ARP Spoof Detection
NDIS: Detect ARP spoofing attacks by tracking IP-to-MAC address mappings.
Overview
ARP spoofing (ARP poisoning) is a technique where an attacker sends fake ARP messages to associate their MAC address with another host's IP address. This enables man-in-the-middle attacks on local networks.
How It Works
1. NDIS filter captures all ARP packets
2. IP→MAC mappings are stored in a tracking table
3. When an ARP reply changes a known mapping, an alert is raised
4. Gratuitous ARP packets are flagged as suspicious
Detection Events
| Event | Description |
|---|---|
| MAC Change | Known IP now has different MAC address |
| Gratuitous ARP | Unsolicited ARP announcement |
| Duplicate IP | Multiple MACs claiming same IP |
Network Changes
Legitimate network changes (DHCP lease renewal, router replacement) can trigger alerts. Review alerts in context before taking action.
Captured Information
- IP address — The IP being spoofed
- Old MAC — Previously known MAC address
- New MAC — New (potentially malicious) MAC
- ARP operation — Request or Reply
- Timestamp — When the change was detected
IP→MAC Table
The NDIS filter maintains a table of known IP→MAC mappings learned from ARP traffic. This table is used to detect changes.
| IP | MAC | Host |
|---|---|---|
| 192.168.1.1 | AA:BB:CC:DD:EE:01 | Gateway |
| 192.168.1.100 | AA:BB:CC:DD:EE:02 | Host A |
| 192.168.1.101 | AA:BB:CC:DD:EE:03 | Host B |
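The following is an added example, not the NDIS filter's own code: a user-mode Python model of the tracking table and the three detection events above (MAC Change, Gratuitous ARP, Duplicate IP), run over constructed Ethernet/ARP frames. It seeds the table with the gateway and Host A mappings from the table above, then feeds it an unsolicited reply from a constructed third MAC and, later, a legitimate reuse of Host A's address, which shows why the Network Changes caveat applies. The 60-second "still active" window used to separate Duplicate IP from a plain MAC Change, the `ArpEvent` field names, and the rogue MAC `02:00:00:00:00:99` are assumptions made for the example.

```python
"""Added example: IP->MAC tracker emitting MAC Change, Gratuitous ARP and Duplicate IP events."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpEvent:
    kind: str              # "MAC Change", "Gratuitous ARP" or "Duplicate IP"
    ip: str                # the IP being claimed
    old_mac: Optional[str] # previously known MAC (None if the IP was unknown)
    new_mac: str           # MAC in the packet that triggered the event
    operation: str         # "Request" or "Reply"
    timestamp: float       # seconds; supplied by the caller so the demo is deterministic


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str, str]]:
    """Return (op, sender_mac, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_ip = ".".join(str(x) for x in frame[28:32])
    target_ip = ".".join(str(x) for x in frame[38:42])
    return op, mac_str(frame[22:28]), sender_ip, target_ip


class ArpTracker:
    """IP->MAC table learned from ARP sender fields, plus a per-IP MAC history."""

    def __init__(self, window: float = 60.0):
        self.window = window                            # assumed: seconds a MAC counts as still active
        self.table: Dict[str, Tuple[str, float]] = {}   # ip -> (mac, last_seen)
        self.history: Dict[str, List[str]] = {}         # ip -> previous MACs (UI "MAC history")

    def process(self, frame: bytes, now: float) -> List[ArpEvent]:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] not in (ARP_REQUEST, ARP_REPLY):
            return []
        op, mac, ip, target_ip = parsed
        if ip == "0.0.0.0":                             # ARP probe: the sender claims no address yet
            return []
        operation = "Request" if op == ARP_REQUEST else "Reply"
        events: List[ArpEvent] = []
        known = self.table.get(ip)
        old_mac = known[0] if known else None

        # Gratuitous ARP: the sender announces its own address (target IP == sender IP).
        if ip == target_ip:
            events.append(ArpEvent("Gratuitous ARP", ip, old_mac, mac, operation, now))

        if known and old_mac != mac:
            if op == ARP_REPLY:                         # only a reply replaces a known mapping
                events.append(ArpEvent("MAC Change", ip, old_mac, mac, operation, now))
                self.history.setdefault(ip, []).append(old_mac)
                self.table[ip] = (mac, now)
            if now - known[1] <= self.window:           # the old MAC is still active: two claimants
                events.append(ArpEvent("Duplicate IP", ip, old_mac, mac, operation, now))
        else:
            self.table[ip] = (mac, now)                 # first sighting or same MAC: learn / refresh
        return events


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed 42-byte Ethernet + ARP frame for the demo (not captured traffic)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(x) for x in sender_ip.split("."))
    tpa = bytes(int(x) for x in target_ip.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    return (dst + sha + struct.pack("!H", ETH_TYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa)


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "AA:BB:CC:DD:EE:01"    # from the page's IP->MAC table
HOST_A_IP, HOST_A_MAC = "192.168.1.100", "AA:BB:CC:DD:EE:02"
ROGUE_MAC = "02:00:00:00:00:99"                                  # constructed third MAC


def run_demo() -> Tuple[ArpTracker, List[ArpEvent]]:
    tracker, events = ArpTracker(window=60.0), []
    # t=0 Host A asks for the gateway, t=0.5 the gateway answers: both mappings learned, no events
    events += tracker.process(build_arp(ARP_REQUEST, HOST_A_MAC, HOST_A_IP, "00:00:00:00:00:00", GATEWAY_IP), 0.0)
    events += tracker.process(build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP), 0.5)
    # t=10 an unsolicited reply from a third MAC claims the gateway IP -> MAC Change + Duplicate IP
    events += tracker.process(build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, HOST_A_MAC, HOST_A_IP), 10.0)
    # t=11 the same MAC announces itself to everyone -> Gratuitous ARP
    events += tracker.process(build_arp(ARP_REPLY, ROGUE_MAC, GATEWAY_IP, "FF:FF:FF:FF:FF:FF", GATEWAY_IP), 11.0)
    # t=200 another machine is leased Host A's old IP; the old MAC has been silent beyond the
    # window, so only MAC Change fires (the legitimate-change case the Network Changes note describes)
    events += tracker.process(build_arp(ARP_REPLY, "AA:BB:CC:DD:EE:07", HOST_A_IP, GATEWAY_MAC, GATEWAY_IP), 200.0)
    return tracker, events


if __name__ == "__main__":
    for e in run_demo()[1]:
        print(f"{e.timestamp:6.1f}s {e.kind:14} {e.ip:15} {e.old_mac} -> {e.new_mac} ({e.operation})")
```

Requests that conflict with a known mapping raise Duplicate IP but do not overwrite the table, matching step 3 above (only a reply changes a mapping); a MAC Change with no accompanying Duplicate IP is the pattern a DHCP reassignment or router swap leaves behind, which is why the timestamp and old MAC are worth keeping with every alert.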
UI Features
- Network tab — ARP events with spoof indicators
- ARP filter — Show only ARP-related events
- Spoof alerts — Highlighted in red
- MAC history — See previous MACs for an IP
Mitigation
When ARP spoofing is detected:
- Investigate the source of the spoofed ARP packets
- Consider using static ARP entries for critical hosts
- Enable Dynamic ARP Inspection on managed switches
- Use VPN or encrypted connections on untrusted networks