An Approach to Addressing ARP Spoof Using a Trusted Server. Yu-feng CHEN and Hao QIN


2017 2nd International Conference on Communications, Information Management and Network Security (CIMNS 2017). ISBN: 978-1-60595-498-1
Yu-feng CHEN and Hao QIN, School of Mechanical, Electrical & Information Engineering, Shandong University, Weihai, China

Keywords: ARP cache poisoning, MITM, Network security.

Abstract. The stateless characteristic of the Address Resolution Protocol (ARP) makes it vulnerable to many ARP cache poisoning attacks such as the MITM (Man in The Middle) attack, most of which aim at the gateway. To solve this problem, there have been solutions like using static ARP entries, or using WinPcap libraries or SNMP to detect and rectify poisoned ARP caches. However, these solutions need manual operation, which is less feasible when the network is large. In this paper, we propose a respondent solution. After ARP spoof is detected at the gateway, the trusted server isolates the attacker and then tells all hosts in the network the real IP-to-MAC mapping of the gateway, based on the up-to-date information in its storage, thereby automatically rectifying the poisoned ARP caches.

Introduction

The Address Resolution Protocol (ARP) is used to map logical addresses (IP) to physical addresses (MAC) [1]. It has a simple architecture, based on the OSI model, and is used to request a MAC address. Before sending an ARP request, a host should check its cache first [6]; if the IP it requests already has an entry in the cache, it does not send the request. Generally, when an attacking host wants to poison a victim's cache, it can constantly send ARP replies to the victim, and because of the stateless character of ARP, the victim readily accepts such replies and updates its own cache. This vulnerable character makes ARP an easy target of spoofing. The MITM (man in the middle) attack [13][14] is one of the most common ARP attacks on the Internet [11][12].
The attacker stands in the middle of two victims and steals the sensitive information in their communication without being noticed. Generally, the gateway is a popular target of ARP spoof, so how to address gateway ARP spoof is an important issue.

Gateway spoofing always has some obvious characteristics. Generally, a poisoned gateway cache holds a duplicate MAC address, i.e. one MAC bound to more than one IP; when such an IP belongs to the gateway, it means someone is pretending to be the gateway in order to steal other hosts' information. Obviously, the gateway has been spoofed in the above scenario, and this behavior is easily detected. The problem is that there is no one-stop automatic solution.

Nowadays, research on ARP spoof generally classifies solutions into two main streams: ARP spoof prevention and ARP spoof mitigation. The first, preventing spoof from occurring, can be divided into cryptography-based solutions [10] and dynamic ARP inspection (DAI) [8][15]. The second, mitigating ARP spoof after it occurs, can also be divided into manual mitigation and dynamic mitigation. Manual restoration is now commonly used. A simple way of manual mitigation is to check the IP-to-MAC mappings in computers and routers separately. This solution is effective but can only be used in a small-scale LAN; for a larger one, the manual work would be hard to execute. Another method is to use VLANs to limit the victim area. Although both manual methods can be efficacious in a small-scale LAN, their non-automatic character introduces a time delay when an ARP spoof occurs, which could cause damage to the whole network. Previous work on dynamic mitigation has proposed various solutions like using WinPcap libraries or SNMP to mitigate ARP spoof [3][4][5].
The mechanism of these methods is that when a gateway detects ARP spoof, it automatically locates the attacker and cuts off its connection, thereby mitigating the spread of the spoof. Compared with the manual methods, these have advantages in automatic detection and location. However, they are only semi-automatic and still need manual rehabilitation.

The paper is organized as follows. Section II describes the main methodology and gives an example to explain it. Section III presents the results of simulating experiments on a real system. Section IV summarizes our contributions and concludes the paper.

Methodology

The Main Idea

To address some issues of these existing methods, this paper introduces a new device, the trusted server. Each LAN has such a server, which keeps a database containing all MAC-address-to-IP-address mappings (<IP, MAC>) in the LAN. It is worth noting that we try to keep these mappings always up to date. Once ARP spoof is detected at the gateway, the trusted server helps the gateway and all hosts in the LAN to get the right IP-MAC mappings. Actually, the trusted server itself does not need to have a MAC address or an IP address. We suppose all hosts' IP addresses are given by a DHCP server [7], which is the most common condition. (In real cases there is a high possibility that there is no DHCP server on a LAN, but at least every LAN contains one DHCP relay agent, and the two are similar in essence, so we use "DHCP server" to refer to both devices.) Thus, we insert the trusted server at the position where the router is linked to the LAN, as shown in Figure 2.

Figure 2. The position of the trusted server.

What a trusted server needs to do to keep its information up to date is to check and record all DHCPACK, DHCPNACK and DHCPRELEASE packets. The algorithm is as follows.
Algorithm 1
Input: A packet passing through the trusted server
Output: The latest IP-MAC mapping stored in the trusted server for the packet

BEGIN
  if (the packet type is DHCPACK)
  {
    if (IP is contained in database)
      update database with its MAC
    else
      store this mapping into database
  }
  if (the packet type is DHCPNACK or DHCPRELEASE)
  {
    if (IP is contained in database)
      delete this mapping from database
  }
END

So, why can this algorithm keep all information in the database up to date? First, in the process of getting an IP address from a DHCP server, only the DHCPACK packet determines the final IP address that will be used by the host applying for an IP address.

Second, although all DHCP servers that receive a DHCPDISCOVER reply with DHCPOFFER to the source host, only one DHCP server replies with DHCPACK to this host. Third, DHCP clients get a lease period when they obtain an IP address from a DHCP server, so when they want to discontinue using their current IP addresses, or hope to renew their lease periods, the DHCPNACK or DHCPRELEASE packets also need to be considered [8].

Apart from this, a trusted server also needs to do two more things. First, it needs to communicate with the gateway (the router) in the same LAN. Second, it is also supposed to broadcast an ARP reply to all the hosts in the LAN when necessary.

The Automatically Respondent Approach

When ARP spoof is detected at a gateway (the most common condition being that, in the gateway's cache, one MAC address is matched by two or more IP addresses), the following four steps should be taken.
(1) The gateway sends ARP requests to its trusted server to get the authentic mappings.
(2) The trusted server sends ARP replies to the gateway with the authentic <IP, MAC> mappings.
(3) The trusted server broadcasts an ARP reply to tell all the hosts the authentic MAC address of the gateway.
(4) The gateway adds the attacker's MAC address to its own black list and refuses its ARP packets (packets will be dropped directly by the gateway if their source IP addresses are on the black list).

Example

Figure 3. An example of the mechanism.

The following example explains the approach above. We suppose that a LAN originally includes two hosts (HostA and HostB) but later an attacker intervenes, as shown in Figure 3. The IP address and MAC address of each device are shown in Table 1.

Table 1. IP-MAC mappings of each device.
  Device     IP address    MAC address
  Host A     192.168.0.1   AA-AA-AA-AA-AA-AA
  Host B     192.168.0.2   BB-BB-BB-BB-BB-BB
  Attacker   192.168.0.3   CC-CC-CC-CC-CC-CC
  Router     192.168.0.4   DD-DD-DD-DD-DD-DD

Due to ARP spoof, the caches of the router, HostA and HostB are changed to Table 2.

Table 2. The cache of the router and HostA and HostB.

  Cache of     IP address    MAC address
  The router   192.168.0.1   CC-CC-CC-CC-CC-CC
               192.168.0.2   CC-CC-CC-CC-CC-CC
               192.168.0.3   CC-CC-CC-CC-CC-CC
  HostA        192.168.0.4   CC-CC-CC-CC-CC-CC
  HostB        192.168.0.4   CC-CC-CC-CC-CC-CC

(1) At the router, ARP spoof is detected. The gateway thus sends three ARP requests to its trusted server: "I am 192.168.0.4, and my MAC address is DD-DD-DD-DD-DD-DD. I want to know the MAC address of the host whose IP address is 192.168.0.1 / 192.168.0.2 / 192.168.0.3."

(2) The trusted server sends three ARP replies to the gateway: "I am 192.168.0.1 / 192.168.0.2 / 192.168.0.3, and my MAC address is AA-AA-AA-AA-AA-AA / BB-BB-BB-BB-BB-BB / CC-CC-CC-CC-CC-CC."
(3) The trusted server broadcasts an ARP reply: "I am 192.168.0.4, and my MAC address is DD-DD-DD-DD-DD-DD."
(4) The gateway adds the MAC address CC-CC-CC-CC-CC-CC to its own black list and refuses its ARP packets.

Now the hosts and the router have the right IP-MAC mappings in their caches, and they can communicate without going through the attacker. Besides, packets from the attacker will no longer be received by the gateway, so ARP spoof caused by this attacker will not appear again.

Experiment

To verify the effectiveness and correctness of the proposed method, we use C# to simulate it on a PC. Our experiment includes two parts.

Verification of the Latest Information in the Trusted Server

First, we need to confirm that a trusted server can keep a database containing the latest IP-MAC mapping information by filtering specific DHCP packets. The result of the program is shown in Figure 4.

Figure 4. The latest information in the Trusted Server.

Now we explain what happens in this scenario. After getting the IP addresses 192.168.0.1 and 192.168.0.2 from the DHCP server, when the lease period expires (0.5T), HostA and HostB need to request a renewal of the lease period if they want to keep their addresses. (We assume that every time the lease period expires, the host wants to continue using its IP address; in a real case there is a possibility that the host does not.) However, their requests are both rejected. Thus, they have to stop using their current IP addresses immediately and start to apply for new ones. Meanwhile, their current IP-MAC mappings are deleted from the cache of the trusted server. Then they successfully get their new IP addresses, 192.168.0.3 and 192.168.0.4, from the DHCP server.
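The following Python program is an added example and is not the paper's C# simulation. It implements Algorithm 1 as the trusted server's update rule over constructed DHCP packets (it decodes the BOOTP header and option 53 rather than working on abstract packet types) and then replays the lease scenario of the first experiment: two leases, both renewals refused with DHCPNACK, then two new leases. One point goes beyond the paper and is this example's own assumption: a DHCPNAK carries yiaddr 0.0.0.0, so the refused address is located through the client's chaddr rather than through an IP field of the packet.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# DHCP message type codes carried in option 53 (RFC 2131 / RFC 2132).
DHCPACK = 5
DHCPNAK = 6       # spelled DHCPNACK in the paper
DHCPRELEASE = 7
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class DhcpInfo:
    msg_type: int
    ip: str    # yiaddr for ACK, ciaddr for RELEASE, 0.0.0.0 for NAK
    mac: str   # chaddr, formatted like the paper's tables


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(payload: bytes) -> Optional[DhcpInfo]:
    """Decode the BOOTP fixed header and walk the options for option 53."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    hlen = payload[2]
    ciaddr, yiaddr = _dotted(payload[12:16]), _dotted(payload[16:20])
    mac = "-".join(f"{x:02X}" for x in payload[28:28 + hlen])
    msg_type, i = None, 240
    while i < len(payload):
        opt = payload[i]
        if opt == 255:                  # end option
            break
        if opt == 0:                    # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        if opt == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    if msg_type is None:
        return None
    return DhcpInfo(msg_type, ciaddr if msg_type == DHCPRELEASE else yiaddr, mac)


class TrustedServer:
    """Keeps the <IP, MAC> database of Algorithm 1 up to date."""

    def __init__(self) -> None:
        self.db: Dict[str, str] = {}

    def observe(self, payload: bytes) -> None:
        info = parse_dhcp(payload)
        if info is None:
            return                      # not DHCP, or no message-type option
        if info.msg_type == DHCPACK:
            self.db[info.ip] = info.mac     # insert or overwrite, as in Algorithm 1
        elif info.msg_type == DHCPRELEASE:
            self.db.pop(info.ip, None)      # released address sits in ciaddr
        elif info.msg_type == DHCPNAK:
            # Assumption beyond the paper: a NAK carries yiaddr 0.0.0.0, so the
            # refused address is found through the client's chaddr instead.
            for ip in [ip for ip, mac in self.db.items() if mac == info.mac]:
                del self.db[ip]


def build_dhcp(msg_type: int, mac: str, yiaddr: str = "0.0.0.0",
               ciaddr: str = "0.0.0.0") -> bytes:
    """Construct a minimal BOOTP/DHCP payload (sample input, not captured)."""
    pkt = bytearray(240)
    pkt[0] = 1 if msg_type == DHCPRELEASE else 2   # op: BOOTREQUEST / BOOTREPLY
    pkt[1], pkt[2] = 1, 6                           # htype Ethernet, hlen 6
    pkt[12:16] = bytes(int(x) for x in ciaddr.split("."))
    pkt[16:20] = bytes(int(x) for x in yiaddr.split("."))
    pkt[28:34] = bytes.fromhex(mac.replace("-", ""))
    pkt[236:240] = MAGIC_COOKIE
    return bytes(pkt) + bytes([53, 1, msg_type, 255])


def simulate_lease_scenario() -> Dict[str, str]:
    """Replay of the first experiment: two leases, refused renewals, new leases."""
    host_a, host_b = "AA-AA-AA-AA-AA-AA", "BB-BB-BB-BB-BB-BB"
    trace: List[bytes] = [
        build_dhcp(DHCPACK, host_a, yiaddr="192.168.0.1"),
        build_dhcp(DHCPACK, host_b, yiaddr="192.168.0.2"),
        build_dhcp(DHCPNAK, host_a),    # renewal at 0.5T refused
        build_dhcp(DHCPNAK, host_b),
        build_dhcp(DHCPACK, host_a, yiaddr="192.168.0.3"),
        build_dhcp(DHCPACK, host_b, yiaddr="192.168.0.4"),
    ]
    server = TrustedServer()
    for pkt in trace:
        server.observe(pkt)
    return dict(server.db)


if __name__ == "__main__":
    print(simulate_lease_scenario())
```

Running the file leaves the database holding only the two new leases (192.168.0.3 for HostA and 192.168.0.4 for HostB), the state the paper describes for Figure 4. A deployment would feed observe() from a capture of the DHCP traffic passing the trusted server's position; the parser already ignores any non-DHCP payload it is handed.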
Verification of the Effectiveness of the Trusted Server

Second, we need to verify that the trusted server can help to solve ARP spoof effectively by taking the four steps mentioned above. The result of the program is shown in Figure 5.

Figure 5. The effectiveness of the Trusted Server.

We can see from this figure that the IP-MAC mappings in the cache of the gateway are not correct after ARP spoof. However, by executing our algorithm, these mappings are corrected.
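As an added example (not code from the paper, whose simulation was written in C#), the following Python model shows the duplicate-MAC detection and the four-step response of the Methodology section applied to the caches of Table 2, with the trusted server answering from the mappings of Table 1. ARP messages are modelled as records rather than raw frames, the caches are constructed directly in their poisoned state, and nothing is sent on a network.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "FF-FF-FF-FF-FF-FF"
GATEWAY_IP, GATEWAY_MAC = "192.168.0.4", "DD-DD-DD-DD-DD-DD"
ATTACKER_MAC = "CC-CC-CC-CC-CC-CC"
AUTHENTIC = {                    # Table 1, as held by the trusted server
    "192.168.0.1": "AA-AA-AA-AA-AA-AA",
    "192.168.0.2": "BB-BB-BB-BB-BB-BB",
    "192.168.0.3": ATTACKER_MAC,
    GATEWAY_IP: GATEWAY_MAC,
}


@dataclass
class Arp:
    op: str              # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


def duplicated_macs(cache: Dict[str, str]) -> Set[str]:
    """The paper's detection signal: one MAC bound to two or more IPs."""
    count: Dict[str, int] = {}
    for mac in cache.values():
        count[mac] = count.get(mac, 0) + 1
    return {mac for mac, n in count.items() if n >= 2}


class TrustedServer:
    def __init__(self, db: Dict[str, str]) -> None:
        self.db = db

    def answer(self, req: Arp) -> Optional[Arp]:
        """Step 2: unicast reply to the gateway with the authentic mapping."""
        mac = self.db.get(req.target_ip)
        if mac is None:
            return None
        return Arp("reply", req.target_ip, mac, req.sender_ip, req.sender_mac)

    def announce(self, ip: str) -> Arp:
        """Step 3: broadcast reply carrying the gateway's authentic MAC."""
        return Arp("reply", ip, self.db[ip], "0.0.0.0", BROADCAST)


@dataclass
class Node:
    ip: str
    mac: str
    cache: Dict[str, str] = field(default_factory=dict)
    blacklist: Set[str] = field(default_factory=set)

    def learn(self, msg: Arp) -> bool:
        """Stateless ARP learning: any reply rewrites the cache entry, unless
        the sender MAC is on the black list (step 4). Returns acceptance."""
        if msg.sender_mac in self.blacklist:
            return False
        self.cache[msg.sender_ip] = msg.sender_mac
        return True

    def respond_to_spoof(self, server: TrustedServer, hosts: List["Node"]) -> Set[str]:
        """The four-step response, run by the gateway once spoof is detected."""
        suspects = duplicated_macs(self.cache)
        if not suspects:
            return set()
        # Steps 1 and 2: re-resolve every IP currently bound to a duplicated MAC.
        for ip in [ip for ip, mac in self.cache.items() if mac in suspects]:
            reply = server.answer(Arp("request", self.ip, self.mac, ip, BROADCAST))
            if reply is not None:
                self.cache[ip] = reply.sender_mac
        # Step 3: every host receives the broadcast and relearns the gateway.
        announcement = server.announce(self.ip)
        for host in hosts:
            host.learn(announcement)
        # Step 4: ARP from the duplicated MAC is dropped from now on.
        self.blacklist |= suspects
        return suspects


def run_example():
    """Build the poisoned state of Table 2, apply the four steps, return the result."""
    gateway = Node(GATEWAY_IP, GATEWAY_MAC)
    hosts = [Node("192.168.0.1", "AA-AA-AA-AA-AA-AA"),
             Node("192.168.0.2", "BB-BB-BB-BB-BB-BB")]
    # Constructed poisoned caches (Table 2); nothing is transmitted here.
    gateway.cache = {ip: ATTACKER_MAC for ip in ("192.168.0.1", "192.168.0.2", "192.168.0.3")}
    for host in hosts:
        host.cache[GATEWAY_IP] = ATTACKER_MAC
    isolated = gateway.respond_to_spoof(TrustedServer(AUTHENTIC), hosts)
    # A later poisoned reply from the attacker is now rejected by the gateway.
    accepted = gateway.learn(Arp("reply", "192.168.0.1", ATTACKER_MAC, GATEWAY_IP, GATEWAY_MAC))
    return gateway, hosts, isolated, accepted
```

After run_example() the gateway cache matches Table 1, both hosts map 192.168.0.4 back to DD-DD-DD-DD-DD-DD, and the repeated poisoned reply is refused. Two caveats the model makes visible: duplicated_macs also fires for an interface that legitimately owns several IP addresses (secondary addresses, a virtual router address), so such MACs need an allow-list before step 4 is taken; and the trusted server's replies are plain ARP, accepted by the hosts exactly as the attacker's were, which is why the paper lists digital signatures as future work.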

Conclusion and Future Work

This paper analyzes the theory of ARP spoof and compares several existing methods for addressing ARP spoof after it is detected. We also propose a new technique to mitigate it efficiently. In our method, a trusted server is needed, which keeps up-to-date IP-to-MAC mapping information coming from a DHCP server. When an ARP spoof is detected, this server can inform the gateway and all the other hosts of the correct IP-to-MAC mappings, and thus the attacker will be discovered and isolated by the gateway. As a result, the existing ARP spoof will be solved automatically and safely without manual intervention. Future work includes using an authentication mechanism, such as digital signatures, to make trusted servers more robust. As the efficiency of the network may suffer, the mechanism is supposed to be used only when necessary, to lessen its impact on network efficiency.

References
[1] D. C. Plummer. An Ethernet Address Resolution Protocol, IETF RFC 826, November 1982.
[2] D. Bruschi, A. Ornaghi and E. Rosti. S-ARP: a Secure Address Resolution Protocol. In Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003).
[3] Wu Xiaopin, Zhou Jianzhon, Fang Xiaohui. An active defense ARP spoofing solution based on SNMP. Journal of Huazhong Normal University, Vol. 41, No. 4.
[4] Qin Fenglin, Duan Haixin, Guo Ruting. Overview of ARP spoofing detection and prevention techniques. Application Research of Computers, Vol. 26, No. 1.
[5] Chen Hui, Tao Yang. ARP spoofing detection and recovery based on WinPcap. Computer Applications, Vol. 24, No. 10.
[6] Douglas E. Comer. Internetworking With TCP/IP, Vol. I: Principles, Protocols, and Architecture, Sixth Edition.
[7] R. Droms. Dynamic Host Configuration Protocol, IETF RFC 2131, March 1997.
[8] Cisco Systems. Configuring Dynamic ARP Inspection, chapter 39, pp. 39-1 to 39-22, in Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SX.
[9] Raviya Rupal D., Dhaval Satasiya, Hiresh Kumar, Archit Agrawal. Detection and Prevention of ARP Poisoning in Dynamic IP configuration.
[10] Wesam Lootah, William Enck, and Patrick McDaniel. TARP: Ticket-based Address Resolution Protocol. Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), IEEE, 2005.
[11] A. Ornaghi and M. Valleri. (2003). Man in the middle attacks Demos. Blackhat. [Online]. Available: http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
[12] S. M. Bellovin. Security problems in the TCP/IP protocol suite. ACM SIGCOMM Comput. Commun. Rev., vol. 19, no. 2, pp. 32-48, Apr. 1989.
[13] L. Senecal. Understanding and preventing attacks at layer 2 of the OSI reference model. In Proc. 4th Annu. Commun. Netw. Services Res. Conf. (CNSR), May 2006, pp. 6-8.
[14] S. Whalen. (2001). An Introduction to ARP Spoofing, accessed on Apr. 2017. [Online]. Available: http://rootsecure.net/content/downloads/pdf/arp_spoofing_intro.pdf
[15] B. Issac. Secure ARP and Secure DHCP Protocols to Mitigate Security Attacks. International Journal of Network Security, 8:107-118, March 2009.