ARP Spoofing attack on public wireless


Sep 30, 2014
I'm working on a client's laptop and I recently installed Panda Antivirus Free on the laptop and upgraded to the pro trial to get the firewall. So far, the firewall has reported 25 blocked ARP attacks on the laptop. I've looked up how an ARP attack works and understand it enough that I know it has to be local. However, when running arp -a in command prompt, there was an invalid MAC address. I should also mention that whoever is attacking the laptop with ARP spoofing is also spoofing their MAC address. They seem to be using HTC MAC addresses.

I then used ipconfig and noticed that the IP address for the wireless (I'm at a career center that runs off of the closest high school's wireless), as well as the gateway address, are different than the one assigned by DHCP with the other computers connected to the wireless. I've also noticed that the IP of the invalid MAC address on the ARP cache table changes very frequently, when the lease time for the DHCP is about 4 hours and I'm running arp -a about every few minutes.

Any idea on how to catch this person or find out their location? Can I be 100% sure that it's local? Help me please!


Nov 28, 2012
You really have to start with, say, Wireshark and see what you can dig up. Who manages the network? You need to get into the router/firewall as well. It really isn't an easy task. For me, I would quickly find the spoofed MAC and show all the MACs on the switches and see where it is exactly coming from, if it's hardwired or roaming to different APs/ports. If they are changing the MACs that often it might not be that easy.

All Your ARP Are Belong To Us!
The ability to associate any IP address with any MAC address provides hackers with many attack vectors, including Denial of Service, Man in the Middle, and MAC Flooding.

Denial of Service
A hacker can easily associate an operationally significant IP address to a false MAC address. For instance, a hacker can send an ARP reply associating your network router's IP address with a MAC address that doesn't exist. Your computers believe they know where your default gateway is, but in reality they're sending any packet whose destination is not on the local segment, into the Great Bit Bucket in the Sky. In one move, the hacker has cut off your network from the Internet.

Man in the Middle
A hacker can exploit ARP Cache Poisoning to intercept network traffic between two devices in your network. For instance, let's say the hacker wants to see all the traffic between your computer,, and your Internet router, The hacker begins by sending a malicious ARP "reply" (for which there was no previous request) to your router, associating his computer's MAC address with (see Diagram 3).

Now your router thinks the hacker's computer is your computer.

Next, the hacker sends a malicious ARP reply to your computer, associating his MAC Address with (see Diagram 4).

Now your machine thinks the hacker's computer is your router.

Finally, the hacker turns on an operating system feature called IP forwarding. This feature enables the hacker's machine to forward any network traffic it receives from your computer to the router (shown in Diagram 5).

Now, whenever you try to go to the Internet, your computer sends the network traffic to the hacker's machine, which it then forwards to the real router. Since the hacker is still forwarding your traffic to the Internet router, you remain unaware that he is intercepting all your network traffic and perhaps also sniffing your clear text passwords or hijacking your secured Internet sessions.

MAC Flooding
MAC Flooding is an ARP Cache Poisoning technique aimed at network switches. (If you need a reminder about the difference between a hub and a switch, see this sidebar.) When certain switches are overloaded they often drop into a "hub" mode. In "hub" mode, the switch is too busy to enforce its port security features and just broadcasts all network traffic to every computer in your network. By flooding a switch's ARP table with a ton of spoofed ARP replies, a hacker can overload many vendors' switches and then packet sniff your network while the switch is in "hub" mode.

Scared? Good, Now Calm Down!
This is scary stuff. ARP Cache Poisoning is trivial to exploit yet it can result in very significant network compromise. However, before you jump to Defcon-7, notice the major mitigating factor: only local attackers can exploit ARP's insecurities. A hacker would need either physical access to your network, or control of a machine on your local network, in order to deliver an ARP Cache Poisoning attack. ARP's insecurities can't be exploited remotely.

That said, hackers have been known to gain local access to networks. Good network administrators should be aware of ARP Cache Poisoning techniques.

Since ARP Cache Poisoning results from a lack of security in a protocol that is required for TCP/IP networking to function, you can't fix it. But you can help prevent ARP attacks using the following techniques.

For Small Networks
If you manage a small network, you might try using static IP addresses and static ARP tables. Using CLI commands, such as "ipconfig /all" in Windows or "ifconfig" in 'NIX, you can learn the IP address and MAC address of every device in your network. Then using the "arp -s" command, you can add static ARP entries for all your known devices. "Static" means unchanging; this prevents hackers from adding spoofed ARP entries for devices in your network. You can even create a login script that would add these static entries to your PCs as they boot.

However, static ARP entries are hard to maintain; impossible in large networks. That's because every device you add to your network has to be manually added to your ARP script or entered into each machine's ARP table. But if you manage fewer than two dozen devices, this technique might work for you.
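
A defensive check for the symptoms discussed in this thread, added here as an example and not part of any post: it parses two snapshots of Windows `arp -a` output and flags a known IP whose MAC changed, a gateway entry that differs from a pinned known-good MAC, and one MAC answering for several IPs. The sample tables, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# One entry line of Windows `arp -a` output: IP, MAC, type.
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(dynamic|static)\s*$", re.I)

# Constructed sample snapshots (not captured from a real network).
BEFORE = """Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-aa-bb-01     dynamic
  192.168.1.40          02-00-00-aa-bb-40     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
AFTER = """Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-aa-bb-40     dynamic
  192.168.1.40          02-00-00-aa-bb-40     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

def parse_arp(text):
    """Return {ip: mac} for the unicast entries in `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # interface banner, column header, blank line
        ip, mac = m.group(1), m.group(2).lower()
        if int(mac[:2], 16) & 1:  # group bit set: broadcast or multicast
            continue
        table[ip] = mac
    return table

def find_anomalies(previous, current, gateway_ip, gateway_mac):
    """Compare two snapshots against a pinned gateway IP/MAC binding."""
    alerts = []
    seen = current.get(gateway_ip)
    if seen and seen != gateway_mac.lower():
        alerts.append(("gateway-mac-mismatch", gateway_ip, seen))
    owners = defaultdict(list)
    for ip, mac in current.items():
        owners[mac].append(ip)
        if ip in previous and previous[ip] != mac:
            alerts.append(("mac-changed", ip, mac))
    for mac, ips in owners.items():
        if len(ips) > 1:  # one adapter answering for several IPs
            alerts.append(("mac-claims-multiple-ips", ",".join(sorted(ips)), mac))
    return alerts
```

The pinned gateway MAC plays the same role as a static `arp -s` entry: it has to be recorded while the network is known to be clean.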



Sep 30, 2014

What if I was to change the DHCP assigned IP to a static IP? The attacker obviously knows the MAC, but would changing the IP so it is static affect anything? Also, the attacker must have a program running that allows him to attack every 5 minutes exactly. Since 7:27 this morning, the attacker has tried to ARP spoof every five minutes. It is now 10:45. The firewall has blocked nearly 100 intrusion attempts by the attacker.