ARP Poisoning vs. DNS Poisoning
ARP and DNS poisoning are both types of man-in-the-middle attacks that are used to steal login credentials, credit card numbers, account details or other personal details. Both consumers and businesses can be the targets of these types of attacks, so it is of utmost importance that companies protect their sites from these attacks.
What is ARP poisoning?
Address resolution protocol (ARP) poisoning allows an attacker who is on the same network as the victims to eavesdrop on traffic between them. ARP exists to translate between MAC addresses and IP addresses. With this protocol, networked devices ask which device is currently assigned to an IP address, and the answer is announced to the rest of the network. Devices typically cache these answers to build a table of MAC-to-IP mappings.
With ARP poisoning, attackers corrupt the MAC-to-IP mappings of devices in the network by sending an ARP reply packet to a host, forcing that host to update the ARP cache with the new false value. The victim thinks they are communicating with the intended recipient, when they are actually communicating with the attacker.
ARP poisoning is different from ARP spoofing, although these terms are typically used interchangeably. While poisoning refers to an attacker corrupting the ARP tables on one or more machines, spoofing is specific to an attacker impersonating another machine's address. Since poisoning can’t be done without spoofing, the terms are usually used to mean the same thing.
What is DNS poisoning?
Domain name system (DNS) poisoning allows an attacker to take advantage of known vulnerabilities in the DNS cache to insert false entries. DNS exists to translate the domain name into the right IP address. When this translation is poisoned, the victim’s web browser is sent the wrong IP address and they end up on the wrong site. Usually, this site has been designed to look like the legitimate site with the purpose of stealing confidential information.
Though the terms are often used interchangeably, there is a difference between poisoning and spoofing. DNS poisoning is the method used by attackers to replace DNS data with a malicious redirect. DNS spoofing is a result of poisoning when users are sent to the malicious website.
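The checks a caching resolver applies before it trusts a response, as an added example in Python (not code from the original article): a response is only accepted if its transaction ID, destination port and question match the query the resolver actually sent, and only records inside the zone the queried server is responsible for (in-bailiwick records) are written to the cache. Forged responses that fail these checks are discarded instead of poisoning the cache. The query, responses, names and addresses below are constructed sample data.

```python
"""Resolver-side acceptance checks against DNS cache poisoning (added example)."""
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int        # transaction ID the resolver chose
    src_port: int    # ephemeral source port the query was sent from
    qname: str
    qtype: str
    zone: str        # zone the queried server is authoritative for


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    ttl: int = 300


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    qtype: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name, zone):
    """True if `name` is `zone` itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept(query, response, cache):
    """Validate a response against the outstanding query.

    Returns a rejection reason, or None if the response was accepted.
    On acceptance, only in-bailiwick records are written to `cache`
    (a dict keyed by (name, type)); everything else is ignored.
    """
    if response.txid != query.txid:
        return "transaction ID mismatch"
    if response.dst_port != query.src_port:
        return "destination port mismatch"
    if (response.qname.lower(), response.qtype) != (query.qname.lower(), query.qtype):
        return "question does not match outstanding query"
    for rr in response.answers + response.additional:
        if in_bailiwick(rr.name, query.zone):
            cache[(rr.name.lower(), rr.rtype)] = rr.value
    return None


# Constructed sample traffic: one query, one genuine answer, two forgeries.
QUERY = Query(txid=0x1A2B, src_port=40001, qname="www.example.com",
              qtype="A", zone="example.com")

LEGIT = Response(0x1A2B, 40001, "www.example.com", "A",
                 answers=[Record("www.example.com", "A", "192.0.2.80")],
                 additional=[Record("ns1.example.com", "A", "192.0.2.53")])

# Forgery with a guessed (wrong) transaction ID: rejected outright.
FORGED_BAD_ID = Response(0x0001, 40001, "www.example.com", "A",
                         answers=[Record("www.example.com", "A", "198.51.100.9")])

# Forgery that matches the query but smuggles an out-of-zone record in the
# additional section; the extra record must never reach the cache.
FORGED_EXTRA = Response(0x1A2B, 40001, "www.example.com", "A",
                        answers=[Record("www.example.com", "A", "192.0.2.80")],
                        additional=[Record("www.example.net", "A", "198.51.100.9")])


if __name__ == "__main__":
    for label, resp in (("legit", LEGIT), ("bad id", FORGED_BAD_ID), ("extra rr", FORGED_EXTRA)):
        cache = {}
        print(label, "->", accept(QUERY, resp, cache) or "accepted", cache)
```

The bailiwick check is what stops a server answering for one zone from planting records for an unrelated domain; the ID and port checks are what force an off-path forger to guess values it cannot see.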
What is the difference between ARP poisoning and DNS poisoning?
The biggest difference between ARP poisoning and DNS poisoning is the format and scale at which they operate. ARP poisoning relies on spoofed MAC addresses and is confined to the local network, while DNS poisoning spoofs the IP addresses of legitimate sites and can spread across multiple networks and servers.
How can I prevent these attacks?
To keep your consumers and organization secure, there are a few methods to deploy.
- Dynamic ARP Inspection (DAI). Many Ethernet switches are designed to reduce the risk of ARP poisoning. DAI features check the validity of ARP messages and drop packets that appear malicious.
- Network segmentation. Since ARP messages can’t travel across local subnets, a segmented network has fewer attack points than an unsegmented one.
- Domain Name System Security Extensions (DNSSEC). DNSSEC adds cryptographic signatures to DNS data so that resolvers can reject forged records. A public/private key pair is used to sign DNS data and verify its authenticity.
- Encrypt your data. If an attacker can’t read or alter your DNS query, they won’t be able to redirect you. However, this protection only works if your TLS/SSL certificates are properly managed and secure.
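To show both the cache corruption described under "What is ARP poisoning?" and the Dynamic ARP Inspection defence from the list above, here is an added Python example (not code from the original article or from any switch vendor). It models a naive host ARP cache that applies every reply it receives, and a DAI-style filter in front of it that checks each reply against a table of trusted IP-to-MAC bindings (on a real switch that table comes from DHCP snooping or static entries) and drops anything that contradicts it. The port names, addresses and bindings are constructed sample data.

```python
"""Naive host ARP cache with and without DAI-style inspection (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: str        # switch port the frame arrived on
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # MAC the sender claims for that IP (ARP payload)
    src_mac: str     # Ethernet source MAC of the frame carrying the reply


# Constructed trusted bindings, as DHCP snooping would have learned them.
TRUSTED_BINDINGS = {
    "192.0.2.1": "00:00:5e:00:53:01",   # default gateway
    "192.0.2.10": "00:00:5e:00:53:0a",  # workstation
}
TRUSTED_PORTS = {"Gi0/1"}  # uplink to the router; replies there are not inspected


def inspect(reply):
    """DAI-style check. Returns ('forward' | 'drop', reason)."""
    if reply.port in TRUSTED_PORTS:
        return "forward", "trusted port"
    # The frame's source MAC must agree with the MAC claimed inside the ARP payload.
    if reply.src_mac.lower() != reply.sender_mac.lower():
        return "drop", "frame source MAC does not match ARP sender MAC"
    expected = TRUSTED_BINDINGS.get(reply.sender_ip)
    if expected is None:
        return "drop", "no trusted binding for %s" % reply.sender_ip
    if expected.lower() != reply.sender_mac.lower():
        return "drop", "%s is bound to %s, not %s" % (reply.sender_ip, expected, reply.sender_mac)
    return "forward", "matches trusted binding"


class HostArpCache:
    """A host that blindly updates its cache from any ARP reply it sees."""

    def __init__(self):
        self.table = {}

    def apply(self, reply):
        self.table[reply.sender_ip] = reply.sender_mac


def deliver(replies, inspected):
    """Feed replies to a host cache, optionally filtered by inspect(); return the cache."""
    cache = HostArpCache()
    for r in replies:
        if not inspected or inspect(r)[0] == "forward":
            cache.apply(r)
    return cache.table


# Constructed sample replies, in arrival order.
SAMPLE_REPLIES = [
    ArpReply("Gi0/1", "192.0.2.1", "00:00:5e:00:53:01", "00:00:5e:00:53:01"),   # real gateway, trusted uplink
    ArpReply("Gi0/2", "192.0.2.10", "00:00:5e:00:53:0a", "00:00:5e:00:53:0a"),  # legitimate workstation
    ArpReply("Gi0/3", "192.0.2.1", "00:00:5e:00:53:ff", "00:00:5e:00:53:ff"),   # claims the gateway IP with another MAC
    ArpReply("Gi0/3", "192.0.2.10", "00:00:5e:00:53:0a", "00:00:5e:00:53:ff"),  # payload MAC disagrees with frame MAC
]


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(r.port, r.sender_ip, "->", r.sender_mac, *inspect(r))
    print("no inspection:", deliver(SAMPLE_REPLIES, inspected=False))
    print("with DAI:     ", deliver(SAMPLE_REPLIES, inspected=True))
```

Without inspection the third reply overwrites the gateway entry, so every frame the host sends off-subnet now goes to the wrong MAC; with inspection the gateway entry keeps its trusted value, and the reason string returned by `inspect()` is what you would log for detection.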
Protecting your organization against man-in-the-middle attacks comes down to proper machine identity management. Learn how to lower your risk of security breaches and keep your machine identities secure. Become an expert in how machine identities are used, when they are exposed, and why automation is essential.