Extending NTOP feature to detect ARP spoofing

Transcription

1 The 10 th International PSU Engineering Conference May 14-15, 2012 Extending NTOP feature to detect ARP spoofing Metha Wangthammang Sangsuree Vasupongayya* Department of Computer Engineering, Faculty of Engineering, Prince of Songkla University, Hat Yai, Songkhla Abstract This work is focusing on developing an add-ons feature to NTOP in order to detect ARP spoofing attacks. The developed system can detect and give information on ARP spoofing attacks by checking the amount of abnormally large amount of ARP packets in the system. The experimental results show that the proposed system can detect the attack, identify the victim and the attacker correctly. The proposed plugin is available as an open-source software for the community. Keywords: Network security, ARP spoofing, NTOP, NtopViewer, NetCut 1. Introduction Computer network technology is now involving in all aspects of life such as education, government, communication, healthcare and entertainment. As a result, preventing some misuses or attacks on the network is an interesting issue. Usually, one important task of the system administrator is to monitoring the network traffic for malicious acts. The task is also listed in the Thai Computer Act 2007 [1]. One of the most popular network monitoring traffic open-source software in Thailand is NTOP [2]. Later, Network Technology Lab National Electronics and Computer Technology Center (NETEC) [3] adopt NTOP and improved the features of NTOP. NECTEC also further developed NtopViewer [4] so that it can handle Thai language and display some analyzed data of the current network. Even though, NTOP has many features, NTOP still miss a lot of attack analysis feature such as detecting ARP spoofing which is the bas ic attack of several serious attacks. For example, ARP spoofing can provide information for and/or produce Phishing attack, Man-in-the-Middle attack, and Denial of Service (DoS) attack. Therefore, this work is focusing on extending the feature of NTOP to detect the ARP spoofing attack. So that, the proposed feature can freely available to the community as open-source addons packet to NTOP. The remaining of this paper is organized as follow: Section 2 gives basic information of ARP spoofing attack, NTOP, NtopViewer and NetCut which will be used as the attack program. Section 3 provides the proposed system design. Section 4 presents results and discussion. Lastly, Section 5 provides conclusions and future works. 2. Literature Review In this section, ARP spoofing attack is described in Section 2.1. Section 2.2 gives information on NTOP features. Section 2.3 presents the features of NtopViewer which is the visualization tool for NTOP. Section 2.4 gives information on NetCut [5] which is used as the attack program in this work. Section 2.5 reviews several available ARP spoofing detection softwares. 2.1 ARP spoofing attack ARP stands for address resolution protocol which is a protocol to resolve the mapping between the Internet Protocol (IP) address and Media Access Control (MAC) address. The ARP starts when the packet arrives at the gateway and the gateway must forward the packet to the machine. However, the gateway does not know the MAC address of the requested IP address shown in the packet. Then, the gateway will broadcast ARP message the request of information to the machines in the network by including the requested IP address. The machine with the IP address then replies to the gateway with its MAC address. The gateway then knows to which machine to forward the packet. ARP spoofing or ARP poisoning [6] is an attack that mainly sends fake ARP messages onto the network. Usually, there are two main purposes of conducting ARP spoofing including denial-of-service attack against one of the machine on the network or man-in-the-middle attack against all machines on the network. For the man-in-the-middle attack, the attacker will send fake ARP messages to convince all machines to believe that his/her machine is the gateway. As a result, all packets will be sent to the attacker's machine. The attacker machine then forwards the packets to the real gateway. Thus, users will not notice any differences. However, the attacker can modify or read all the packets in the network. For the denial-of-service attack, the attacker will send fake APR messages to convince the victim machine to believe that the gateway is a non-existing machine. As a result, the victim machine cannot connect to the internet.

