Arp Spoofing on Gcp
How Arp Spoofing Manifests in Gcp
Arp Spoofing in Google Cloud Platform environments typically exploits misconfigured VPC networks and improperly secured service accounts. Unlike traditional on-premises ARP attacks that target Layer 2 networks, Gcp Arp Spoofing attacks leverage Gcp's networking architecture to intercept traffic between services.
The most common Gcp-specific manifestation occurs when service accounts have excessive IAM permissions across multiple projects. Attackers can create VM instances in one project, then use compromised credentials to impersonate services in another project, effectively 'spoofing' the identity of legitimate services.
// Vulnerable Gcp configuration example
// Attacker creates VM with broad IAM permissions
const compute = new Compute();
const vm = compute.instances().insert({
project: 'attacker-project',
zone: 'us-central1-a',
body: {
machineType: 'https://www.googleapis.com/compute/v1/projects/attacker-project/zones/us-central1-a/machineTypes/n1-standard-1',
networkInterfaces: [{
network: 'default',
accessConfigs: [{}]
}]
}
});
// Service account with excessive cross-project permissions
const iam = new Iam();
const policy = iam.projects().getIamPolicy({
resource: 'target-project'
}).execute();
// Attacker can now impersonate services in target-project
policy.bindings.push({
role: 'roles/iam.serviceAccountUser',
members: ['serviceAccount:target-project@developer.gserviceaccount.com']
});Another Gcp-specific attack vector involves Cloud Functions and Cloud Run services. When these services communicate without proper authentication headers, attackers can intercept and modify requests between services running in the same VPC.
// Vulnerable Cloud Run service communication
const axios = require('axios');
async function handleRequest(req, res) {
// No authentication between services
const response = await axios.get(
'https://target-service-uc.a.run.app/api/data'
);
res.json(response.data);
}
// Attacker creates malicious service with same endpoint
// and intercepts traffic from legitimate servicesCloud NAT and Cloud Load Balancer misconfigurations also enable Arp Spoofing-like attacks. When NAT rules are too permissive or load balancers accept traffic from unauthorized sources, attackers can route traffic through compromised instances.
// Vulnerable Cloud NAT configuration
resources:
- type: gcp-types/compute-v1:networks
name: default-network
properties:
autoCreateSubnetworks: true
routingConfig:
routingMode: REGIONAL
- type: gcp-types/compute-v1:routers
name: vulnerable-router
properties:
network: $(ref.default-network.selfLink)
nats:
- name: open-nat
sourceSubnetworkIpRangesToNat: LIST_OF_SUBNETWORKS
natIpAllocateOption: MANUAL_ONLY
natIps:
- '34.82.158.233'
subnetworks:
- name: default
sourceIpRangesToNats:
- 'ALL_IP_RANGES' // Too permissiveGcp-Specific Detection
Detecting Arp Spoofing in Gcp requires monitoring IAM permissions, network traffic patterns, and service communications. middleBrick's Gcp-specific scanning identifies these vulnerabilities by analyzing runtime behavior and configuration.
Service account permission analysis is critical. middleBrick scans for service accounts with excessive cross-project permissions and identifies when accounts can impersonate other services.
// middleBrick scan output for IAM vulnerabilities
{
"riskScore": 73,
"category": "Authentication",
"severity": "High",
"finding": "Service account has cross-project impersonation permissions",
"remediation": "Restrict service account permissions to minimum required scopes",
"gcpResource": "projects/target-project/serviceAccounts/target@target.iam.gserviceaccount.com"
}Network traffic analysis between Cloud Functions and Cloud Run services reveals potential spoofing attempts. middleBrick tests service-to-service communication without proper authentication headers.
// middleBrick network communication test
{
"test": "Service-to-Service Authentication",
"result": "Missing authentication headers",
"severity": "Medium",
"recommendation": "Implement service account JWT authentication",
"endpoint": "https://target-service-uc.a.run.app/api/data"
}middleBrick also analyzes Cloud NAT and load balancer configurations for overly permissive rules that could enable traffic routing attacks.
