It is not particularly satisfying to simply detect ARP spoofing, which only identifies a problem
after it has already occurred. Although it may not be possible to prevent ARP spoofing entirely,
one simple precaution can be taken where it may count the most. The devious thing about an
ARP spoof is that the attack is really directed at the machine being deceived, not the machine
whose IP address is being taken over. Presumably, the machine or machines being deceived
contain data that the ARP spoofer wants to get or modify.
The deception is useful to the ARP spoofer because the legitimate holder of the IP address is
trusted in some way by the machine being deceived. Perhaps the trusted machine is allowed to
NFS mount filesystems, use rlogin, or start a remote shell without being prompted for a
password (particularly troublesome for privileged user accounts). Ideally, machines extending
such trust should simply not use ARP to identify the hardware addresses of the machines they
trust.
-Stop Using ARP-
Machines extending trust to other machines on the local network based on an IP address
should not use ARP to obtain the hardware address of the trusted machines. Instead, the
hardware address of each trusted machine should be loaded as a permanent entry into the ARP
cache of the trusting machine. Unlike normal ARP cache entries, permanent entries do not
expire after a few minutes. Sending a datagram to an IP address that has a permanent ARP
cache entry never results in an ARP request, and with no request on the wire the attacker has
nothing to answer. An operating system is expected not to overwrite a permanent entry with an
unsolicited ARP reply, but that is a property to confirm on each platform you rely on rather
than to assume.
With permanent ARP cache entries for trusted machines, the trusting host will not use ARP to
determine the correct hardware address and will not be fooled into sending IP data to an ARP
spoofer. Of course, it will keep sending IP data to the recorded hardware address even if the
trusted machine has been down or replaced for some time. Another downside is that the
permanent entries need revising whenever a hardware address changes for a legitimate reason
(a replaced network card, for instance). Finally, ARP caches may be of limited size, which
limits the number of permanent entries or shortens the time a dynamic entry spends in the cache.
-Displaying ARP Cache Entries-
On Unix and Windows 95/NT machines, you use the arp command to manipulate and
inspect the ARP cache. This command has several options.
arp -a
The -a option displays all ARP cache entries for all interfaces of the host. The following output
is an example of what you would see on a Windows 95 machine:
Interface: 147.226.112.167
  Internet Address      Physical Address      Type
  147.226.112.1         aa-00-04-00-bc-06     static
  147.226.112.88        08-00-20-0b-f0-8d     dynamic
  147.226.112.101       08-00-2b-18-93-68     static
  147.226.112.102       08-00-2b-1b-d7-fd     static
  147.226.112.103       00-00-c0-63-33-2d     dynamic
  147.226.112.104       00-00-c0-d5-da-47     dynamic
  147.226.112.105       08-00-20-0b-7b-df     dynamic
  147.226.112.106       08-00-20-0e-86-ef     dynamic
  147.226.112.124       08-00-2b-1c-08-68     dynamic
  147.226.112.169       08-00-09-2a-3c-08     dynamic
-Deleting an ARP Cache Entry-
At some point you may want to delete a permanent ARP cache entry that is no longer valid or
delete a dynamic entry that you suspect of being spoofed. The -d option deletes the entry with
the given IP address from the ARP cache. Deleting a spoofed dynamic entry only helps until the
next ARP request for that address, which the spoofer can answer again, so follow the deletion
with a permanent entry for the correct hardware address.
arp -d 147.226.112.101
-Inserting a Permanent ARP Cache Entry-
The -s option inserts a permanent (static) ARP cache entry for the given IP address. Windows
writes the hardware address with dashes, as in the listing above; Unix versions of arp expect
colon-separated hex (08:00:2b:18:93:68).
arp -s 147.226.112.101 08-00-2b-18-93-68
The hardware address is often copied from the dynamic entry shown by arp -a; to make sure such
an entry exists, first use the ping command to send an ICMP/IP echo request to the IP address in
question. Be aware that this pins whatever the cache currently holds, so if a spoof is already in
progress you will pin the attacker's address. A more secure, but tedious, method is to read the
hardware address from the trusted machine itself, using the operating system dependent command
available at its console, and type it in. Either way, you can place a series of such commands into
the startup script for the machine that will be extending trust to others.
-Inserting Many Permanent ARP Cache Entries-
The -f option loads permanent entries into the ARP cache from a file that lists one IP address
(or host name) and its hardware address per line.
arp -f arptab
In this example, the file is named “arptab,” but the name of the file is up to the system
administrator using the command. The -f option to the arp command is not available on all
systems. In particular, it is missing from the current versions of Windows 95 and Windows
NT. However, it is really just a substitute for a series of arp commands with the -s option.
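As an added example (not code from the original text), the script below turns the procedure above into two shell functions: pin_trusted loads an arptab-style table with one arp -s per entry after validating every line, and audit_cache compares a saved arp -a listing against the same table and reports any trusted address whose cached hardware address differs, which is the "dynamic entry that you suspect of being spoofed" case from the -d section. The trusted-host table, the arp -a sample (in which 147.226.112.101 has been answered with the hardware address that belongs to 147.226.112.103 in the listing above) and the script name are constructed for the example. It assumes a Unix arp(8) whose -a output has the form "host (ip) at hwaddr ..."; Windows arp prints a different layout, so only the validation and pinning parts carry over there.

```shell
#!/bin/sh
# Added example for this page, not code from the original text.
# Pins the hardware addresses of trusted hosts from an arptab-style table
# and audits an "arp -a" listing against that table, flagging entries that
# no longer match (the "dynamic entry you suspect of being spoofed" case).
# Assumptions: a Unix arp(8) whose "arp -a" lines look like
#   host (ip) at hwaddr ...
# and whose "arp -s ip hwaddr" adds a permanent entry. The table and the
# sample listing below are constructed for the example.

# Constructed trusted-host table: "ip hwaddr" per line, '#' starts a comment.
TRUSTED_ARPTAB='# ip              hwaddr
147.226.112.1     aa:00:04:00:bc:06
147.226.112.101   08:00:2b:18:93:68
147.226.112.102   08:00:2b:1b:d7:fd'

# Constructed "arp -a" listing: 147.226.112.101 has been answered with the
# hardware address that belongs to 147.226.112.103 in the page's listing.
SAMPLE_ARP_A='? (147.226.112.1) at aa:00:04:00:bc:06 [ether] PERM on eth0
? (147.226.112.88) at 08:00:20:0b:f0:8d [ether] on eth0
? (147.226.112.101) at 00:00:c0:63:33:2d [ether] on eth0
? (147.226.112.102) at 08:00:2b:1b:d7:fd [ether] PERM on eth0'

# normalize_mac HWADDR: lower-case, colon-separated, two digits per octet,
# so "AA-00-04-00-BC-06" (Windows) and "8:0:2b:18:93:68" (BSD) compare equal.
normalize_mac() {
    printf '%s\n' "$1" | sed -e 's/-/:/g' -e 'y/ABCDEF/abcdef/' |
        awk -F: '{ s = ""
                   for (i = 1; i <= NF; i++) {
                       o = $i; if (length(o) == 1) o = "0" o
                       sep = (i > 1) ? ":" : ""
                       s = s sep o
                   }
                   print s }'
}

# is_mac HWADDR: succeeds if HWADDR normalizes to six hex octets.
is_mac() {
    normalize_mac "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# is_ipv4 ADDR: succeeds for a dotted quad (no range check; arp rejects junk).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# strip_table TABLE: drop comments and blank lines, one "ip hwaddr" per line.
strip_table() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk 'NF'
}

# pin_trusted TABLE [ARP_CMD]: validate every line, then run
# "ARP_CMD -s ip hwaddr" for each (as root). A bad line rejects the whole
# table so a typo never pins a half-complete set. Pass "echo arp" to preview.
pin_trusted() {
    arp_cmd=${2:-arp}
    strip_table "$1" | ( while read -r ip mac extra; do
        if [ -n "$extra" ] || ! is_ipv4 "$ip" || ! is_mac "$mac"; then
            printf 'bad arptab line: %s %s %s\n' "$ip" "$mac" "$extra" >&2
            exit 1
        fi
    done ) || return 1
    strip_table "$1" | ( while read -r ip mac; do
        $arp_cmd -s "$ip" "$(normalize_mac "$mac")" || exit 1
    done )
}

# audit_cache TABLE ARP_A_OUTPUT: print OK / MISSING / MISMATCH per trusted
# host. Returns 1 if any cached address differs from the table; a missing
# entry is reported but is not by itself evidence of spoofing.
audit_cache() {
    strip_table "$1" | ( rc=0
        while read -r ip mac; do
            want=$(normalize_mac "$mac")
            got=$(printf '%s\n' "$2" |
                  awk -v ip="$ip" '$2 == ("(" ip ")") { print $4; exit }')
            if [ -z "$got" ] || ! is_mac "$got"; then
                printf 'MISSING  %s (no usable entry; pin it before trusting)\n' "$ip"
            elif [ "$(normalize_mac "$got")" = "$want" ]; then
                printf 'OK       %s %s\n' "$ip" "$want"
            else
                printf 'MISMATCH %s expected %s got %s (possible ARP spoof)\n' \
                    "$ip" "$want" "$(normalize_mac "$got")"
                rc=1
            fi
        done
        exit $rc )
}

# Usage: "sh pin_arp.sh pin" as root, "sh pin_arp.sh audit", or no argument
# to audit the constructed sample listing.
case "${1:-demo}" in
    pin)   pin_trusted "$TRUSTED_ARPTAB" ;;
    audit) audit_cache "$TRUSTED_ARPTAB" "$(arp -a)" ;;
    demo)  audit_cache "$TRUSTED_ARPTAB" "$SAMPLE_ARP_A" || : ;;
esac
```

The table is validated in full before the first arp -s runs, so a typo aborts the load rather than leaving some trusted hosts pinned and others still at the mercy of ARP; the same table can be kept in the startup script's directory and fed to pin_trusted at boot, and audit_cache run from cron as a cheap check that no pinned address has drifted.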