2 2.2 NTOP NTOP stands for Network Top which is a program that is monitoring the network traffic. NTOP is an open-source software designed on top of libpcap which is supported on both Windows and Unix. NTOP data can be viewed directly via web browsers. The users can also configure NTOP via the web browser. Figure 1 shows the results reported from NTOP. Even though NTOP has many features for monitoring the network traffics, the analysis and permanent data storing features are still missing. NECTEC recognizes the importance of such features so that NECTEC improves many features of NTOP such as permanently storing network traffic data to MySQL database, handling Thai language, adding several basic attack analysis such as port scanning attacks, host scanning attack and SYN flood attacks. NECTEC also developed the NTOP data displaying feature in the form of web application namely NtopViewer which will be discussed in the next section. internet. This research will use NetCut program as the attack to evaluate the proposed program. Figure 2. NtopViewer results. Figure 1. NTOP results. 2.3 NtopViewer NtopViewer is developed by the researchers at NECTEC to solve the limitation of NTOP opensource software. NtopViewer provides a web application interface to the data collected by NTOP. NtopViewer allows users to search for specific data from the database; classifies output by users and/or applications; stores data into MySQL; displays results in Thai language; presents data in the form of graphs or data files; analyzes attacks and threats. Figure 2 shows the results produced from NtopViewer. 2.4 NetCut NetCut is a program that utilizes the weakness of ARP to attack the victim machine so that the victim cannot connect to the internet. NetCut starts from sending a fake ARP packet to the victim by pretending to be the gateway. At the same time, NetCut also sends a fake ARP packet to the gateway as the victim. As a result, the victim machine will have a fake MAC address of the gateway while the gateway will have a fake MAC address of the victim machine. The victim is then disconnecting from the 2.5 Other S oftware Typically, there are several software to detect ARP spoofing attack such as Anti Netcut [9], Port security [10], and ARP watch [11]. Several administrators monitor their using a packet sniffer such as Wireshark [8] which is an open-source program. Wireshark supports Linux, Windows and OSX. However, the user must personally monitor the network in order to detect ARP spoofing using such packet sniffer tools. Anti Netcut is software to detect ARP spoofing by sending ARP packets to the gateway to frequently evaluate the gateway. Port security is an alternative hardware detecting, however the cost of each equipment maybe too high. ARP watch is program that can be added on Linux. Similar to Wireshark, ARP watch can be use to monitor the ARP packet. However, the user must perform the analysis. Table 1 summarizes advantages and disadvantages of all four software against the proposed system. 3. System Design The proposed system is an add-ons feature that works with NtopViewer and NTOP in order to detect the ARP spoofing attack. The overall system is shown in Figure 3. Therefore, the user must install both NTOP and NtopViewer in order to use the proposed plug-in. The plug-ings uses information stored in the databas e collected by NTOP to analyze the ARP spoofing attack. The idea of the plug-in is to count the number of packet. Since the numbers of ARP packet of the gateway increases abnormally when the DoS attack

3 on a victim occurs, by monitoring the number of ARP packet in the system can be an indication of such attack. Furthermore, the victim machine of such attack usually will have different MAC address during the attack. Therefore, by monitoring the change of MAC address can be an identification of the victim machine. The attacker must send out a lot of fake ARP packets. Therefore, the abnormally large number of ARP packets from a machine can be used as an indication of the attacker. The graphic user interface of the developed plug-ins is shown in Figure 4. The plug-ins can now be downloaded from [7]. Figure 5 shows the configuration page. Table 1. Advantages and disadvantage of all four software against the proposed system. Software Advantages Disadvantages Anti NetCut Port Security ARP watch Proposed system * easy to use * generate too much ARP packets * effective * high cost * easy to install * analysis done manually * not applicable with large amount of data * provide auto & manual detect * provide online & offline detect * must install NTOP to use the plug-in parameter is also provided based on our preliminary study. However, the system administrator can configure this value according to his/her system. For the offline mode of operation, the plug-in will analyze the packets from the database. Figure 6 shows the results during the system operation. Figure 4. The developed plug-ins. Figure 5. Configuration page. NTOP MySQL proposed plug-in NtopViewer Figure 3. The developed plug-ins. The developed plug-in can be incorporated into NTOP as follow. First, the user must modify the Makefile.am to include the plug-in and modify some configurations of the NTOP library. Then, the user can compile the program. The plug-in can be called from the NTOP program. Once the plug-in started, the user is asked to configure the parameters as shown in Figure 5. The parameters include the mode of operations (i.e., real-time or offline), the interval between each analysis, the number of packet threshold, the start and the stop time. The most important parameter is the number of packet threshold because this parameter will be the indicator of the attacks on the system. That is, if any machine sends out the ARP packets more than the threshold the machine will be identified as an attacker. The default Figure 6. Result shown during the analysis process. 4. Results and Discussions The developed system is tested under a real environment in the computer engineering department software laboratory. Two test scenarios are evaluated. First, the system is tested when there are multiple attackers on a single victim. Second, the system is tested when there are a multiple victims. Under the first scenario, there are twenty attackers (i.e., number 1 to 20), one victim, one detecting machine and 20 other machines. The test

