If you’ve ever watched a spy movie, you know about wiretapping. It’s when someone connects a device to a phone line and uses it to eavesdrop on conversations. But we’re here to discuss a different type of eavesdropping that targets communications between computers.

Using a technique called ARP spoofing, an attacker can redirect your traffic to their device, unless you’ve deployed some form of anti-spoofing protection, of course. But before you panic, ARP spoofing only works if an attacker is already inside your network. It takes advantage of how addressing works with computers, and of weaknesses in how computers find each other’s addresses, to do its work.

What’s Your Address?

Addressing with computers can seem fairly complicated. You can refer to a specific computer in a variety of different ways, including domain names, IP addresses, and MAC addresses. However, each of these types of addresses exists for a logical reason. Starting at the top are domain names and URLs, which are what you’re used to using when browsing the Internet. They’re designed to be easy for humans to remember. The next level down is IP addresses. These are values like 127.0.0.1, which points to your own computer. Using IP addresses, every device connected directly to the Internet has a unique identifier. They’re also used within a network to uniquely identify multiple different computers that share the same outward-facing IP address.

Neither domain names nor IP addresses are permanently tied to a specific computer. In fact, you likely have a different internal IP address every time you connect to a wireless network (due to something called DHCP). These addresses are used for connections over the Internet, but connections within an Ethernet network use a different form of addressing.

How Computers Find Each Other

MAC addresses are addresses unique to a computer’s network adapter that are designed to stay the same. While it’s possible to change your computer’s MAC address, most people don’t. To send a message inside of a network (i.e. without crossing a router or gateway), you’ll need a computer’s IP and MAC addresses. The problem with this is that computers don’t know each other’s MAC addresses by default. If you know the IP address of your destination, how do you find the MAC address? The answer is the Address Resolution Protocol (ARP).

ARP takes a very simple approach to finding out: asking around. The computer that wants to send out a packet will send out an ARP Request packet to the network’s broadcast address (which has a MAC Address of FF:FF:FF:FF:FF:FF). As a result, every computer in the network will get a copy of the request. Everyone will check the requested IP address against their own, and, if it’s their address, will reply back with a packet saying “My MAC address is…” The requestor will now be able to send their packet and also can cache this IP/MAC address pairing for future reference.

Abusing ARP for Eavesdropping

This system works great as long as everyone in the network is benign. The main limitation of the ARP protocol is that there is no way to check whether a MAC address really maps to a given IP address. Hackers know this and take advantage of it. ARP is a “stateless” protocol, meaning that a host keeps no record of the requests it has sent (other than the cached addresses). So when it receives an ARP reply, it cannot tell whether or not it ever requested that information. By default, computers will cache any ARP data that they receive.

ARP spoofing is when an attacker sends ARP replies mapping an IP address to their own MAC address. As a result, any traffic intended for that IP address will go to them instead (since computers check their caches before sending out an ARP request). This enables them to perform a Man-in-the-Middle (MitM) attack: intercepting a computer’s messages before they ever reach their intended recipient.

Performing a MitM attack allows an attacker to take a variety of actions. If the data is unencrypted (i.e. using HTTP instead of HTTPS), the attacker can read and modify it before passing it on to the intended user. Even encrypted traffic may be breakable if the attacker can take advantage of its position in the middle of the connection to force the computers to use an insecure encryption algorithm. Finally, traffic (encrypted or not) can simply be blocked by the attacker.

Protecting Your Secrets

ARP spoofing can be a serious threat to confidentiality, integrity, and availability of network traffic. An attacker who manages to perform a successful Man-in-the-Middle attack has significant power over the communications between affected parties.

On the bright side, ARP spoofing attacks can be prevented. First, the attack assumes that the attacker is already on your network. Spoofing MAC addresses doesn’t help them much on the Internet (which uses IP addressing). Second, ARP spoofing takes advantage of the stateless nature of the ARP protocol. Networking appliances with anti-spoofing capabilities can scan for unsolicited ARP replies and block them. Alternatively, you can pin (statically cache) the MAC addresses of important servers and reject updates to those values.
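To make both halves of the article concrete, the request/reply exchange described under “How Computers Find Each Other” and the two defences just named, here is an added example (not code from the original post) that decodes Ethernet/ARP frames and adds the state ARP itself lacks: it remembers which requests have been sent so that each reply can be matched to one, and it holds a pinned table of IP-to-MAC entries for important hosts that no reply is allowed to overwrite. The frames and addresses are constructed in memory for the walk-through, not captured from a real network.

```python
"""Added example: decode Ethernet/ARP frames and apply the two checks the
article describes, flagging unsolicited ARP replies and IP-to-MAC changes.
All addresses and frames below are constructed, not captured traffic."""
import struct

ETH_LEN = 14                 # Ethernet II header: dst(6) src(6) type(2)
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_LEN])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[ETH_LEN:ETH_LEN + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[ETH_LEN + 8:ETH_LEN + 28])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": oper,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed in-memory test frame (same layout the parser decodes).
    Requests go to the broadcast MAC, replies to the requester's MAC."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(x) for x in s.split("."))
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


class ArpMonitor:
    """Adds the state ARP itself lacks: remembers outstanding requests so a
    reply can be matched to one, and refuses to let pinned IP->MAC entries
    (e.g. the gateway) be overwritten by whatever reply happens to arrive."""

    def __init__(self, pinned=None):
        self.pinned = dict(pinned or {})   # static entries that must never change
        self.pending = set()               # (requester_ip, requested_ip)
        self.cache = {}                    # learned ip -> mac

    def observe(self, frame: bytes) -> list:
        p = parse_arp_frame(frame)
        if p["op"] == ARP_REQUEST:
            self.pending.add((p["sender_ip"], p["target_ip"]))
            return []
        if p["op"] != ARP_REPLY:
            return [f"unknown ARP opcode {p['op']}"]
        alerts = []
        ip, mac = p["sender_ip"], p["sender_mac"]
        # Check 1: did the host this reply is addressed to actually ask about this IP?
        key = (p["target_ip"], ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            alerts.append(f"unsolicited ARP reply: {ip} is-at {mac} sent to {p['target_ip']}")
        # Check 2: does the reply try to move a known IP to a different MAC?
        if ip in self.pinned:
            if self.pinned[ip] != mac:
                alerts.append(f"pinned entry violated: {ip} must be {self.pinned[ip]}, reply claims {mac}")
            return alerts                   # pinned entries are never updated from ARP
        if ip in self.cache and self.cache[ip] != mac:
            alerts.append(f"mapping changed: {ip} was {self.cache[ip]}, now {mac}")
        self.cache[ip] = mac
        return alerts


# Constructed addresses for the walk-through (not from any real network).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:aa"
HOST_IP, HOST_MAC = "192.168.1.10", "bb:bb:bb:bb:bb:bb"
ROGUE_MAC = "cc:cc:cc:cc:cc:cc"


def demo() -> list:
    """A legitimate request/reply pair, then a reply claiming the gateway's IP."""
    mon = ArpMonitor(pinned={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        build_arp_frame(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
        build_arp_frame(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    ]
    alerts = []
    for f in frames:
        alerts.extend(mon.observe(f))
    return alerts


if __name__ == "__main__":
    for a in demo():
        print("ALERT:", a)
```

The first two frames are the normal exchange: the host broadcasts a request for the gateway’s IP, the gateway answers, and because the monitor saw the request it accepts the reply silently. The third frame answers no outstanding request and contradicts the pinned gateway entry, so it produces two alerts and the cache is left untouched. Real anti-spoofing appliances apply the same two ideas, usually with a learned baseline (for example from DHCP leases) in place of the hand-written `pinned` table.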