// middleBrick configuration analysis
{
"resourceType": "gcp-types/compute-v1:routers",
"finding": "NAT configuration allows all IP ranges",
"severity": "Medium",
"affectedResource": "projects/attacker-project/regions/us-central1/routers/vulnerable-router",
"remediation": "Restrict source IP ranges to specific subnets only"
}Real-time monitoring with Cloud Logging and Cloud Monitoring helps detect unusual authentication patterns that indicate spoofing attempts.
// Cloud Logging query for suspicious authentication
resource.type="gcp_project"
logName="projects/YOUR_PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.authenticationInfo.principalEmail="*@attacker-project.iam.gserviceaccount.com"
| jsonPayload
| filter serviceName="iam.googleapis.com"
| limit 100Gcp-Specific Remediation
Remediating Arp Spoofing vulnerabilities in Gcp requires implementing principle of least privilege, proper service authentication, and network segmentation. middleBrick's findings provide specific remediation guidance for each vulnerability type.
Service account permissions should be restricted using IAM conditions and least privilege principles. Implement service perimeters using VPC Service Controls to limit cross-project access.
// Secure service account configuration
const iam = new Iam();
// Create service account with minimal permissions
const serviceAccount = iam.projects().serviceAccounts().create({
name: 'projects/target-project/serviceAccounts',
body: {
accountId: 'secure-service',
displayName: 'Secure Service Account'
}
}).execute();
// Restrict permissions using IAM conditions
const policy = {
bindings: [{
role: 'roles/iam.serviceAccountUser',
members: ['serviceAccount:secure-service@target-project.iam.gserviceaccount.com'],
condition: {
title: 'Restrict to specific project',
description: 'Only allow access within target-project',
expression: 'resource.name.startsWith("projects/target-project/")'
}
}]
};
iam.projects().setIamPolicy({
resource: 'target-project',
body: policy
}).execute();Service-to-service authentication should use service account JWT tokens or mutual TLS. Implement authentication middleware in Cloud Functions and Cloud Run services.
// Secure Cloud Run service communication
const { google } = require('googleapis');
const jwt = new google.auth.JWT(
process.env.SERVICE_ACCOUNT_CLIENT_EMAIL,
null,
process.env.SERVICE_ACCOUNT_PRIVATE_KEY,
['https://www.googleapis.com/auth/cloud-platform']
);
async function secureRequest(req, res) {
try {
// Authenticate using service account JWT
const auth = await jwt.authorize();
const response = await axios.get(
'https://target-service-uc.a.run.app/api/data',
{
headers: {
'Authorization': `Bearer ${auth.access_token}`,
'X-Cloud-Project': process.env.GCP_PROJECT
}
}
);
res.json(response.data);
} catch (error) {
res.status(401).json({ error: 'Unauthorized' });
}
}Network configurations should use VPC network peering with firewall rules instead of overly permissive NAT configurations. Implement Private Google Access and restrict external IP assignments.
// Secure VPC configuration
resources:
- type: gcp-types/compute-v1:networks
name: secure-network
properties:
autoCreateSubnetworks: false
routingConfig:
routingMode: REGIONAL
- type: gcp-types/compute-v1:subnetworks
name: secure-subnet
properties:
region: us-central1
network: $(ref.secure-network.selfLink)
ipCidrRange: 10.128.0.0/20
privateIpGoogleAccess: true
enableFlowLogs: true
- type: gcp-types/compute-v1:firewalls
name: secure-firewall
properties:
network: $(ref.secure-network.selfLink)
direction: INGRESS
allowed:
- IPProtocol: TCP
ports: ['443', '80']
sourceRanges: ['10.128.0.0/20'] // Only allow internal traffic
targetTags: ['secure-service']