© The Institution of Engineering and Technology
Address resolution protocol (ARP) is widely used to maintain the mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, the current implementation is well known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of the ARP protocol, and past proposals to address the weaknesses of the ‘original’ ARP design have been unsatisfactory. Suggestions that the ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require that customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such a cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing an anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchanges of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. The agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented the agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.
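The abstract does not describe ASA's internals, so the following is an added illustration and not the authors' agent code: a stateful check on Ethernet/IPv4 ARP payloads that refuses the two updates a dynamic cache accepts blindly, namely replies nobody asked for and replies that rebind a known IP to a different MAC. `ArpBindingMonitor`, `build_arp` and the sample addresses are constructed for this example.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(payload):
    """Parse the 28-byte Ethernet/IPv4 ARP payload defined by RFC 826."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed sample payload (test input only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

class ArpBindingMonitor:
    """Accept a reply only if it answers our own request and does not rebind an IP."""
    def __init__(self):
        self.bindings = {}    # IP -> MAC learned from solicited replies
        self.pending = set()  # IPs this host has asked about

    def observe(self, payload, sent_by_us=False):
        pkt = parse_arp(payload)
        if pkt["op"] == ARP_REQUEST:
            if sent_by_us:
                self.pending.add(pkt["tpa"])
            return "request"
        if pkt["op"] != ARP_REPLY:
            return "ignored"
        ip, mac = pkt["spa"], pkt["sha"]
        if self.bindings.get(ip, mac) != mac:
            return "conflict"      # known IP now claims a different MAC
        if ip not in self.pending:
            return "unsolicited"   # nobody asked: do not learn from it
        self.pending.discard(ip)
        self.bindings[ip] = mac
        return "accepted"

def demo():
    me, gw, other = "02:00:00:00:00:10", "02:00:00:00:00:01", "02:00:00:00:00:66"
    zero, m = "00:00:00:00:00:00", ArpBindingMonitor()
    verdicts = [
        m.observe(build_arp(ARP_REQUEST, me, "192.0.2.10", zero, "192.0.2.1"), sent_by_us=True),
        m.observe(build_arp(ARP_REPLY, gw, "192.0.2.1", me, "192.0.2.10")),
        m.observe(build_arp(ARP_REPLY, other, "192.0.2.1", me, "192.0.2.10")),
        m.observe(build_arp(ARP_REPLY, other, "192.0.2.7", me, "192.0.2.10")),
    ]
    return verdicts, m.bindings
```
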