4 starts from zero attacker for 5 minutes. After 5 minutes, the first five attackers (i.e., number 1 to 5) are starting to attack the victim machine using NetCut. After 10 minutes, another five attackers (i.e., number 6 to 10) are starting to attack the victim using NetCut while the first five attackers are also continuing their attacks. After 15 minutes another five attackers (i.e., number 11-15) are starting to attack the victim. After 20 minutes, the last five attackers (i.e., number 16-20) are starting to attack the victim. The experimental results show in Table 2 where "DA" means the attacks are detected by the system; "A" means the attacks are not detected by the system; "-" means the attacker does not start attacking the victim at that time. Table 2. Results of detecting multiple attackers Time no. Attackers IP DA DA DA DA DA DA DA DA DA DA DA DA A DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA DA A A DA DA DA DA DA DA Under the second scenario, there are twenty victims (i.e., number 1 to 20 shown in Table 3), one attacker, one detecting machine and 20 other machines. The system starts from no attacker for 5 minutes. After every 5 minutes the attacker attacks 5 victims (i.e., number 1 to 5). The next 5 minutes the attacker attacks 5 more victims (i.e., number 6 to 10). The process repeats until the number of victims reaches 20. The experimental results show in Table 3 where "DV" means the victims are detected by the system; "V" means the victims are not detected by the system; "-" means the attacker does not start attacking the victim at that time. According to the results in Table 2, the proposed system is able to detect most attackers when multiple attackers are presented in the system. The results in Table 3 also show that the proposed system is able to detect most victims when mult iple victims are attacked in the system. Table 3. Results of detecting multiple victim Time no. Victim IP DV DV DV DV DV DV DV DV DV V DV DV DV DV DV DV V DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV DV V DV DV 5. Conclusion This work is focusing on developing an NTOP plug-in in order to detect ARP spoofing attacks. The developed system can detect and give information on ARP spoofing attacks by checking the amount of abnormally large amount of ARP packets in the system. The experimental results show that the proposed system can detect the attacks, identify the victims and the attackers correctly. The proposed plug-in is available as an open-source software for the community. Acknowledgments This work is partially supported by NGI (Next Generation Internet) Research Center. References [1] Ministry of information and communication technology, Thai Computer Act 2007, [available online] [2] [3] [4] NECTEC, NtopViewer wiki page, [available online] Project/NtopViewer [5] Netcut, [available online] netcut.php, Modified: Unknown, Access Date: August 30, 2011 [6] ARP Spoof Vaccination and Surveillance System, [available online] th, Modified: 2008, Access Date: December 5, 2010 [7] Wangthammang M. 2011, the ARP spoofing detection plug-in for NTOP, [available online]

5 1.0.zip [8] [9] [10] catalyst6500/ios/12.2sx/configuration/guide/po rt_sec.html [11]