7

As part of a school project I am trying to do a MITM attack on my local network using ARP poisoning. I choose a target and then I send a spoofed ARP packet to it and to the router every 100 milliseconds. The spoofed ARP packets are ARP responses, which are supposed to make the target believe I am the router and make the router believe I am the target. This is supposed to make the router send me anything it wants to send to the target, and make the target send me anything it wants to send to the router.

When I tried it on my school network, I had no problems and everything worked as it should. But when I tried it on my home network, it didn't work. When I checked why, I saw that all of my spoofed ARP packets were getting sent, but only the target was affected by them and sent me its packets. The router continued to send its packets to the target, ignoring my spoofed ARP packets.

Now my question is, is it possible that my router somehow detected my ARP spoofing attack and ignored it? How likely is it that a home router is capable of ignoring an ARP spoofing attack?

Cokegod

2 Answers

1

For recent routers, the answer is yes, it is likely, depending on the router's configuration.

There is a concept known as Dynamic ARP Inspection (DAI) to protect against ARP poisoning.

With DAI, routers form a table of IP address - MAC address - corresponding switch port / VLAN bindings, which is called the DHCP Snooping Binding Table. This table is automatically updated when any device connects to the network and asks for an IP address from the DHCP server. For example, if your device is connected to the network with the IP address A from the switch port x (the Layer-2 port through which you are connected to the router), and your device has MAC address B, this combination of A-B-x is recorded in the DHCP Snooping Binding Table of the router.

When your device sends a packet to the network, the router checks its DHCP Snooping Binding Table to verify the binding combination is valid. This means that the packet coming from the switch port x is accepted if and only if the IP address is A and the MAC address is B.

In the case of ARP spoofing attacks, you send packets with different IP/MAC addresses from switch port x. Since there is no binding in the DHCP Snooping Binding Table with this combination, your packet is rejected by the router. Therefore, you cannot perform an ARP poisoning attack.

DAI can be enabled or disabled by the network admins, but it is mostly disabled by default.
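The check described in this answer, as an added example that is not part of the answer and not any vendor's DAI implementation: a toy DHCP snooping binding table is built from constructed DHCP lease events, and each incoming ARP reply is accepted only if its sender IP, sender MAC and ingress port all match the binding learned for that IP. The port names (`Gi0/1` ...), addresses and lease events are constructed sample data.

```python
"""Toy Dynamic ARP Inspection (DAI) check (added example, not vendor code).

A DHCP snooping binding table records IP -> (MAC, switch port) as DHCP
leases are observed. Every ARP reply is then validated against that table:
if the sender's IP/MAC/port triple does not match a learned binding, the
reply is dropped and an event is logged, which is the behaviour the answer
describes for a router with DAI enabled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str  # switch port the DHCP lease was observed on


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    ingress_port: str  # port the ARP reply arrived on


class DhcpSnoopingTable:
    """IP-keyed binding table populated from observed DHCP ACKs."""

    def __init__(self):
        self._by_ip = {}

    def learn_lease(self, ip, mac, port):
        # Called when a DHCP ACK assigning `ip` to `mac` is seen on `port`.
        self._by_ip[ip] = Binding(ip, mac.lower(), port)

    def lookup(self, ip):
        return self._by_ip.get(ip)


def inspect_arp(table, reply):
    """Return ("accept" | "drop", reason) for one ARP reply.

    The reply is accepted only if the sender IP has a binding and both the
    MAC and the ingress port match it; any other combination is dropped.
    """
    binding = table.lookup(reply.sender_ip)
    if binding is None:
        return ("drop", "no DHCP binding for sender IP")
    if binding.mac != reply.sender_mac.lower():
        return ("drop", "sender MAC does not match binding")
    if binding.port != reply.ingress_port:
        return ("drop", "ingress port does not match binding")
    return ("accept", "binding matches")


def build_demo_table():
    # Constructed lease events: router, a client, and a second client.
    table = DhcpSnoopingTable()
    table.learn_lease("192.168.1.1", "AA:AA:AA:AA:AA:01", "Gi0/1")
    table.learn_lease("192.168.1.10", "AA:AA:AA:AA:AA:10", "Gi0/2")
    table.learn_lease("192.168.1.20", "AA:AA:AA:AA:AA:20", "Gi0/3")
    return table


def run_inspection(table, replies):
    """Inspect a batch of replies; return per-reply verdicts and a log of drops."""
    verdicts = []
    log = []
    for reply in replies:
        verdict, reason = inspect_arp(table, reply)
        verdicts.append(verdict)
        if verdict == "drop":
            log.append(f"DAI drop port={reply.ingress_port} "
                       f"ip={reply.sender_ip} mac={reply.sender_mac}: {reason}")
    return verdicts, log


# Constructed ARP replies: one genuine, two claiming the router's IP
# from a different port (with a foreign MAC, and with the router's own MAC).
DEMO_REPLIES = [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01", "Gi0/1"),
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:20", "Gi0/3"),
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01", "Gi0/3"),
]

if __name__ == "__main__":
    results, events = run_inspection(build_demo_table(), DEMO_REPLIES)
    print(results)
    for line in events:
        print(line)
```

Only the first reply passes; the other two are dropped because the binding for 192.168.1.1 was learned on `Gi0/1` with one specific MAC, so neither a different MAC nor a different ingress port can claim that IP. Real DAI also rate-limits ARP on untrusted ports and exempts trusted uplinks, which this toy omits.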

1

Yes. See this question, related to the same subject but confused about the very feature you are asking about: "Is that possible? A router with arpspoof from factory".

zedman9991