
So one way to prevent ARP poisoning is to lock the associated entry in the ARP cache for the gateway. My question is, why isn't this done by default? What are the drawbacks? I was thinking that you would not be able to connect to a new network, but couldn't you unlock it ONLY when you're connecting to a new network and lock it immediately after?

trallgorm
  • But what if the first packet you got back when you connected was the MITM pretending to be the gateway, and not the gateway itself? Then you would forever trust the MITM and not the gateway. – Scott Chamberlain Mar 02 '16 at 22:19
  • Wouldn't that be a problem whether or not it was locked? Or you could just disconnect and reconnect to the network in that case. But that's a good point. – trallgorm Mar 02 '16 at 22:20

1 Answer


One very large drawback is that MAC addresses are by default assigned by the vendor in their production process. This means that every network interface has a unique MAC address. Now imagine the scenario where you need to replace that gateway due to a hardware defect. A new device will have a new MAC address, so unless its software allows you to manually set its MAC address (and you remember to do so during an outage), you need to manually update the ARP table on every single device connected to it. And those devices may not even be in your control.

Another argument is that, as I pointed out, many devices allow you to change their MAC address. So if an attacker changes it into the same MAC address as the gateway, you would still be vulnerable to ARP poisoning; it then all depends on the order in which ARP replies are received by the clients and how they handle them.

Teun Vink
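The behaviour discussed in the question, the comments and the answer, as an added example that is not part of the original post: a toy model of a host ARP cache that can lock the gateway entry, fed constructed ARP reply frames. It shows the four cases raised above: an unlocked cache simply learns whatever reply arrives last; a cache locked after the genuine reply rejects the spoofed one; a cache locked after the wrong first reply (the point in the comments) then rejects the real gateway; and an attacker who clones the gateway MAC (the answer's second point) produces a reply the locked cache cannot distinguish from the genuine one. All MAC and IP addresses, and the last-writer-wins model of the dynamic cache, are assumptions made for the illustration, not taken from any real stack.

```python
"""
Toy model of a host ARP cache with and without a locked (static) gateway
entry. Added example, not code from the original question or answer.
The MAC/IP addresses below are constructed for the illustration.
"""
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply (RFC 826 field layout)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet/IPv4/6/4/reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_reply(frame: bytes):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    header = struct.unpack("!HHBBH", frame[14:22])
    if header != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_mac, sender_ip


@dataclass
class ArpCache:
    dynamic: dict = field(default_factory=dict)   # learned entries, overwritten by later replies
    static: dict = field(default_factory=dict)    # locked entries, never overwritten
    alerts: list = field(default_factory=list)

    def lock(self, ip: str) -> None:
        """Lock whatever the cache currently holds for ip (the question's proposal)."""
        self.static[ip] = self.dynamic[ip]

    def resolve(self, ip: str):
        return self.static.get(ip) or self.dynamic.get(ip)

    def process(self, frame: bytes) -> str:
        parsed = parse_arp_reply(frame)
        if parsed is None:
            return "dropped"
        mac, ip = parsed
        if ip in self.static:
            if mac != self.static[ip]:
                self.alerts.append(f"conflicting ARP reply for locked {ip} from {mac}")
                return "rejected"
            return "matched-static"   # same MAC as the lock: indistinguishable from genuine
        self.dynamic[ip] = mac        # assumed last-writer-wins model of an unlocked cache
        return "learned"


# Constructed addresses for the scenarios.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "02:00:00:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.42", "02:00:00:00:00:42"
ATTACKER_MAC = "02:00:00:00:00:99"

LEGIT = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
POISON = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
# Attacker who has cloned the gateway's MAC: the frame is byte-identical to LEGIT.
CLONED = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)


def run_scenarios() -> dict:
    results = {}
    c = ArpCache()                                  # 1. unlocked: spoofed reply wins
    c.process(LEGIT); c.process(POISON)
    results["unlocked"] = c.resolve(GATEWAY_IP)

    c = ArpCache()                                  # 2. locked after genuine reply
    c.process(LEGIT); c.lock(GATEWAY_IP)
    results["locked_status"] = c.process(POISON)
    results["locked"] = c.resolve(GATEWAY_IP)
    results["locked_alerts"] = len(c.alerts)

    c = ArpCache()                                  # 3. locked after the wrong first reply
    c.process(POISON); c.lock(GATEWAY_IP)
    results["wrong_lock_status"] = c.process(LEGIT)
    results["wrong_lock"] = c.resolve(GATEWAY_IP)

    c = ArpCache()                                  # 4. attacker cloned the gateway MAC
    c.process(LEGIT); c.lock(GATEWAY_IP)
    results["cloned_status"] = c.process(CLONED)
    results["cloned_alerts"] = len(c.alerts)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Case 2 is the only one where the lock helps, and even there it only helps if a conflicting reply is logged and someone looks at it; case 4 shows why the answer says the outcome then comes down to reply ordering and the switch, not to the ARP cache.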