ARP-spoofing defense

Nicholas Leippe nick at
Wed Mar 14 11:07:17 MDT 2007

On Wednesday 14 March 2007 10:52, Topher Fischer wrote:
> I'm doing a little research project that uses ARP-spoofing to perform an
> attack.  It's kind of unnerving to see how easy it is to perform a
> man-in-the-middle attack with ARP-spoofing, and mess with somebody's
> network traffic.
> My first question is, does anybody here actively do anything to protect
> their machines against ARP-spoofing?  Do you set static entries in your
> ARP tables, or run any services to watch for unusual ARP activity?  Have
> you made any adjustments to your router settings in this regard?
> Also, in my mind, the solution to this problem seems too easy.  I must
> be missing something.  Why do machines even pay attention to ARP replies
> that they did not solicit?  Why isn't ARP just implemented so that when
> a request is sent out, then any matching replies are processed and
> nothing more?  What am I missing here?

This is an optimization.  Your host does this with the idea that if you do 
decide to talk to one of these machines from which it has already seen ARP 
traffic, it can skip that step.

As for man-in-the middle, playing with ARP can cause disruption of services, 
and could intercept insecure protocols.  Which is why for critical data, ssl 
or other secure mechanism should be used.

More information about the PLUG mailing list