An Approach to Addressing ARP Spoof Using a Trusted Server. Yu-feng CHEN and Hao QIN

Transcription

1 2017 2nd International Conference on Communications, Information Management and Network Security (CIMNS 2017) ISBN: An Approach to Addressing ARP Spoof Using a Trusted Server Yu-feng CHEN and Hao QIN School of Mechanical, Electrical & Information Engineering, Shandong University, Weihai, China Keywords: ARP cache poisoning, MITM, Network security. Abstract. The stateless characteristic of Address Resolution Protocol (ARP) makes it vulnerable to many ARP cache poisoning attacks like MITM (Man in The Middle) attack, most of which generally aim at the gateway. To solve this problem, there have been solutions like using static ARP entries, or using WinPcap libraries or SNMP to detect and rectify poisoned ARP cache. However, the solutions above need manual operation, which is less feasible when the network is large. In this paper, we propose a respondent solution. After a detection of ARP spoof in the gateway, the trusted server will isolate the attacker and then tell all hosts in the network the real IP-to-MAC mappings of the gateway based on the up-to-date information from its storage, thereby automatically rectifying poisoned ARP cache. Introduction Address Resolution Protocol (ARP) is used to map logical addresses (IP) to physical addresses (MAC)[1]. It has a simple architecture, which is based on OSI model and used to request for a MAC address. Before sending an ARP request, it should check its cache first [6]. If the IP it requests has an entry in the cache, it does not send this request. Generally, when a host as an attacker wants to poison victim s caches, it could constantly send ARP reply to the victim. And because of the stateless character of ARP, the victims easily take this kind of replies and update their own caches. For this vulnerable character, it can easily be a target of ARP spoof. MITM (man in the middle) [13][14] attack is one of the most common ARP attack on the Internet[11][12]. The attacker would stand in the middle of two victims and steal the secretive information in their communication without notice. Generally, the gateway would be a popular target of ARP spoof, so how to address gateway ARP spoof is an important issue. For the gateway spoof, there are always some obvious characteristics. Generally, a poisoned gateway cache could keep a duplicate MAC address with only one IP, which, given that the IP belongs to the gateway, means someone pretend to act just as the getaway to steal any others information. Obviously, the gateway has been spoofed in the above scenario. However, this behavior is easily detected. The problem is there is no one-stop automatic solution. Nowadays, there have been some researches on ARP spoof and solutions are generally classified into two main streams. The first part is ARP spoof prevention, and the other part is ARP spoof mitigation. And the for the first part, the method to prevent spoof from occurring, can be divided into two parts, which is cryptography based solution [10] and dynamic ARP inspection (DAI) [8][15]. For the second part, the way to mitigate ARP spoof after it occurs, can also be divided into two parts the manual mitigation and the dynamic mitigation. The manual restoration method is now commonly used. A simple way for manual mitigation is to check the identification of IP-to-MAC mappings in computers and routers separately. This solution is effective but can only be used in small-scale LAN. For a larger one, the manual work would be hard to execute. Another method is to use VLAN to limit the victim area. Though both of the manual work can be efficacious in a small-scale LAN, there is a time delay when an ARP spoof occurs due to its non-automatic character, which could cause damage to the whole network. The previous work on dynamic mitigation on this issue has proposed various solutions like using WinPcap libraries or using SNMP so as to mitigate ARP spoof [3][4][5]. The mechanism of these methods is that when a getaway sniffers ARP spoof, it would automatically locate the attackers and 79

