ARP Poisoning Attack: How Does It Happen and How to Prevent It

Recently, the number of ARP attacks on the BSC and ETH chains exceeded 290,000 and 40,000, respectively. Over 186,000 independent addresses have lost more than $1.64m to ARP attackers. In this short read, we’d like to present a comprehensive analysis of the ARP poisoning attack scene and detailed information on how to prevent and manage these attacks if and when they happen.

Since its invention, crypto accounts and transactions have been vulnerable to attacks. Particularly this year, we have seen growing numbers of several types and forms of attacks. This high attack rate has been a concern to the crypto and blockchain communities at large. Chief among these is the address poisoning attack, also called the ARP poisoning attack.

Disturbingly, there has been an increase in ARP attacks in recent times. Regarding trends, the BSC chain has been exploding since November 22, while the ETH chain has been exploding since Nov. 27, with the scale of attacks on both chains intensifying. Also, the number of independent addresses affected by the attacks exceeded 150,000 and 36,000, respectively. As of today, more than 340K addresses have been poisoned on the chain, totalling 99 victim addresses, and more than 1.64M USD have been stolen.

The Address Resolution Protocol (ARP) supports the layered approach used since the earliest days of computer networking. ARP Poisoning is a type of cyberattack that abuses weaknesses in the widely used Address Resolution Protocol (ARP) to disrupt, redirect or spy on network traffic. 

Because security was not a paramount concern when ARP was introduced in 1982, the protocol designers never included authentication mechanisms to validate ARP messages. Any device on the network can answer an ARP request, whether the original message was intended for it or not. For example, if Computer A “asks” for the MAC address of Computer B, an attacker at Computer C can respond, and Computer A would accept this response as authentic. This oversight has made a variety of attacks possible. By leveraging readily available tools, a threat actor can “poison” the ARP cache of other hosts on a local network, filling the ARP cache with inaccurate entries. 

Address Resolution Protocol (ARP) poisoning is when an attacker sends falsified ARP messages over a local area network (LAN) to link an attacker’s MAC address with the IP address of a legitimate computer or server on the network. Once the attacker’s MAC address is linked to an authentic IP address, the attacker can receive any messages directed to the legitimate MAC address. As a result, the attacker can intercept, modify, or block communication with the legitimate MAC address.

A recent BSC survey by X-explore revealed that hackers affect the ARP attack by initiating multiple USD 0 transfers. After VICTIM A sends a typical transaction of 452 BSC-USD to USER B, USER B will immediately receive 0 BSC-USD from ATTACKER C. At the same time, within the same transaction hash, USER A himself will uncontrollably transfer 0 BSC-USD to ATTACKER C (realising a “back and forth” 0 BSC-USD transfer operation).

As a blockchain user, the ARP poisoning attack can be fatal to your account. The most direct impact of an ARP Poisoning attack is that traffic destined for one or more hosts on the local network will instead be steered to a destination of the attacker’s choosing. Exactly what effect this will have depends on the specifics of the attack. The traffic could be sent to the attacker’s machine or forwarded to a nonexistent location. In the first instance, there may be no observable effect, while the second may inhibit access to the network.

As of Friday, 94 unique addresses have been scammed, with attackers carting away a cumulative total of 1,640,000 USD. Sadly, with the increase in attackers’ targets, it is expected that a large number of users will continue to be scammed shortly.

Types of ARP poisoning transactions

There are generally two ways in which an ARP Poisoning attack can occur. These include:

MiTM attacks are the most common and also the most dangerous. With the MiTM, the attacker sends out falsified ARP responses for a given IP Address, typically the default gateway for a particular subnet. This causes victim machines to populate their ARP cache with the MAC address of the attacker’s machine instead of the local router’s MAC address. Victim machines will then incorrectly forward network traffic to the attacker.  

A DoS attack denies one or more victims access to network resources. In the case of ARP, an attacker might send ARP Response messages that falsely map hundreds or even thousands of IP addresses to a single MAC address, potentially overwhelming the target machine. This attack can also target switches, potentially impacting the entire network’s performance. 

Session Hijacking attacks are similar to Man-in-the-Middle, except that the attacker will not directly forward traffic from the victim machine to its intended destination. Instead, the attacker will capture a genuine TCP sequence number or web cookie from the victim and use it to assume the victim’s identity. 

There are several ways to protect your address from ARP poisoning attacks. Some of these include:

You can prevent ARP attacks by statically mapping all the MAC addresses in a network to their rightful IP addresses. Although this is highly effective it adds a tremendous administrative burden. 

Most managed Ethernet switches have features designed to mitigate ARP Poisoning attacks. Typically known as Dynamic ARP Inspection (DAI), these features evaluate the validity of each ARP message and drop packets that appear suspicious or malicious. 

Also, properly controlling physical access to your workspace can help mitigate ARP Poisoning attacks. ARP messages are not routed beyond the boundaries of the local network, so would-be attackers must be in physical proximity to the victim network or already have control of a machine on the network. 

Concentrating important resources in a dedicated network segment where enhanced security is present can also greatly diminish the potential impact of an ARP Poisoning attack.

Although encryption will not actually prevent an ARP attack from occurring, it can mitigate the potential damage. 

ARP poisoning remains a threat to crypto users, and as such, it must be addressed immediately. Like all cyber threats, it is best addressed through a comprehensive information security program. 

The first step in combating the ARP poisoning menace is creating awareness. Hence the need for wallet apps to step up risk alerts so that ordinary users can be aware of such attacks when transferring tokens.