Analysis of Address Resolution Protocol Poisoning Attacks on Mikrotik Routers Using Live Forensics Methods

https://doi.org/10.58451/ijebss.v3i4.231

Authors

  • Herman, Universitas Ahmad Dahlan
  • Rusyadi Umar, Universitas Ahmad Dahlan
  • Agus Prasetyo, Universitas Ahmad Dahlan

Keywords:

ARP spoofing, ARP poisoning, live forensics, Wireshark, MikroTik, network security

Abstract

The rapid development of wireless technology has made network communication more accessible but also more exposed to security threats. One major threat is the man-in-the-middle (MitM) attack, particularly ARP spoofing, which manipulates the Address Resolution Protocol (ARP) to intercept or alter network traffic. ARP spoofing, also known as ARP poisoning, lets an attacker associate incorrect MAC addresses with IP addresses, enabling unauthorized access and potential data interception. This research focuses on detecting and investigating ARP spoofing on MikroTik routers using live forensic methods. The study uses Wireshark as the primary tool to monitor ARP-based network activity and identify anomalies indicative of ARP spoofing attacks. The National Institute of Standards and Technology (NIST) forensic framework, which comprises Collection, Examination, Analysis, and Reporting, is the methodology used to analyze the forensic evidence. The research also uses a virtualized attack simulation environment built on VirtualBox, in which a PC client acts as the target, an attacker PC executes an ARP spoofing attack using Ettercap, and Wireshark captures network traffic for forensic examination. The simulation results show that an ARP spoofing attack can successfully manipulate network traffic by altering ARP table entries. The attacker assumes the identity of IP address 192.168.0.1 with MAC address e8-cc-18-41-3f-fb, while the target’s identity is duplicated as 192.168.0.19 with MAC address 08:00:27:15:4c:3c, as confirmed through Wireshark analysis and ARP table inspection using the command prompt. These findings emphasize the importance of proactive security measures, such as Dynamic ARP Inspection (DAI), encryption protocols, and continuous network monitoring, to mitigate the risks associated with ARP spoofing attacks.
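The kind of anomaly the abstract describes (an IP address whose MAC binding changes, and one MAC answering for several IPs) can be checked mechanically over observed ARP replies. The following is an added example, not code from the paper: the function names, the record layout `(time, sender_ip, sender_mac)` and every address in the sample are constructed for illustration.

```python
from collections import defaultdict

def norm_mac(mac):
    """Fold 'aa-bb-..' (Windows arp -a style) and 'aa:bb:..' (Wireshark style) into one form."""
    return mac.strip().lower().replace("-", ":")

def find_arp_anomalies(observations):
    """observations: iterable of (time, sender_ip, sender_mac) taken from ARP replies.

    Returns (rebinds, shared):
      rebinds - list of (time, ip, old_mac, new_mac) for each IP that changed MAC
      shared  - dict mac -> sorted list of IPs, for MACs that claimed more than one IP
    """
    current = {}                    # ip -> last MAC seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    rebinds = []
    for t, ip, mac in observations:
        mac = norm_mac(mac)
        old = current.get(ip)
        if old is not None and old != mac:
            rebinds.append((t, ip, old, mac))
        current[ip] = mac
        ips_by_mac[mac].add(ip)
    shared = {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}
    return rebinds, shared

# Constructed sample: not taken from the paper's capture.
SAMPLE = [
    (0.0, "10.0.0.1",  "02-00-00-00-00-01"),  # gateway, original binding
    (0.5, "10.0.0.19", "02:00:00:00:00:19"),  # client
    (1.0, "10.0.0.66", "02:00:00:00:00:66"),  # third host
    (5.0, "10.0.0.1",  "02:00:00:00:00:66"),  # gateway IP now answered by third host's MAC
    (5.1, "10.0.0.19", "02:00:00:00:00:66"),  # client IP answered by the same MAC
    (6.0, "10.0.0.1",  "02:00:00:00:00:01"),  # original gateway replies again (flapping)
]

if __name__ == "__main__":
    rebinds, shared = find_arp_anomalies(SAMPLE)
    for t, ip, old, new in rebinds:
        print(f"t={t}: {ip} moved {old} -> {new}")
    for mac, ips in shared.items():
        print(f"{mac} claims {', '.join(ips)}")
```

A rebind alone is not proof of poisoning, since DHCP reassignment and gateway failover also change bindings; a single MAC claiming both the gateway and a client IP is the stronger signal to examine.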

Published

2025-04-07