ARP spoofing

An attacker using ARP spoofing will disguise as a host to the transmission of data on the network between the users.

The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host.

IP address-to-MAC address mappings in the local ARP cache may be statically entered.

[5] While static entries provide some security against spoofing, they result in maintenance efforts as address mappings for all systems in the network must be generated and distributed.

This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment.

ArpStar is a Linux module for kernel 2.6 and Linksys routers that drops invalid packets that violate mapping, and contains an option to repoison or heal.

Some virtualized environments such as KVM also provide security mechanisms to prevent MAC spoofing between guests running on the same host.

Linux ignores unsolicited replies, but, on the other hand, uses responses to requests from other machines to update its cache.

In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, ArpRetryCount.

A successful ARP spoofing (poisoning) attack allows an attacker to alter routing on a network, effectively allowing for a man-in-the-middle attack.