ASA: agent-based secure ARP cache management

Author(s): M. Oh ; Y.-G. Kim ; S. Hong ; S. Cha
DOI: 10.1049/iet-com.2011.0566

For access to this article, please select a purchase option:

Buy article PDF

Buy Knowledge Pack

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership

Recommend Title Publication to library

IET Communications — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

Author(s): M. Oh ¹ ; Y.-G. Kim ¹ ; S. Hong ² ; S. Cha ¹
- Affiliations: 1: Department of Computer Science and Engineering, Korea University, Seoul, Korea
  2: School of Computing, Soongsil University, Seoul, Korea
Source: Volume 6, Issue 7, 1 May 2012, p. 685 – 693
DOI: 10.1049/iet-com.2011.0566 , Print ISSN 1751-8628, Online ISSN 1751-8636

Address resolution protocol (ARP) is widely used to maintain mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, current implementation is well-known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of ARP protocols, and past proposals to address the weaknesses of the ‘original’ ARP design have been unsatisfactory. Suggestions that ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. Agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.

References

1. 1)
  - Xing, W., Zhao, Y., Li, T.: `Research on the defense against ARP spoofing attacks based on WinPcaP', Proc. Second Int. Workshop on Education Technology and Computer Science (ETCS2010), March 2010, Wohan, China, p. 762–765.
2. 2)
  - K. Kwon , S. Ahn , J.W. Chung . Network security management using ARP spoofing. Lect. Notes Comput. Sci. , 142 - 149
3. 3)
  - http://ettercap.sourceforge.net/index.php, accessed July 2011.
4. 4)
  - Pansa, D., Chomsiri, T.: `Architecture and protocols for secure LAN by using a software-level certificate and cancellation of ARP protocol', Proc. Int. Conf. on Convergence and Hybrid Information Technology (ICCIT2008), November 2008, Busan, Korea, p. 21–26.
5. 5)
  - http://www.toolcrypt.org/tools/tratt/index.html, accessed July 2011.
6. 6)
  - V. Goyal , R. Tripathy . An efficient solution to the ARP cache poisoning problem. Lect. Notes Comput. Sci. , 40 - 51
7. 7)
  - http://www.oxid.it/cain.html, accessed July 2011.
8. 8)
  - Trabelsi, Z., El-Hajj, W.: `Preventing ARP attacks using a fuzzy-based stateful ARP cache', Proc. IEEE Int. Conf. on Communications (ICC2007), June 2007, p. 1355–1360.
9. 9)
  - F.A. Barbhuiya , S. Roopa , R. Ratti . An active host-based detection mechanism for ARP-related attacks. Commun. Comput. Inf. Sci. , 2 , 432 - 443
10. 10)
  - J. Yu , C. Fang , L. Lu , Z. Li . Mitigating application layer distributed denial of service attacks via effective trust management. IET Commun. , 16 , 1952 - 1962
11. 11)
  - S. Kumar . Impact of distributed denial of service (DDoS) attack due to ARP storm. Lect. NotesComput. Sci. , 997 - 1002
12. 12)
  - S.Y. Nam , D. Kim , J. Kim . Enhanced ARP: preventing ARP poisoning-based man-in-the-middle attacks. IEEE Commun. Lett. , 2 , 187 - 189
13. 13)
  - B. Caswell , J. Beale , J.C. Foster , J. Faircloth . (2007) Snort 2.1- intrusion detection.
14. 14)
  - C.M. Kozierok . (2005) TCP/IP guide.
15. 15)
  - RFC-826: ‘An ethernet address resolution protocol’, 1982.
16. 16)
  - V. Ramachandran , S. Nandi . Detecting ARP Spoofing: an active technique. Inf. Syst.Secur. , 239 - 250
17. 17)
  - http://sid.rstack.org/arp-sk/, accessed July 2011.
18. 18)
  - M.G. Gouda , C.T. Huang . A secure address resolution protocol. Comput. Netw.: Int. J. Comput. Telecommun. Netw. , 1 , 57 - 71
19. 19)
  - Philip, R.: `Securing wireless networks from ARP cache poisoning', 2007, Maser's, San Jose State University.
20. 20)
  - Limmaneewichid, P., Lilakiatsakun, W.: `P-ARP: A novel enhanced authentication scheme for securing ARP', Proc. 2011 Int. Conf. on Telecommunication Technology and Applications, May 2011, p. 83–87.
21. 21)
  - http://www.arpdefender.com, accessed November 2011.
22. 22)
  - http://www.arpalert.org, accessed July 2011.
23. 23)
  - Lootah, W., Enck, W., Mcdanie, P.: `TARP: ticket-based address resolution protocol', Proc. 21st Annual Computer Security Applications Conf. on (ACSAC2005), December 2005, Tucson, AZ, USA, p. 108–116.
24. 24)
  - http://arpspoof.sourceforge.net, accessed July 2011.
25. 25)
  - RFC-1121: ‘Act One – The Poems, Network Working Group’, 1989.
26. 26)
  - http://en.wikipedia.org/wiki/ARP_spoofing, accessed July 2011.
27. 27)
  - http://www.arp-guard.com, accessed July 2011.
28. 28)
  - Snort, http://www.snort.org, accessed July 2011.
29. 29)
  - Hou, X., Jiang, Z., Tian, X.: `The detection and prevention for ARP spoofing based on Snort', Proc. Second Int. Conf. on Computer Application and System Modeling (ICCASM2010), November 2010, XiaMen, China, p. 137–139.
30. 30)
  - Bruschi, D., Ornaghi, A., Rosti, E.: `S-ARP: a secure address resolution protocol', Proc. 19th Annual Computer Security Applications Conf. (ACSAC2003), December 2003, Las Vegas, NV, USA, p. 66–74.
31. 31)
  - Ortega, A.P., Marcos, X.E., Chiang, L.D., Abad, C.L.: `Preventing ARP cache poisoning attacks: a proof of concept using OpenWrt', Proc. Network Operations and Management Symp. (APNOMS2009), September 2009, p. 1–9.
32. 32)
  - Cisco Systems, Configuring Dynamic ARP Inspection, Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SX. 2006.
33. 33)
  - N. Hubballi , S. Roopa , R. Ratti . An active intrusion detection system for LAN specific attacks. Lect. Notes Comput. Sci. , 129 - 142

ASA: agent-based secure ARP cache management

ASA: agent-based secure ARP cache management

Buy article PDF

Buy Knowledge Pack

Thank you

References

Related content