2 cut off its connection, thereby mitigating the spread of the spoof. These methods have some advantages in automatically detecting and locating compared with the manual one. However, it is half-automatic and still needs manual rehabilitation. The paper is organized as follows. Section II describes the main methodology and gives an example to explain it. Section III presents the results of simulating experiments on a real system. Section IV summarizes our contributions and concludes the paper. Methodology The Main Idea To address some issues of these existing methods, this paper introduces a new device trusted server. Each LAN has such a server and it is used to keep a database, which contains all MAC address to IP address mappings (<IP, MAC>) in a LAN. It is worth noting that we try to make these mappings always up-to-date. Once the ARP spoof is detected in the gateway, the trusted server will help the gateway and all the hosts in this LAN to get the right IP-MAC mappings. Actually, the trusted server itself does not need to have a MAC address and IP address. We suppose all hosts IP addresses are given by DHCP server[7], which is the most common condition. (In the real cases there is a high possibility that there is no DHCP server on a LAN, but at least every LAN contains one DHCP relay agent and they are similar in essence. So we just use DHCP server to refer to these two different devices.) Thus, we insert a trusted server in the position where a router is linked to the LAN, as shown in Figure. 2. Figure 2. The position of the trusted server. What a trusted server needs to do to make its information latest is to check and note all packets of DHCPACK, DHCPNACK and DHCPRELEASE. The algorithm is as follows. Algorithm 1: Input: A packet passing through the trusted server Output: The latest IP-MAC mapping stored in the trusted serverforthe packet BEGIN 01 if (the packet type is DHCPACK) 02 { 03 if (IP is contained in database) 04 update database with its MAC 05 else 06 store this mapping into database 07 } 08 if (the packet type is DHCPNACK or DHCPRELEASE) 09 { 10 if (IP is contained in database) 11 delete this mapping from database 12 } END So, why this algorithm can make all information in a database up-to-date? First, in the process of getting an IP address from DHCP server, it is only the packets of DHCPACK that determine the final IP address which will be used by the host who wants to apply an IP address. 80

3 Second, although all the DHCP servers who receive DHCPDISCOVER will reply DHCPOFFER to a source host, there is only one DHCP server replying DHCPACK to this host. Third, DHCP clients will get a lease period as they get an IP address from DHCP servers, so when they want to discontinue using their current IP addresses or they hope to update their lease periods, packets of DHCPNACK or DHCPRELEASE also need to be considered.[8] Apart from this, a trusted server also needs to do two more things. First, it needs to communicate with the gateway (the router) in the same LAN. Second, a trusted server is also supposed to broadcast ARP reply to all the hosts in this LAN when necessary. The Automatically Respondent Approach When ARP spoof is detected in a gateway, the most common condition is that in a cache of a gateway, one MAC address is matched by two or more IP address, the following four steps should be taken. (1) The gateway sends ARP requests to its trusted server to get the authentic mappings. (2) This trusted server sends ARP replies to the gateway with authentic <IP, MAC> mappings. (3) The trusted server broadcasts an ARP reply to tell all the hosts the authentic MAC address of the gateway. (4) The gateway adds the attacker s MAC address in its own black list and denies receiving its ARP packets (packets will be dropped directly by the gateway if their source IP addresses are on the black list). Example Figure 3. An example of the mechanism. The following example is to explain the approach above. We suppose that a LAN originally includes two hosts (HostA and HostB) but later an attacker intercepts, and this is shown in the Figure. 3. The IP address and MAC address of each device are shown in Table1. Table 1. IP-MAC mappings of each device. IP address MAC address Host A AA-AA-AA-AA-AA-AA Host B BB-BB-BB-BB-BB-BB Attacker CC-CC-CC-CC-CC-CC Router DD-DD-DD-DD-DD-DD Due to ARP spoof, the cache of the router and HostA and HostB are changed to Table2. Table 2. The cache of the router and HostA and HostB. IP address MAC address The router CC-CC-CC-CC-CC-CC CC-CC-CC-CC-CC-CC CC-CC-CC-CC-CC-CC The HostA CC-CC-CC-CC-CC-CC The HostB CC-CC-CC-CC-CC-CC (1) For the router, ARP spoof is detected. The gateway thus sends three ARP requests to its trusted server: I am , and my MAC address is DD-DD-DD-DD-DD-DD. I want to know the MAC address of the host whose IP address is / /

