Arp Spoofing in Axum with Postgresql
Arp Spoofing in Axum with Postgresql — how this specific combination creates or exposes the vulnerability
Arp spoofing is a Layer 2 attack where an attacker sends falsified Address Resolution Protocol messages to associate their MAC address with the IP address of a legitimate host, typically the database server. In an Axum application that communicates with a Postgresql database, this attack path becomes relevant when the application resolves the database hostname to an IP at startup or via DNS and then maintains a long-lived connection. An attacker on the same network segment can intercept traffic by poisoning the ARP cache of the Axum host, causing frames intended for the Postgresql server to be sent to the attacker instead. Because Axum often runs on async runtimes with connection pools, a poisoned ARP entry can silently redirect credentials, query results, and potentially prepared statement data without breaking the TCP stream, making the intrusion hard to detect at the application layer.
In practice, this matters when Axum services run inside shared networks (e.g., cloud VPCs, containers on the same subnet, or CI runners) where an attacker can reach the same broadcast domain as the Postgresql instance. The Axum service may use native TLS for the Postgresql connection (sslmode=require or verify-full), but ARP spoofing operates below TLS, so encryption in transit does not prevent interception at the link layer. If the Postgresql server is reachable by hostname, an Axum service that reuses connections across resolved IPs may continue communicating with the attacker’s machine until the ARP cache expires or the connection is re-established. This exposes authentication exchanges, potentially revealing usernames and password hashes, and can allow the attacker to inject or modify queries if they can complete a TLS handshake using a presented but unauthorized certificate (e.g., via a compromised CA or a misconfigured sslrootcert).
Compounded by typical Axum patterns, such as using a configuration struct to hold database URLs and a runtime connection pool, a poisoned ARP cache can lead to data exposure and unauthorized statement execution. For example, an attacker may silently drop or alter query results, leading to logic issues or data corruption that may be mistaken for application bugs. Because middleBrick scans test unauthenticated attack surfaces and include network-related findings, they can highlight weak perimeter controls that make ARP spoofing feasible, even though the scanner does not simulate Layer 2 attacks directly. Developers should treat ARP spoofing as a network-level precondition that can undermine otherwise secure Postgresql integrations in Axum, and design mitigations accordingly.
Postgresql-Specific Remediation in Axum — concrete code fixes
Remediation focuses on reducing the impact of ARP spoofing by ensuring that the Axum application validates the identity of the Postgresql server at the connection layer and minimizes the window of exposure. Use IP-based connections where feasible, enforce strict certificate validation, and avoid relying on mutable hostname-to-IP mappings after initial resolution. Below are concrete, runnable examples for an Axum service integrating with Postgresql using sqlx.
1) Prefer IP addresses and pin the server certificate
Configure the connection string to use the Postgresql server IP directly and require full certificate verification. This reduces reliance on DNS and ARP-dependent hostname resolution and ensures the server’s identity is verified via TLS.
// config/src/lib.rs
use serde::Deserialize;
#[derive(Deserialize, Debug, Clone)]
pub struct DatabaseConfig {
pub host: String, // Use IP, e.g., "10.0.0.5"
pub port: u16, // 5432
pub database: String,
pub username: String,
pub password: String,
pub ssl_mode: SslMode,
}
#[derive(Deserialize, Debug, Clone, sqlx::postgres::PgConnectOptionsExt)]
pub enum SslMode {
Require,
VerifyFull,
}
impl DatabaseConfig {
pub fn to_connect_options(&self) -> sqlx::postgres::PgConnectOptions {
let mut opts = sqlx::postgres::PgConnectOptions::new()
.host(&self.host)
.port(self.port)
.database(&self.database)
.username(&self.username)
.password(self.password);
match self.ssl_mode {
SslMode::Require => opts = opts.require_tls(),
SslMode::VerifyFull => opts = opts.verify_full(),
}
opts
}
}
// main.rs
use sqlx::postgres::PgPoolOptions;
async fn build_pool(cfg: &DatabaseConfig) -> Result, sqlx::Error> {
let opts = cfg.to_connect_options();
PgPoolOptions::new()
.max_connections(5)
.connect_with(opts)
.await
}
2) Use static connection parameters and avoid runtime hostname rebinding
Ensure the Axum runtime does not re-resolve the hostname on each connection attempt. Resolve the IP once at startup and pass the fixed value to the connection pool.
// src/main.rs
use axum::Router;
use sqlx::{postgres::PgPoolOptions, PgPool};
use std::net::IpAddr;
async fn connect_to_db() -> PgPool {
let ip: IpAddr = "192.0.2.10".parse().expect("valid IP");
let opts = format!(
"host={} port=5432 user=appuser password={} dbname=appdb sslmode=verify-full",
ip,
std::env::var("PG_PASSWORD").expect("PG_PASSWORD must be set")
);
PgPoolOptions::new()
.max_connections(10)
.connect(&opts)
.await
.expect("Failed to connect to Postgresql")
}
#[tokio::main]
async fn main() {
let _pool = connect_to_db().await;
let app = Router::new();
// ...
}
3) Rotate credentials and monitor connections
Even with IP pinning, rotate database credentials regularly and use tooling to monitor unexpected connection sources. Leverage Postgresql’s pg_stat_activity to detect anomalous sessions that may indicate interception or manipulation.
-- Run periodically to audit connections
SELECT
pid,
usename,
client_addr,
state,
query
FROM pg_stat_activity
WHERE datname = 'appdb'
AND client_addr NOT IN ('192.0.2.1', '192.0.2.2'); -- allowed IPs