to pay money to get a certificate verified, but it could also be a sign of an attack.

The last thing you can do is just use common sense.  Companies generally won't ask you to re-verify your password, credit card, or what have you.  You've probably heard this enough, but I thought I might add it because apparently some people still get fooled by phishing schemes.