7/30/2019 ARP Report
http://slidepdf.com/reader/full/arp-report 1/68
Identification of An Intelligent Attacker in ARP Spoofing
by
Subhash Kumar Singh
201011044
A thesis submitted in partial fulfillment of the requirements for the degree of
Master of Technology
in
Information and Communication Technology
to
Dhirubhai Ambani Institute of Information and Communication
Technology
Gandhinagar, India
November 2012
Declaration
This is to certify that
1. the thesis comprises my original work towards the degree of Master of
Technology in Information and Communication Technology at DA-IICT
and has not been submitted elsewhere for a degree.
2. due acknowledgement has been made in the text to all other material used.
Signature of Student
Subhash Kumar Singh
Certificate
This is to certify that the thesis work entitled Identification of An Intelligent Attacker in ARP Spoofing has been carried out by Subhash Kumar Singh (201011044) for the degree of Master of Technology in Information and Communication Technology at this Institute under my supervision.
Thesis Supervisor
Prof. Anish Mathuria
Acknowledgements
I would like to express my sincere thanks to my thesis supervisor, Prof. Anish Mathuria, for his excellent guidance and constant supervision. He provided me an excellent atmosphere for doing research. He inspired me to put in my best efforts and also criticized me at appropriate moments to make my work proceed in the right direction.
I would like to express my special gratitude to my thesis examiners, Prof. Sanjay Srivastava and Prof. Manish Gupta, for their valuable comments and corrections. They pointed out subtle mistakes in my thesis work and suggested relevant improvements.
I would like to acknowledge the academic and technical support at DA-IICT. The state-of-the-art infrastructure at the institute provided me all the needed resources, which helped in accelerating my work. I would like to mention special thanks to Prof. Manik Lal Das and the members of the security group for their comments and time.
I am highly indebted to my parents for their cooperation and motivation.
Finally, I would like to thank God for his blessings and grace.
Subhash Kumar Singh
Abstract
ARP spoofing is one of the most powerful and simplest internal attacks that can be carried out in an internal network. Many techniques have been proposed to secure the Address Resolution Protocol (ARP); they include cryptographic and non-cryptographic techniques. Non-cryptographic techniques are mainly based on probe packets. These techniques need less processing time than cryptographic techniques, but we observed that an intelligent attacker can easily bypass the techniques that are based on probe packets.
Ramachandran et al. [1] suggested a clear separation between weak and strong attackers. We consider the strong attacker as the intelligent attacker, because a strong attacker can bypass probe-packet-based ARP defense techniques by generating the appropriate responses. These two attacking models can be used to analyze any ARP defense technique. Their technique only detects the ARP spoofing attack but does not identify the attacker; similarly, other techniques have their own limitations.
We enhanced the probe-packet-based technique to identify an intelligent attacker. Our proposed technique enables the test host to imitate a normal host, so that an attacker cannot differentiate the test host from the others. Meanwhile, the attacker can be caught using the responses to the probe packets.
We performed experiments and concluded that the proposed technique is effective for defense against ARP spoofing.
Contents
Declaration ii
Certificate ii
Acknowledgements iii
Abstract iv
List of Figures vi
1 Introduction 1
1.1 Address Resolution Protocol (ARP) . . . . . . . . . . . . . . . . 1
1.2 Basic ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.3 ARP Cache Poisoning . . . . . . . . . . . . . . . . . . . . . . . . 3
1.4 Problem Definition . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.5 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.6 Organization of thesis . . . . . . . . . . . . . . . . . . . . . . . . 7
2 Background of Protocols 9
2.1 ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.1 Header Format . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.2 ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2 ICMP Echo Request Packets (Ping) and their Communication . 11
2.2.1 Header Format . . . . . . . . . . . . . . . . . . . . . . . . 12
2.2.2 Packet Exchange . . . . . . . . . . . . . . . . . . . . . . . 13
2.3 TCP Packets and their Communication . . . . . . . . . . . . . . 14
2.3.1 Header Format and Data Flow . . . . . . . . . . . . . . . 14
2.3.2 TCP Handshake . . . . . . . . . . . . . . . . . . . . . . . 15
3 Survey of ARP Defense Techniques 17
3.1 Classification of techniques . . . . . . . . . . . . . . . . . . . . . 17
3.1.1 Non-Cryptographic Techniques for Securing ARP Spoofing 19
3.1.2 Cryptographic Techniques for ARP . . . . . . . . . . . . . 28
3.1.3 Some other Techniques . . . . . . . . . . . . . . . . . . . 30
3.2 Attacking Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
3.3 Comparison of Existing Techniques . . . . . . . . . . . . . . . . . 33
4 Proposed Technique 36
4.1 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
4.2 Rules in Proposed Technique . . . . . . . . . . . . . . . . . . . . 38
4.3 Working of Proposed Technique . . . . . . . . . . . . . . . . . . . 38
4.4 Identification of Attacker . . . . . . . . . . . . . . . . . . . . . . 39
4.4.1 Mapping present in ARP cache of test host . . . . . . . . 41
4.4.2 Mapping doesn’t present in ARP cache of test host . . . . 43
4.5 Hiding the traffic pattern : in case of Probe Packets . . . . . . . 45
5 Experiment and Results 48
5.1 Experimental setup . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.2 Measure of generated ARP traffic . . . . . . . . . . . . . . . . . . 50
5.3 Reducing number of probe packet (ARP Request packet) . . . . 52
5.4 System Load in promiscuous mode . . . . . . . . . . . . . . . . . 54
6 Conclusion 56
List of Figures
1.1 Address Resolution Protocol(ARP) . . . . . . . . . . . . . . . . . 2
1.2 Flowchart for update in ARP cache . . . . . . . . . . . . . . . . . 3
1.3 DoS attack in LAN . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.4 MITM attack in LAN . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 ARP Header(length in bytes) . . . . . . . . . . . . . . . . . . . . 9
2.2 IP Header(length in bits) . . . . . . . . . . . . . . . . . . . . . . 12
2.3 ICMP Header(length in bits) . . . . . . . . . . . . . . . . . . . . 13
2.4 TCP Header(length in bits) . . . . . . . . . . . . . . . . . . . . . 14
2.5 flow of TCP packets . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.6 TCP Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.1 Fake ARP Request (ARP Header) . . . . . . . . . . . . . . . . . 21
3.2 Fake ARP Request (Ethernet Header) . . . . . . . . . . . . . . . 21
3.3 Possible Response of TCP SYN packet . . . . . . . . . . . . . . . 22
3.4 Four MR-ARP enabled machine deployed in LAN . . . . . . . . . 23
3.5 Enhanced MR-ARP technique . . . . . . . . . . . . . . . . . . . . 25
3.6 Flow Diagram for Self Confirming Engine (SDE) (when ARP cache doesn't have mapping for source IP in ARP request/reply packet) . . . 26
3.7 Flow Diagram for Self Confirming Engine (SDE) (when ARP cache has mapping for source IP in ARP request/reply packet) . . . 26
3.8 Flow Diagram for Spoof Detection Engine (SDE) . . . . . . . . . 27
4.1 Confirmation of Legitimate host in case of weak attacker . . . . . 39
4.2 Identification of attacker when host A has correct mapping in his ARP cache . . . 42
4.3 Confirmation of Legitimate host . . . . . . . . . . . . . . . . . . 43
4.4 Confirmation of attacker . . . . . . . . . . . . . . . . . . . . . . . 43
4.5 Generated schedule (number of ARP request packet generated
per second) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.1 Experiment setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.2 Simple ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . 49
5.3 Spoofed ARP reply from attacker to host A . . . . . . . . . . . . 49
5.4 State of ARP cache at host A . . . . . . . . . . . . . . . . . . . . 49
5.5 Basic scheme to identify the attacker . . . . . . . . . . . . . . . . 50
5.6 ARP request traffic in normal ARP protocol . . . . . . . . . . . . 51
5.7 ARP request traffic in case of weak attacker . . . . . . . . . . . . 51
5.8 ARP request traffic in case of strong attacker (proposed technique) 52
5.9 probability distribution over number of probe packet sent . . . . 54
5.10 System load in non-promiscuous mode (core-2 processor) . . . . . 55
5.11 System load in promiscuous mode (core-2 processor) . . . . . . . 55
List of Algorithms
1 ARP spoofing detection module . . . . . . . . . . . . . . . . . . . 40
2 Broadcast test() . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Chapter 1
Introduction
In a LAN environment, any insider can attack a host on the same network to steal its information, whether out of curiosity or for business or governmental espionage. ARP spoofing is the most common form of attack on a LAN. This attack lets the attacker sniff and manipulate the local communication traffic.
If a host wants to communicate with another host over the network, the sending host must have both the IP address and the MAC address of the destination. Using these two addresses any host can communicate with any other host in the LAN. If the sending host has only the IP address of the destination, the MAC address of the destination host is resolved by the ARP protocol, and further communication continues using the resolved IP address and MAC address pair.
1.1 Address Resolution Protocol (ARP)
The Address Resolution Protocol (ARP) was first introduced in RFC 826 in 1982 [2]. ARP is a data link layer protocol used to obtain the 48-bit Ethernet address of a host in the LAN corresponding to a requested 32-bit IP address; in other words, ARP maps an IP address to the corresponding Ethernet address. As shown in figure 1.1, when host A wants to communicate with another host B having IP address IP_B, host A broadcasts a message over the LAN asking "who has IP_B?". All hosts other than host B drop the ARP request packet, because the request is not for their IP address. The host holding IP address IP_B generates an ARP reply in response to the ARP request, saying "MAC address MAC_B corresponds to the requested IP address IP_B". Both the sender and the receiver of the ARP packets use the information in the ARP request/reply for further communication. The receiving host of the ARP request (host B) also stores the information carried in the ARP request packet as an optimization, so host B does not need to send an ARP request of its own back to host A.
Figure 1.1: Address Resolution Protocol (ARP)
1.2 Basic ARP Protocol
The ARP protocol is stateless¹, for simplicity and to reduce the ARP traffic involved in address resolution. As shown in figure 1.2, the ARP cache works on the following two rules:
1. Creation of a new entry: when a host receives an ARP request/reply for its own IP address, a new entry is created in the receiver's ARP cache if the cache does not already contain an entry for the sender of the ARP request/reply packet.
2. Updating an entry: when a host receives an ARP request/reply for its own IP address and an entry for the sender is already present in the receiver's ARP cache, the information in the ARP packet is written into the receiver's ARP cache and the timeout of the IP-address-to-MAC-address mapping is renewed.
¹ ARP does not maintain state for the ARP requests it has sent to any host.
Figure 1.2: Flowchart for update in ARP cache
1.3 ARP Cache Poisoning
In an ARP cache poisoning attack, the attacker sends an ARP request or reply to the victim in which the source entries of the ARP header carry an incorrect <IP, MAC> association, and the intended receiver of this fake packet updates its ARP cache with the false <IP, MAC> mapping. In a simple scenario, if an attacker wants to impersonate host X to host Y, the attacker has to send an ARP request (the request may be broadcast or unicast) to host Y stating that the attacker's MAC address is associated with the IP address of host X. Host Y then records the mapping <IP_X, MAC_attacker> in its ARP cache and uses this corrupted mapping for further communication: host Y sends its data packets to the attacker instead of host X. Thus the attacker can read or modify the data sent by host Y to host X.
ARP cache poisoning can be carried out in four ways [3] [1] [4]:
1. Send a fake ARP request packet.
2. Send a fake ARP reply packet to the victim.
3. Send a fake ARP reply in response to an ARP request.
4. Send a fake gratuitous ARP request² packet.
ARP cache poisoning attacks are often part of other, more serious attacks, e.g. DoS attacks and MITM attacks. Sometimes the attacker has a predetermined goal and uses ARP cache poisoning to achieve it:
• DoS attacks: a malicious user poisons the ARP cache of a victim so that the data packets sent by the victim never reach their destination; instead they are captured or dropped by the attacker, and the victim cannot communicate with others over the network. In figure 1.3, host A has a non-existent MAC address for IP_B in its cache, so host A sends its packets to the non-existent MAC address, the packets are dropped, and host A is unable to communicate with host B.
Figure 1.3: DoS attack in LAN
² A gratuitous ARP request is an ARP request packet in which the source and destination IP addresses are both set to the IP address of the machine issuing the packet and the destination MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
• Host impersonation: the attacker not only captures the packets but also responds to the host, making the victim believe that nothing is wrong and that it is communicating with the legitimate host.
• Man-in-the-Middle (MITM) attack: the attacker poisons two hosts in the LAN such that the attacker receives the packets from both hosts and, after extracting sensitive data, forwards the packets to their correct destinations. Neither host can tell that someone is sitting between them and silently listening to their conversation. The attack becomes more serious when the attacker modifies the content of the packets, compromising data integrity. In figure 1.4, host C poisons the ARP caches of host A and host B. Host A believes it is communicating with host B, and host B believes it is communicating with host A, but the whole conversation actually passes through host C. Thus C acts as the Man-in-the-Middle between host A and host B.
Figure 1.4: MITM attack in LAN
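The following Python program is an added example and is not part of the thesis or of any tool it cites. It shows the detection side of the four poisoning methods listed above: a passive monitor that learns the first IP-to-MAC binding it sees for each address and raises an alert when a later ARP request, reply or gratuitous ARP claims that IP for a different MAC, or when the Ethernet source address disagrees with the ARP sender field. The ArpFrame type, the monitor class, the addresses and the captured frames are all constructed for this example; opcode values follow RFC 826 (1 = request, 2 = reply).

```python
"""Passive ARP monitor that flags changes in an IP-to-MAC binding.

Added example, not code from the thesis. Shows the detection side of the
poisoning scenarios in section 1.3. All addresses and frames below are
constructed sample data; opcode numbering follows RFC 826.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2          # RFC 826 opcode values
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpFrame:
    eth_src: str      # source MAC in the Ethernet header
    opcode: int
    sender_mac: str   # source hardware address in the ARP header
    sender_ip: str
    target_mac: str
    target_ip: str


def is_gratuitous(f: ArpFrame) -> bool:
    """Gratuitous ARP: sender IP equals target IP, target MAC is broadcast."""
    return f.sender_ip == f.target_ip and f.target_mac.lower() == BROADCAST


class ArpMonitor:
    """Learns the first binding seen for each IP and alerts on any change.

    A real deployment would seed the table from a trusted source (DHCP
    leases, an inventory) instead of trusting the first packet seen.
    """

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}

    def observe(self, f: ArpFrame) -> Optional[str]:
        # Check 1: the Ethernet source and the ARP sender MAC should agree.
        if f.eth_src.lower() != f.sender_mac.lower():
            return (f"ALERT header mismatch: eth src {f.eth_src} but ARP sender "
                    f"{f.sender_mac} for {f.sender_ip}")
        known = self.bindings.get(f.sender_ip)
        if known is None:
            self.bindings[f.sender_ip] = f.sender_mac.lower()
            return None
        # Check 2: a known IP is now claimed by a different MAC.
        if known != f.sender_mac.lower():
            if is_gratuitous(f):
                how = "gratuitous ARP"
            elif f.opcode == ARP_REPLY:
                how = "ARP reply"
            else:
                how = "ARP request"
            return (f"ALERT binding change: {f.sender_ip} was {known}, "
                    f"now {f.sender_mac} via {how}")
        return None


def run_monitor(frames: List[ArpFrame]) -> List[str]:
    """Feed a capture through the monitor and return the alerts raised."""
    mon = ArpMonitor()
    alerts = []
    for f in frames:
        msg = mon.observe(f)
        if msg:
            alerts.append(msg)
    return alerts


# Constructed capture: hosts A (192.0.2.1) and B (192.0.2.2) talk normally,
# then a third MAC starts claiming their addresses.
SAMPLE_CAPTURE = [
    ArpFrame("02:00:00:00:00:01", ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.1",
             "00:00:00:00:00:00", "192.0.2.2"),
    ArpFrame("02:00:00:00:00:02", ARP_REPLY, "02:00:00:00:00:02", "192.0.2.2",
             "02:00:00:00:00:01", "192.0.2.1"),
    # fake reply to A claiming B's IP (way 2 in the list above)
    ArpFrame("02:00:00:00:00:cc", ARP_REPLY, "02:00:00:00:00:cc", "192.0.2.2",
             "02:00:00:00:00:01", "192.0.2.1"),
    # fake gratuitous request claiming A's IP (way 4)
    ArpFrame("02:00:00:00:00:cc", ARP_REQUEST, "02:00:00:00:00:cc", "192.0.2.1",
             BROADCAST, "192.0.2.1"),
    # Ethernet source disagrees with the ARP sender field
    ArpFrame("02:00:00:00:00:cc", ARP_REQUEST, "02:00:00:00:00:02", "192.0.2.2",
             "00:00:00:00:00:00", "192.0.2.1"),
]

if __name__ == "__main__":
    for line in run_monitor(SAMPLE_CAPTURE):
        print(line)
```

Running the module prints three alerts for the sample capture: one for the fake reply, one for the fake gratuitous request, and one for the header mismatch. The first two frames, which represent normal traffic, produce none.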
ARP exploit tools: there are several tools that can be used to perform ARP cache poisoning [5]:
1. ARP-SK ( http://www.arp-sk.org )
2. Arpoc and WCI ( http://www.phenoelit.de/arpoc/ )
3. Arpoison ( http://arpoison.sourceforge.net )
4. Brian ( http://www.bournemouthbynight.co.uk/tools/ )
5. Cain & Abel ( http://www.oxid.it/cain.html )
6. Dsniff ( http://naughty.monkey.org/~dugsong/dsniff/ )
7. Ettercap ( http://ettercap.sourceforge.net )
8. Hunt ( http://www.phrack.org/show.php?p=50&a=6 )
9. Parasite ( http://www.thc.org/releases.php )
1.4 Problem Definition
The ARP protocol was not designed to verify the sender of ARP request or reply packets. ARP can therefore be exploited by an attacker, because the receiving host directly updates its ARP cache with the source IP address and source MAC address of the received ARP packet. Many techniques have been proposed to secure ARP. They can be broadly classified into cryptographic and non-cryptographic techniques. Non-cryptographic techniques are mainly based on probe packets. Probe-packet-based techniques are correct against a limited attacker (the limited attacker is introduced in chapter 3). We analyzed the probe-packet-based techniques and found that an intelligent attacker (also introduced in chapter 3) can bypass these techniques very easily.
Securing ARP against an intelligent attacker is a big and important challenge, because an intelligent attacker can bypass nearly all probe-based techniques. We therefore design a secure ARP detection technique which can correctly identify the IP-address-to-MAC-address mapping in the defined attacking environment (section 3.2).
1.5 Goals
The goal of this research is to secure the ARP protocol from attackers. We found limitations in various probe-packet-based techniques [6] [1] [3] [4]. These techniques cannot stand against an intelligent attacker: an intelligent attacker can easily bypass a probe-packet-based technique by generating the appropriate response to each request packet sent. So the following goals are of particular interest:
• Correctly identify script kiddies: anyone can download software that is freely available on the Internet (e.g. Cain & Abel, arp-sk) and perform ARP cache poisoning. This category of software sends the fake packet to the target host so that the target host updates the IP-to-MAC address mapping in its ARP cache. The proposed solution can catch this type of attacker.
• Correctly identify the intelligent attacker: some attackers are smart enough to analyze the behavior of the target host. They can easily bypass an ARP defense technique simply by generating the appropriate response to the confirmation packets. We build our proposed solution in such a way that an intelligent attacker can also be correctly identified.
• Hide the generated probe-packet traffic: an intelligent attacker has analyzing and computing power. By collecting and analyzing the packets received on his network interface card he can identify the presence of an IDS (Intrusion Detection System) in the LAN. The attacker then starts behaving like the host he wants to spoof, and the IDS is unable to catch him.
We design a technique which, by analyzing the network traffic, generates probe-packet traffic similar to that of a normal host on the network, and we hide the probe packets in such a way that the attacker has no clue regarding the probe packets.
1.6 Organization of thesis
Chapter 1 introduced the Address Resolution Protocol (ARP). In this chapter we discussed why the ARP protocol is prone to attack: by performing ARP spoofing anyone can easily exploit ARP for his own purposes (e.g. DoS attacks, MITM attacks).
In chapter 2 we look at some standard network protocols that are used by several proposed techniques. Here we obtain a basic understanding of the ARP, ICMP and TCP protocols.
In chapter 3 we discuss the literature survey of the various types of existing solutions for ARP spoofing. In this chapter we identify two attacking models that are very important to consider. These attacking models were previously identified by Ramachandran and Nandi [1]. The same chapter gives a brief idea of the probe-packet-based techniques [6] [1] [4] [3] and their limitations.
In chapter 4 a method is proposed to correctly identify the IP-to-MAC address mapping in the different attacking environments identified by Ramachandran [1]. We found that in a probe-packet-based technique it is a challenging task to hide the probe packets: an attacker can sniff these packets and distinguish a confirmation packet from a normal ARP packet. In chapter 4 we give the technique to hide the probe packets so that an intelligent attacker can be caught.
The implementation of our proposed technique and its analysis are described in chapter 5. In chapter 6 we conclude the discussion, and the same chapter describes the achievement of the goals.
Chapter 2
Background of Protocols
Before the further discussion we require some background on the ARP, ICMP and TCP protocols, which are used in some of the proposed techniques. The ARP protocol was partly discussed in the previous chapter.
2.1 ARP Protocol
We have discussed the packet exchange in the ARP protocol. What remains is a discussion of the ARP header format and the ARP cache.
2.1.1 Header Format
Figure 2.1: ARP Header(length in bytes)
Description of the ARP header (figure 2.1):
Hardware type (16 bit): type of LAN.
Protocol type (16 bit): type of the higher-level (software) address provided.
Hardware address length (8 bit): length of the hardware address in bytes.
Protocol address length (8 bit): length of the protocol address in bytes.
Opcode (16 bit): specifies the type of operation requested:
0 - ARP request
1 - ARP reply
Source hardware address (48 bit): hardware address of the sender.
Source protocol address (32 bit): protocol address of the sender.
Destination hardware address (48 bit): hardware address of the receiver.
Destination protocol address (32 bit): protocol address of the receiver.
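As an added example (not code from the thesis), the following Python module serializes and parses the Ethernet/IPv4 ARP header whose fields are listed above, using the field widths of figure 2.1. The opcode values it uses are those assigned by RFC 826 (1 = request, 2 = reply). The parser checks the hardware/protocol types and address lengths before interpreting the addresses, so a truncated or non-Ethernet/IPv4 packet is rejected rather than misread. The function names and the sample addresses are constructed for this example.

```python
"""Build and parse an Ethernet/IPv4 ARP header with struct.

Added example, not code from the thesis. Field sizes follow figure 2.1;
opcode values follow RFC 826 (1 = request, 2 = reply). Addresses are
constructed sample values.
"""
import struct
from typing import Any, Dict

ARP_FMT = "!HHBBH6s4s6s4s"      # 28 bytes: the fixed Ethernet/IPv4 layout
ARP_LEN = struct.calcsize(ARP_FMT)
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OPCODES = {1: "request", 2: "reply"}


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialize one ARP header (the Ethernet header is not included)."""
    if opcode not in OPCODES:
        raise ValueError(f"unsupported opcode {opcode}")
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(payload: bytes) -> Dict[str, Any]:
    """Decode an ARP header, rejecting anything that is not Ethernet/IPv4.

    Type and length fields are validated before the address bytes are
    interpreted, so a truncated or foreign-format packet cannot be misread.
    """
    if len(payload) < ARP_LEN:
        raise ValueError("ARP payload truncated")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if htype != HTYPE_ETHERNET or ptype != PTYPE_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("only Ethernet/IPv4 ARP is supported")
    if op not in OPCODES:
        raise ValueError(f"unknown opcode {op}")
    return {
        "opcode": OPCODES[op],
        "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
        "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa),
    }


if __name__ == "__main__":
    raw = build_arp(1, "02:00:00:00:00:01", "192.0.2.1",
                    "00:00:00:00:00:00", "192.0.2.2")
    print(raw.hex())
    print(parse_arp(raw))
```

The 28-byte layout is fixed only because the address lengths are 6 and 4; a parser that wants to accept other hardware types must read the length fields first and size the address fields from them.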
2.1.2 ARP Cache
The ARP cache is local memory that holds the mappings between IP addresses and MAC addresses that are required for communication in the network. A timeout period is associated with each IP-address-to-MAC-address mapping; after it elapses the mapping is flushed from the cache unless the mapping has been accessed again within the timeout period. The timeout is kept in the ARP cache to maintain the dynamic mapping of IP addresses to MAC addresses: IP allocation is dynamic, so a host can change its IP address, and hence the mapping between its MAC and IP addresses changes. In order to track this dynamic mapping it is important to have a timeout on ARP cache entries; otherwise the ARP cache would contain invalid <IP, MAC> mappings.
The ARP cache contains static and dynamic entries. Static entries are added manually to the cache. Some hosts never change their IP address, so the IP-address-to-MAC-address mapping for such hosts remains the same. Static entries are permanent; whether they are resolved or updated depends on the implementation of the ARP module of the OS. Dynamic entries are resolved by the ARP protocol. They are kept in the ARP cache for a timeout period and removed after it; these entries are updated using the ARP protocol.
Dynamic cache entries are associated with a timeout period. If we stored a mapping forever, the following problems would arise:
• Device hardware changes: if a host suffers a NIC failure and the card is replaced, the mapping of its IP address to the previous Ethernet address becomes invalid.
• Device IP address changes: if a host changes its IP address, the entry in the ARP cache for that IP address also becomes invalid.
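The following Python model is an added example, not code from the thesis. It implements the two cache rules of section 1.2 (create an entry when a request/reply for the host's own IP arrives from an unknown sender; otherwise update the entry and renew its timeout) together with the timeout expiry and the static entries described in section 2.1.2, and walks through the two failure cases listed above: a NIC replacement and an entry that outlives its timeout. Time is passed in as plain seconds so the expiry can be exercised without waiting. The class and function names are constructed; the rule that a received packet never overwrites a static entry is an assumption made here, since the thesis notes that this depends on the ARP module of the OS.

```python
"""ARP cache model with the two update rules of section 1.2 and the
timeout handling of section 2.1.2.

Added example, not code from the thesis. Times are plain seconds supplied
by the caller. That static entries are never overwritten by received
packets is an assumption (the thesis says this depends on the OS).
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CacheEntry:
    mac: str
    expires: Optional[float]   # None marks a static (manually added) entry


class ArpCache:
    def __init__(self, my_ip: str, timeout: float = 60.0) -> None:
        self.my_ip = my_ip
        self.timeout = timeout
        self.entries: Dict[str, CacheEntry] = {}

    def add_static(self, ip: str, mac: str) -> None:
        """Manually pinned mapping; it never times out."""
        self.entries[ip] = CacheEntry(mac, None)

    def expire(self, now: float) -> int:
        """Flush dynamic entries whose timeout has elapsed; return the count."""
        stale = [ip for ip, e in self.entries.items()
                 if e.expires is not None and e.expires <= now]
        for ip in stale:
            del self.entries[ip]
        return len(stale)

    def on_arp(self, sender_ip: str, sender_mac: str, target_ip: str,
               now: float) -> str:
        """Apply the rules of section 1.2 to one received request or reply."""
        self.expire(now)
        if target_ip != self.my_ip:
            return "ignored"                      # packet is not for our IP
        entry = self.entries.get(sender_ip)
        if entry is None:                         # rule 1: create new entry
            self.entries[sender_ip] = CacheEntry(sender_mac, now + self.timeout)
            return "created"
        if entry.expires is None:                 # assumed policy: static wins
            return "static-kept"
        entry.mac = sender_mac                    # rule 2: update and renew
        entry.expires = now + self.timeout
        return "updated"

    def lookup(self, ip: str, now: float) -> Optional[str]:
        self.expire(now)
        entry = self.entries.get(ip)
        return entry.mac if entry else None


def demo() -> Dict[str, Optional[str]]:
    """Creation, renewal, a NIC replacement, expiry, and a static entry."""
    cache = ArpCache("192.0.2.10", timeout=60.0)
    out: Dict[str, Optional[str]] = {}
    out["r1"] = cache.on_arp("192.0.2.1", "02:00:00:00:00:01", "192.0.2.10", 0.0)
    out["r_other"] = cache.on_arp("192.0.2.1", "02:00:00:00:00:01", "192.0.2.99", 0.0)
    out["r2"] = cache.on_arp("192.0.2.1", "02:00:00:00:00:01", "192.0.2.10", 50.0)
    out["at_100"] = cache.lookup("192.0.2.1", 100.0)     # renewed at 50, valid to 110
    # 192.0.2.1 replaces its NIC: its next ARP packet carries a new MAC
    out["r3"] = cache.on_arp("192.0.2.1", "02:00:00:00:00:aa", "192.0.2.10", 105.0)
    out["at_106"] = cache.lookup("192.0.2.1", 106.0)
    out["at_200"] = cache.lookup("192.0.2.1", 200.0)     # expired at 165
    cache.add_static("192.0.2.254", "02:00:00:00:00:fe")
    out["r_static"] = cache.on_arp("192.0.2.254", "02:00:00:00:00:bb", "192.0.2.10", 201.0)
    out["static"] = cache.lookup("192.0.2.254", 9999.0)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Without the timeout, the entry created at t = 0 would still answer lookups after the NIC change or long after the host left the network; with it, the stale mapping disappears at t = 165 unless the host is heard from again.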
2.2 ICMP Echo Request Packets (Ping) and their Communication
The ICMP (Internet Control Message Protocol) header is encapsulated after the IP header. ICMP packets are of two types: error-reporting messages and query messages. Whenever a host or router has a problem processing an IP packet, it reports the error back to the sender of the packet using an error-reporting message. Query messages are used to retrieve some specific information from another host or router.
The ping packet falls into the category of query messages. It is used to check whether a host is alive or not. Figure 2.2 shows the IP header and figure 2.3 shows the ICMP ping packet header.
Figure 2.2: IP Header(length in bits)
2.2.1 Header Format
Description of the IP header (figure 2.2):
Version (4 bit): version of the IPv4 protocol.
Header length (4 bit): total length of the datagram header in 4-byte words.
Service (8 bit): defines the type of service.
Total length (16 bit): defines the total length (header plus data) of the IPv4 datagram.
Identification (16 bit): uniquely identifies the fragments of an original IP datagram.
Flags (3 bit): used in fragmentation.
Fragmentation offset (13 bit): used in fragmentation.
Time to live (8 bit): this field limits the lifetime of the IP datagram.
Protocol (8 bit): defines the higher-level protocol that uses the service of IP:
1 - ICMP
2 - IGMP
6 - TCP
17 - UDP
Checksum: protection used in IPv4 against data corruption.
Source protocol address (32 bit): IP address of the sender.
Destination protocol address (32 bit): IP address of the receiver.
Figure 2.3: ICMP Header(length in bits)
Description of the ICMP echo header (figure 2.3):
Type (8 bit): type of the message:
8 - ICMP echo request
0 - ICMP echo reply
Code (8 bit): reason for the particular message type; 0 for ICMP echo request/reply.
Header checksum (16 bit): calculated over the ICMP part of the packet.
Identifier (16 bit): this field is used to help match an echo request with its associated reply.
Sequence number (16 bit): this field is used to help match an echo request with its associated reply.
2.2.2 Packet Exchange
The sender of an ICMP echo request packet puts the destination IP address in the destination field of the IP header and the corresponding MAC address in the destination MAC address field of the Ethernet header. At the receiving side, the host first matches the destination MAC address in the Ethernet header; if it matches the receiver's MAC address the packet is passed up to the IP layer, otherwise the packet is dropped. At the IP layer, the packet is accepted if the destination IP address in the IP header matches the receiver's IP address, and dropped otherwise. In response to the ICMP echo request, the receiver produces an ICMP echo reply carrying the same identifier and sequence number as the ICMP echo request packet.
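The ICMP side of this exchange is written out below as an added example (not code from the thesis). It builds an echo request with the header of figure 2.3, computes the Internet checksum (the one's-complement sum of RFC 1071, which the thesis does not spell out), produces the reply a receiver would send with the same identifier and sequence number, and applies the sender's acceptance test: a reply is only matched to a request when both fields agree and the checksum verifies. The function names and the sample identifier, sequence number and payload are constructed.

```python
"""ICMP echo request/reply: build, checksum, and match by id/sequence.

Added example, not code from the thesis. Covers the ICMP echo header of
figure 2.3 and the matching rule of section 2.2.2. The checksum is the
RFC 1071 one's-complement sum. Sample values are constructed.
"""
import struct
from typing import Any, Dict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
ICMP_HDR = "!BBHHH"      # type, code, checksum, identifier, sequence
ICMP_HDR_LEN = struct.calcsize(ICMP_HDR)


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); pads odd lengths."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Serialize an echo message; the checksum is computed with its field zeroed."""
    draft = struct.pack(ICMP_HDR, msg_type, 0, 0, ident, seq) + payload
    csum = internet_checksum(draft)
    return struct.pack(ICMP_HDR, msg_type, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> Dict[str, Any]:
    """Decode an echo message, rejecting short packets and bad checksums."""
    if len(pkt) < ICMP_HDR_LEN:
        raise ValueError("ICMP packet truncated")
    if internet_checksum(pkt) != 0:          # a correctly summed packet yields 0
        raise ValueError("ICMP checksum mismatch")
    msg_type, code, _csum, ident, seq = struct.unpack(ICMP_HDR, pkt[:ICMP_HDR_LEN])
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply")
    return {"type": msg_type, "id": ident, "seq": seq, "payload": pkt[ICMP_HDR_LEN:]}


def answer_echo(request: bytes) -> bytes:
    """The receiver's side of section 2.2.2: same id, seq and payload back."""
    req = parse_echo(request)
    if req["type"] != ICMP_ECHO_REQUEST:
        raise ValueError("can only answer an echo request")
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """The sender's acceptance test for a received reply."""
    try:
        req, rep = parse_echo(request), parse_echo(reply)
    except ValueError:
        return False
    return (req["type"] == ICMP_ECHO_REQUEST and rep["type"] == ICMP_ECHO_REPLY
            and req["id"] == rep["id"] and req["seq"] == rep["seq"])


if __name__ == "__main__":
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"probe")
    rep = answer_echo(req)
    print(req.hex(), rep.hex(), reply_matches(req, rep))
```

The identifier and sequence number are the only state the sender keeps per probe, which is why a host that answers every echo request it sees, regardless of who it was addressed to, is indistinguishable from the real owner at this layer; the probe-packet defenses surveyed in chapter 3 rely on exactly this behaviour.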
2.3 TCP Packets and their Communication
TCP (Transmission Control Protocol) is a connection-oriented, reliable transport layer protocol. It is a process-to-process protocol: it creates a virtual connection between two programs to send data. Figure 2.4 shows the header format of TCP.
2.3.1 Header Format and Data Flow
Figure 2.4: TCP Header(length in bits)
Data flow: see figure 2.5. When a process B wants to send data to a process A, process B submits its data to its assigned TCP port; each process that wants to communicate over the network must bind to some port. TCP then passes the data to the IP layer after adding the TCP header. At the IP layer the IP header is added to the TCP segments, and the resulting IP datagrams are sent to the next hop corresponding to the destination IP address.
At the receiving side the same process is carried out in reverse order: the packet moves from the Ethernet layer to the IP layer, and finally at the TCP layer the payloads of the IP datagrams are demultiplexed to their respective ports and reassembled. The reassembled unit of data is then delivered to process A.
Figure 2.5: flow of TCP packets
2.3.2 TCP Handshake
As noted above, TCP is a connection-oriented transport protocol that provides in-order packet transmission. To make this possible, a three-way handshake is performed in TCP. During the handshake, the processes at both ends exchange the required fields, such as sequence number and window size.
As shown in figure 2.6, the TCP three-way handshake proceeds as follows:
1. The client sends a TCP SYN packet to the server. In the TCP SYN packet only the SYN flag is set. The sequence number of this packet is chosen at random and sent to the server. The TCP SYN packet carries no data; it is sent only to synchronize sequence numbers.
2. If the port at the server is available to serve the client, the server generates a TCP SYN/ACK packet, in which the SYN and ACK flags are set. This packet contains a sequence number and an acknowledgement number. The acknowledgement confirms that the TCP SYN packet safely reached the server, and the sequence number is a new random value chosen by the server.
Figure 2.6: TCP Handshake
If the port is unavailable, the server replies with a TCP RST packet (RST flag set). The purpose of this packet is to tell the client that the service is unavailable and that the client has to reset the connection.
3. The third packet in the handshake is the client's response to the server's SYN packet. After this packet, client and server can start sending data to each other.
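The three steps above, including the RST path for a closed port, are simulated in the following added Python example (not code from the thesis). Both ends run in one process: the server answers a SYN with SYN/ACK or with RST/ACK depending on whether the port is open, the client validates the acknowledgement number against its own initial sequence number, and a stray ACK that matches no pending SYN is refused with RST. Flag bit values are the real TCP ones; the port numbers, the open-port list, the seeded random generator and the class names are constructed, and the state handling is a simplification of RFC 793.

```python
"""Three-way handshake model: SYN, then SYN/ACK or RST, then ACK.

Added example, not code from the thesis. Both ends are simulated in one
process; ports, sequence numbers and the open-port list are constructed.
Flag values are the real TCP bit positions; state handling is a
simplification of RFC 793.
"""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD32 = 1 << 32


@dataclass(frozen=True)
class Segment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int


class Server:
    def __init__(self, open_ports, rng: random.Random) -> None:
        self.open_ports: Set[int] = set(open_ports)
        self.rng = rng
        self.syn_received: Dict[Tuple[int, int], int] = {}  # (client, server) port -> our ISN
        self.established: Set[Tuple[int, int]] = set()

    def handle(self, seg: Segment) -> Optional[Segment]:
        key = (seg.src_port, seg.dst_port)
        if seg.flags == SYN:                                 # step 1 arrives
            if seg.dst_port not in self.open_ports:
                # closed port: RST that acknowledges the SYN so the client can match it
                return Segment(seg.dst_port, seg.src_port, 0,
                               (seg.seq + 1) % MOD32, RST | ACK)
            isn = self.rng.randrange(MOD32)                  # fresh random ISN
            self.syn_received[key] = isn
            return Segment(seg.dst_port, seg.src_port, isn,
                           (seg.seq + 1) % MOD32, SYN | ACK)  # step 2
        if seg.flags == ACK and key in self.syn_received:    # step 3 arrives
            if seg.ack == (self.syn_received[key] + 1) % MOD32:
                self.established.add(key)
                del self.syn_received[key]
                return None
        # anything else (stray ACK, wrong ack number) is refused
        return Segment(seg.dst_port, seg.src_port, 0, 0, RST)


def client_connect(client_port: int, server_port: int, server: Server,
                   rng: random.Random) -> str:
    """Run the client side and report the outcome of the handshake."""
    isn = rng.randrange(MOD32)
    reply = server.handle(Segment(client_port, server_port, isn, 0, SYN))
    if reply is None or reply.flags & RST:
        return "refused"
    if reply.flags != SYN | ACK or reply.ack != (isn + 1) % MOD32:
        return "bad SYN/ACK"
    final = server.handle(Segment(client_port, server_port, (isn + 1) % MOD32,
                                  (reply.seq + 1) % MOD32, ACK))
    return "established" if final is None else "reset"


def demo() -> Dict[str, str]:
    rng = random.Random(7)             # seeded so the run is reproducible
    server = Server(open_ports={80}, rng=rng)
    stray = server.handle(Segment(40002, 80, 1, 1, ACK))
    return {
        "open": client_connect(40000, 80, server, rng),
        "closed": client_connect(40001, 23, server, rng),
        "stray_ack": "reset" if stray is not None and stray.flags & RST else "accepted",
    }


if __name__ == "__main__":
    print(demo())
```

The check that the SYN/ACK acknowledges isn + 1 is what lets a host tell a genuine answer from an unsolicited one; the same idea underlies the TCP SYN probe whose possible responses are shown in figure 3.3.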
Chapter 3
Survey of ARP Defense Techniques
There are many proposals to defend the ARP protocol against ARP cache poisoning. We can classify them into cryptographic and non-cryptographic techniques, and also into prevention, detection and mitigation techniques.
3.1 Classification of techniques
The various techniques can be categorized in the following ways:
Stateful vs stateless ARP cache
In some techniques [3] [7] a stateful ARP cache is used. A stateful ARP cache records the state of the operation being performed. By contrast, the standard ARP cache is stateless, and no host records the IP address of the host with which it started the ARP protocol. With a stateful ARP cache, whenever a host sends an ARP request an entry is created in the stateful cache; when the host receives an ARP reply, the stateful cache is consulted to ensure that the reply corresponds to a request the host actually generated. In a stateless ARP cache every received ARP request/reply packet is considered valid.
It is wrong to believe that a stateful ARP cache alone can stop ARP spoofing.
A stateful ARP cache can block unsolicited replies, but ARP requests too can be malicious, e.g. ARP cache poisoning is possible using ARP request packets. We can get the advantages of a stateful ARP cache, but we have to pay the cost in memory space and we have to upgrade the protocol stack with the stateful ARP cache. With a stateless ARP cache, on the other hand, we do not have to maintain protocol state for any host, and we do not require any dedicated memory to hold entries for sent requests.
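The two paragraphs above, as an added example that is not code from the thesis or from the techniques it cites [3] [7]: a host that keeps a set of the IP addresses it has sent ARP requests for, accepts a reply only when it matches a pending request, and still learns the sender mapping from any ARP request addressed to its own IP, as the cache rules of section 1.2 require. The scenario shows the unsolicited reply being dropped, a genuine reply being accepted, and a request carrying the same IP with a different MAC rewriting the entry regardless, which is the limitation the text points out. Addresses, class and function names are constructed; opcode values follow RFC 826.

```python
"""Stateful ARP reply filter and the gap it leaves for request-based poisoning.

Added example, not code from the thesis. Replies are accepted only when
they match a pending request; requests addressed to the host are still
learned by the stateless rule of section 1.2. Addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2      # RFC 826 opcode values


@dataclass(frozen=True)
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


class StatefulArpHost:
    def __init__(self, my_ip: str, my_mac: str) -> None:
        self.my_ip, self.my_mac = my_ip, my_mac
        self.pending: Set[str] = set()       # IPs we have sent a request for
        self.cache: Dict[str, str] = {}

    def send_request(self, ip: str) -> Arp:
        """Record the outstanding request, then return the packet to send."""
        self.pending.add(ip)
        return Arp(ARP_REQUEST, self.my_mac, self.my_ip, ip)

    def receive(self, pkt: Arp) -> str:
        if pkt.target_ip != self.my_ip:
            return "ignored"
        if pkt.opcode == ARP_REPLY:
            if pkt.sender_ip not in self.pending:
                return "dropped: unsolicited reply"   # what the state buys us
            self.pending.discard(pkt.sender_ip)
            self.cache[pkt.sender_ip] = pkt.sender_mac
            return "accepted reply"
        # A request for our IP carries the sender's mapping, and the cache
        # rules of section 1.2 record it without any solicitation check.
        self.cache[pkt.sender_ip] = pkt.sender_mac
        return "learned from request"


def scenario() -> Tuple[List[str], Dict[str, str]]:
    """Three packets arriving at one host; returns the log and final cache."""
    host = StatefulArpHost("192.0.2.10", "02:00:00:00:00:0a")
    gateway_ip = "192.0.2.1"
    gateway_mac, other_mac = "02:00:00:00:00:01", "02:00:00:00:00:bb"
    log: List[str] = []
    # 1. a reply nobody asked for: blocked by the stateful check
    log.append(host.receive(Arp(ARP_REPLY, other_mac, gateway_ip, host.my_ip)))
    # 2. the host resolves the gateway; the genuine reply is accepted
    host.send_request(gateway_ip)
    log.append(host.receive(Arp(ARP_REPLY, gateway_mac, gateway_ip, host.my_ip)))
    # 3. a request claiming the gateway's IP from another MAC still rewrites the entry
    log.append(host.receive(Arp(ARP_REQUEST, other_mac, gateway_ip, host.my_ip)))
    return log, dict(host.cache)


if __name__ == "__main__":
    log, cache = scenario()
    print("\n".join(log))
    print(cache)
```

Closing the remaining gap means checking requests as well, which is where the probe-packet techniques reviewed later in this chapter come in: they verify a claimed mapping before trusting it instead of relying on the packet type.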
Cryptographic vs non-cryptographic
Cryptographic techniques (like SARP [8], TARP [9] etc.) use cryptographic primitives, whereas non-cryptographic approaches (like SCE [6], SDE [1]) are based on distinctive features of ARP or the LAN, on the behavior of the attacker or of legitimate hosts, or on some other assumptions. Cryptographic solutions are slower than non-cryptographic techniques because they involve computational cost. Cryptographic techniques are not backward compatible, because the message format has to be changed, which requires changes at each host.
Centralized (test host) vs distributed (host based)
Centralized systems are based on a sniffing node or some test hosts in the LAN which analyze the sniffed packets to identify the attacker. In some cases [8] [9] a host in the network acts as a key store or key distribution agent. In distributed techniques, on the other hand, the responsibility for identifying the attacker does not rest on some specific host: in a host-based technique each host runs some algorithm to prevent or identify the attacker. The main drawback of a centralized system is single point of failure: if the test host in a centralized system stops working, the LAN becomes vulnerable to attack. Host-based solutions for ARP cache poisoning have no such drawback.
Prevention vs detection vs mitigation [10]
There are many techniques dealing with ARP spoofing or ARP cache poisoning. They can be broadly classified into prevention, detection and mitigation techniques.
• Prevention Technique: Prevention techniques block the ARP attack using some preventive measure so that it is not possible to perform ARP cache poisoning. They generally modify the ARP protocol and follow a new set of rules. These techniques are therefore resistant to ARP cache poisoning, but we have to pay the cost of backward compatibility.
• Mitigation Technique: These techniques are preventive measures for ARP spoofing. They do not provide a complete solution for ARP spoofing, but they reduce the chance of spoofing.
• Detection Technique: These techniques do not attempt to stop ARP spoofing; instead they identify the attacker or detect the presence of an attacker. The advantage of these techniques is that they are backward compatible, but again we pay a cost in terms of the processing time needed to identify the attacker after the spoofing has been done.
In this chapter we review many existing techniques to secure the ARP protocol. We mainly focus on the details of non-cryptographic techniques. Cryptographic techniques provide stronger protection and can solve the problem of ARP spoofing, but they suffer from higher processing and computational cost and from the single point of failure problem.
3.1.1 Non-Cryptographic Techniques for Securing ARP Spoofing
Embedded IDS to monitor and Prevent MITM attack on wired LAN
Belenguer et al. [11] implemented a low cost embedded IDS system which can detect and prevent the MITM attack. The basic concept of this technique is to refresh the mappings in the ARP cache before they time out. The refresh is done by sending an ICMP or ARP request packet. If no reply to the generated request packet is received by the sender, the sender considers the target host of the request packet to be down and removes its entry from the ARP cache.
Belenguer et al. developed two security modes depending on the availability of port mirroring¹:
¹ Replicate data from all ports of a switch onto a single port.
1. Reactive security mode
2. Proactive security mode
Reactive security mode: Port mirroring at the switch is essential for this security mode. A device is attached to the mirrored port of the switch. The attached device maintains a list of ARP cache entries and their lifetimes. This device pings (ICMP echo request) the hosts whose lifetime has expired from the cache to check whether they are still active. The system deletes from its ARP cache the entries of hosts that did not generate a reply to the ICMP echo request. If there are n active hosts, the number of extra packets generated is of the order of n.
The system stores all ARP requests in a buffer. This buffer enables the device to detect those ARP replies which are not related to any ARP request. If the device finds that an attacker is trying to perform a MITM attack, the combat MITM module repairs the cache of the victim host by telling it the correct mapping. Say, for example, that the attacker attempts to poison the cache of host B by sending it a fake ARP request/reply packet for IP A (<IP A, MAC attacker>), associating his own MAC address with IP A. Then the embedded device sends an ARP reply to host B with source mapping <IP A, MAC A> in the ARP header. The latency is therefore less than one RTT.
Proactive security mode: This mode is applicable to a switched LAN where no special mirroring port is available. The embedded device is connected to a regular port. The embedded device works to refresh the important mappings, such as the Internet gateway router, by sending corrective ARP requests.
For example, to refresh the caches of the gateway and host A, the device sends a unicast ARP request with source mapping <IP A, MAC A> in the ARP header. The gateway then sends an ARP reply to the host with source mapping <IP gateway, MAC gateway>. Thus the ARP caches of both entities get refreshed.
Detection of sniffer using trap ARP request packet
This technique by Trabelsi and Rahmani [12] is based on the ARP cache poisoning attack: a test host first corrupts the cache of all hosts that are running in promiscuous mode by sending an ARP request packet to a fake broadcast address (FF:FF:FF:FF:FF:FE) with a fake IP. FF:FF:FF:FF:FF:FE is considered a fake broadcast address because, as found in the same paper, many operating systems accept a frame whose Ethernet destination address equals FF:FF:FF:FF:FF:FE as a broadcast frame. In the next step the test host establishes a TCP connection to the host. A sniffing host replies with a TCP SYN/ACK or RST packet, whereas a normal host replies with an ARP request.
1. Setting the fake mapping in hosts running in promiscuous mode:
Figure 3.1: Fake ARP Request (ARP Header)
Figure 3.2: Fake ARP Request (Ethernet Header)
In this phase, the test host wants to corrupt the ARP cache of the hosts that are running in promiscuous mode with a fake mapping <IP-X, MAC-X>. So the test host broadcasts the trap ARP request (see figure 3.1 and figure 3.2), but the trap ARP request uses FF:FF:FF:FF:FF:FE instead of FF:FF:FF:FF:FF:FF in the destination MAC address field of the Ethernet header. This is done because the test host only wants to corrupt the hosts in promiscuous mode; otherwise all the hosts would get corrupted with this fake mapping. Now all the hosts running in promiscuous mode will have <IP-X, MAC-X> as
MITM-Resistant Address Resolution Protocol (MR-ARP)
Figure 3.4: Four MR-ARP enabled machines deployed in a LAN
The MITM-Resistant Address Resolution Protocol [13] employs a long term IP/MAC mapping table, in addition to the ARP cache used in existing ARP, to retain the IP/MAC mappings of alive machines over long periods. In order to avoid losing the mapping for alive hosts, the source keeps sending ARP requests before the timeout of any entry in the long term cache, and if a reply comes the host refreshes the entry for the IP/MAC association. If any host gets an ARP request or reply from a new IP, the host requests voting from its neighbours to judge the correctness of the IP/MAC association.
MR-ARP resolves the problem of ARP spoofing by solving two subproblems. The first is the case where a MAC conflict occurs because a host, say host B, receives a new MAC address for IP A while in its ARP cache IP A is associated with MAC A. If host A is alive, priority is given to MAC A for IP A; to check whether host A is active, 50 unicast ARP requests are sent to host A. If host B receives one or more ARP replies from host A, the mapping <IP A, MAC A> is retained in the ARP cache.
The second case is when a host receives an ARP request or reply from a new IP address, i.e. an IP address for which the receiver has no mapping in its ARP cache or long term table; then it is very difficult to verify the sender of the ARP request/reply packet. To resolve this problem a voting based technique is used. See figure 3.4: four MR-ARP enabled machines are deployed in the LAN (M1, M2, M3 and M4). When any of the MR-ARP enabled hosts receives an ARP request or reply from a new IP, say IP A, that host broadcasts a voting request for IP A. Those MR-ARP enabled hosts which contain a mapping for IP A then respond with 50 ARP voting replies carrying the IP/MAC pair. Host B accepts the first N votes. Then host B determines the MAC address that received more than 0.5N votes and accepts that MAC address as the one associated with IP A.
First the host generates n (the number of hosts in the LAN) packets as a request for voting, and then each MR-ARP enabled host (k of them) votes with traffic rate r_i. So the total extra traffic generated is n + r_i*k, and latency is incurred only for the voting process.
The voting scheme of MR-ARP works correctly when the voters have approximately the same traffic rate. If there are dissimilar traffic rates, e.g. in an 802.11 LAN, it results in unfair voting. Dissimilarity in traffic rate arises because some hosts are connected to the wired network and some are connected wirelessly. Consider the scenario where the MR-ARP enabled hosts are connected to the LAN wirelessly and the attacker is using a wired connection: the attacker can then win the voting, since owing to the dissimilarity in traffic rate the attacker can cast more votes in his favour. This limitation of MR-ARP is overcome by Nam et al. [14] by using computational puzzles.
See figure 3.5: in EMP-ARP there are two puzzles. The first is solved by the sender of the voting request and the other is solved by the neighbouring EMP-ARP hosts. The first puzzle ensures that no EMP-ARP host can perform a DoS attack by continuously sending voting requests to neighbouring EMP-ARP hosts. The second puzzle provides fairness among the hosts in voting.
The first puzzle is solved by the sender of the voting request, who computes
$m_s = MAC_A \,\|\, T_s$ (3.1)
where $MAC_A$ is the MAC address of the sender and $T_s$ is the local time of the sender, and sends it to the target host.
Figure 3.5: Enhanced MR-ARP technique
The sender transforms $m_s$ by
$c_s = F_m(m_s)$ (3.2)
where $F_m$ is a transformation function defined as
$F_m(x) = f_m(f_{m-1}(\ldots f_1(x)))$ (3.3)
where each $f_i$ is defined as a modular exponentiation.
In figure 3.5 we can see that each receiver computes and sends
$m_r = MAC_A \,\|\, MAC_R \,\|\, P$ (3.4)
where $MAC_A$ is the sender's MAC address, $MAC_R$ is the receiver's MAC address and $P$ is the parameter of the second puzzle, sent by the host that sent the vote request.
The sender of the vote request computes
$P = H(K \,\|\, MAC_A \,\|\, T_s)$ (3.5)
where $H$ is a publicly known hash function, $K$ is a secret known only to the sender, $MAC_A$ is the MAC address of the sender and $T_s$ is the local time of the sender; $P$ is sent to the neighbour nodes.
The receiver of the voting request transforms $m_r$ using the transformation function $F_m$ into $c_r$ and sends it to the host that sent the voting request, i.e. $c_r = F_r(m_r)$. After solving this puzzle the EMP-ARP node sends the MAC address of the queried IP address. The sender can verify the correctness of each answer by recomputing $m_r$ using the transformation function $G_m$. In their experiments it was found that the processing power of the hosts does not differ significantly, so each host takes approximately equal time to solve the puzzle. This results in fair voting even with dissimilar traffic rates.
Self Confirming Engine (SCE)
Figure 3.6: Flow Diagram for Self Confirming Engine (SDE) (when ARP cache doesn't have mapping for source IP in ARP request/reply packet)
Figure 3.7: Flow Diagram for Self Confirming Engine (SDE) (when ARP cache has mapping for source IP in ARP request/reply packet)
The Self Confirming Engine [6] uses ARP packets as confirmation packets to correct address mapping violations leading to a MITM attack. See figure 3.6 and figure 3.7: whenever there is a change in the information in the ARP cache, SCE generates a unicast ARP request² packet to the previous Ethernet address corresponding to the IP address of the altered entry. This results in either a response or no response from the previous Ethernet address. If an ARP reply is received, we update the ARP cache with the previous <IP, MAC> mapping, meaning that the previous MAC address is still alive and an attempt has been made to corrupt the ARP cache. If we don't receive an ARP reply, we can say that the mapping for that IP address has changed from the previous MAC address to the new one.
See figure 3.6: whenever host A does not have a mapping for the received IP address (here IP B) in its cache, host A directly updates its cache without any confirmation. So an attacker can send false ARP packets in such a situation and get an entry into the ARP cache of host A. This is a serious drawback of SCE. From figure 3.7 we can see that two extra ARP packets are generated as the cost, and the detection completes in less than 2*RTT.
The main requirement of SCE is that the ARP cache of a host must contain the correct MAC address for the received IP address, so that SCE can send the confirmation packet to the correct host and get updated correctly. If the ARP cache doesn't hold the correct mapping for that IP, the attacker can perform poisoning successfully by sending fake packets.
Spoof Detection Engine (SDE)
Figure 3.8: Flow Diagram for Spoof Detection Engine (SDE)
See figure 3.8: in this technique [1], there is a sniffing host in the LAN which sniffs the entire ARP traffic, and whenever the sniffing host finds an ARP packet that mismatches its database it directly generates an alarm; otherwise, in case of new information for its database, the mapping is confirmed by sending a confirmation packet to the host. Suppose host B sends an ARP request with source entry <IP B, MAC B> in the ARP header to host A, requesting the MAC address of IP B, and sniffing host A doesn't have an entry for IP B in its cache. Then host A sends a TCP SYN packet as a confirmation packet to host B; the TCP SYN packet is sent to IP B with destination MAC address equal to MAC B. It is assumed that the protocol stack is correct. Therefore if a TCP SYN/ACK or TCP RST is received by host A in response to the TCP SYN packet sent to host B, no ARP spoofing has been done by host B; otherwise, in case of no response, we can say that ARP spoofing has been done, because we get no reply to the confirmation packet and the possible reason must be that the packet was dropped at the host due to a mismatch of IP address.
² The destination MAC address in the Ethernet header of the ARP request contains the MAC address of the host instead of the broadcast MAC address (FF:FF:FF:FF:FF:FF).
This technique is effective only against weak script kiddies; it is not effective against an intelligent attacker. For an intelligent attacker, who has a customized protocol stack, the paper claims that spoofing can be detected but the attacker cannot be identified. One major drawback of this technique is that it has a single point of failure.
A suspected host is confirmed by sending a TCP SYN packet, so the extra traffic is the TCP SYN packet and its response. Its latency is 2*RTT.
3.1.2 Cryptographic Techniques for ARP
The following techniques use cryptographic primitives to achieve defence against ARP spoofing:
Secure ARP [8] uses asymmetric cryptography. Any SARP enabled host is identified by its own IP address and has a public/private key pair. There is a trusted third party, the Authoritative Key Distributor (AKD), that is contacted to get the public key of a host so that ARP replies can be authenticated by verifying the appended signature.
The Ticket Based Address Resolution Protocol (TARP [9]) implements security by distributing centrally generated IP/MAC address mapping attestations, called tickets, signed by a Local Ticket Agent (LTA). Hosts attach this ticket to ARP replies so that the receiver can verify the validity of the address association.
Secure Unicast ARP (SUARP [15]) extends the DHCP protocol to handle its packets. The DHCP+ server can be configured to have the MAC-to-IP address mapping, or vice versa, for all the computers under its domain. If a host wants to communicate with another host and does not have its MAC address, the host sends a unicast SUARP request packet to the DHCP+ server. The DHCP+ server replies with the requested MAC address together with a message integrity code (MIC). The host then uses the MIC to judge the correctness of the message and responds with an acknowledgement.
In the Goyal and Tripathy [16] scheme, two components of an ARP reply are identified: the <IP address, MAC address> mapping and the recency of the <IP address, MAC address> mapping. The <IP, MAC> mapping requires a digital signature, since the <IP, MAC> mapping must be authentic and its authenticity must be publicly verifiable. The second requirement is fulfilled by a one time password in the ARP reply. By including a one time password we can indicate the recency of the <IP address, MAC address> mapping, and this eliminates the chance of misuse of a legitimate user's digital signature by the attacker. Here a digital signature contains the IP address to MAC address mapping, the clock time and the tip of a hash chain³ used for verifying one time passwords. Each host H_i maintains a five tuple entry <IP, MAC, n, H^n(K||R), t> for any host H_j with which host H_i wants to communicate, where n is the time period of 20 minutes from time t, K is the secret of host H_j, R is a random number selected by H_j and H is a hash function. After the ith cache timeout period host H_j recomputes its signature and the (i-1)th one pass key and sends them as an ARP reply. Host H_i uses the public key of H_j to get the one pass key and computes the hash of the one pass key to verify the reply; if it is correct, host H_i updates its cache with the new one pass key and refreshes the <IP, MAC> mapping.
³ A hash chain can be defined as a series of hashes, e.g. H^{n+1}(k) = H(H^n(k)) where H is any one way hash function like MD5.
3.1.3 Some other Techniques
The detection scheme of Trabelsi and Shuaib [17] first detects the hosts that have IP packet routing⁴ enabled. A test host generates trap ICMP echo request packets to given target hosts in the network. Hosts that have IP routing enabled respond, and other hosts drop the ICMP echo request packet. Then the test host corrupts the ARP cache of all the hosts that responded to the ICMP request packet and collects the packets forwarded by them. After analysing the packets, one can discriminate the suspicious host. It generates n-1 trap ICMP packets, and the test host gets responses from m IP forwarding enabled hosts. After that the test host sends ARP packets to corrupt the cache of the suspected hosts. So the total number of extra packets generated is (n-1) + m + (m * no. of packets required to corrupt the cache).
El Hazz and Trabelsi [3] used the mechanism of a stateful ARP cache and fuzzy logic to prevent ARP cache poisoning. The ARP reply to a sent ARP request is verified by sending a unicast ARP request to the sender MAC address of the ARP reply packet for which the ARP request had been sent. If a reply to the unicast ARP request is received, that MAC address is a possibility for the requested IP address. So for each received ARP request, an ARP request is sent back to the sender of the ARP request. It causes two extra ARP packets in the total ARP traffic.
Suppose more than one MAC address responded for that IP, say IP B; then the mapping is resolved using a Fuzzy Logic Controller. Each host maintains some previous knowledge about the hosts with which it communicated previously. When a host gets multiple responses to an ARP request, which host should be trusted is decided by two factors: Trust Level (TL) and Importance (Im).
$SecurityLevel = F(TrustLevel, Importance)$ (3.6)
The Trust Level indicates how much the host is trusted, in terms of trusted, highly trusted or not trusted at all. The Importance factor indicates the importance of a system; e.g. a router is more important than an internal server, and an internal server is more important than a laptop. These two values are combined, and a host in a state of confusion uses this information to resolve the mapping in case of multiple ARP replies to an ARP request. Fuzzy logic is used to combine the effect of TL and Im. But here the problem is that a host with a high security level can easily impersonate a host of lower security level, because it has the higher security level.
⁴ IP routing is the process of forwarding a packet based on the destination IP address. IP uses a routing table to determine the next-hop IP address and interface for a packet being sent or forwarded.
In the Wang and Zhou [7] approach, a stateful ARP cache is implemented instead of a stateless one in order to manage and secure the ARP cache. There is a difference between the response frequency of a malicious host and that of a legitimate host: because the attacker wants to associate his MAC address with the respective IP in the target host's ARP cache, he sends ARP responses more frequently than a normal host. So the host with the higher response frequency is declared to be the attacker. If the response frequencies are not very different, the victim host, which is resolving the mapping, sends a large number of refuse packets to the LAN. By monitoring the response time one can differentiate between legitimate and malicious replies, because the response time of a legitimate host follows a normal distribution while the response time of a malicious host is abnormal, since it accepts many refuse packets and takes more time to respond. It takes N timeouts of latency.
In the middleware approach [18], two queues are maintained, called requestedQ and respondedQ. When a host sends an ARP request packet, this is memorised by recording the target IP in the requestedQ. When the host receives a reply, the requestedQ is checked for whether a request is outstanding. If a request is outstanding, its entry is moved to the respondedQ; if it is not present in the requestedQ, it is checked in the respondedQ. If the respondedQ already has an entry, the response is considered a duplicate and the cache is checked. If the entry is found in the cache it is refreshed; if not, an alarm is raised and the entry for that IP is flushed. As it uses a stateful ARP cache and updates the ARP cache only through ARP requests, if the receiver of an ARP request wants to communicate with the sender it has to send an ARP request packet again.
3.2 Attacking Model
An attacker is a malicious user who generates fake packets in order to exploit the ARP protocol. As we have seen, anyone in the LAN can perform an ARP cache poisoning attack simply by generating fake packets. Many papers discuss ARP cache poisoning, but they don't give a clear picture of attacking models. Many proposed techniques only discuss how ARP cache poisoning can be avoided, but they don't mention the motives and behaviour of the attacker. The paper by Ramachandran [1] gives a clear separation between two types of attacker: the weak attacker and the strong attacker. We use these two attacking behaviours.
• Weak Attacker: This category of attacker can generate spoofed packets using any software (e.g. arp-sk⁵, Cain and Abel²), but they don't have a compromised protocol stack. The protocol stack works correctly and generates the correct reply for any request packet sent to the host. A weak attacker possesses the power to generate fake packets, but he can't stop or control other hosts or network devices from doing their usual job. The attacker can't prevent other hosts from generating responses or other packets; similarly, the attacker can't control the networking devices in his favour.
• Strong Attacker: This category of attacker is more powerful than the weak attacker: they can generate fake packets just as weak attackers do, but they have one more power over the weak attacker, namely a compromised protocol stack. For any detection system it is very difficult to identify a strong attacker compared to a weak attacker, because a strong attacker modifies his protocol stack according to the detection technique, while a weak attacker has a correct protocol stack, so the detection technique can easily identify the weak attacker.
⁵ http://sid.rstack.org/arp-sk/
² http://www.oxid.it/cain.html
3.3 Comparison of Existing Techniques
In the following table we compare the existing techniques by considering them in the weak and strong attacking models. We also list the number of extra packets generated and the time taken by these techniques to resolve the correct mapping after receiving an ARP request/reply. The following variables are used in the table:
• Y - The listed technique is effective for the respective attacking model.
• N - The listed technique is not effective for the respective attacking model.
• n - Number of hosts in the network.
• m - Number of suspicious hosts.
• r_i - Reply traffic rate.
• k - Number of MR-ARP enabled hosts.
• RTT - Round trip time.
In table 3.1 we analyse the existing cryptographic techniques. Abad et al. [10] gave some performance analysis for cryptographic techniques, and we include their results in table 3.1. We can see that cryptographic techniques are a good solution against the intelligent attacker, but their main drawbacks are that they take processing time and that they are centralized solutions: if the centralized system gets compromised, the whole technique collapses.
Table 3.1: Comparison of Existing Techniques

Approach | Weak Attacker | Strong Attacker | No. of Packets | Latency

Cryptographic Techniques
SARP [8] | Y | Y | n+2 | 2*RTT + 2*decryption time
TARP [9] | Y | Y | n | RTT + decryption time
SUARP [15] | Y | Y | Decrease 9.22 times | RTT + decryption time
Goyal and Tripathy scheme [16] | Y | Y | Less than 1% degradation of performance | RTT + time for calculating hash

Non-cryptographic Techniques
Embedded IDS [11] | Y | N | Number of active hosts | Less than RTT
Fuzzy Logic Scheme [3] | Y | Y | Two extra ARP packets for each generated ARP request | –
Sniffer Detection [12] | Y | N | 3*(n-1) | Less than 1.5*RTT
MR-ARP [13] | Y | N | n + r_i*k | Voting time
SCE [6] | Y | N | Two ARP packets for each received update | 2*RTT
SDE [1] | Y | N | Two TCP packets for each mapping conflict | 2*RTT
Trabelsi and Shuaib Scheme [17] | Y | N | m + (n-1) + m*no. of packets to corrupt ARP cache | –
Wang and Zhou Scheme [7] | N | N | Packets taken for sample | N timeouts
Middleware approach [18] | N | N | More than ARP | –
We can see in table 3.1 that none of the non-cryptographic techniques can identify the attacker in the strong attacking environment, except the fuzzy logic scheme [3].
Chapter 4
Proposed Technique
Any probe packet based technique, e.g. SCE [6], SDE [1] etc., works on the assumption that the hosts in the LAN, including the attacker, have a correctly running protocol stack. These techniques assume that hosts can't modify their protocol stack. They can correctly identify the weak type of attacker, because a weak attacker only uses some software to generate spoofed packets and his protocol stack is correct. Hence any probe packet based technique can take advantage of the correct protocol stack of the suspected host to verify the IP to MAC mapping by sending a query packet to the suspect. ARP request, TCP SYN or ICMP packets can be used as query packets. In the case of a weak attacker, if the suspect is a legitimate host it generates the appropriate reply to the query packets; otherwise, if the suspect is the attacker, the query packets get dropped at the suspect because of some mismatch in IP address or MAC address. Therefore the suspect can't generate a response to the query packets and can be identified as the attacker.
But an intelligent attacker can evade such probe packet based techniques by generating the appropriate response to the query packet. For example, in the weak attacking environment SDE [1] uses a TCP SYN packet as the query packet to confirm whether the suspected host is genuine or an attacker. So if an attacker generates a TCP ACK packet for the query TCP SYN packet, the test host would believe that the attacker is a legitimate host.
4.1 Assumptions
We assume that an intelligent attacker, termed a strong attacker, can modify his protocol stack and that it is not necessary for him to follow the flow sequence of packets in any protocol (e.g. BackTrack OS¹). At the same time, a legitimate host has a correct protocol stack. A strong attacker works in promiscuous mode, meaning he can sniff all the packets arriving at his network interface.
We consider an adversary who can't control the network devices or the communication channel. An attacker can impersonate a different host, but he can't stop the real host from replying to ARP requests for it, because an ARP request is broadcast over the LAN and so is received by the real host as well as by the attacker. The real host will then reply to the ARP request.
We assume that the attacker doesn't want to be out of communication over the LAN for a long time. Here, out of communication means that other hosts over the LAN can't communicate with that host. If any host wants to remain reachable in the LAN, it must generate ARP replies for received ARP requests; otherwise it can't communicate. So every host will generate a response to ARP requests for its own IP address.
As discussed above, a strong attacker has the power to make changes to his protocol stack and can manipulate the flow of packets. Therefore, if an intelligent attacker has any clue that he is under some test, in other words if the attacker finds that the target of ARP spoofing is using some technique to validate the attacker, then the attacker will act appropriately and evade the detection technique.
¹ www.backtrack-linux.org
4.2 Rules in Proposed Technique
The proposed technique works on the following rules:
• Rule A: “The network interface card of a host working in non-promiscuous mode will accept only those packets which are sent to its MAC address, the broadcast address and subscribed multicast addresses. In promiscuous mode the network interface card of a host will accept each and every packet that strikes the network interface and push the captured packets to the upper layers of the protocol stack.”
• Rule B: “If a test host receives an ARP request/reply and the mapping for the source IP address in the received ARP header is present in the test host's ARP cache, then broadcast an ARP request for the source IP in the received ARP request/reply packet.”
• Rule C: “If a test host receives an ARP request/reply and it doesn't have a mapping for the received IP address in its ARP cache, then the test host broadcasts many ARP requests, one for each possible IP address in the LAN.” This rule requires further discussion, and we will see it in section 4.5.
4.3 Working of Proposed Technique
The detailed working of the proposed technique is shown in algorithm 1 (ARP spoofing detection module) and algorithm 2 (broadcast test). The above rules are used to identify the attacker. According to rule A, whenever a test host receives an ARP packet it accepts only those packets which are sent to its MAC address, the broadcast address or a subscribed multicast address. This rule is derived from the normal behaviour of a correct host. The received ARP packet and the state of the ARP cache decide which rule is applicable to identify the correct IP to MAC address mapping.
When a test host receives an ARP packet, there are two possibilities for the source <IP, MAC> mapping: either the mapping is present in the ARP cache of the test host or it is not. These conditions are handled by rule B and rule C in the following ways:
• IP to MAC address mapping present in ARP cache: According to rule B, if the source <IP, MAC> mapping of the received ARP packet is present in the ARP cache of the test host, the test host broadcasts an ARP request for the source IP address in the received ARP packet. For example, if the test host receives the source mapping <IP A, MAC B> in an ARP request/response packet and the test host has the mapping <IP A, MAC A> in its cache, then the test host sends a broadcast ARP request packet for IP A.
• IP to MAC address mapping not present in ARP cache: According to rule C, if the source <IP, MAC> mapping of the received ARP packet is not present in the ARP cache of the test host, the test host goes for the broadcast test. In the broadcast test the test host generates a broadcast ARP request packet for each IP address in the LAN. The test host moves to promiscuous mode and collects the ARP replies arriving within the timeout period of the ARP request/reply exchange. We will see further details of the broadcast test in section 4.5.
4.4 Identification of Attacker
Figure 4.1: Confirmation of Legitimate host in case of weak attacker
Algorithm 1 ARP spoofing detection module
Description : Algorithm for the enhanced technique to correctly identify the mapping between IP address and MAC address at a given host.
Input : ARP request/reply packet from any other host.
1: if there is a mismatch between the information in the received ARP packet and the ARP cache, or the ARP request/reply comes from an IP address that has no entry in the ARP cache then
2:   if the source IP address in the ARP header has an entry in the ARP cache then
3:     Generate a broadcast ARP request for the source IP in the received ARP packet. - - - - (Rule B)
4:     if an ARP response arrives from the previous MAC address of that IP then
5:       Update the ARP cache so that the previous MAC address corresponds to that IP.
6:     else
7:       Go for Broadcast test() - - - - (Rule C)
8:     end if
9:   else
10:    Go for Broadcast test() - - - - (Rule C)
11:  end if
12: else
13:   Don’t do anything
14: end if

Algorithm 2 Broadcast test()
Description : Algorithm to perform the broadcast test so that the test host can identify the correct mapping of IP address to MAC address.
1: Generate broadcast ARP request packets with mean µ and variance σ² for all the possible IP addresses in the LAN.
2: Record all the ARP replies that arrive within the valid time for the sent ARP requests.
3: if the test host got two or more replies from the same MAC address then
4:   The MAC address belongs to an attacker who wants to spoof some IP address. Remove the mappings from the ARP cache corresponding to the attacker’s MAC address.
5: else
6:   Update the ARP table for the IP address with the MAC address that responds for only a single ARP request.
7: end if

The basic idea used to identify the attacker is shown in figure 4.1. If a host receives an ARP request/reply packet and the source <IP , MAC> mapping in the ARP packet does not match the mapping present in the ARP cache of the host, then the receiving host sends a confirmation packet for the source IP address in the ARP header of the received packet; in the proposed technique the confirmation packet is an ARP request packet. A legitimate host will generate a response to the confirmation packet. Thus we can identify the correct mapping for the IP address.
The above test is sufficient for a weak attacker, and existing techniques [1] [4] [3] [12] similarly use this approach to identify the attacker. But a strong attacker can deceive probe packet based techniques by generating an appropriate response for the probe packets. In this section we explain how one can identify the attacker when the attacker is intelligent.
When a host, say host A, receives an ARP packet, each received ARP packet carries a source mapping, say <IP B , MAC B>. It is also possible that the host receives multiple ARP request/reply packets. The source <IP , MAC> mapping is not necessarily present in the ARP cache of host A, so the following cases arise:
• Host A has a mapping in its ARP cache for IP B (mapping present in ARP cache of test host).
• Host A does not have a mapping in its ARP cache for IP B (mapping not present in ARP cache of test host).
4.4.1 Mapping present in ARP cache of test host
Figure 4.2 shows the details of the case when the test host has a mapping for the source IP address of the received ARP packet in its ARP cache. Suppose an attacker, say host C, sends a spoofed ARP request with source mapping <IP B , MAC C> to host A, and host A has IP B mapped to MAC B in its ARP cache. There is a chance that host B has changed its MAC address from MAC B to MAC C. So, in order to find out the correct mapping for IP B, host A broadcasts an ARP request for IP B, and host B responds with an ARP reply packet corresponding to the ARP request packet for IP B.
Figure 4.2: Identification of attacker when host A has correct mapping in his ARP cache
The attacker, host C, cannot stop host B from generating a reply for the ARP request packet, and the attacker cannot control the communication channel, so the ARP reply reaches host A and the MAC address in host A’s ARP cache corresponding to IP B is matched against the source mapping in the reply from host B. If the previous MAC address corresponding to IP B is the same as the source MAC address from host B, then we can say host B is the legitimate host and MAC C is declared the attacker, because it attempted to associate IP B with its own MAC address.
One important thing to notice is that we use a broadcast ARP request, while several existing techniques [6] [3] [13] use a unicast ARP packet to confirm whether the previous MAC address corresponding to the source IP address in the ARP request is alive or not. We use broadcast because a unicast ARP request is not a conventional ARP packet. Some IDS, such as Snort (http://www.snort.org), will generate an alarm for a unicast ARP request. From another point of view, a unicast ARP packet helps an intelligent attacker to identify the hosts that are running some defense technique against ARP spoofing.
Figure 4.3: Confirmation of Legitimate host
Figure 4.4: Confirmation of attacker
4.4.2 Mapping not present in ARP cache of test host
Figure 4.3 and figure 4.4 show the details of the case when the test host does not have a mapping for the source IP address of the received ARP packet in its ARP cache. In the previous case the test host had a mapping in its ARP cache that could be used to verify the responses by giving priority to the MAC address already present in the cache. Here no such mapping exists, and that is the reason we have to generate ARP requests for all IP addresses in the LAN.
So whenever a test host, host A, receives an ARP packet and host A does not have a mapping for the source IP address of the packet, host A generates a flood of ARP requests for all possible IP addresses in the LAN. Each host in the LAN generates a response for the ARP request corresponding to its own IP address. So each legitimate host claims a single IP address.
A strong attacker, say host C, must generate replies to the ARP requests for both his own IP address and the victim’s IP address, IP B, because host C wants to poison the ARP cache of host A and associate his MAC address MAC C with IP B. So host A receives two responses for IP B, one from host B (the legitimate host) and another from host C (the attacker), but we know that a single IP address cannot be assigned to more than one host or MAC address. So we can say that someone is trying to poison the ARP cache of host A. Meanwhile, host C also generates a response for his own IP address, IP C. If host C remains silent for the interval of time during which the broadcast test is running and does not answer the ARP request for his own IP address, then he loses communication with the other hosts for that interval.
By analyzing the responses we can identify the attacker and the legitimate host. A legitimate host generates an ARP reply only for the ARP request for its own IP address. At the same time, the attacker generates responses for two ARP requests. So we can easily identify the attacker.
An intelligent attacker can sniff the flood of ARP requests and infer that a test is being conducted by the test host. The attacker can then evade the test by not generating a response for his own IP address, because this leaves the test host in a dilemma about which MAC address to choose for the IP address under test. So it is very important to hide the flood of ARP requests so that the attacker cannot notice the test being conducted on him. Suppose the attacker knows about the test and tries to evade the technique by not generating a response to the ARP request for his own IP; then the attacker has to pay the cost of losing communication for a sufficiently long time.
In the following section we discuss how we hide the ARP request traffic from the attacker.
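The detection module of algorithm 1 and Broadcast test() of algorithm 2, covering both cases of sections 4.4.1 and 4.4.2, as an added offline model that is not the thesis’s own C implementation: the ARP cache is a dict, packets and replies are (ip, mac) pairs, and every address and reply list below is constructed, so nothing is sent on a network.

```python
# Added example, not the thesis's own code: an offline model of Algorithm 1
# (ARP spoofing detection module) and Algorithm 2 (Broadcast test()).  The
# ARP cache is a dict, received packets and replies are (ip, mac) tuples, and
# all addresses below are constructed (192.0.2.0/24, locally administered MACs).
from collections import defaultdict

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def rule_a_accepts(dst_mac, own_mac, subscribed_multicast=()):
    """Rule A: a correct host only accepts frames addressed to its own MAC,
    the broadcast address or a multicast group it has subscribed to."""
    return dst_mac == own_mac or dst_mac == BROADCAST_MAC or dst_mac in subscribed_multicast


def broadcast_test(replies):
    """Algorithm 2 (Rule C), evaluated over the ARP replies collected while the
    test host flooded one ARP request per IP address in the LAN.

    A MAC address that replied for two or more IP addresses is the attacker
    (step 4); a MAC that replied for exactly one IP is accepted (step 6).
    Returns (confirmed mappings ip -> mac, set of attacker MACs).
    """
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac].add(ip)
    attackers = {mac for mac, ips in ips_by_mac.items() if len(ips) >= 2}
    confirmed = {ip: mac for ip, mac in replies if mac not in attackers}
    return confirmed, attackers


def detection_module(cache, src_ip, src_mac, rule_b_replies=(), broadcast_replies=()):
    """Algorithm 1 for one received ARP packet whose source mapping is
    <src_ip, src_mac>.  `cache` (ip -> mac) is updated in place.

    rule_b_replies: replies to the single broadcast ARP request that Rule B
      sends for src_ip.
    broadcast_replies: replies to the Broadcast test() flood, used when Rule C
      applies.
    Returns "consistent", "updated" or "attacker:<mac,...>".
    """
    if cache.get(src_ip) == src_mac:
        return "consistent"                      # step 13: nothing to do
    if src_ip in cache:                          # steps 2-3: Rule B
        previous_mac = cache[src_ip]
        if (src_ip, previous_mac) in rule_b_replies:
            cache[src_ip] = previous_mac         # step 5: previous owner is alive
            return "attacker:" + src_mac
        # step 7: the previous owner stayed silent, fall back to Rule C
    confirmed, attackers = broadcast_test(broadcast_replies)   # steps 7/10
    for ip in [ip for ip, mac in cache.items() if mac in attackers]:
        del cache[ip]                            # Algorithm 2, step 4
    cache.update(confirmed)                      # Algorithm 2, step 6
    if attackers:
        return "attacker:" + ",".join(sorted(attackers))
    return "updated"


def demo():
    """Two constructed scenarios mirroring figures 4.2 and 4.3/4.4."""
    ip_b, ip_c, ip_d = "192.0.2.2", "192.0.2.3", "192.0.2.4"
    mac_b, mac_c, mac_d = "02:00:00:00:00:0b", "02:00:00:00:00:0c", "02:00:00:00:00:0d"

    # Case 1 (section 4.4.1): host A already maps IP B to MAC B; attacker C
    # claims <IP B, MAC C>.  B answers the broadcast request, so C is caught.
    cache1 = {ip_b: mac_b}
    verdict1 = detection_module(cache1, ip_b, mac_c, rule_b_replies=[(ip_b, mac_b)])

    # Case 2 (section 4.4.2): host A has no mapping for IP B.  In the flood,
    # B answers for IP B, D for IP D, and C answers for both IP B and IP C.
    cache2 = {}
    flood = [(ip_b, mac_b), (ip_d, mac_d), (ip_b, mac_c), (ip_c, mac_c)]
    verdict2 = detection_module(cache2, ip_b, mac_c, broadcast_replies=flood)
    return verdict1, cache1, verdict2, cache2


if __name__ == "__main__":
    print(demo())
```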
4.5 Hiding the traffic pattern: in case of Probe Packets
The type of attacker who has the power to generate fake packets and has a compromised protocol stack comes under the category of strong attacker. Many techniques are limited to the weak type of attacker; in some research papers [1] the authors tried to deal with the strong type of attacker, but they are limited to the detection of the attacker only. It is very difficult to identify the strong attacker.
It is important to determine the correct IP address and MAC address pair. In case an attacker generates an appropriate reply for the probe packets, the victim host will receive two or more MAC addresses corresponding to some IP, one from the correct host and another from the attacker. In such a scenario the test host cannot proceed with communication, as it does not know the correct mapping; hence it is important to resolve the conflict and identify the correct IP address to MAC address mapping.
If we want to correctly identify the mapping of an IP address to the true host, then we have to generate the probe packet traffic in such a way that the attacker cannot differentiate between normal ARP request traffic and the request packets generated by the verification test run by the test host. If the test host injects the probe packets directly into the network, the attacker can sniff the traffic and, from such a sudden rise in traffic, infer that a test is being conducted by the test host to resolve the correct mapping; if he then generates replies to the ARP requests for his own IP address and the IP address he wants to spoof, the attacker is caught.
So the attacker will bypass this verification test by not generating the ARP reply for his own IP address, and because of this he has to pay with loss of communication for the period of the verification test. If we do not want the attacker to be able to bypass the verification test, then the test host must generate ARP request traffic similar to that of the normal hosts present in the LAN.
In order to generate ARP request traffic similar to normal ARP traffic, we analyze the LAN traffic; the test host determines the mean (µ) and variance (σ²) and uses these parameters to schedule the traffic for the verification test.
calculation of mean and variance for normal ARP traffic

sample      mean    variance
sample01    µ1      σ1²
sample02    µ2      σ2²
sample03    µ3      σ3²
sample04    µ4      σ4²
sample05    µ5      σ5²
sample06    µ6      σ6²
sample07    µ7      σ7²
sample08    µ8      σ8²
sample09    µ9      σ9²
sample10    µ10     σ10²
As the above table shows, the test host has taken 10 samples of ARP request traffic in order to calculate the parameters for generating the probe packets to the attacker, so that the attacker cannot identify the probe packets.
$$\mu = \frac{\mu_1 + \mu_2 + \cdots + \mu_{10}}{10} \quad (4.1)$$

$$\sigma^2 = \frac{\sigma_1^2 + (\mu - \mu_1)^2 + \sigma_2^2 + (\mu - \mu_2)^2 + \cdots + \sigma_{10}^2 + (\mu - \mu_{10})^2}{10} \quad (4.2)$$
Now the test host has the parameters to generate the probe packets at the rate of the normal ARP request traffic in the LAN. But the test host does not yet have a schedule for generating the packets. The packet generation can be easily scheduled using the following equation, which follows a distribution whose mean is µ and whose variance is σ²:

$$x = \mu + \sigma \cdot \mathrm{random\_fun}(0, 1) \quad (4.3)$$
where x gives the number of ARP requests generated per unit time, µ and σ are the calculated values, and random_fun(0,1) generates n random numbers with µ=1 and σ²=0. For example, suppose we have µ=1.382 and σ²=203.097; then we generated the following schedule using the above equation for 186 seconds (supposing there are 256 hosts in the LAN), because within 186 seconds we can generate 256 ARP requests with µ=1.382, see figure 4.5.
Figure 4.5: Generated schedule (number of ARP request packets generated per second)
If the attacker sniffs all the traffic, he can learn that the test host has generated probe packets to resolve the mapping, and in such a situation a stronger attacker can take advantage, because in each probe packet the Ethernet source and the ARP header source MAC address are marked with the MAC address of the test host. So we choose 20 randomly generated MAC addresses and use these MAC addresses to send the probe packets, so that the attacker cannot learn of the presence of the verification test.
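The parameter estimation of equations 4.1 and 4.2 (generalized here from 10 samples to any number of samples), the per-second schedule of equation 4.3 and the randomly generated source MAC addresses, as an added example that is not the thesis’s own code: it assumes random_fun(0,1) is a standard normal draw, clips negative draws to zero, and uses constructed sample statistics.

```python
# Added example, not the thesis's own code: the probe-traffic parameters of
# section 4.5.  Equations 4.1 and 4.2 are generalized from 10 samples to any
# number of samples; equation 4.3 is applied per second until one ARP request
# per host has been scheduled.  Assumptions made here: random_fun(0, 1) is a
# standard normal draw, negative draws are clipped to zero, and the sample
# statistics in demo() are constructed, not measured.
import math
import random


def pooled_mean(sample_means):
    """Equation 4.1: the mean over the per-sample means."""
    return sum(sample_means) / len(sample_means)


def pooled_variance(sample_means, sample_variances):
    """Equation 4.2: each sample contributes its own variance plus the squared
    distance of its mean from the pooled mean (the variance of the combined
    observations when every sample has the same size)."""
    mu = pooled_mean(sample_means)
    terms = [v + (mu - m) ** 2 for m, v in zip(sample_means, sample_variances)]
    return sum(terms) / len(terms)


def probe_schedule(mu, sigma2, hosts, seed=None):
    """Equation 4.3, x = mu + sigma * random_fun(0, 1), evaluated once per
    second.  Returns the per-second counts of ARP requests to emit, long
    enough that their sum covers one request for each of `hosts` addresses."""
    rng = random.Random(seed)
    sigma = math.sqrt(sigma2)
    schedule, scheduled = [], 0
    while scheduled < hosts:
        x = max(0, round(mu + sigma * rng.gauss(0.0, 1.0)))
        schedule.append(x)
        scheduled += x
    return schedule


def random_source_macs(count, seed=None):
    """Locally administered unicast MAC addresses (first octet: bit 1 set,
    bit 0 clear) to use as Ethernet/ARP source of the probes, so that the
    probes do not all carry the test host's own MAC address."""
    rng = random.Random(seed)
    macs = []
    for _ in range(count):
        octets = [rng.randrange(256) for _ in range(6)]
        octets[0] = (octets[0] | 0x02) & 0xFE
        macs.append(":".join("%02x" % o for o in octets))
    return macs


def demo():
    """Constructed per-sample statistics for 10 captures of ARP request traffic."""
    means = [1.2, 1.5, 0.9, 1.8, 1.1, 1.6, 1.3, 1.4, 1.0, 2.0]
    variances = [0.4, 0.6, 0.3, 0.9, 0.5, 0.7, 0.4, 0.5, 0.3, 1.1]
    mu, sigma2 = pooled_mean(means), pooled_variance(means, variances)
    schedule = probe_schedule(mu, sigma2, hosts=256, seed=1)
    return mu, sigma2, schedule, random_source_macs(20, seed=1)


if __name__ == "__main__":
    mu, sigma2, schedule, macs = demo()
    print(mu, sigma2, len(schedule), "seconds", sum(schedule), "requests")
```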
Chapter 5
Experiment and Results
5.1 Experimental setup
We did the experiment over a switched LAN (see figure 5.1). The LAN consists of 20 machines and one system working as the gateway. In figure 5.1 we focus on three systems: the gateway, host A as the victim (running Windows XP), and a third host (Ubuntu 11.10) working as the attacker. The IP address and MAC address of each host are given in figure 5.1.
Figure 5.1: Experiment setup
The following libraries and software were used for the implementation of the code base and for the experiments:
1. Wireshark (http://www.wireshark.org) (for analysis of network packets)
2. libpcap (http://www.tcpdump.org) (for capturing the network packets)
3. libnet (http://www.packetfactory.net/libnet) (for injecting packets into the network)
4. ’C’ programming language
Figure 5.2 shows the trace of simple ARP protocol packets. The first trace shows that host A transmitted a broadcast ARP request packet to learn the MAC address of 10.100.57.40. Then the host corresponding to 10.100.57.40 replies to host A with its MAC address, and the resulting state of the ARP cache is shown in figure 5.4.
Figure 5.2: Simple ARP Protocol
Figure 5.3 shows that a single spoofed ARP reply can be used to poison the cache of host A. The attacker sends an ARP reply to host A with the fake source mapping <10.100.57.2 , 00:1f:e2:5c:45:ad> in the ARP reply. Then host A updates its ARP cache entry for 10.100.57.2, and the change is reflected in the ARP cache, figure 5.4.
Figure 5.3: Spoofed ARP reply from attacker to host A
Figure 5.4: State of ARP cache at host A
Figure 5.5 shows the basic concept of the proposed technique. In the first trace of figure 5.5, the attacker sent an ARP reply with the fake source mapping <10.100.57.2 , 00:1f:e2:5c:45:ad>. So host A generates two ARP requests in order to identify the attacker, one for 10.100.57.2 and another for 10.100.57.40. The gateway generates an ARP reply for the ARP request for 10.100.57.2. As the attacker wants to associate his MAC address with 10.100.57.2 in host A’s cache, the attacker also generates an ARP reply for the ARP request for 10.100.57.2.
Now host A generates an ARP request for 10.100.57.40. The attacker will generate an ARP reply for the ARP request for 10.100.57.40; otherwise, if the attacker refuses to generate an ARP reply, he is out of communication. We catch the attacker by seeing ARP replies from him for two IP addresses.
Figure 5.5: Basic scheme to identify the attacker
Here we saw that host A directly generated an ARP request for 10.100.57.40. But in practice it is very difficult to guess which IP address to check. So in the actual algorithm we use Broadcast test() to generate ARP requests for all the IP addresses. It is also important to hide the probe packets from the attacker’s knowledge, and this is done in Broadcast test().
5.2 Measure of generated ARP traffic
Figure 5.6: ARP request traffic in normal ARP protocol
Figure 5.6 shows the normal ARP request packet traffic of the normal ARP protocol. Figure 5.7 represents the ARP request traffic generated by any probe based technique to correctly identify a weak attacker. Figure 5.8 represents the ARP request packet traffic generated by our proposed technique. Here we use the ARP request packet as the probe packet. Every probe based technique generates a probe packet whenever the test host is uncertain about the IP address to MAC address mapping, and the reply to the probe packet is used to resolve the mapping. Probe packet based techniques only work for the weak type of attacker, who has a correct protocol stack. So probe packet based techniques take advantage of the correct protocol stack of hosts to identify the correct mapping.
In the simulation of a generalized probe packet based technique for a weak attacker, whenever a conflict arises in the IP address to MAC address mapping, an ARP request packet is sent to the respective MAC address and the mapping is resolved using the response to the probe packet. We plot the graph (figure 5.7) to represent the traffic cost of deploying a probe packet based technique in the local LAN.
Figure 5.7: ARP request traffic in case of weak attacker
We simulated the proposed technique over the experimental setup and recorded the number of ARP request packets. Figure 5.8 is a plot of the number of ARP request packets generated by a test host running our proposed technique. In the proposed technique the test host generates 256 ARP requests, one for each of the 256 possible IP addresses in the LAN, whenever the test host receives an ARP request/reply from a source host for which it has no mapping in its ARP cache, or whenever the test host is in a state of confusion because some other MAC address is claiming the same IP address. Otherwise priority is given to the existing mapping in the ARP cache, and the confirmation of this mapping is done by generating a broadcast ARP request for the respective IP address.
Figure 5.8: ARP request traffic in case of strong attacker (proposed technique)
By comparing the traffic generated by the normal ARP protocol (figure 5.6), the probe packet based technique (figure 5.7) and the proposed technique (figure 5.8), we can say that the proposed technique can be deployed over the LAN, and this increased ARP traffic is the cost of securing the LAN against a strong attacker.
5.3 Reducing the number of probe packets (ARP Request packets)
In identifying an attacker with a compromised protocol stack, we generate a number of ARP request packets of the order of the size of the LAN; e.g. if there are 1000 hosts in the LAN then we have to generate 1000 ARP request packets whenever we receive a new mapping in an ARP packet that is not present in the ARP cache. So in the identification of a stronger attacker we have to pay this much communication cost.
We can reduce the number of generated packets, but this decreases the accuracy of the broadcast test, see figure 5.9. We can draw an analogy between the birthday attack problem and the number of packets generated to identify the attacker, and this gives the accuracy of the test. Actually we are searching for two different IP addresses that have the same MAC address. We use the following equation (the equation for computing the probability in the birthday problem) and plot the probability distribution (assuming the LAN has 1000 hosts) against the number of ARP request packets generated to find the attacker.
$$q(n, d) = 1 - \left(\frac{d - 1}{d}\right)^{n} \quad (5.1)$$
where q(n,d) is the probability for the accuracy of the broadcast test in a LAN of size d hosts with n probe packets.
In figure 5.9 we can see that the number of probe packets and the accuracy of the proposed technique are directly proportional to each other. We choose a random IP address from the LAN and send an ARP request packet using a randomly generated MAC address. From the calculation with the above equation we find that by sending 693 ARP request packets we can find the attacker with probability 0.5.
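Equation 5.1 and the reading of figure 5.9 for a LAN of d = 1000 hosts, as an added example that is not the thesis’s own code: it reproduces the 693 probes needed for probability 0.5, both by scanning n upwards and by a closed form solved from equation 5.1.

```python
# Added example, not the thesis's own code: equation 5.1 and the reading of
# figure 5.9 for a LAN of d = 1000 hosts, reproducing the "693 probes for
# probability 0.5" figure.  The closed form below is solved from eq. 5.1.
import math


def broadcast_test_accuracy(n, d):
    """Equation 5.1: q(n, d) = 1 - ((d - 1) / d) ** n, the probability that a
    reduced broadcast test of n probes finds the attacker in a LAN of d hosts."""
    if d < 1 or n < 0:
        raise ValueError("d must be >= 1 and n >= 0")
    return 1.0 - ((d - 1) / d) ** n


def probes_for_accuracy(d, target):
    """Smallest n with q(n, d) >= target, found by scanning n upwards."""
    n = 0
    while broadcast_test_accuracy(n, d) < target:
        n += 1
    return n


def probes_for_accuracy_closed_form(d, target):
    """The same n from solving eq. 5.1 for n:
    n = ceil(ln(1 - target) / ln((d - 1) / d))."""
    if not 0 < target < 1 or d < 2:
        raise ValueError("need 0 < target < 1 and d >= 2")
    return math.ceil(math.log(1.0 - target) / math.log((d - 1) / d))


def accuracy_curve(d, step):
    """The (n, q(n, d)) points plotted in figure 5.9, for n = 0, step, ..., d."""
    return [(n, broadcast_test_accuracy(n, d)) for n in range(0, d + 1, step)]


if __name__ == "__main__":
    print(probes_for_accuracy(1000, 0.5), probes_for_accuracy_closed_form(1000, 0.5))
    for n, q in accuracy_curve(1000, 250):
        print(n, round(q, 3))
```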
We generate many ARP request packets as our probe packets, and in order to collect the response to each ARP request packet the test host must go into promiscuous mode, because each ARP request packet is marked with a random MAC address so that the attacker cannot identify the probe packets. The test host does not want to drop the responses to the probe packets, and it uses the response packets to resolve the IP address to MAC address mapping, because the attacker generates two responses for two IP addresses, one for his own IP address and another for the IP address he wants to spoof, while a legitimate host generates a response only for its own IP address.
Figure 5.9: probability distribution over number of probe packet sent
5.4 System Load in promiscuous mode
The system goes into promiscuous mode during the period of the broadcast test. Figure 5.10 and figure 5.11 are two snapshots of a system with a core-2 processor showing that the system has a slightly higher load in promiscuous mode than in non-promiscuous mode. On a single core processor we found that the load increased by 10% in promiscuous mode as compared to non-promiscuous mode. So running the test host in promiscuous mode for the period of the broadcast test is not a significant issue.
Figure 5.10: System load in non-promiscuous mode (core-2 processor)
Figure 5.11: System load in promiscuous mode (core-2 processor)
Chapter 6
Conclusion
We proposed an enhanced version of the detection technique. Almost all probe based techniques cannot identify the strong attacker. An intelligent attacker can easily bypass many non-cryptographic techniques. The proposed technique is not limited to the detection of ARP spoofing; it can detect and identify both the weak and the strong attacker.
The proposed technique is not based on any cryptographic primitives or a central server, so it does not have the associated complexity or a single point of failure. The key feature of the technique is to hide the probe packets from the attacker. The attacker is identified by analyzing his responses during Broadcast test().
This technique is backward compatible because we have not added any new field to the ARP header. There is no requirement to bring changes to the hosts because we are not modifying the ARP protocol. This technique can be deployed at any host. It does not require changing the configuration of the LAN.
We pay some amount of traffic overhead in this detection technique, but the traffic is not significantly high. We simulated the proposed technique in a test bed and the proof of correctness is recorded.
Bibliography
[1] V. Ramachandran and S. Nandi, “Detecting ARP spoofing: an active technique,” in Proceedings of the First International Conference on Information Systems Security, ICISS’05, (Berlin, Heidelberg), pp. 239–250, Springer-Verlag, 2005.
[2] D. C. Plummer, “An Ethernet Address Resolution Protocol,” ARPA RFC 826, Nov. 1982.
[3] W. El-Hajj and Z. Trabelsi, “Using a fuzzy logic controller to thwart data link layer attacks in Ethernet networks,” in WCNC, pp. 2547–2552, 2007.
[4] N. Hubballi, S. Roopa, R. Ratti, F. A. Barbhuiya, S. Biswas, A. Sur, S. Nandi, and V. Ramachandran, “An active intrusion detection system for LAN specific attacks,” in Proceedings of the 2010 International Conference on Advances in Computer Science and Information Technology, AST/UCMA/ISA/ACN’10, (Berlin, Heidelberg), pp. 129–142, Springer-Verlag, 2010.
[5] T. Demuth and A. Leitner, “ARP spoofing and poisoning traffic tricks,” July 2005.
[6] K. Masataka, K. Takashi, and Y. Suguru, “A self-confirming engine for preventing man-in-the-middle attack (security) (Internet technology IV),” IEICE Transactions on Communications, vol. 87, no. 3, pp. 530–538, 2004-03-01.
[7] Z. Wang and Y. Zhou, “Monitoring ARP attack using responding time and state ARP cache,” in ISNN (4), pp. 701–709, 2009.
[8] D. Bruschi, A. Ornaghi, and E. Rosti, “S-ARP: a secure address resolution protocol,” in Proceedings of the 19th Annual Computer Security Applications Conference, ACSAC ’03, (Washington, DC, USA), pp. 66–, IEEE Computer Society, 2003.
[9] W. Lootah, W. Enck, and P. McDaniel, “TARP: Ticket-based address resolution protocol,” Comput. Netw., vol. 51, pp. 4322–4337, Oct. 2007.
[10] C. L. Abad and R. I. Bonilla, “An analysis on the schemes for detecting and preventing ARP cache poisoning attacks,” in Proceedings of the 27th International Conference on Distributed Computing Systems Workshops, ICDCSW ’07, (Washington, DC, USA), pp. 60–, IEEE Computer Society, 2007.
[11] J. Belenguer and C. T. Calafate, “A low-cost embedded IDS to monitor and prevent man-in-the-middle attacks on wired LAN environments,” in Proceedings of the International Conference on Emerging Security Information, Systems, and Technologies, SECUREWARE ’07, (Washington, DC, USA), pp. 122–127, IEEE Computer Society, 2007.
[12] Z. Trabelsi and H. Rahmani, “Detection of sniffers in an Ethernet network,” in ISC, pp. 170–182, 2004.
[13] S. Y. Nam, D. Kim, and J. Kim, “Enhanced ARP: preventing ARP poisoning-based man-in-the-middle attacks,” Comm. Letters, vol. 14, pp. 187–189, Feb. 2010.
[14] S. Y. Nam, S. Jurayev, S.-S. Kim, K. Choi, and G. S. Choi, “Mitigating ARP poisoning-based man-in-the-middle attacks in wired or wireless LAN,” EURASIP J. Wireless Comm. and Networking, vol. 2012, p. 89, 2012.
[15] B. Issac, “Secure ARP and secure DHCP protocols to mitigate security attacks,” I. J. Network Security, vol. 8, no. 2, pp. 107–118, 2009.
[16] V. Goyal and R. Tripathy, “An efficient solution to the ARP cache poisoning problem,” in Proceedings of the 10th Australasian Conference on Information Security and Privacy, ACISP’05, (Berlin, Heidelberg), pp. 40–51, Springer-Verlag, 2005.
[17] Z. Trabelsi and K. Shuaib, “Spoofed ARP packets detection in switched LAN networks,” in SECRYPT, pp. 40–47, 2006.
[18] M. V. Tripunitara and P. Dutta, “A middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning,” in Proceedings of the 15th Annual Computer Security Applications Conference, ACSAC ’99, (Washington, DC, USA), pp. 303–, IEEE Computer Society, 1999.
[19] W. R. Stevens, TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994.