4 (2) This trusted server sends three ARP replies to the gateway: I am / / , and my MAC address is AA-AA-AA-AA-AA-AA / BB-BB-BB-BB-BB-BB / CC-CC-CC-CC-CC-CC. (3) The trusted server broadcasts an ARP reply: I am , and my MAC address is DD-DD-DD-DD-DD-DD. (4) The gateway adds the MAC address CC-CC-CC-CC-CC-CC in its own black list and denies receiving its ARP packets. Now, the hosts and the router have got the right IP-MAC mappings in their caches, and they can communicate not through the attacker. Besides, all packets from the attacker will not be received by the gateway, so ARP spoof caused by this attacker will not appear again. Experiment To verify the effectiveness and correctness of the proposed method, we use C# to simulate it on a PC. Our experiment includes two parts. Verification of the Latest Information in the Trusted Server First, we need to confirm that a trusted server can keep the database which contains the latest IP-MAC mappings information by filtering some specific DHCP packets. The result of the program is shown in Figure. 4. Figure 4. The latest information in the Trusted Server. Now we are going to explain what happens in this condition. After getting IP addresses of and from the DHCP server, when the lease period expires (0.5T), HostA and HostB need to request for updating the lease period if they want. (We assume every time the lease period expires, the host wants to continue using its IP address. However, in the real case, there is a possibility that the host does not do that.) However, their requests are both rejected. Thus, they have to stop using their current IP addresses immediately and start to apply for new ones. Meanwhile, their current IP-MAC mappings are deleted from the cache of the trusted server. Then, they get their new IP addresses of and successfully from the DHCP server. Verification of the Effectiveness of the Trusted Server Second, we need to verify that the trusted server can help to solve ARP spoof effectively by taking the four steps mentioned above. The result of the program is shown in Figure 5. Figure 5. The effectiveness of the Trusted Server. We can find from this figure that the IP-MAC mappings in the cache of the gateway are not correct after ARP spoof. However, by executing our algorithm, these mappings are corrected. 82

5 Conclusion and Future Work This paper analyzes the theory of ARP spoof and compares several existing methods which represent how to address ARP spoof after detected. We also propose a new technique to mitigate it efficiently. In our method, a trusted server is needed, which is used to keep the up-to-date information of IP-to-MAC mappings coming from a DHCP server. When an ARP spoof is detected, this server can inform the gateway and all the other hosts of the correct IP to MAC mappings, and thus the attacker will be discovered and isolated by the gateway. As a result, without manual intervention, the existing ARP spoof will be solved automatically and safely. Future work includes using a mechanism of authentication like using digital signature to make trusted servers more robust. As the efficiency of a network may suffer, it is supposed to use it only when necessary to lessen the impact to the efficiency of the network. References [1] D. C. Plummer. An ethemet address resolution protocol, IETF RFC 826, November [2] D. Bruschi, A. Ornaghi and E. Rosti. S-ARP: a Secure Address Resolution Protocol, In Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003). [3] Wu Xiaopin, Zhou Jianzhon, Fang Xiaohui An active defense ARP spoofing solution based on SNMP, In Journal of Huazhong Normal University (Vol.41 No.4). [4] Qinfenglin, Duan Haixin, Guo Ruting Overview of ARP spoofing detection and prevention techniques, In Application Research of Computers(Vol.26, No.1). [5] Chen Hui, Tao Yang, ARP spoofing detection and recovery based on WinPcap, In Computer Applications (Vol.24, No.10). [6] Douglas E. Comer Internetworking With TCP/IP Vol I: Principles, Protocols, and ArchitectureSixth Edition. [7] R. Droms. Dynamic Host Configuration Protocol, IETF RFC 2131, March [8] Cisco Systems. Configuring Dynamic ARP Inspection, MITM Qo.S. chapter 39, pp. 39: 1-39:22. Catalyst 6500 Series Switch Cisco lossofware Configuration Guide, ReleaseI2.2SX. [9] Raviya Rupal D., Dhaval Satasiya, Hiresh Kumar, Archit Agrawal, Detection and Prevention of ARP Poisoning in Dynamic IP configuration. [10] Wesam Lootah, William Enck, and Patrick McDaniel, TARP: Ticket-based Address Resolution Protocol, Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005) /05 $ IEEE. [11] A. Ornaghi and M. Valleri. (2003). Man in the middle attacks Demos. Blackhat. [Online]. Available: presentations/bh-europe-03/bh-europe-03-valleri.pdf [12] S. M. Bellovin, Security problems in the TCP/IP protocol suite, ACM SIGCOMM Comput. Commun. Rev., vol. 19, no. 2, pp , Apr [13] L. Senecal, Understanding and preventing attacks at layer 2 of the OSI reference model, in Proc. 4th Annu. Commun. Netw. Services Res. Conf. (CNSR), May 2006, pp [14] S. Whalen. (2001). An Introduction to ARP Spoof- ing, accessed on Apr [Online]. Available: [15] B. Issac. Secure AP and Secure DHCP Protocols to Mitigate Security Attacks. International Journal of Network Security, 8: , March