ARP Report


Page 1: ARP Report

7/30/2019 ARP Report

http://slidepdf.com/reader/full/arp-report 1/68

Identification of An Intelligent Attacker in

ARP Spoofing

by

Subhash Kumar Singh

201011044

A thesis submitted in the partial fulfillment of the requirements for the degree

of 

Master of Technology

in

Information and Communication Technology

to

Dhirubhai Ambani Institute of Information and Communication

Technology

Gandhinagar, India

November 2012


Declaration

This is to certify that

1. the thesis comprises my original work towards the degree of Master of Technology in Information and Communication Technology at DA-IICT and has not been submitted elsewhere for a degree.

2. due acknowledgement has been made in the text to all other material used.

Signature of Student

Subhash Kumar Singh

Certificate

This is to certify that the thesis work entitled Identification of An Intelligent Attacker in ARP Spoofing has been carried out by Subhash Kumar Singh (201011044) for the degree of Master of Technology in Information and Communication Technology at this Institute under my supervision.

Thesis Supervisor

Prof. Anish Mathuria


Acknowledgements

I would like to express my sincere thanks to my thesis supervisor, Prof. Anish Mathuria, for his excellent guidance and constant supervision. He provided me an excellent atmosphere for doing research. He inspired me to put in my best efforts and also criticized me at appropriate moments to make my work proceed in the right direction.

I would like to express my special gratitude to my thesis examiners, Prof.

Sanjay Srivastava and Prof. Manish Gupta, for their valuable comments and

corrections. They pointed out subtle mistakes in my thesis work and suggested

relevant improvements.

I would like to acknowledge the academic and technical support at DA-

IICT. The state-of-the-art infrastructure at the institute provided me all the

needed resources which helped in accelerating my work. I would like to mention

special thanks to Prof. Manik Lal Das and members of security group for their

comments and time.

I am highly indebted to my parents for their cooperation and motivation.

Finally, I would like to thank god for his blessings and grace.

Subhash Kumar Singh


Abstract

ARP spoofing is one of the most powerful and simplest attacks an insider can mount on an internal network. Many techniques have been proposed to secure the Address Resolution Protocol (ARP); they include cryptographic and non-cryptographic techniques. Non-cryptographic techniques are mainly based on probe packets. These techniques need less processing time than cryptographic techniques, but we observed that an intelligent attacker can easily bypass techniques that are based on probe packets.

Ramachandran et al. [1] suggested a clear separation between a weak and a strong attacker. We treat the strong attacker as an intelligent attacker, because a strong attacker can bypass probe-packet-based ARP defense techniques by generating the appropriate response. These two attacker models can be used to analyze any ARP defense technique. Their technique only detects the ARP spoofing attack but does not identify the attacker; similarly, other techniques have their own limitations.

We enhanced the probe-packet-based technique to identify an intelligent attacker. Our proposed technique enables the test host to imitate a normal host, so that an attacker cannot distinguish the test host from the others. Meanwhile the attacker can be caught using the responses to the probe packets.

We performed experiments and concluded that the proposed technique is effective for defense against ARP spoofing.


Contents

Declaration ii

Certificate ii

Acknowledgements iii

Abstract iv

List of Figures vi

1 Introduction 1

1.1 Address Resolution Protocol (ARP) . . . . . . . . . . . . . . . . 1

1.2 Basic ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.3 ARP Cache Poisoning . . . . . . . . . . . . . . . . . . . . . . . . 3

1.4 Problem Definition . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.5 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

1.6 Organization of thesis . . . . . . . . . . . . . . . . . . . . . . . . 7

2 Background of Protocols 9

2.1 ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2.1.1 Header Format . . . . . . . . . . . . . . . . . . . . . . . . 9

2.1.2 ARP Cache . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.2 ICMP Echo Request Packets (Ping) and their Communication . 11

2.2.1 Header Format . . . . . . . . . . . . . . . . . . . . . . . . 12

2.2.2 Packet Exchange . . . . . . . . . . . . . . . . . . . . . . . 13

2.3 TCP Packets and their Communication . . . . . . . . . . . . . . 14

2.3.1 Header Format and Data Flow . . . . . . . . . . . . . . . 14


2.3.2 TCP Handshake . . . . . . . . . . . . . . . . . . . . . . . 15

3 Survey of ARP Defense Techniques 17

3.1 Classification of techniques . . . . . . . . . . . . . . . . . . . . . 17

3.1.1 Non-Cryptographic Techniques for Securing ARP Spoofing 19

3.1.2 Cryptographic Techniques for ARP . . . . . . . . . . . . . 28

3.1.3 Some other Techniques . . . . . . . . . . . . . . . . . . . 30

3.2 Attacking Model . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

3.3 Comparison of Existing Techniques . . . . . . . . . . . . . . . . . 33

4 Proposed Technique 36

4.1 Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

4.2 Rules in Proposed Technique . . . . . . . . . . . . . . . . . . . . 38

4.3 Working of Proposed Technique . . . . . . . . . . . . . . . . . . . 38

4.4 Identification of Attacker . . . . . . . . . . . . . . . . . . . . . . 39

4.4.1 Mapping present in ARP cache of test host . . . . . . . . 41

4.4.2 Mapping doesn’t present in ARP cache of test host . . . . 43

4.5 Hiding the traffic pattern : in case of Probe Packets . . . . . . . 45

5 Experiment and Results 48

5.1 Experimental setup . . . . . . . . . . . . . . . . . . . . . . . . . . 48

5.2 Measure of generated ARP traffic . . . . . . . . . . . . . . . . . . 50

5.3 Reducing number of probe packet (ARP Request packet) . . . . 52

5.4 System Load in promiscuous mode . . . . . . . . . . . . . . . . . 54

6 Conclusion 56


List of Figures

1.1 Address Resolution Protocol(ARP) . . . . . . . . . . . . . . . . . 2

1.2 Flowchart for update in ARP cache . . . . . . . . . . . . . . . . . 3

1.3 DoS attack in LAN . . . . . . . . . . . . . . . . . . . . . . . . . 4

1.4 MITM attack in LAN . . . . . . . . . . . . . . . . . . . . . . . . 5

2.1 ARP Header(length in bytes) . . . . . . . . . . . . . . . . . . . . 9

2.2 IP Header(length in bits) . . . . . . . . . . . . . . . . . . . . . . 12

2.3 ICMP Header(length in bits) . . . . . . . . . . . . . . . . . . . . 13

2.4 TCP Header(length in bits) . . . . . . . . . . . . . . . . . . . . . 14

2.5 flow of TCP packets . . . . . . . . . . . . . . . . . . . . . . . . . 15

2.6 TCP Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.1 Fake ARP Request (ARP Header) . . . . . . . . . . . . . . . . . 21

3.2 Fake ARP Request (Ethernet Header) . . . . . . . . . . . . . . . 21

3.3 Possible Response of TCP SYN packet . . . . . . . . . . . . . . . 22

3.4 Four MR-ARP enabled machine deployed in LAN . . . . . . . . . 23

3.5 Enhanced MR-ARP technique . . . . . . . . . . . . . . . . . . . . 25

3.6 Flow Diagram for Self Confirming Engine (SDE) (when ARP

cache doesn’t have mapping for source IP in ARP request/reply

packet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.7 Flow Diagram for Self Confirming Engine (SDE) (when ARP

cache have mapping for source IP in ARP request/reply packet) 26

3.8 Flow Diagram for Spoof Detection Engine (SDE) . . . . . . . . . 27

4.1 Confirmation of Legitimate host in case of weak attacker . . . . . 39


4.2 Identification of attacker when host A has correct mapping in his

ARP cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

4.3 Confirmation of Legitimate host . . . . . . . . . . . . . . . . . . 43

4.4 Confirmation of attacker . . . . . . . . . . . . . . . . . . . . . . . 43

4.5 Generated schedule (number of ARP request packet generated

per second) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

5.1 Experiment setup . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

5.2 Simple ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . 49

5.3 Spoofed ARP reply from attacker to host A . . . . . . . . . . . . 49

5.4 State of ARP cache at host A . . . . . . . . . . . . . . . . . . . . 49

5.5 Basic scheme to identify the attacker . . . . . . . . . . . . . . . . 50

5.6 ARP request traffic in normal ARP protocol . . . . . . . . . . . . 51

5.7 ARP request traffic in case of weak attacker . . . . . . . . . . . . 51

5.8 ARP request traffic in case of strong attacker (proposed technique) 52

5.9 probability distribution over number of probe packet sent . . . . 54

5.10 System load in non-promiscuous mode (core-2 processor) . . . . . 55

5.11 System load in promiscuous mode (core-2 processor) . . . . . . . 55


List of Algorithms

1 ARP spoofing detection module . . . . . . . . . . . . . . . . . . . 40

2 Broadcast test() . . . . . . . . . . . . . . . . . . . . . . . . . . . 40


Chapter 1

Introduction

In a LAN environment, any insider can attack a host on the same network to steal its information, whether out of curiosity or for business or governmental espionage. ARP spoofing is the most common form of attack on a LAN. It allows the attacker to sniff and manipulate the local communication traffic.

If a host wants to communicate with another host over the network, the sending host must have both the IP address and the MAC address of the destination. Using these two addresses any host can communicate with any other host in the LAN. If the sending host has only the IP address of the destination, the MAC address of the destination host is resolved by the ARP protocol, and further communication continues using the resolved IP address and MAC address pair.

1.1 Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) was first introduced in RFC 826 in 1982 [2]. ARP is a data link layer protocol used to obtain the 48-bit Ethernet address of a host in the LAN corresponding to a requested 32-bit IP address; that is, ARP maps an IP address to the corresponding Ethernet address. See figure 1.1: when host A wants to communicate with another host B having IP address IP_B, host A broadcasts a message over the LAN asking "who has IP_B?". All hosts except host B drop the ARP request packet, because the request is not for their IP address. The host corresponding to IP address IP_B generates an ARP reply in response to the ARP request, saying "MAC address MAC_B corresponds to the requested IP address IP_B". Both the sender and the receiver of the ARP packets use the information in the ARP request/reply for further communication. The receiving host of the ARP request (host B) stores the sender information carried in the ARP request packet to optimize communication; therefore host B does not need to send an ARP request of its own back to host A.

Figure 1.1: Address Resolution Protocol(ARP)

1.2 Basic ARP Protocol

The ARP protocol is stateless (a host keeps no record of the ARP requests it has sent) for simplicity and to reduce the ARP traffic involved in address resolution. See figure 1.2; the ARP cache works on the following two rules:

1. Creation of a new entry: when a host receives an ARP request/reply for its own IP address, a new entry is created in the receiver's ARP cache if the cache does not yet contain an entry for the sender of the ARP request/reply packet.

2. Updating an entry: when a host receives an ARP request/reply for its own IP address and an entry for the sender is already present in the receiver's ARP cache, the information in the ARP packet is written into the ARP cache of the receiver and the timeout of the IP address to MAC address mapping is renewed.

Figure 1.2: Flowchart for update in ARP cache

1.3 ARP Cache Poisoning

In an ARP cache poisoning attack, the attacker sends an ARP request or reply to the victim in which the sender fields of the ARP header carry an incorrect <IP, MAC> association; the intended receiver of this fake packet updates its ARP cache with the false <IP, MAC> mapping. In a simple scenario, if an attacker wants to impersonate host X to host Y, the attacker sends an ARP request (broadcast or unicast) to host Y claiming that the attacker's MAC address is associated with the IP address of host X. Host Y then stores the mapping <IP_X, MAC_attacker> in its ARP cache and uses this corrupted mapping for further communication: host Y sends its data packets to the attacker instead of to host X. Thus the attacker can read or modify the data sent by host Y to host X.

ARP cache poisoning can be done in four ways [3] [1] [4]:

1. Send a fake ARP request packet.

2. Send a fake ARP reply packet to the victim.

3. Send a fake ARP reply in response to an ARP request.

4. Send a fake gratuitous ARP request² packet.

ARP cache poisoning attacks are often part of other, more serious attacks, e.g. DoS attacks and MITM attacks. Sometimes the attacker has a predetermined goal and uses ARP cache poisoning to achieve it:

• DoS attacks: a malicious user poisons the ARP cache of a victim so that the data packets sent by the victim do not reach their destination; instead they are captured or dropped by the attacker, and the victim cannot communicate with others over the network. In figure 1.3, host A has a non-existent MAC address for IP_B in its cache, so host A sends its packets to that non-existent MAC address, the packets are dropped, and host A cannot communicate with host B.

Figure 1.3: DoS attack in LAN

² A gratuitous ARP request is an ARP request packet in which the sender and target IP addresses are both set to the IP address of the machine issuing the packet and the destination MAC address is the broadcast address ff:ff:ff:ff:ff:ff.


• Host impersonation: the attacker not only captures the packets but also responds to the victim, pretending that nothing is wrong and that the victim is communicating with the legitimate host.

• Man-in-the-Middle (MITM) attack: the attacker poisons two hosts in the LAN such that the attacker receives the packets from both hosts and, after extracting sensitive data, forwards the packets to their correct destination. Neither host can tell that someone sits between them silently listening to their conversation. The attack becomes more serious when the attacker modifies the content of the packets, compromising data integrity. In figure 1.4, host C poisons the ARP caches of host A and host B. Host A thinks it is communicating with host B, and host B thinks it is communicating with host A, but actually the whole communication passes through host C. Thus C acts as a Man-in-the-Middle between host A and host B.

Figure 1.4: MITM attack in LAN
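The following Python is an added worked example, not code from the thesis. It models one host's ARP cache under the two rules of section 1.2 (create an entry, or overwrite it and renew its timeout, whenever a packet targets this host's IP) and then drives it through the two attacks of section 1.3: a forged reply carrying a MAC address that exists nowhere on the LAN (figure 1.3, DoS) and a pair of forged requests that pull both hosts' traffic through host C (figure 1.4, MITM). The hosts, addresses, simulated clock and the 60-second entry lifetime are constructed for the example; real stacks use their own timeouts.

```python
from dataclasses import dataclass

TIMEOUT = 60.0  # assumed entry lifetime in seconds; real stacks vary


@dataclass
class ArpPacket:
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str


class StatelessArpCache:
    """ARP cache of one host, following the two rules of section 1.2."""

    def __init__(self, my_ip: str):
        self.my_ip = my_ip
        self.table = {}  # sender IP -> (MAC, expiry time)

    def receive(self, pkt: ArpPacket, now: float) -> str:
        # Both rules apply only to packets whose target IP is this host.
        if pkt.target_ip != self.my_ip:
            return "ignored"
        created = pkt.sender_ip not in self.table
        # Rule 1 creates the entry, rule 2 overwrites it and renews the timeout;
        # in both cases the sender's <IP, MAC> claim is trusted as-is.
        self.table[pkt.sender_ip] = (pkt.sender_mac, now + TIMEOUT)
        return "created" if created else "updated"

    def lookup(self, ip: str, now: float):
        entry = self.table.get(ip)
        if entry is None:
            return None
        mac, expiry = entry
        if expiry <= now:          # timed out: flush, caller must re-resolve
            del self.table[ip]
            return None
        return mac


# Constructed addresses for hosts A, B and the attacker C.
IP_A, IP_B = "10.0.0.1", "10.0.0.2"
MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
MAC_NOWHERE = "de:ad:be:ef:00:00"   # no NIC on the LAN has this address


def dos_scenario():
    """Figure 1.3: A learns a non-existent MAC for IP_B, so frames to B are lost."""
    cache_a = StatelessArpCache(IP_A)
    cache_a.receive(ArpPacket(2, MAC_B, IP_B, IP_A), now=0)        # genuine reply
    cache_a.receive(ArpPacket(2, MAC_NOWHERE, IP_B, IP_A), now=1)  # forged reply from C
    return cache_a.lookup(IP_B, now=2)


def mitm_scenario():
    """Figure 1.4: C poisons both A and B, so each sends the other's traffic to C."""
    cache_a, cache_b = StatelessArpCache(IP_A), StatelessArpCache(IP_B)
    cache_a.receive(ArpPacket(2, MAC_B, IP_B, IP_A), now=0)
    cache_b.receive(ArpPacket(2, MAC_A, IP_A, IP_B), now=0)
    # Forged *requests* poison just as well as forged replies (way 1 of the four).
    cache_a.receive(ArpPacket(1, MAC_C, IP_B, IP_A), now=5)
    cache_b.receive(ArpPacket(1, MAC_C, IP_A, IP_B), now=5)
    return cache_a.lookup(IP_B, now=6), cache_b.lookup(IP_A, now=6)


def expiry_scenario():
    """A mapping that is never refreshed disappears after TIMEOUT."""
    cache_a = StatelessArpCache(IP_A)
    cache_a.receive(ArpPacket(2, MAC_B, IP_B, IP_A), now=0)
    return cache_a.lookup(IP_B, now=TIMEOUT + 1)
```

The point the model makes visible is that nothing in either rule distinguishes the genuine reply at time 0 from the forged one at time 1: the last packet to arrive wins, and the forged packet also restarts the timeout, so the poisoned entry outlives the real one.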

ARP exploit tools: there are several tools that can be used to perform ARP cache poisoning [5]:

1. ARP-SK ( http://www.arp-sk.org )

2. Arpoc and WCI ( http://www.phenoelit.de/arpoc/ )

3. Arpoison ( http://arpoison.sourceforge.net )


4. Brian ( http://www.bournemouthbynight.co.uk/tools/ )

5. Cain & Abel ( http://www.oxid.it/cain.html )

6. Dsniff ( http://naughty.monkey.org/~dugsong/dsniff/ )

7. Ettercap ( http://ettercap.sourceforge.net )

8. Hunt ( http://www.phrack.org/show.php?p=50&a=6 )

9. Parasite ( http://www.thc.org/releases.php )

1.4 Problem Definition

The ARP protocol was not designed to verify the sender of ARP request or reply packets. It can therefore be exploited by an attacker, because the receiving host directly updates its ARP cache with the source IP address and source MAC address of any received ARP packet. Many techniques have been proposed to secure ARP. They can be broadly classified into cryptographic and non-cryptographic techniques. Non-cryptographic techniques are mainly based on probe packets. Probe-packet-based techniques are correct only against a limited attacker; we introduce the limited attacker in chapter 3. We analyzed the probe-packet-based techniques and found that an intelligent attacker (introduced in chapter 3) can bypass them very easily.

Securing ARP against an intelligent attacker is a big and important challenge, because an intelligent attacker can bypass almost all probe-based techniques. So we will design a secure ARP spoofing detection technique that can correctly identify the IP address to MAC address mapping in the attack environment defined in section 3.2.

1.5 Goals

The goal of this research is to secure the ARP protocol from attackers. We found limitations in various probe-packet-based techniques [6] [1] [3] [4].


These techniques cannot stand against an intelligent attacker. An intelligent attacker can easily bypass a probe-packet-based technique by generating the appropriate response to each request packet sent. So the following goals are of particular interest:

• Correctly identify script kiddies: anyone can download software that is freely available on the Internet (e.g. Cain & Abel, arp-sk) and perform ARP cache poisoning. This category of software sends fake packets to the target host so that the target host updates the IP to MAC address mapping in its ARP cache. The proposed solution can catch this type of attacker.

• Correctly identify the intelligent attacker: some attackers are smart enough to analyze the behavior of the target host. They can easily bypass an ARP defense technique simply by generating the appropriate response to the confirmation packets. We will build our proposed solution in such a way that an intelligent attacker is also correctly identified.

• Hide the generated probe-packet traffic: an intelligent attacker has analyzing and computing power. By collecting and analyzing the packets received on his network interface card he can identify the presence of an IDS (Intrusion Detection System) in the LAN. The attacker then starts behaving like the host he wants to spoof, and the IDS is not able to catch him.

We will design a technique whose probe-packet traffic looks like that of a normal host on the network, by analyzing the network traffic, and we will hide the probe packets in such a way that the attacker gets no clue about them.

1.6 Organization of thesis

Chapter 1 introduced the Address Resolution Protocol (ARP). In this chapter we discussed why the ARP protocol is prone to attack: by performing ARP spoofing, anyone can easily exploit ARP for his own purpose (e.g. DoS attack, MITM attack).

In chapter 2, we look at some standard network protocols that are used by several of the proposed techniques. Here we get a basic understanding of the ARP, ICMP and TCP protocols.

In chapter 3, we discuss the literature survey of the various existing solutions for ARP spoofing. In this chapter we identify two attacker models that are very important to consider; these models were previously identified by Ramachandran and Nandi [1]. The same chapter gives a brief idea of the probe-packet-based techniques [6] [1] [4] [3] and their limitations.

In chapter 4, a method is proposed to correctly identify the IP to MAC address mapping in the different attack environments identified by Ramachandran [1]. We found that in a probe-packet-based technique it is a challenging task to hide the probe packets: the attacker can sniff these packets and distinguish a confirmation packet from a normal ARP packet. In chapter 4 we give a technique to hide the probe packets so that an intelligent attacker can be caught.

The implementation of our proposed technique and its analysis are described in chapter 5. In chapter 6 we conclude the discussion and describe the achievement of the goals.


Chapter 2

Background of Protocols

Before going further we need some background on the ARP, ICMP and TCP protocols, which are used in some of the proposed techniques. ARP was partly discussed in the previous chapter.

2.1 ARP Protocol

We have discussed the packet exchange in the ARP protocol. We are now left with the ARP header format and the ARP cache.

2.1.1 Header Format

Figure 2.1: ARP Header(length in bytes)


Description of the ARP header (figure 2.1):

Hardware type (16 bit): type of LAN (1 for Ethernet).

Protocol type (16 bit): the higher-level protocol address type carried (0x0800 for IPv4).

Hardware address length (8 bit): length of the hardware address in bytes (6 for Ethernet).

Protocol address length (8 bit): length of the protocol address in bytes (4 for IPv4).

Opcode (16 bit): specifies the type of operation requested:

1 - ARP request

2 - ARP reply

Source hardware address (48 bit): hardware address of the sender.

Source protocol address (32 bit): protocol address of the sender.

Destination hardware address (48 bit): hardware address of the receiver (all zeros in a request, since it is what is being asked for).

Destination protocol address (32 bit): protocol address of the receiver.
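As an added worked example (not code from the thesis), the following Python builds and parses the 28-byte Ethernet/IPv4 ARP header described above with the standard struct module, using the RFC 826 opcode values 1 (request) and 2 (reply). It also rejects packets whose fixed fields (hardware type 1, protocol type 0x0800, address lengths 6 and 4) do not describe Ethernet/IPv4, which is the first sanity check any ARP inspection tool should make before trusting the address fields. The MAC and IP addresses are constructed.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2           # RFC 826 opcodes
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
# htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)      # 28 bytes, as in figure 2.1
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Serialize one ARP header (the payload after the 0x0806 Ethernet type)."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(payload: bytes) -> dict:
    """Decode an ARP header, refusing anything that is not Ethernet/IPv4
    or that carries an opcode other than request/reply."""
    if len(payload) < ARP_LEN:
        raise ValueError("ARP payload shorter than 28 bytes")
    (htype, ptype, hlen, plen, opcode,
     sha, spa, tha, tpa) = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if opcode not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unsupported ARP opcode {opcode}")
    return {"opcode": opcode,
            "sender_mac": bytes_to_mac(sha), "sender_ip": bytes_to_ip(spa),
            "target_mac": bytes_to_mac(tha), "target_ip": bytes_to_ip(tpa)}


def is_gratuitous(pkt: dict) -> bool:
    """Gratuitous ARP: the sender announces its own IP (sender IP == target IP)."""
    return pkt["sender_ip"] == pkt["target_ip"]


def who_has(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Broadcast request 'who has target_ip?'; the target MAC is unknown, so zeros."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip,
                     "00:00:00:00:00:00", target_ip)
```

Note that the header itself carries nothing that ties the sender fields to the frame that delivered them; a spoof detector has to compare the sender MAC inside the ARP header against the Ethernet source address and against what the cache already holds, because the header alone will parse cleanly whatever the attacker puts in it.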

2.1.2 ARP Cache

The ARP cache is local memory that holds the mappings between IP addresses and MAC addresses that are required for communication in the network. A timeout period is associated with each IP address to MAC address mapping; after the timeout the mapping is flushed from the cache unless it was accessed again within the timeout period. The timeout exists so that the cache tracks the dynamic relationship between IP addresses and MAC addresses: IP allocation is dynamic, so a host can change its IP address, and hence the mapping between its MAC and IP address can change. To preserve the dynamic mapping it is important to have a timeout on each ARP cache entry; otherwise the ARP cache would contain invalid <IP, MAC> mappings.

The ARP cache contains static and dynamic entries. Static entries are added manually to the cache. Some hosts never change their IP address, so the IP address to MAC address mapping for such hosts remains the same. Static entries are permanent; whether they are ever re-resolved or updated depends on the implementation of the ARP module of the OS. Dynamic entries are resolved by the ARP protocol, kept in the cache for a timeout period, and then removed. These entries are updated by the ARP protocol.


Dynamic cache entries are associated with a timeout period. If a mapping were stored forever, the following problems would arise:

• Device hardware changes: if a host suffers a NIC failure and the card is replaced, the mapping of its IP address to the previous Ethernet address becomes invalid.

• Device IP address changes: if a host changes its IP address, the entry in the ARP cache for that IP address also becomes invalid.

2.2 ICMP Echo Request Packets (Ping) and their

Communication

ICMP (Internet Control Message Protocol) messages are encapsulated in IP datagrams. ICMP messages are of two types: error-reporting messages and query messages. Whenever a host or router has a problem processing an IP packet, it reports the error back to the sender of the packet using an error-reporting message. Query messages are used to retrieve specific information from another host or router.

The ping packet belongs to the category of query messages. It is used to check whether a host is alive. Figure 2.2 shows the IP header and figure 2.3 shows the ICMP ping packet header.


Figure 2.2: IP Header(length in bits)

2.2.1 Header Format

Description of the IP header (figure 2.2):

Version (4 bit): version of the IP protocol (4 for IPv4).

Header length (4 bit): total length of the datagram header in 4-byte words.

Service (8 bit): defines the type of service.

Total length (16 bit): total length (header plus data) of the IPv4 datagram in bytes.

Identification (16 bit): uniquely identifies the fragments of an original IP datagram.

Flags (3 bit): used in fragmentation.

Fragmentation offset (13 bit): used in fragmentation.

Time to live (8 bit): limits the lifetime of the IP datagram.

Protocol (8 bit): defines the higher-level protocol that uses the service of the IPv4 layer:

1 - ICMP

2 - IGMP

6 - TCP

17 - UDP

Header checksum (16 bit): protects the IPv4 header against corruption; it does not cover the payload.

Source protocol address (32 bit): IP address of the sender.

Destination protocol address (32 bit): IP address of the receiver.


Figure 2.3: ICMP Header(length in bits)

Description of the ICMP echo header (figure 2.3):

Type (8 bit): type of the message:

8 - ICMP echo request

0 - ICMP echo reply

Code (8 bit): reason for the particular message type; 0 for ICMP echo request/reply.

Checksum (16 bit): calculated over the ICMP part of the packet (header plus data).

Identifier (16 bit): used to match an echo request with the associated reply.

Sequence number (16 bit): used to match an echo request with the associated reply.

2.2.2 Packet Exchange

The sender of an ICMP echo request puts the destination IP address in the destination field of the IP header and the corresponding MAC address in the destination MAC field of the Ethernet header. On the receiving side the host first matches the destination MAC address in the Ethernet header: if it matches the receiver's MAC address the packet is passed up to the IP layer, otherwise it is dropped. At the IP layer the packet is accepted if the destination IP address in the IP header matches the receiver's IP address, otherwise it is dropped. In response to the ICMP echo request, the receiver produces an ICMP echo reply carrying the same identifier and sequence number as the echo request.
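The exchange above, as an added example that is not code from the thesis: the following Python builds an ICMP echo request with the RFC 1071 checksum, produces the echo reply a receiver would return (same identifier, sequence number and payload, type changed to 0), verifies the checksum on receipt, and pairs a reply with its request by (identifier, sequence number). This pairing is what a probe-packet technique relies on when it uses ping to check that a host is alive, and the checksum check is what lets it discard corrupted or truncated answers. The identifier, sequence number and payload values are constructed.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0          # ICMP type values from figure 2.3
ICMP_HDR = "!BBHHH"                      # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement of the one's-complement sum of
    16-bit words, padding an odd-length buffer with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                   # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(kind: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """ICMP echo request/reply with the checksum filled in."""
    header = struct.pack(ICMP_HDR, kind, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack(ICMP_HDR, kind, 0, csum, ident, seq) + payload


def parse_echo(pkt: bytes) -> dict:
    """Decode an echo packet; a valid packet checksums to zero over all its bytes."""
    if len(pkt) < 8:
        raise ValueError("ICMP packet shorter than 8 bytes")
    if inet_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    kind, code, _csum, ident, seq = struct.unpack(ICMP_HDR, pkt[:8])
    if kind not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo request/reply")
    return {"type": kind, "id": ident, "seq": seq, "payload": pkt[8:]}


def echo_reply_for(request: bytes) -> bytes:
    """Receiver side: answer an echo request with the same id, seq and payload."""
    req = parse_echo(request)
    if req["type"] != ECHO_REQUEST:
        raise ValueError("only echo requests are answered")
    return build_echo(ECHO_REPLY, req["id"], req["seq"], req["payload"])


def reply_matches(request: bytes, reply: bytes) -> bool:
    """Sender side: pair a reply with its request by (identifier, sequence)."""
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["type"] == ECHO_REPLY
            and (req["id"], req["seq"]) == (rep["id"], rep["seq"]))
```

Because the identifier and sequence number are echoed back verbatim, any host that sees the request on the wire can also fabricate a matching reply; this is exactly the property an intelligent attacker exploits against ping-based probes, and it is why the thesis later treats the probe's arrival path, not just its content, as evidence.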


2.3 TCP Packets and their Communication

TCP (Transmission Control Protocol) is a connection-oriented, reliable transport layer protocol. It is a process-to-process protocol: it creates a virtual connection between two programs for sending data. Figure 2.4 shows the header format of TCP.

2.3.1 Header Format and Data Flow

Figure 2.4: TCP Header(length in bits)

Data flow: see figure 2.5. When a process B wants to send data to a process A, process B submits its data to its assigned TCP port (each process that wants to communicate over the network must bind to some port). TCP prepends a TCP header and hands the segment to the IP layer, where an IP header is added. The IP datagrams are then sent to the next hop toward the destination IP address.

On the receiving side the same process is done in reverse order: the packet moves from the Ethernet layer to the IP layer, and finally at the TCP layer the payloads of the IP datagrams are demultiplexed to their respective ports and reassembled. The reassembled unit of data is delivered to process A.


Figure 2.5: flow of TCP packets

2.3.2 TCP Handshake

As noted, TCP is a connection-oriented transport protocol that provides in-order delivery of data. To make this possible, TCP performs a three-way handshake. During the handshake both end processes exchange the required fields, such as the initial sequence number and the window size.

See figure 2.6; the TCP three-way handshake is done as follows:

1. The client sends a TCP SYN packet to the server. In the SYN packet only the SYN flag is set. The sequence number of this packet is chosen at random. The SYN packet carries no data; it is sent only to synchronize sequence numbers.

2. If the port on the server is available to serve the client, the server generates a TCP SYN/ACK packet with both the SYN and ACK flags set. This packet contains a sequence number and an acknowledgement number. The acknowledgement number (the client's sequence number plus one) confirms that the SYN safely reached the server, and the sequence number is a new random value chosen by the server.


Figure 2.6: TCP Handshake

If the port is unavailable, the server replies with a TCP RST packet (RST flag set). The purpose of this packet is to tell the client that the service is unavailable and that the client has to reset the connection.

3. The third packet of the handshake is the client's ACK of the server's SYN/ACK. After this packet the client and the server can start sending data to each other.
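The three-way handshake above, written out as an added example (not code from the thesis) with both sides' messages. The server answers a SYN with SYN/ACK on an open port and RST on a closed one, and it only moves a connection to established when the third packet acknowledges its own initial sequence number plus one; a wrong acknowledgement is answered with RST, which is what makes a guessed or replayed third packet fail. Port numbers, the flag constants and the sequence numbers are constructed, and the model ignores windows, options and retransmission.

```python
import random
from dataclasses import dataclass

SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP flag bits (from the flags field of figure 2.4)


def nxt(n: int) -> int:
    """Sequence arithmetic is modulo 2^32."""
    return (n + 1) & 0xFFFFFFFF


@dataclass
class Segment:
    sport: int
    dport: int
    flags: int
    seq: int
    ack: int = 0


class TcpServer:
    """Server side of the handshake: SYN/ACK for open ports, RST otherwise."""

    def __init__(self, open_ports):
        self.open_ports = set(open_ports)
        self.half_open = {}        # client port -> (our ISN, client seq we expect)
        self.established = set()   # client ports whose handshake completed

    def on_segment(self, seg: Segment):
        if seg.flags == SYN:
            if seg.dport not in self.open_ports:
                # Closed port: RST/ACK acknowledging the SYN (step 2, unavailable).
                return Segment(seg.dport, seg.sport, RST | ACK, 0, nxt(seg.seq))
            isn = random.getrandbits(32)           # fresh random ISN (step 2)
            self.half_open[seg.sport] = (isn, nxt(seg.seq))
            return Segment(seg.dport, seg.sport, SYN | ACK, isn, nxt(seg.seq))
        if seg.flags == ACK and seg.sport in self.half_open:
            isn, expected_seq = self.half_open[seg.sport]
            # Step 3: the ACK must cover our ISN + 1 and carry the seq we expect.
            if seg.ack == nxt(isn) and seg.seq == expected_seq:
                del self.half_open[seg.sport]
                self.established.add(seg.sport)
                return None                        # nothing to send; data may flow
            return Segment(seg.dport, seg.sport, RST, seg.ack)
        return None


def client_handshake(server: TcpServer, dport: int, sport: int = 40000) -> str:
    """Client side: send SYN (step 1), check the answer, finish with ACK (step 3)."""
    isn = random.getrandbits(32)
    answer = server.on_segment(Segment(sport, dport, SYN, isn))
    if answer is None or answer.flags & RST:
        return "refused"                           # RST: service unavailable
    if answer.flags != SYN | ACK or answer.ack != nxt(isn):
        return "bad-synack"                        # not acknowledging our SYN
    third = Segment(sport, dport, ACK, nxt(isn), nxt(answer.seq))
    if server.on_segment(third) is None and sport in server.established:
        return "established"
    return "reset"
```

The SYN/RST distinction is also the signal a TCP SYN probe uses to tell a live host from a silent one: either answer proves that something with the probed MAC address is processing IP packets for that IP, while no answer at all proves nothing.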


Chapter 3

Survey of ARP Defense

Techniques

There are many proposals to defend the ARP protocol against ARP cache poisoning. We can classify them into cryptographic and non-cryptographic techniques, and also into prevention, detection and mitigation techniques.

3.1 Classification of techniques

The various techniques can be categorized in the following ways:

stateful vs stateless ARP cache

Some techniques [3] [7] use a stateful ARP cache. A stateful ARP cache records the state of the pending operation: whenever the host sends an ARP request, an entry is created in the stateful cache, and when an ARP reply arrives the cache is consulted to ensure that the reply corresponds to a request the host actually generated. The ordinary ARP cache is stateless: no host records the IP addresses of the hosts with which it started the ARP exchange, and every received ARP request/reply packet is considered valid.

It is wrong to believe that a stateful ARP cache alone can stop ARP spoofing.


A stateful ARP cache can block unsolicited replies, but ARP requests can be malicious too: ARP cache poisoning is possible with an ARP request packet alone. The advantages of a stateful cache come at the cost of memory and of upgrading the protocol stack of every host. A stateless cache keeps no per-host protocol state and needs no dedicated memory to hold entries for outstanding requests.

Cryptographic vs non-cryptographic

Cryptographic techniques (SARP [8], TARP [9], etc.) use cryptographic primitives, whereas non-cryptographic approaches (SCE [6], SDE [1], etc.) rely on distinctive features of ARP or of the LAN, on the behaviour of the attacker or of legitimate hosts, or on other assumptions. Cryptographic solutions are slower than non-cryptographic ones because of their computation cost, and they are not backward compatible: they change the message format, which requires changes at every host.

Centralized (test host) vs distributed (host based)

Centralized systems rely on a sniffing node or a few test hosts in the LAN that analyse the captured packets to identify the attacker; in some cases [8] [9] one host acts as a key store or key distribution agent. In distributed techniques the responsibility for identifying the attacker does not rest on any particular host: in a host-based technique each host runs the algorithm itself to prevent the attack or identify the attacker. The main drawback of a centralized system is its single point of failure: if the test host stops working, the LAN becomes vulnerable again. Host-based solutions for ARP cache poisoning have no such drawback.

Prevention vs detection vs mitigation [10]

The many techniques that deal with ARP spoofing or ARP cache poisoning can be broadly classified into prevention, detection and mitigation techniques.

• Prevention techniques: these block the attack with some preventive measure so that ARP cache poisoning is no longer possible. They generally modify the ARP protocol and impose a new set of rules. They are therefore resistant to cache poisoning, but at the cost of backward compatibility.

• Mitigation techniques: these are precautionary measures against ARP spoofing. They do not provide a complete solution, but they reduce the chance of a successful spoof.

• Detection techniques: these do not attempt to stop ARP spoofing; instead they detect the presence of an attacker or identify the attacker. Their advantage is backward compatibility, but the cost is the processing time needed to identify the attacker after the spoofing has already taken place.

In this chapter we review the existing techniques for securing ARP, focusing on the details of the non-cryptographic ones. Cryptographic techniques provide stronger protection and can solve the ARP spoofing problem, but they suffer from higher processing and computational cost and from the single point of failure problem.

3.1.1 Non-Cryptographic Techniques for Securing ARP against Spoofing

Embedded IDS to monitor and prevent MITM attacks on a wired LAN

Belenguer et al. [11] implemented a low-cost embedded IDS that can detect and prevent MITM attacks. The basic idea is to refresh the mappings in the ARP cache before they time out. The refresh is done by sending an ICMP or ARP request packet; if no reply to the request is received, the sender considers the target host down and removes its entry from the ARP cache.

Belenguer et al. developed two security modes, depending on the availability of port mirroring (replicating the traffic of all switch ports onto a single port):


1. Reactive security mode

2. Proactive security mode

Reactive security mode: port mirroring at the switch is essential for this mode. A device attached to the mirrored port maintains a list of ARP cache entries and their lifetimes. It pings (ICMP echo request) each host whose entry has expired to check whether the host is still active, and deletes the entries of the hosts that do not answer. With n active hosts the extra traffic generated is of the order of n packets.

The device also stores all ARP requests in a buffer, which lets it detect ARP replies that do not correspond to any request. If it finds that an attacker is attempting a MITM attack, its combat-MITM module repairs the victim's cache by telling it the correct mapping. For example, suppose the attacker tries to poison the cache of host B by sending it a fake ARP request/reply for IP A carrying <IP A, MAC attacker>, so as to associate its own MAC address with IP A. The embedded device then sends host B an ARP reply with source mapping <IP A, MAC A> in the ARP header. The latency of this correction is less than one RTT.

Proactive security mode: this mode is for switched LANs where no mirroring port is available. The embedded device is connected to a regular port and works to refresh the important mappings, such as that of the Internet gateway, by sending corrective ARP requests.

For example, to refresh the caches of the gateway and of host A, the device sends the gateway a unicast ARP request with source mapping <IP A, MAC A> in the ARP header. The gateway then sends host A an ARP reply with source mapping <IP gateway, MAC gateway>. Thus the ARP caches of both entities are refreshed.


Detection of sniffers using a trap ARP request packet

This technique by Trabelsi and Rahmani [12] is itself based on ARP cache poisoning. A test host first corrupts the caches of all hosts running in promiscuous mode by sending an ARP request with a fake IP to the fake broadcast address FF:FF:FF:FF:FF:FE. This address works as a fake broadcast because, as the same paper found, many operating systems accept a frame whose Ethernet destination is FF:FF:FF:FF:FF:FE as if it were a broadcast frame, while a network card in normal mode never passes it up. In the next step the test host opens a TCP connection to each host. A sniffing host answers with TCP SYN/ACK or RST, whereas a normal host answers with an ARP request.
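The following simulation is an added example, not code from the paper or from this thesis. It encodes the trap ARP request at the byte level (Ethernet header with FF:FF:FF:FF:FF:FE as destination, ARP header with the fake <IP-X, MAC-X> as sender), models the network-card filter that a non-promiscuous host applies before the OS ever sees the frame (the same acceptance rule that chapter 4 later states as Rule A), and then runs the TCP SYN phase to see which hosts learnt the trap mapping. The hosts, addresses and the `treats_fe_as_broadcast` flag (which stands in for the OS-dependent behaviour the paper measured) are constructed for the example.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"
FAKE_BROADCAST = "ff:ff:ff:ff:ff:fe"   # the trap address used by Trabelsi and Rahmani
ETH_P_ARP = 0x0806


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_request(eth_dst, eth_src, sender_mac, sender_ip, target_ip):
    """Ethernet II frame carrying an RFC 826 ARP request. eth_src is the test
    host's real NIC address; sender_mac/sender_ip in the ARP header form the
    fake mapping that a receiving stack will learn."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)        # htype, ptype, hlen, plen, opcode=request
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += b"\x00" * 6 + ip_bytes(target_ip)               # target MAC is unknown in a request
    return eth + arp


def parse_arp_frame(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    arp = frame[14:]
    return {"eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]),
            "opcode": struct.unpack("!H", arp[6:8])[0],
            "sender_mac": mac_str(arp[8:14]), "sender_ip": ip_str(arp[14:18]),
            "target_ip": ip_str(arp[24:28])}


class Host:
    """LAN host with a stateless ARP cache: it learns the sender mapping of every
    ARP packet its stack accepts. treats_fe_as_broadcast models the OS-dependent
    behaviour the paper measured (an assumption of this simulation)."""

    def __init__(self, ip, mac, promiscuous=False, treats_fe_as_broadcast=True):
        self.ip, self.mac = ip, mac
        self.promiscuous = promiscuous
        self.treats_fe_as_broadcast = treats_fe_as_broadcast
        self.cache = {}

    def nic_accepts(self, eth_dst):
        # Non-promiscuous NIC: own unicast address or broadcast only (multicast
        # groups omitted here); promiscuous NIC: everything on the wire.
        return self.promiscuous or eth_dst in (self.mac, BROADCAST)

    def receive(self, frame):
        pkt = parse_arp_frame(frame)
        if pkt is None or not self.nic_accepts(pkt["eth_dst"]):
            return False
        # The frame reached the OS stack, which applies its own "is this for us"
        # check; stacks that treat ff:ff:ff:ff:ff:fe as broadcast fall for the trap.
        if pkt["eth_dst"] not in (self.mac, BROADCAST):
            if not (pkt["eth_dst"] == FAKE_BROADCAST and self.treats_fe_as_broadcast):
                return False
        self.cache[pkt["sender_ip"]] = pkt["sender_mac"]
        return True

    def respond_to_tcp_syn(self, src_ip):
        """Reaction to a TCP SYN whose source is src_ip: a stack holding the
        mapping answers SYN/ACK or RST straight to the cached MAC; one without
        it first has to send an ARP request for src_ip."""
        if src_ip in self.cache:
            return ("tcp", self.cache[src_ip])
        return ("arp-request", src_ip)


def detect_sniffers(test_mac, hosts, trap_ip="10.0.0.250", trap_mac="00:11:22:33:44:55"):
    """Phase 1: trap ARP request to ff:ff:ff:ff:ff:fe carrying <trap_ip, trap_mac>.
    Phase 2: TCP SYN from trap_ip to every host; a TCP answer exposes a sniffer."""
    trap = build_arp_request(FAKE_BROADCAST, test_mac, trap_mac, trap_ip, "10.0.0.1")
    for h in hosts:
        h.receive(trap)
    return sorted(h.ip for h in hosts if h.respond_to_tcp_syn(trap_ip)[0] == "tcp")
```

Running `detect_sniffers` against one normal host and one promiscuous host returns only the promiscuous host's IP; replacing the destination with the real broadcast address poisons every host, which is exactly why the paper uses FF:FF:FF:FF:FF:FE. A promiscuous host whose OS does not treat that address as broadcast escapes the trap, so the technique's coverage depends on the operating systems present in the LAN.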

1. Setting the fake mapping in hosts running in promiscuous mode:

Figure 3.1: Fake ARP Request (ARP Header)

Figure 3.2: Fake ARP Request (Ethernet Header)

In this phase the test host wants to corrupt the ARP caches of the hosts running in promiscuous mode with the fake mapping <IP-X, MAC-X>. It broadcasts the trap ARP request shown in figures 3.1 and 3.2, but with FF:FF:FF:FF:FF:FE instead of FF:FF:FF:FF:FF:FF in the destination MAC address field of the Ethernet header. This is done because the test host wants to corrupt only the hosts in promiscuous mode; with the real broadcast address every host would be corrupted with the fake mapping. Now all hosts running in promiscuous mode have <IP-X, MAC-X> as


MITM-Resistant Address Resolution Protocol (MR-ARP)

Figure 3.4: Four MR-ARP enabled machines deployed in a LAN

The MITM-Resistant Address Resolution Protocol [13] keeps a long-term IP/MAC mapping table alongside the ordinary ARP cache, so as to retain the mappings of live machines over long periods. To avoid losing the mapping of a live host, the source keeps sending ARP requests before any entry in the long-term table times out, and refreshes the IP/MAC association if a reply comes back. When a host receives an ARP request or reply from a new IP address, it asks its neighbours to vote on the correctness of the IP/MAC association.

MR-ARP addresses ARP spoofing by solving two sub-problems. The first is a MAC conflict: host B receives a new MAC address for IP A while its ARP cache associates IP A with MAC A. If host A is still alive, priority is given to MAC A. To check whether host A is alive, 50 unicast ARP requests are sent to it; if host B receives one or more ARP replies from host A, the mapping <IP A, MAC A> is retained in the cache.

The second is an ARP request or reply from a new IP address, one for which the receiver has no mapping in either its ARP cache or its long-term table. Here the sender is very hard to verify, so a voting-based technique is used. In figure 3.4, four


MR-ARP enabled machines (M1, M2, M3 and M4) are deployed in the LAN. When one of them, say host B, receives an ARP request or reply from a new IP, say IP A, it broadcasts a voting request for IP A. Those MR-ARP enabled hosts that hold a mapping for IP A each respond with 50 ARP voting replies carrying their IP/MAC pair. Host B accepts the first N votes, determines which MAC address received more than 0.5N of them, and accepts that MAC address as the one associated with IP A.

In terms of cost, the host first generates n packets (n being the number of hosts in the LAN) as the voting request, and then each of the k MR-ARP enabled hosts votes at a traffic rate ri. So the total extra traffic is n + ri*k, and the latency is that of the voting process alone.

The voting scheme of MR-ARP works correctly only when the voters have approximately the same traffic rate. With dissimilar rates, e.g. in an 802.11 LAN where some hosts are wired and some wireless, the voting becomes unfair. Consider an MR-ARP enabled host connected over wireless while the attacker uses a wired connection: the attacker can deliver more votes in its own favour and win the vote. Nam et al. [14] overcome this limitation of MR-ARP with computational puzzles.

See figure 3.5: EMP-ARP uses two puzzles. The first is solved by the sender of the voting request, the second by the neighbouring EMP-ARP hosts. The first puzzle ensures that no EMP-ARP host can mount a DoS attack by continuously sending voting requests to its neighbours; the second provides fairness among the voting hosts.

For the first puzzle the sender of the voting request computes

$m_s = \mathrm{MAC}_A \,\|\, T_s$ (3.1)

where $\mathrm{MAC}_A$ is the sender's MAC address and $T_s$ its local time, and sends it to the target host.


Figure 3.5: Enhanced MR-ARP technique

The sender transforms $m_s$ as

$c_s = F_m(m_s)$ (3.2)

where $F_m$ is the transformation function, defined as

$F_m(x) = f_m(f_{m-1}(\dots f_1(x)))$ (3.3)

with each $f_i$ a modular exponentiation.

In figure 3.5 each receiver computes and sends

$m_r = \mathrm{MAC}_A \,\|\, \mathrm{MAC}_R \,\|\, P$ (3.4)

where $\mathrm{MAC}_A$ is the sender's MAC address, $\mathrm{MAC}_R$ the receiver's MAC address and $P$ the parameter of the second puzzle, supplied by the host that issued the vote request. That host computes

$P = H(K \,\|\, \mathrm{MAC}_A \,\|\, T_s)$ (3.5)


where $H$ is a publicly known hash function, $K$ a secret known only to the sender, $\mathrm{MAC}_A$ the sender's MAC address and $T_s$ its local time; $P$ is sent to the neighbouring nodes.

The receiver of the voting request transforms $m_r$ with the transformation function into $c_r = F_r(m_r)$ and sends it to the host that issued the voting request; having solved this puzzle, the EMP-ARP node then sends the MAC address of the queried IP. The sender can verify the correctness of each answer by recovering $m_r$ with the inverse transformation $G_m$. Their experiments found that the processing power of the hosts does not differ significantly, so every host takes roughly the same time to solve the puzzle. This yields fair voting even with dissimilar traffic rates.
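The two points above, the unfairness of rate-driven voting and the way a per-vote puzzle restores fairness, can be reproduced with the following added example; it is not code from [13] or [14]. `tally_votes` implements the MR-ARP count (first N arrivals, majority above 0.5N) for voters that each send 50 votes at their own link rate, with an optional per-vote solving time. The puzzle part instantiates equations (3.4) and (3.5) with SHA-256 and takes each $f_i$ of (3.3) to be a modular squaring; the modulus, its two toy prime factors, the MAC addresses and the secret K are constructed for the example. The inverse check $G_m$ is realised here through Euler's theorem: the requester, who generated the modulus and keeps its factorisation, verifies in a single exponentiation what cost the voter m sequential squarings. That shortcut is this example's design choice, not necessarily the construction in [14].

```python
import hashlib
import math


def tally_votes(voters, N, puzzle_ms=0, votes_per_voter=50):
    """MR-ARP count. voters: list of (claimed_mac, votes_per_second). The i-th
    vote of a voter arrives after i * (puzzle_ms + 1000/rate) milliseconds; the
    first N arrivals are counted and a MAC needs more than N/2 of them to win."""
    arrivals = []
    for idx, (mac, rate) in enumerate(voters):
        interval = puzzle_ms + 1000 // rate          # integer milliseconds, deterministic
        for i in range(1, votes_per_voter + 1):
            arrivals.append((i * interval, idx, mac))
    arrivals.sort()
    counts = {}
    for _, _, mac in arrivals[:N]:
        counts[mac] = counts.get(mac, 0) + 1
    winner = max(counts, key=counts.get)
    return (winner if counts[winner] * 2 > N else None), counts


# Toy RSA-style modulus; only the vote requester knows the factors (assumption).
P_PRIME, Q_PRIME = 1000003, 1000033
MODULUS = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)


def puzzle_parameter(K, mac_a, t_s):
    """P = H(K || MAC_A || T_s), eq. (3.5), with SHA-256 as H."""
    return hashlib.sha256(K + mac_a.encode() + str(t_s).encode()).digest()


def puzzle_input(mac_a, mac_r, P):
    """m_r = MAC_A || MAC_R || P, eq. (3.4), mapped into Z_N."""
    digest = hashlib.sha256(mac_a.encode() + mac_r.encode() + P).digest()
    x = int.from_bytes(digest, "big") % MODULUS
    while math.gcd(x, MODULUS) != 1:     # keep x invertible so the phi shortcut is exact
        x += 1
    return x


def solve_puzzle(x, rounds):
    """F_m(x) of eq. (3.3) with f_i(y) = y^2 mod N: `rounds` sequential squarings.
    Without the factorisation there is no known shortcut, so every voter pays
    about the same wall-clock time per vote regardless of its link speed."""
    c = x
    for _ in range(rounds):
        c = c * c % MODULUS
    return c


def verify_puzzle(x, c, rounds):
    """The requester knows phi(N): x^(2^rounds) == x^(2^rounds mod phi) mod N."""
    return pow(x, pow(2, rounds, PHI), MODULUS) == c


def cast_vote(mac_a, mac_r, P, claimed_mac, rounds):
    """A neighbour's vote: the claimed MAC for the queried IP plus its puzzle solution."""
    x = puzzle_input(mac_a, mac_r, P)
    return {"voter": mac_r, "claim": claimed_mac, "x": x, "c": solve_puzzle(x, rounds)}


def accept_vote(vote, mac_a, P, rounds):
    """The requester recomputes m_r for that voter and checks the solution."""
    return (vote["x"] == puzzle_input(mac_a, vote["voter"], P)
            and verify_puzzle(vote["x"], vote["c"], rounds))
```

With three wireless honest voters at 1 vote/s and one wired attacker at 10 votes/s, `tally_votes(..., N=60)` hands the attacker the majority; giving every vote a 2 s solving cost makes the honest MAC win with the same voters and the same N. `accept_vote` rejects any vote whose solution is off by one, and a voter cannot pre-compute solutions because P depends on the requester's secret K and current time.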

Self Confirming Engine (SCE)

Figure 3.6: Flow diagram for the Self Confirming Engine (SCE) when the ARP cache has no mapping for the source IP of the received ARP request/reply

Figure 3.7: Flow diagram for the Self Confirming Engine (SCE) when the ARP cache has a mapping for the source IP of the received ARP request/reply

The Self Confirming Engine [6] uses ARP packets as confirmation packets to correct the address-mapping violations that lead to MITM attacks. As figures 3.6 and 3.7 show, whenever a piece of information in the ARP cache changes, SCE generates a unicast ARP request (its Ethernet destination is the MAC address of that host rather than the broadcast address FF:FF:FF:FF:FF:FF) to the previous Ethernet address corresponding to the IP address of the altered entry. Either a reply comes back from the previous Ethernet address or it does not. If an ARP reply is received, the cache is restored to the previous <IP, MAC> mapping: the previous MAC address is still alive and an attempt has been made to corrupt the cache. If no ARP reply is received, the mapping for that IP address is taken to have genuinely changed to the new MAC address.

As figure 3.6 shows, when host A has no mapping for the received IP address (here IP B) in its cache, it updates the cache directly without any confirmation. An attacker can therefore send false ARP packets in this situation and obtain an entry in host A's cache. This is a serious drawback of SCE. From figure 3.7, the cost is two extra ARP packets and the detection completes in less than 2*RTT.

The main requirement of SCE is that the ARP cache of every host already holds the correct MAC address for the received IP, so that the confirmation packet reaches the right host and the cache is updated correctly. If the cache does not hold the correct mapping for that IP, the attacker can poison it successfully by sending fake packets.

Spoof Detection Engine (SDE)

Figure 3.8: Flow diagram for the Spoof Detection Engine (SDE)

See figure 3.8. In this technique [1] a sniffing host in the LAN captures all ARP traffic. Whenever it finds an ARP packet that contradicts its database it raises an alarm directly; when the packet carries information that is new to its database, it confirms the mapping by sending a confirmation packet to the host. Suppose host B sends host A an ARP request whose source entry in the ARP header is <IP B, MAC B>, and the sniffing host A has no entry for IP B in its cache. Host A then sends a TCP SYN packet as a confirmation packet: the SYN is addressed to IP B with destination MAC address MAC B. The protocol stack of the receiving host is assumed to be correct. Therefore, if host A receives a TCP SYN/ACK or TCP RST in response to its SYN, host B has not spoofed anything; if there is no response, ARP spoofing has taken place, because the only reason for the missing reply is that the packet was dropped at the host owing to the mismatch between the destination IP and its own IP.

This technique is effective only against weak script kiddies; it is not effective against an intelligent attacker. For an intelligent attacker with a customized protocol stack, the paper claims to detect the spoofing but not to identify the attacker. One major drawback of this technique is its single point of failure.

A suspected host is confirmed by sending a TCP SYN packet, so the extra traffic is the TCP SYN and its response, and the latency is 2*RTT.

3.1.2 Cryptographic Techniques for ARP

The following techniques use cryptographic primitives to defend against ARP spoofing:

Secure ARP [8] uses asymmetric cryptography. Every SARP enabled host is identified by its own IP address and owns a public/private key pair. A trusted third party, the Authoritative Key Distributor (AKD), is contacted to obtain the public key of a host so that its ARP replies can be authenticated by verifying the appended signature.

The Ticket-based Address Resolution Protocol (TARP [9]) distributes centrally generated attestations of IP/MAC address mappings, called tickets, signed by a Local Ticket Agent (LTA). A host attaches its ticket to its ARP replies so that the receiver can verify the validity of the address association.

Secure Unicast ARP (SUARP [15]) extends DHCP to carry its packets. The DHCP+ server can be configured to hold the MAC-to-IP (and IP-to-MAC) mappings of all the computers in its domain. A host that wants to communicate with another host whose MAC address it lacks sends a unicast SUARP request to the DHCP+ server, which replies with the requested MAC address and a message integrity code (MIC). The host uses the MIC to check the integrity of the message and responds with an acknowledgement.

The scheme of Goyal and Tripathy [16] identifies two components of an ARP reply: the <IP address, MAC address> mapping itself, and the recency of that mapping. The mapping requires a digital signature, since it must be authentic and publicly verifiable. The recency requirement is met by including a one-time password in the ARP reply; this indicates how recent the mapping is and removes the attacker's opportunity to reuse a legitimate user's signature. The digital signature covers the IP-to-MAC mapping, the clock time and the tip of a hash chain (a series of hashes, $H^{n+1}(k) = H(H^n(k))$, where $H$ is a one-way hash function, MD5 in the paper's example) that is used to verify the one-time passwords. For every host $H_j$ it wants to communicate with, host $H_i$ keeps a five-tuple <IP, MAC, n, $H^n(K \| R)$, t>, where n counts 20-minute periods from time t, K is a secret of $H_j$, R is a random number chosen by $H_j$ and H is the hash function. After the i-th cache timeout period, host $H_j$ recomputes its signature and sends the (i-1)-th one-pass key in an ARP reply. Host $H_i$ uses the public key of $H_j$ to obtain the one-pass key, hashes it to verify the reply and, if the check succeeds, stores the new one-pass key and refreshes the <IP, MAC> mapping.

3.1.3 Some other Techniques

The detection scheme of Trabelsi and Shuaib [17] first finds the hosts that have IP packet routing enabled (IP routing is the forwarding of a packet based on its destination IP address; the host uses a routing table to determine the next-hop IP address and the outgoing interface). The test host sends a trap ICMP echo request to each target host in the network; hosts with IP forwarding enabled respond, the others drop it. The test host then corrupts the ARP caches of all the hosts that responded and collects the packets they forward. Analysing those packets singles out the suspicious host. The test host generates n-1 trap ICMP packets and receives responses from m hosts with IP forwarding enabled; it then sends ARP packets to corrupt the caches of those m suspects. The total extra traffic is therefore (n-1) + m + (m * number of packets required to corrupt a cache).

El Hazz and Trabelsi [3] use a stateful ARP cache together with fuzzy logic to prevent ARP cache poisoning. The ARP reply to a sent ARP request is verified by sending a unicast ARP request to the sender MAC address of that reply; if this unicast request is answered, the MAC address is a candidate for the requested IP address. Likewise, for every received ARP request an ARP request is sent back to its sender. This adds two extra ARP packets to the ARP traffic.

If more than one MAC address responds for an IP address, say IP B, the mapping is resolved by a fuzzy logic controller. Each host keeps some prior knowledge about the hosts it has communicated with before. When a host receives multiple responses to an ARP request, which of them to trust is decided by two factors: Trust Level (TL) and Importance (Im).

$\mathrm{SecurityLevel} = F(\mathrm{TrustLevel}, \mathrm{Importance})$ (3.6)

The Trust Level indicates how far a host is trusted: not trusted at all, trusted, or highly trusted. The Importance factor indicates the importance of a system; e.g. a router is more important than an internal server, and an internal server more important than a laptop. The two values are combined with fuzzy logic, and a host that is in a state of confusion uses the resulting security level to resolve the mapping when it has received multiple ARP replies to one request. The problem here is that a host with a high security level can easily impersonate a host with a lower security level, precisely because its own level is higher.

In the approach of Wang and Zhou [7] a stateful ARP cache is implemented in place of the stateless one in order to manage and secure the cache. A malicious host and a legitimate host differ in response frequency: because the attacker wants its MAC address associated with the target IP in the victim's cache, it sends ARP responses more often than a normal host, so the host with the higher response frequency is declared the attacker. If the response frequencies are not very different, the victim host that is resolving the mapping sends a large number of refuse packets into the LAN and monitors the response times. The response times of a legitimate host follow a normal distribution, whereas those of the malicious host are abnormal, because it receives many refuse packets and takes longer to respond. The latency is N timeouts.
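The frequency stage of this scheme, run over a constructed trace of ARP replies, as an added example that is not code from [7]. The trace is generated from (sender MAC, reply interval) pairs rather than captured; the window length and the frequency ratio used to declare a sender the attacker are parameters chosen for the example, and the second stage (refuse packets and the response-time distribution) is not modelled.

```python
from collections import Counter


def make_reply_trace(ip, senders, duration_ms):
    """Constructed trace of ARP replies claiming `ip`: senders is a list of
    (sender_mac, interval_ms). Returns sorted (time_ms, claimed_ip, sender_mac)."""
    trace = []
    for mac, interval in senders:
        trace += [(t, ip, mac) for t in range(interval, duration_ms + 1, interval)]
    return sorted(trace)


def reply_counts(trace, ip, window_ms):
    """Replies per sender MAC claiming `ip` within the last window_ms of the trace."""
    if not trace:
        return Counter()
    t_end = trace[-1][0]
    return Counter(mac for t, claimed, mac in trace
                   if claimed == ip and t > t_end - window_ms)


def classify_by_frequency(trace, ip, window_ms=10000, ratio=3.0):
    """First stage of Wang and Zhou: with two senders competing for the same IP,
    the one answering `ratio` times more often is declared the attacker. When the
    frequencies are close the decision is deferred to the refuse-packet stage."""
    counts = reply_counts(trace, ip, window_ms)
    if len(counts) < 2:
        return ("no-conflict", None)
    (top_mac, top), (_, second) = counts.most_common(2)
    if top >= ratio * second:
        return ("attacker", top_mac)
    return ("undecided", None)
```

A gateway answering once a second against an attacker answering five times a second is flagged immediately; an attacker who throttles itself to the legitimate host's rate reaches the undecided branch, which is why the scheme needs its second stage and why the comparison table rates it ineffective against a careful attacker.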

In the middleware approach [18] two queues are maintained, requestedQ and respondedQ. When a host sends an ARP request, the target IP is recorded in requestedQ. When a reply arrives, requestedQ is checked for an outstanding request: if one exists, the entry moves to respondedQ; if not, respondedQ is checked. If respondedQ already holds an entry, the reply is treated as a duplicate and the cache is consulted: if the cache has the entry it is refreshed, otherwise an alarm is raised and the entry for that IP is flushed. Since the approach uses a stateful ARP cache and learns mappings only through replies to its own ARP requests, the receiver of an ARP request that wants to talk to the sender has to send its own ARP request first.

3.2 Attacking Model

The attacker is a malicious user who generates fake packets in order to exploit ARP. As we have seen, anyone on the LAN can perform an ARP cache poisoning attack simply by generating fake packets. Many papers discuss ARP cache poisoning without giving a clear picture of the attacking model: they describe how poisoning can be avoided but not the motives and behaviour of the attacker. Ramachandran [1] gives a clear separation between two types of attacker, the weak attacker and the strong attacker. We adopt these two attacker behaviours.

• Weak Attacker: this category of attacker can generate spoofed packets with any software (e.g. arp-sk, http://sid.rstack.org/arp-sk/, or Cain and Abel, http://www.oxid.it/cain.html) but has not modified the protocol stack. The stack works correctly and generates the correct reply to any request packet sent to the host. A weak attacker can generate fake packets but cannot stop or control other hosts or network devices in their usual work: he cannot prevent other hosts from generating responses or other packets, and he cannot bend the network devices to his advantage.

• Strong Attacker: this category is more powerful than the weak attacker. Strong attackers can generate fake packets just like weak attackers, but in addition they have a modified protocol stack. For any detection system a strong attacker is much harder to identify than a weak one, because a strong attacker adapts his protocol stack to the detection technique, whereas a weak attacker has a correct protocol stack that the detection technique can exploit.

3.3 Comparison of Existing Techniques

In the following table we compare the existing techniques under the weak and strong attacking models. We also list the number of extra packets generated and the time each technique takes to resolve the correct mapping after receiving an ARP request/reply. The following variables are used in the table:

• Y - the technique is effective for the respective attacking model.

• N - the technique is not effective for the respective attacking model.

• n - number of hosts in the network.

• m - number of suspicious hosts.

• ri - reply traffic rate.

• k - number of MR-ARP enabled hosts.

• RTT - round trip time

Table 3.1 also covers the existing cryptographic techniques; Abad et al. [10] gave some performance figures for them, which we include in the table. Cryptographic techniques are a good solution against the intelligent attacker, but their main drawbacks are their processing time and their centralized design: if the central system is compromised, the whole scheme fails.


Table 3.1: Comparison of Existing Techniques

Approach                          Weak      Strong    No. of packets                                      Latency
                                  attacker  attacker

Cryptographic techniques
SARP [8]                          Y         Y         n+2                                                 2*RTT + 2*decryption time
TARP [9]                          Y         Y         n                                                   RTT + decryption time
SUARP [15]                        Y         Y         decrease 9.22 times                                 RTT + decryption time
Goyal and Tripathy scheme [16]    Y         Y         less than 1% performance degradation                RTT + time for calculating hash

Non-cryptographic techniques
Embedded IDS [11]                 Y         N         number of active hosts                              less than RTT
Fuzzy logic scheme [3]            Y         Y         two extra ARP packets for each generated ARP request
Sniffer detection [12]            Y         N         3*(n-1)                                             less than 1.5*RTT
MR-ARP [13]                       Y         N         n + ri*k                                            voting time
SCE [6]                           Y         N         two ARP packets for each received update            2*RTT
SDE [1]                           Y         N         two TCP packets for each mapping conflict           2*RTT
Trabelsi and Shuaib scheme [17]   Y         N         m + (n-1) + m*(packets to corrupt the ARP cache)
Wang and Zhou scheme [7]          N         N         packets taken for the sample                        N timeouts
Middleware approach [18]          N         N         more than ARP                                       –


Table 3.1 shows that, except for the fuzzy logic scheme [3], none of the non-cryptographic techniques can identify the attacker under the strong attacking model.


Chapter 4

Proposed Technique

Any probe-packet based technique, e.g. SCE [6] or SDE [1], works on the assumption that every host in the LAN, the attacker included, runs a correctly behaving protocol stack; these techniques assume that hosts cannot modify their stack. They correctly identify the weak type of attacker, who only uses some software to generate spoofed packets while his protocol stack stays correct. A probe-packet technique can therefore exploit the correct stack of a suspected host to verify an IP-to-MAC mapping by sending it a query packet; ARP requests, TCP SYN packets or ICMP packets can serve as query packets. Under the weak attacker model, a legitimate suspect generates the appropriate reply to the query, whereas an attacker's stack drops the query because of the mismatch in IP or MAC address; the suspect then produces no response and is identified as the attacker.

An intelligent attacker, however, can evade such probe-based techniques by generating the appropriate response to the query packet. For example, SDE [1] uses a TCP SYN as its query packet to decide whether a suspected host is genuine or an attacker. If the attacker answers the query SYN with a TCP SYN/ACK (or RST), the test host believes the attacker to be a legitimate host.
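The behaviour described here, and the SCE and SDE confirmation steps surveyed in section 3.1.1, are reproduced in the following simulation, which is an added example and not code from [6], [1] or this thesis. A host with a correct stack answers ARP and TCP probes only for its own IP; a strong attacker's stack also answers for the IP it impersonates. `sce_update` sends the unicast ARP probe to the previous MAC of a changed entry, `sde_confirm` sends the TCP SYN to the claimed <IP, MAC>. The hosts and addresses are constructed; frames are modelled as method calls rather than bytes.

```python
class Host:
    """stack='correct': legitimate host or weak attacker (fake packets, unmodified
    stack); stack='strong': attacker whose customised stack also answers for the
    IPs it impersonates."""

    def __init__(self, ip, mac, stack="correct", impersonates=()):
        self.ip, self.mac, self.stack = ip, mac, stack
        self.impersonates = set(impersonates)

    def owns(self, ip):
        return ip == self.ip or (self.stack == "strong" and ip in self.impersonates)

    def on_arp_request(self, target_ip):
        # Every host answers ARP requests for its own IP (assumption of section 4.1);
        # only a strong attacker also answers for an IP it is spoofing.
        return {"ip": target_ip, "mac": self.mac} if self.owns(target_ip) else None

    def on_tcp_syn(self, dst_ip):
        # A correct stack answers SYN/ACK (or RST for a closed port) only when the
        # destination IP is its own and silently drops the SYN otherwise.
        return "SYN/ACK" if self.owns(dst_ip) else None


class Lan:
    """Delivers unicast frames by destination MAC."""

    def __init__(self, hosts):
        self.by_mac = {h.mac: h for h in hosts}

    def unicast_arp_request(self, dst_mac, target_ip):
        h = self.by_mac.get(dst_mac)
        return h.on_arp_request(target_ip) if h else None

    def tcp_syn(self, dst_mac, dst_ip):
        h = self.by_mac.get(dst_mac)
        return h.on_tcp_syn(dst_ip) if h else None


def sce_update(lan, cache, ip, new_mac):
    """SCE: when an ARP packet would change ip's mapping, unicast-probe the
    previous MAC; keep it if it still answers, otherwise accept the change."""
    old_mac = cache.get(ip)
    if old_mac is None:
        cache[ip] = new_mac                 # no previous mapping: accepted unverified
        return "accepted-unconfirmed"
    if old_mac == new_mac:
        return "unchanged"
    if lan.unicast_arp_request(old_mac, ip) is not None:
        cache[ip] = old_mac
        return "restored"
    cache[ip] = new_mac
    return "changed"


def sde_confirm(lan, ip, mac):
    """SDE: send a TCP SYN to the claimed <ip, mac>; any TCP answer is taken as
    proof that the host behind mac really owns ip."""
    return "legitimate" if lan.tcp_syn(mac, ip) else "spoofed"
```

With host A alive, SCE restores A's mapping whether the spoofed packet came from the weak or the strong attacker, because the probe goes to A and not to the attacker; with no previous entry, either attacker gets into the cache unchallenged. SDE catches the weak attacker, whose correct stack drops the SYN, and is evaded by the strong attacker, whose stack answers it.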


4.1 Assumptions

We assume that an intelligent attacker, termed a strong attacker, can modify his protocol stack and need not follow the packet flow of any protocol (e.g. using the BackTrack OS, www.backtrack-linux.org). A legitimate host, on the other hand, has a correct protocol stack. A strong attacker works in promiscuous mode, i.e. he can sniff every packet that reaches his network interface.

We consider an adversary who cannot control the network devices or the communication channel. The attacker can impersonate another host, but he cannot stop the real host from replying to ARP requests for its address: an ARP request is broadcast over the LAN, so the real host receives it as well as the attacker, and the real host replies.

We assume that the attacker does not want to be cut off from communication over the LAN for long. Being cut off means that the other hosts on the LAN cannot communicate with him. Any host that wants to remain reachable must generate ARP replies for the ARP requests it receives; otherwise it cannot communicate. So every host, the attacker included, answers ARP requests for its own IP address.

As discussed above, a strong attacker has the power to change his protocol stack and to manipulate the flow of packets. Therefore, if an intelligent attacker has any clue that he is under test, in other words if he finds that the target of his ARP spoofing is using some technique to validate him, he will act accordingly and evade the detection technique.


4.2 Rules in Proposed Technique

The proposed technique works on the following rules:

• Rule A: “The network interface card of a host working in non-promiscuous mode will accept only those packets which are sent to its MAC address, the broadcast address and its subscribed multicast addresses. In promiscuous mode the network interface card of the host will accept each and every packet that strikes the network interface and push the captured packets to the upper layers of the protocol stack.”

• Rule B: “If a test host receives an ARP request/reply and a mapping for the source IP address in the received ARP header is present in the test host's ARP cache, then broadcast an ARP request for the source IP in the received ARP request/reply packet.”

• Rule C: “If a test host receives an ARP request/reply and it does not have a mapping for the received IP address in its ARP cache, then the test host broadcasts many ARP requests, one for each possible IP address in the LAN.” This rule requires further discussion; we will see it in section 4.5.

4.3 Working of Proposed Technique

The detailed working of the proposed technique is shown in algorithm 1 (ARP spoofing detection module) and algorithm 2 (broadcast test). The above rules are used to identify the attacker. According to rule A, whenever a test host receives an ARP packet it accepts only those packets which are sent to its MAC address, the broadcast address or a subscribed multicast address. This rule is derived from the normal behavior of a correct host. The received ARP packet and the state of the ARP cache decide which rule applies to identify the correct IP to MAC address mapping.

When a test host receives an ARP packet, there are two possibilities for the source <IP, MAC> mapping: either the mapping is present in the ARP cache of the test host or it is not. These conditions are handled by rule B and rule C in the following ways:

• IP to MAC address mapping present in ARP cache: According to rule B, if the source <IP, MAC> mapping of the received ARP packet is present in the ARP cache of the test host, then the test host will broadcast an ARP request for the source IP address in the received ARP packet. For example, if the test host receives the source mapping <IP A, MAC B> in an ARP request/response packet and has the mapping <IP A, MAC A> in its cache, then the test host will send a broadcast ARP request packet for IP A.

• IP to MAC address mapping not present in ARP cache: According to rule C, if the source <IP, MAC> mapping of the received ARP packet is not present in the ARP cache of the test host, then the test host goes for the broadcast test. In the broadcast test the test host generates a broadcast ARP request packet for each IP address in the LAN. The test host moves to promiscuous mode and collects the ARP replies arriving within the timeout period of ARP request/reply communication. We will see further details of the broadcast test in section 4.5.

4.4 Identification of Attacker

Figure 4.1: Confirmation of Legitimate host in case of weak attacker

The basic idea to identify the attacker is shown in figure 4.1. If a host receives an ARP request/reply packet and the source <IP, MAC> mapping in the ARP packet mismatches the mapping present in the ARP cache of the host, then


Algorithm 1 ARP spoofing detection module

Description: Algorithm for the enhanced technique to correctly identify the mapping between IP address and MAC address at a given host.
Input: ARP request/reply packet from any other host.

 1: if mismatch between the information in the received ARP packet and the ARP cache, or ARP request/reply from an IP address that has no entry in the ARP cache then
 2:   if source IP address in ARP header has an entry in ARP cache then
 3:     Generate broadcast ARP request for source IP in received ARP packet. ---- (Rule B)
 4:     if got an ARP response from the previous MAC address of that IP then
 5:       Update the ARP cache so that the previous MAC address corresponds to that IP.
 6:     else
 7:       Go for broadcast test() ---- (Rule C)
 8:     end if
 9:   else
10:     Go for broadcast test() ---- (Rule C)
11:   end if
12: else
13:   Don't do anything
14: end if

Algorithm 2 Broadcast test()

Description: Algorithm to perform the broadcast test so that the test host can identify the correct mapping of IP address to MAC address.

 1: Generate broadcast ARP request packets with mean µ and variance σ² for all the possible IP addresses in the LAN.
 2: Record all the ARP replies that come within the valid time for the sent ARP requests.
 3: if test host got two or more replies from the same MAC address then
 4:   The MAC address belongs to an attacker who wants to spoof some IP address. Remove the mappings from the ARP cache corresponding to the attacker's MAC address.
 5: else
 6:   Update the ARP table for each IP address with the MAC address that responds to only a single ARP request.
 7: end if


the receiving host of the ARP packet will send a confirmation packet for the source IP address in the ARP header of the received ARP packet; in the proposed technique the confirmation packet is an ARP request packet. A legitimate host will generate a response to the confirmation packet. Thus we can identify the correct mapping for the IP address.

The above test is sufficient for a weak attacker, and existing techniques [1] [4] [3] [12] similarly used this approach to identify the attacker. But a strong attacker can deceive probe packet based techniques by generating an appropriate response for the probe packets. In this section we explain how one can identify the attacker in a situation where the attacker is intelligent.

When a host, say host A, receives an ARP packet, each received ARP packet carries a source mapping, say <IP B, MAC B>. It is also possible that the host receives multiple ARP request/reply packets. The source <IP, MAC> mapping is not necessarily present in the ARP cache of host A. So the following cases arise:

• Host A has a mapping in its ARP cache for IP B (mapping present in ARP cache of test host).

• Host A does not have a mapping in its ARP cache for IP B (mapping not present in ARP cache of test host).

4.4.1 Mapping present in ARP cache of test host

Figure 4.2 shows the details of the case when the test host has a mapping in its ARP cache for the source IP address in the received ARP packet. Suppose an attacker, say host C, sends a spoofed ARP request with source mapping <IP B, MAC C> to host A, and host A has IP B mapped to MAC B in its ARP cache. There is a chance that host B has changed its MAC address from MAC B to MAC C. So in order to find out the correct mapping for IP B, host A will broadcast an ARP request for IP B. Host B will then respond with an ARP reply packet corresponding to the ARP request packet for IP B.


Figure 4.2: Identification of attacker when host A has correct mapping in his ARP cache

The attacker, host C, cannot stop host B from generating a reply for the ARP request packet, and the attacker cannot control the communication channel, so the ARP reply reaches host A and the MAC address in the ARP cache of host A corresponding to IP B is matched with the source mapping in the reply from host B. If the previous MAC address corresponding to IP B is the same as the source MAC address from host B, then we can say that host B is the legitimate host and MAC C will be declared the attacker, because he attempted to associate IP B with his MAC address.

One important thing to notice is that we use a broadcast ARP request, while several existing techniques [6] [3] [13] have used a unicast ARP packet to confirm whether the previous MAC address corresponding to the source IP address in the ARP request is alive or not. We use broadcast because a unicast ARP request is not a conventional ARP packet. Some IDSs, like Snort², will generate an alarm for a unicast ARP request. From another point of view, a unicast ARP packet will help an intelligent attacker to identify the hosts which are running some defense technique against ARP spoofing.


Figure 4.3: Confirmation of Legitimate host

Figure 4.4: Confirmation of attacker

4.4.2 Mapping not present in ARP cache of test host

Figure 4.3 and figure 4.4 show the details of the case when the test host does not have a mapping in its ARP cache for the source IP address in the received ARP packet. In the previous case we had a mapping in the ARP cache of the test host that could be used to verify the response, by giving priority to the MAC address present in the cache. Here no such mapping exists, which is the reason we have to generate ARP requests for all IP addresses in the LAN.

So whenever a test host, host A, receives an ARP packet and host A does not have a mapping for the source IP address in the ARP packet, host A will generate a flood of ARP requests for all possible IP addresses in the LAN. Hosts in the LAN will generate responses for the ARP requests corresponding to their own IP address. So each legitimate host will claim a single IP address.

² http://www.snort.org


A strong attacker, say host C, must generate replies for the ARP requests for both his own IP address and the victim IP address, IP B, because host C wants to perform ARP cache poisoning on host A and wants to associate his MAC address MAC C with IP B. So host A will have two responses for IP B, one from host B (legitimate host) and another from host C (attacker), but we know that a single IP address cannot be assigned to more than one host or MAC address. So we can say that someone is trying to poison the ARP cache of host A. Meanwhile, host C will generate a response for his own IP address, IP C. If host C remains silent for that interval of time (the time when the broadcast test is running) for ARP requests for his own IP address, then he will lose communication with the others for that interval.

By analyzing the responses we can identify the attacker and the legitimate host. A legitimate host will generate an ARP reply corresponding to the ARP request for only its own IP address. At the same time, the attacker will generate responses for two ARP requests. So we can easily identify the attacker.
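The rules of sections 4.2 to 4.4 and the two algorithms, worked through as an added example that is not the thesis's own C implementation: it parses raw Ethernet/ARP frames, applies rule A as a frame filter, rule B as the single-IP confirmation and rule C as the broadcast test, the last generalised to any number of responders. All MAC and IP addresses are constructed, and the frames are built in-process rather than captured with libpcap.

```python
# Added example, not code from the thesis: the rules of sections 4.2-4.4 applied to
# constructed ARP frames. All hosts, MACs and IPs below are made up for the demo.
import struct
from collections import defaultdict

ETH_P_ARP, ARP_REPLY = 0x0806, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def build_arp_frame(op, sha, spa, tha, tpa, eth_dst=None):
    """Ethernet II + ARP (RFC 826) frame; only used to construct sample input."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst or tha), mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac_bytes(sha),
                      bytes(map(int, spa.split("."))), mac_bytes(tha),
                      bytes(map(int, tpa.split("."))))
    return eth + arp

def parse_arp_frame(frame):
    """Decode the Ethernet header and the ARP fields the rules look at."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != ETH_P_ARP or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ".".join(map(str, spa)),
            "tha": mac_str(tha), "tpa": ".".join(map(str, tpa))}

def accept_frame(pkt, own_mac, promiscuous):
    """Rule A: a non-promiscuous NIC delivers only frames sent to its own MAC or to
    the broadcast address (multicast left out); promiscuous mode delivers all."""
    return promiscuous or pkt["eth_dst"] in (own_mac, BROADCAST)

def arp_decision(cache, pkt):
    """Algorithm 1, lines 1-2 and 9-13: which rule applies to a received packet."""
    known = cache.get(pkt["spa"])
    if known is None:
        return "rule_c"   # no entry for the source IP: broadcast test (line 10)
    if known == pkt["sha"]:
        return "ignore"   # consistent with the cache: do nothing (line 13)
    return "rule_b"       # entry present but MAC differs: probe that IP (line 3)

def rule_b_confirmed(cache, ip, replies):
    """Algorithm 1, line 4: did the previously cached MAC answer the broadcast ARP
    request for ip? If not, Algorithm 1 falls through to the broadcast test."""
    return any(r["op"] == ARP_REPLY and r["spa"] == ip and r["sha"] == cache[ip]
               for r in replies)

def broadcast_test(cache, replies):
    """Algorithm 2, lines 3-7, generalised to any number of responders: a MAC that
    answers for two or more IPs is an attacker and its mappings are dropped; every
    IP with exactly one remaining claimant is (re)learned."""
    claims = defaultdict(set)
    for r in replies:
        if r["op"] == ARP_REPLY:
            claims[r["sha"]].add(r["spa"])
    attackers = {mac for mac, ips in claims.items() if len(ips) >= 2}
    new_cache = {ip: mac for ip, mac in cache.items() if mac not in attackers}
    for ip in {ip for ips in claims.values() for ip in ips}:
        macs = [m for m, ips in claims.items() if ip in ips and m not in attackers]
        if len(macs) == 1:
            new_cache[ip] = macs[0]
    return attackers, new_cache

# Constructed scenario: A is the test host, B legitimate, C the attacker, D a bystander.
MAC_A, MAC_B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
MAC_C, MAC_D = "02:00:00:00:00:0c", "02:00:00:00:00:0d"
IP_A, IP_B, IP_C, IP_D = "10.0.0.10", "10.0.0.11", "10.0.0.12", "10.0.0.13"
PROBE_MAC = "02:00:00:00:ff:01"   # a random probe source MAC, as in section 4.5

def run_scenario():
    cache = {IP_B: MAC_B}
    # C sends a spoofed reply <IP_B, MAC_C> addressed to A's own MAC address.
    spoof = parse_arp_frame(build_arp_frame(ARP_REPLY, MAC_C, IP_B, MAC_A, IP_A))
    decision = arp_decision(cache, spoof)                        # "rule_b"
    # Rule B: B answers A's broadcast request for IP_B from its cached MAC -> keep it.
    confirm = [parse_arp_frame(build_arp_frame(ARP_REPLY, MAC_B, IP_B, MAC_A, IP_A))]
    confirmed = rule_b_confirmed(cache, IP_B, confirm)           # True
    # Rule C: replies to the flood are addressed to the random probe MAC, so A only
    # sees them in promiscuous mode (accept_frame(..., promiscuous=False) is False).
    flood = [parse_arp_frame(build_arp_frame(ARP_REPLY, sha, spa, PROBE_MAC, IP_A))
             for sha, spa in ((MAC_B, IP_B), (MAC_C, IP_B), (MAC_C, IP_C), (MAC_D, IP_D))]
    seen = [p for p in flood if accept_frame(p, MAC_A, promiscuous=True)]
    attackers, cache = broadcast_test(cache, seen)               # {MAC_C}
    return decision, confirmed, attackers, cache
```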

An intelligent attacker can sniff the flood of ARP requests and then infer that a test is being conducted by the test host. The attacker can now evade the test by not generating a response for his own IP address, because this action will leave the test host in a dilemma about which MAC address to choose for the IP for which the test is conducted. So it is very important to hide the flood of ARP requests so that the attacker cannot notice the test conducted on him. Suppose the attacker knows about the test and then tries to evade the technique by not generating a response for the ARP request for his own IP; then the attacker has to pay the cost of loss of communication for a sufficiently long time.

In the following section we will discuss how we hide the ARP request traffic from the attacker.


4.5 Hiding the traffic pattern: in case of Probe Packets

The type of attacker who has the power to generate fake packets and has a compromised protocol stack comes under the category of strong attacker. Many techniques are limited to only the weak type of attacker; in some research papers [1] they tried to deal with the strong type of attacker, but they are limited to only the detection of the attacker. It is very difficult to identify the strong attacker.

It is important to determine the correct IP address and MAC address pair in the case where an attacker generates appropriate replies for the probe packets, since in such cases the victim host will receive two or more MAC addresses corresponding to some IP, one from the correct host and the other from the attacker. In such a scenario the test host cannot proceed with communication, as it does not know the correct mapping; hence it is important to resolve the mapping and identify the correct IP address to MAC address mapping.

If we want to correctly identify the mapping of an IP address to the true host, then we have to generate the probe packet traffic in such a way that the attacker cannot differentiate between normal ARP request traffic and the request packets that are generated by the verification test run by the test host. If the test host injects the probe packets directly into the network, the attacker can sniff the traffic and, from such a sudden rise in traffic, infer that a test is being conducted by the test host to resolve the correct mapping; and if he generates replies for the ARP requests made for his own IP address and for the IP address that he wants to spoof, then the attacker can be caught.

So the attacker will bypass this verification test by not generating the ARP reply for his own IP address, and because of this he has to pay a loss of communication for the period of the verification test. If we do not want the attacker to be able to bypass the verification test, then the test host must generate ARP request traffic similar to that of the normal hosts present in the LAN.


In order to generate ARP request traffic similar to normal ARP traffic, we analyze the LAN traffic; the test host determines the mean (µ) and variance (σ²) and uses these parameters to schedule the traffic for the verification test.

Calculation of mean and variance for normal ARP traffic

sample      mean    variance
sample01    µ₁      σ₁²
sample02    µ₂      σ₂²
sample03    µ₃      σ₃²
sample04    µ₄      σ₄²
sample05    µ₅      σ₅²
sample06    µ₆      σ₆²
sample07    µ₇      σ₇²
sample08    µ₈      σ₈²
sample09    µ₉      σ₉²
sample10    µ₁₀     σ₁₀²

In the above table, the test host has taken 10 samples of ARP request traffic in order to calculate the parameters for the generation of probe packets to the attacker, so that the attacker cannot identify the probe packets.

\mu = \frac{\mu_1 + \mu_2 + \cdots + \mu_{10}}{10} \qquad (4.1)

\sigma^2 = \frac{\sigma_1^2 + (\mu - \mu_1)^2 + \sigma_2^2 + (\mu - \mu_2)^2 + \cdots + \sigma_{10}^2 + (\mu - \mu_{10})^2}{10} \qquad (4.2)

Now the test host has the parameters to generate the probe packets at the rate of normal ARP request traffic in the LAN. But the test host does not yet have a schedule for generating the packets. The packet generation can easily be scheduled using the following equation, which follows the distribution in such a way that its mean will be µ and its variance will be σ²:

x = \mu + \sigma \cdot \mathrm{random\_fun}(0, 1) \qquad (4.3)


where x gives the number of ARP requests generated per unit time, µ and σ are the calculated values, and random_fun(0,1) generates n random numbers with µ=1 and σ²=0. For example, suppose we have µ=1.382 and σ²=203.097; then we generated the following schedule using the above equation for 186 seconds (supposing there are 256 hosts in the LAN), because within 186 seconds we can generate 256 ARP requests with µ=1.382; see figure 4.5.

Figure 4.5: Generated schedule (number of ARP request packets generated per second)

If the attacker sniffs the whole traffic, he can learn that the test host has generated the probe packets to resolve the mapping, and in such a situation a stronger attacker can take advantage, because in each probe packet the Ethernet source address and the ARP header source MAC address are marked with the MAC address of the test host. So we choose 20 randomly generated MAC addresses and use these MAC addresses to send the probe packets, so that the attacker cannot learn of the presence of the verification test.
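An added example (not the thesis's code) of the traffic shaping described in this section: the ten sample statistics are pooled with equations 4.1 and 4.2, each second's probe count is drawn with equation 4.3, and the probes are spread over 20 random locally administered source MACs. It assumes that random_fun(0,1) is a standard normal draw; the sample means and variances, the rng seed and the /24 LAN are constructed.

```python
# Added example, not code from the thesis: pooling the sampled ARP statistics
# (eq. 4.1 and 4.2), scheduling probes with eq. 4.3 and drawing the random probe
# source MACs of section 4.5. Assumption: random_fun(0,1) is a standard normal draw.
import math
import random

def pooled_mean(means):
    """Eq. 4.1: mu is the average of the per-sample means."""
    return sum(means) / len(means)

def pooled_variance(means, variances):
    """Eq. 4.2: every sample contributes its own variance plus the squared
    distance of its mean from the pooled mean mu."""
    mu = pooled_mean(means)
    return sum(s2 + (mu - m) ** 2 for m, s2 in zip(means, variances)) / len(means)

def schedule(mu, sigma2, n_probes, rng):
    """Eq. 4.3 once per second: x = mu + sigma * random_fun(0,1). A negative or
    fractional packet count is meaningless, so draws are clipped at 0 and rounded;
    generation stops when n_probes have been scheduled. Returns counts per second."""
    sigma = math.sqrt(sigma2)
    counts, remaining = [], n_probes
    while remaining > 0:
        x = min(remaining, max(0, round(mu + sigma * rng.gauss(0.0, 1.0))))
        counts.append(x)
        remaining -= x
    return counts

def probe_source_macs(count, rng):
    """Random, locally administered, unicast MAC addresses (first octet has the
    local bit 0x02 set and the multicast bit 0x01 clear) for the probe frames."""
    macs = set()
    while len(macs) < count:
        octets = [(rng.randrange(256) | 0x02) & 0xFE] + [rng.randrange(256) for _ in range(5)]
        macs.add(":".join(f"{o:02x}" for o in octets))
    return sorted(macs)

def plan_broadcast_test(ips, mu, sigma2, rng, mac_pool=20):
    """One probe per IP address, in random order, paced by schedule() and sent from
    one of mac_pool random MACs; returns (second, target_ip, source_mac) triples."""
    counts = schedule(mu, sigma2, len(ips), rng)
    macs = probe_source_macs(mac_pool, rng)
    order = list(ips)
    rng.shuffle(order)
    targets = iter(order)
    return [(second, next(targets), rng.choice(macs))
            for second, n in enumerate(counts) for _ in range(n)]

# Constructed per-sample statistics standing in for the ten samples of the table above.
SAMPLE_MEANS = [1.0, 1.5, 2.0, 1.2, 1.8, 0.9, 1.4, 1.6, 1.1, 1.3]
SAMPLE_VARIANCES = [0.5, 0.8, 1.2, 0.4, 0.9, 0.3, 0.6, 0.7, 0.5, 0.6]

def demo():
    """Plan a broadcast test over a constructed 256-address LAN using the pooled
    statistics of the constructed samples (reproducible through the seeded rng)."""
    rng = random.Random(2012)
    lan = [f"10.0.0.{i}" for i in range(256)]
    mu = pooled_mean(SAMPLE_MEANS)                          # 1.38
    sigma2 = pooled_variance(SAMPLE_MEANS, SAMPLE_VARIANCES)  # 0.7616
    return plan_broadcast_test(lan, mu, sigma2, rng)
```

With these pooled values the schedule averages a little over one probe per second, so covering 256 addresses takes roughly the 186 seconds the section quotes; the page's σ² of 203.097 would instead produce idle seconds alternating with bursts, which is why the clipping in schedule() matters.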


Chapter 5

Experiment and Results

5.1 Experimental setup

We did the experiment over a switched LAN (see figure 5.1). The LAN consists of 20 machines and one system working as the gateway. In figure 5.1 we focus on three systems: the gateway, host A as the victim (running Windows XP) and a third host (Ubuntu 11.10) working as the attacker. The IP address and MAC address of each host are given in figure 5.1.

Figure 5.1: Experiment setup

The following libraries and software were used for the implementation of the code base and the experiments:


1. Wireshark¹ (for analysis of network packets)

2. libpcap² (for capturing the network packets)

3. libnet³ (for injecting packets into the network)

4. 'C' programming language

Figure 5.2 shows the trace of simple ARP protocol packets. The first trace shows that host A transmitted a broadcast ARP request packet to learn the MAC address of 10.100.57.40. Then the host corresponding to 10.100.57.40 replies to host A with its MAC address, and the new state is reflected in the ARP cache, figure 5.4.

Figure 5.2: Simple ARP Protocol

Figure 5.3 shows that a single spoofed ARP reply can be used to poison the cache of host A. The attacker sends an ARP reply to host A with the fake source mapping <10.100.57.2, 00:1f:e2:5c:45:ad> in the ARP reply. Then host A updates its ARP cache for 10.100.57.2 and the change is reflected in the ARP cache, figure 5.4.

Figure 5.3: Spoofed ARP reply from attacker to host A

Figure 5.4: State of ARP cache at host A

¹ http://www.wireshark.org
² http://www.tcpdump.org
³ http://www.packetfactory.net/libnet


Figure 5.5 shows the basic concept of the proposed technique. In the first trace of figure 5.5, the attacker sent an ARP reply with the fake source mapping <10.100.57.2, 00:1f:e2:5c:45:ad>. So host A generates two ARP requests in order to identify the attacker, one for 10.100.57.2 and another for 10.100.57.40. The gateway will generate an ARP reply for the ARP request for 10.100.57.2. As the attacker wants to associate his MAC address with 10.100.57.2 in host A's cache, the attacker also generates an ARP reply for the ARP request for 10.100.57.2.

Now host A generates an ARP request for 10.100.57.40. The attacker will then generate an ARP reply for the ARP request for 10.100.57.40; otherwise, if the attacker refuses to generate an ARP reply, the attacker will be out of communication. We can catch the attacker by seeing ARP replies from him for two IP addresses.

Figure 5.5: Basic scheme to identify the attacker

Here we saw that host A directly generated an ARP request for 10.100.57.40. But in practice it is very difficult to guess the IP address to check. So in the actual algorithm we use Broadcast test() to generate ARP requests for all the IPs. It is also important to hide the probe packets from the attacker's knowledge, and this is done in Broadcast test().

5.2 Measure of generated ARP traffic

Figure 5.6 shows the normal ARP request packet traffic of the normal ARP protocol. Figure 5.7 represents the ARP request traffic generated by any probe based technique used to correctly identify a weak attacker. Figure 5.8 represents the ARP request packet traffic generated by our proposed technique. Here we


Figure 5.6: ARP request traffic in normal ARP protocol

used the ARP request packet as the probe packet. Every probe based technique will generate a probe packet whenever the test host is uncertain about the IP address to MAC address mapping, and the reply to the probe packet is used to resolve the mapping. Probe packet based techniques only work for the weak type of attacker, who has a correct protocol stack. So probe packet based techniques take advantage of the correct protocol stack of hosts to identify the correct mapping.

In the simulation of a generalized probe packet based technique for a weak attacker, whenever a conflict arises related to an IP address to MAC address mapping, an ARP request packet is sent to the respective MAC address and the mapping is resolved using the response to the probe packet. We plot the graph (figure 5.7) to represent the traffic cost if probe packet based techniques are deployed in the local LAN.

Figure 5.7: ARP request traffic in case of weak attacker


We simulated the proposed technique over the experimental setup and recorded the number of ARP request packets. Figure 5.8 is a plot of the number of ARP request packets generated by a test host running our proposed technique. In the proposed technique, the test host generates 256 ARP requests, one for each of the 256 possible IP addresses over the LAN, whenever the test host receives an ARP request/reply from a source host for which it does not have a mapping in its ARP cache, or the test host is in a state of confusion because some other MAC address is claiming the same IP address. Otherwise priority is given to the existing mapping in the ARP cache, and the confirmation of this mapping is done by generating a broadcast ARP request for the respective IP address.

Figure 5.8: ARP request traffic in case of strong attacker (proposed technique)

By comparing the traffic generated by the normal ARP protocol (figure 5.6), the probe packet based technique (figure 5.7) and the proposed technique (figure 5.8), we can say that the proposed technique can be deployed over the LAN, and this increased ARP traffic is the cost of securing the LAN against a strong attacker.

5.3 Reducing number of probe packet (ARP Request packet)

In identifying the attacker with a compromised protocol stack, we generate a number of ARP request packets of the order of the size of the LAN, e.g. if there are 1000 hosts in the LAN then we have to generate 1000 ARP request packets whenever we receive a new mapping from an ARP packet that is not present in the ARP cache. So in the identification of a stronger attacker we have to pay this much communication cost.

We can reduce the number of generated packets, but this will decrease the accuracy of the broadcast test; see figure 5.9. We can draw an analogy between the birthday attack problem and the number of packets generated to identify the attacker, and this gives the accuracy of the test. In fact we are in search of two different IP addresses which have the same MAC address. We use the following equation (the equation for computing the probability in the birthday problem) and plot the probability distribution (assuming the LAN has 1000 hosts) against the number of ARP request packets generated to find the attacker.

q(n, d) = 1 - \left(\frac{d - 1}{d}\right)^{n} \qquad (5.1)

where q(n,d) is the probability for the accuracy of the broadcast test in a LAN of size d hosts with n probe packets.

In figure 5.9 we can see that the number of probe packets and the accuracy of the proposed technique are directly proportional to each other. We choose a random IP address from the LAN and send an ARP request packet using a randomly generated MAC address. From the calculation with the above equation we find that by sending 693 ARP request packets we can find the attacker with probability 0.5.
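An added example (not the thesis's code) of equation 5.1, of inverting it into a probe budget, and of checking it by simulation. The interpretation it assumes is that the reduced test catches the attacker once one of the n uniformly random probes asks for the one address the test host cannot know in advance, the attacker's own IP; the 1000-host LAN is the page's figure, the confidence levels and rng seed are constructed.

```python
# Added example, not code from the thesis: eq. 5.1 and the probe budget it implies,
# checked against a Monte Carlo run of the reduced broadcast test. Interpretation
# assumed here: the attacker is caught once one of the n random probes asks for the
# one address the test host cannot know in advance, the attacker's own IP.
import math
import random

def detection_probability(n, d):
    """Eq. 5.1: q(n, d) = 1 - ((d - 1) / d) ** n for n probes in a LAN of d hosts."""
    return 1.0 - ((d - 1) / d) ** n

def probes_for_confidence(q, d):
    """Smallest n with q(n, d) >= q, from inverting eq. 5.1."""
    if not 0 < q < 1:
        raise ValueError("q must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - q) / math.log((d - 1) / d))

def simulate_reduced_test(n, d, trials, rng):
    """Fraction of trials in which n probes, each for an IP drawn uniformly at
    random from the d hosts (with replacement, as in section 5.3), include the
    attacker's own IP; should approach detection_probability(n, d)."""
    hits = 0
    for _ in range(trials):
        attacker_ip = rng.randrange(d)
        if any(rng.randrange(d) == attacker_ip for _ in range(n)):
            hits += 1
    return hits / trials

def budget_table(d, confidences=(0.5, 0.9, 0.99)):
    """(confidence, probes needed, probes / d) rows: how much of a full sweep of
    the d-host LAN each confidence level costs."""
    return [(q, probes_for_confidence(q, d), probes_for_confidence(q, d) / d)
            for q in confidences]
```

budget_table(1000) shows that pushing q past 0.99 needs more random probes than the LAN has hosts, because probes are drawn with replacement and may repeat an address.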

We generate many ARP request packets as our probe packets, and in order to collect the response to each ARP request packet the test host must go into promiscuous mode, because each ARP request packet is marked with a random MAC address so that the attacker cannot identify the probe packets. So the test host does not want to drop responses to the probe packets, and the test host will use the response packets to resolve the IP address to MAC address mapping. This works because the attacker will generate two responses for two IP addresses, one for his own IP address and another for the IP address he wants to spoof, while a legitimate host will generate


Figure 5.9: probability distribution over number of probe packet sent

a response for only its own IP address.

5.4 System Load in promiscuous mode

The system goes into promiscuous mode during the period of the broadcast test. Figure 5.10 and figure 5.11 are two snapshots of a system with a core-2 processor, showing that the system will have a slightly higher load in promiscuous mode than in non-promiscuous mode. On a single core processor we found that the load increased by 10% in promiscuous mode as compared to non-promiscuous mode. So running the test host in promiscuous mode for the period of the broadcast test is not a significant issue.


Figure 5.10: System load in non-promiscuous mode (core-2 processor)

Figure 5.11: System load in promiscuous mode (core-2 processor)


Chapter 6

Conclusion

We proposed an enhanced version of a detection technique. Almost all probe based techniques cannot identify the strong attacker. An intelligent attacker can easily bypass many non-cryptographic techniques. The proposed technique is not limited to the detection of ARP spoofing; it can detect and identify both the weak and the strong attacker.

The proposed technique is not based on any cryptographic primitives or a central server, so it has neither that complexity nor a single point of failure. The key feature of the technique is to hide the probe packets from the attacker. The attacker is identified by analyzing his responses during Broadcast test().

This technique is backward compatible because we have not added any new field to the ARP header. There is no requirement to bring changes at the host, because we are not modifying the ARP protocol. This technique can be deployed at any host. It does not require changing the configuration of the LAN.

We pay some amount of traffic overhead in this detection technique, but the traffic is not significantly high. We simulated the proposed technique in a test bed and the proof of correctness is recorded.


Bibliography

[1] V. Ramachandran and S. Nandi, “Detecting ARP spoofing: an active technique,” in Proceedings of the First International Conference on Information Systems Security, ICISS’05, (Berlin, Heidelberg), pp. 239–250, Springer-Verlag, 2005.

[2] D. C. Plummer, “An Ethernet Address Resolution Protocol,” ARPA RFC 826, Nov. 1982.

[3] W. El-Hajj and Z. Trabelsi, “Using a fuzzy logic controller to thwart data link layer attacks in Ethernet networks,” in WCNC, pp. 2547–2552, 2007.

[4] N. Hubballi, S. Roopa, R. Ratti, F. A. Barbhuiya, S. Biswas, A. Sur, S. Nandi, and V. Ramachandran, “An active intrusion detection system for LAN specific attacks,” in Proceedings of the 2010 International Conference on Advances in Computer Science and Information Technology, AST/UCMA/ISA/ACN’10, (Berlin, Heidelberg), pp. 129–142, Springer-Verlag, 2010.

[5] T. Demuth and A. Leitner, “ARP spoofing and poisoning: traffic tricks,” July 2005.

[6] K. Masataka, K. Takashi, and Y. Suguru, “A self-confirming engine for preventing man-in-the-middle attack (security) (Internet technology IV),” IEICE Transactions on Communications, vol. 87, no. 3, pp. 530–538, 2004-03-01.

[7] Z. Wang and Y. Zhou, “Monitoring ARP attack using responding time and state ARP cache,” in ISNN (4), pp. 701–709, 2009.


[8] D. Bruschi, A. Ornaghi, and E. Rosti, “S-ARP: a secure address resolution protocol,” in Proceedings of the 19th Annual Computer Security Applications Conference, ACSAC ’03, (Washington, DC, USA), pp. 66–, IEEE Computer Society, 2003.

[9] W. Lootah, W. Enck, and P. McDaniel, “TARP: Ticket-based address resolution protocol,” Comput. Netw., vol. 51, pp. 4322–4337, Oct. 2007.

[10] C. L. Abad and R. I. Bonilla, “An analysis on the schemes for detecting and preventing ARP cache poisoning attacks,” in Proceedings of the 27th International Conference on Distributed Computing Systems Workshops, ICDCSW ’07, (Washington, DC, USA), pp. 60–, IEEE Computer Society, 2007.

[11] J. Belenguer and C. T. Calafate, “A low-cost embedded IDS to monitor and prevent man-in-the-middle attacks on wired LAN environments,” in Proceedings of the International Conference on Emerging Security Information, Systems, and Technologies, SECUREWARE ’07, (Washington, DC, USA), pp. 122–127, IEEE Computer Society, 2007.

[12] Z. Trabelsi and H. Rahmani, “Detection of sniffers in an Ethernet network,” in ISC, pp. 170–182, 2004.

[13] S. Y. Nam, D. Kim, and J. Kim, “Enhanced ARP: preventing ARP poisoning-based man-in-the-middle attacks,” Comm. Letters, vol. 14, pp. 187–189, Feb. 2010.

[14] S. Y. Nam, S. Jurayev, S.-S. Kim, K. Choi, and G. S. Choi, “Mitigating ARP poisoning-based man-in-the-middle attacks in wired or wireless LAN,” EURASIP J. Wireless Comm. and Networking, vol. 2012, p. 89, 2012.

[15] B. Issac, “Secure ARP and secure DHCP protocols to mitigate security attacks,” I. J. Network Security, vol. 8, no. 2, pp. 107–118, 2009.

[16] V. Goyal and R. Tripathy, “An efficient solution to the ARP cache poisoning problem,” in Proceedings of the 10th Australasian Conference on Information Security and Privacy, ACISP’05, (Berlin, Heidelberg), pp. 40–51, Springer-Verlag, 2005.


[17] Z. Trabelsi and K. Shuaib, “Spoofed arp packets detection in switched lan

networks,” in SECRYPT , pp. 40–47, 2006.

[18] M. V. Tripunitara and P. Dutta, “A middleware approach to asynchronous

and backward compatible detection and prevention of arp cache poisoning,”

in Proceedings of the 15th Annual Computer Security Applications Confer-

ence , ACSAC ’99, (Washington, DC, USA), pp. 303–, IEEE Computer

Society, 1999.

[19] W. R. Stevens, TCP/IP Illustrated, Volume 1: The Protocols . Addison-

Wesley, 1994.