CONTROL OVER A ROUTER VIA ARP COVERT CHANNEL

Author Name: 1. Akor Jacob Terungwa

Volume/Issue: 06/05

Country: Russia

DOI NO.: 08.2020-25662434 DOI Link: https://doi-ds.org/doilink/10.2025-11763429/UIJIR

Affiliation:

  1. Student, Innopolis University

ABSTRACT

The increasing sophistication of cyberattacks has encouraged adversaries to exploit covert communication channels that evade conventional security controls. This study explores the feasibility of using the Address Resolution Protocol (ARP) as a covert command-and-control (C2) channel for MikroTik routers. Leveraging ARP’s lack of authentication, encryption, and logging, a proof-of-concept was developed in a controlled GNS3 environment. A Python client injected commands into spoofed MAC address fields of ARP packets, while a MikroTik script monitored its ARP table and executed actions including rebooting, DNS spoofing, and reverting spoofing. The approach successfully established covert communication that bypassed common defenses such as firewalls and DNS monitoring. Mitigation strategies using Wazuh and Zeek demonstrated effective detection of anomalies. The findings highlight ARP-based covert channels as a practical Layer 2 security risk and propose viable detection mechanisms.
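The abstract notes that the channel works because the sender-MAC field of an ARP packet is repurposed to carry data, so the same IP address is seen with a rapidly changing set of MAC addresses. The following detector, added here as an illustration and not code from the paper or its authors, shows the kind of anomaly check a Zeek or Wazuh rule would implement: it counts distinct MACs per sender IP in a sliding time window and also compares observed bindings against a known-good inventory. The log format, the sample records, the threshold values and the baseline table are all constructed for the example; they are not a Zeek or Wazuh log format.

```python
"""IP-to-MAC flapping detector for ARP observations (defensive example).

An ARP covert channel that encodes data in the sender-MAC field makes one IP
address appear with many different MAC addresses in a short time. This module
flags that pattern and also reports bindings that disagree with a baseline.
"""
from collections import defaultdict, deque

# Constructed sample log: "timestamp<TAB>sender_ip<TAB>sender_mac", one ARP
# observation per line. The host 192.168.1.50 presents five MACs in five
# seconds; 192.168.1.20 changes its MAC once later in the capture.
SAMPLE_LOG = """\
1000.0\t192.168.1.10\taa:bb:cc:00:00:01
1001.0\t192.168.1.20\taa:bb:cc:00:00:02
1002.0\t192.168.1.10\taa:bb:cc:00:00:01
1003.0\t192.168.1.30\taa:bb:cc:00:00:03
1010.0\t192.168.1.50\t3c:91:0e:57:a2:11
1011.0\t192.168.1.50\t9f:02:c4:7b:d8:60
1012.0\t192.168.1.50\t51:e7:08:2a:bc:f3
1013.0\t192.168.1.50\tc0:4d:aa:19:73:8e
1014.0\t192.168.1.50\t07:b6:5d:e1:44:29
1050.0\t192.168.1.20\tde:ad:be:ef:00:01
1100.0\t192.168.1.20\taa:bb:cc:00:00:02
"""

# Constructed known-good inventory (e.g. DHCP leases or static assignments).
BASELINE = {
    "192.168.1.10": "aa:bb:cc:00:00:01",
    "192.168.1.20": "aa:bb:cc:00:00:02",
}


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, mac) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip, mac = line.split("\t")
        records.append((float(ts), ip, mac.lower()))
    return records


def detect_mac_flapping(records, window=60.0, max_macs=3):
    """Return one alert (ts, ip, distinct_mac_count) per IP that presents
    more than `max_macs` distinct MAC addresses within `window` seconds."""
    recent = defaultdict(deque)  # ip -> deque of (ts, mac) inside the window
    alerts = []
    alerted = set()
    for ts, ip, mac in sorted(records):
        q = recent[ip]
        q.append((ts, mac))
        # Drop observations that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {m for _, m in q}
        if len(distinct) > max_macs and ip not in alerted:
            alerts.append((ts, ip, len(distinct)))
            alerted.add(ip)
    return alerts


def check_against_baseline(records, baseline):
    """Return (ts, ip, mac) for every observation whose MAC differs from the
    baseline binding for that IP. IPs absent from the baseline are skipped."""
    mismatches = []
    for ts, ip, mac in sorted(records):
        expected = baseline.get(ip)
        if expected is not None and mac != expected.lower():
            mismatches.append((ts, ip, mac))
    return mismatches


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, ip, n in detect_mac_flapping(recs):
        print(f"[{ts}] {ip}: {n} distinct MACs inside the window")
    for ts, ip, mac in check_against_baseline(recs, BASELINE):
        print(f"[{ts}] {ip} now claims {mac}, baseline says {BASELINE[ip]}")
```

The flapping rule catches the covert channel even when every individual MAC looks plausible, because the channel must change the field on nearly every packet to carry data; the baseline comparison catches the simpler case of a single spoofed binding, which is the DNS-spoofing outcome the abstract describes. In production the window and threshold would be tuned against the normal rate of lease renewals on the segment.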

Key words: Covert channel, ARP, MikroTik, Network Security, Layer 2, Wazuh, Zeek, Command and Control (C2)
