Application and Precaution against ARP Deception in Network


Zhichao Li 1, Congcong Cui 2

1 Department of Information Engineering, Zhengzhou Institute of Technology, Zhengzhou 450044, China
2 Zhengzhou Institute of Technology, Library, Zhengzhou 450044, China

Abstract

The ARP protocol is an important group of network layer protocol units in the TCP/IP protocol stack, responsible for resolving IP addresses and delivering MAC addresses. As an extremely important part of the TCP/IP stack, the mutual trust assumed in its design and the security of the LAN are the basic conditions for assessing the stability of the system. However, the ARP protocol itself can only be carried by MAC address, and in the LAN environment it is only the basic unit of network communication. Constrained by multiple factors, the ARP protocol was designed to improve transmission efficiency, but it lacks a complete authentication system, resulting in very weak security. Among the most common forms of cyber-attack, the ARP protocol has the highest proportion of fraudulent attacks. Therefore, analyzing the attack mode and prevention mechanism of ARP deception is the process of taking precautions against the vulnerability of the ARP protocol itself. To this end, this study analyzes the operating mechanism of the ARP protocol and puts forward specific measures to prevent ARP deception in the network environment.

Keywords: ARP Deception, Cyberspace, Prevention System, Adaptation Dimension.

1. RESEARCH BACKGROUND

1.1 Literature review

ARP is a systematic function designed according to the TCP/IP protocol, and within the TCP/IP network architecture all hosts communicate on the condition of holding a legal IP address. The network environment is developing rapidly, causing a serious shortage of IP resources (Zhang and Li, 2014). Therefore, to alleviate the pressure on IP addresses, some government or enterprise websites have chosen NAT domain names, with the technology establishment and server access carried out on the extranet (Luan et al., 2014). Although the risk to intranet interaction resources can be evaded (Yang and Xu, 2014), the operational risk for the TCP/IP protocol may rise, and the relatively fuzzy basic trust may expose the TCP/IP protocol to many threats in the open environment.

1.2 Research purposes

An ARP fraudulent attack is a type of attack that exploits the ARP protocol, and the potential safety hazard arising from the mutual trust among the corresponding hosts is a serious defect of this protocol. Even though the mechanism of ARP deception is very clear, there is presently no objective uniform standard for the prevention mechanism of ARP deception. To further study prevention strategies for ARP fraudulent attacks, it is necessary to comprehensively consider the essential requirements for the precaution of ARP fraudulent attacks in the network environment. Therefore, this study summarizes the building elements of an ARP prevention system and classifies them through mathematical models, in order to resolve the current direction of ARP deception prevention based on the domestic and foreign research direction.

2. OVERVIEW AND WORKING PRINCIPLE OF ARP PROTOCOL

2.1 Overview of ARP protocol

ARP is a standard address resolution protocol: it converts the 32-bit network IP address of a terminal computer into a 48-bit physical MAC address; therefore, it is a very typical data link layer (DLL) protocol (Feng et al., 2014). When Ethernet data frames are sent from one host to another host at a port within the network, the destination port must be identified by its 48-bit Ethernet hardware address rather than by the information expressed by a 32-bit IP address. In the kernel driver, the corresponding hardware address must be clearly defined before the relevant data can be assembled and sent. In the local network, the actual transmission is in frames, and the MAC address of the target host is also involved (Wang et al., 2014). Therefore, direct communication among hosts in Ethernet must specify the target MAC address, and the final form of the address resolution protocol must then be learned. So-called address resolution is the information transformation completed before a frame is sent to the host: the target IP address is translated into a MAC address for operation. The basic function of the ARP protocol is to implement address resolution and to ensure the smooth operation of communication.

2.2 Operation mechanism of ARP protocol

Each host node has an ARP cache, which is a cache space in the host node holding a mapping table from the IP addresses of routers to their respective hardware addresses; from these entries the node can identify the final result for the current IP address. The operating mechanism of the ARP protocol is shown in Figure 1.

[Figure 1. Flow Diagram of the Operation Mechanism of ARP Protocol: ARP request; send request command; feedback request information; reply IP address]

First, each host builds an ARP list and an ARP cache region according to the other nodes it has communicated with on the network in the past, and the IP address and MAC address of each node are recorded.

Second, when the source node needs to send a packet to the target node, it first checks whether its ARP list has the MAC address corresponding to the target node IP address contained in that packet. If it does, the packet is sent directly to that MAC address node. Otherwise, an ARP request is broadcast to the local network segment, so that querying the MAC address of the target node with this IP address becomes the final command (Yu et al., 2013).

Third, all nodes in the network segment receive this ARP request and check whether the target IP address in the packet is consistent with their own IP address. If it is not, the packet is discarded. If it is consistent, the sender's MAC address and IP address are added as an entry to the node's ARP list (an existing entry for that address is overwritten), and an ARP response packet is sent to the source node, notifying the other party that the request to find the target node is complete.

Finally, after receiving the ARP reply packet, the source node adds the IP address of the target node and the corresponding MAC address as an entry to its ARP list and uses that information to start data transmission. If no ARP reply is received, the ARP query fails and must be repeated.

3. RESEARCH APPEALS FOR ARP PREVENTION AGAINST FRAUDULENT ATTACK

3.1 Measurement scope of the prevention system fuzzy set

Based on the theory of mathematical fuzzy sets, let the fuzzy model of the ARP prevention model be A, and use the fuzzy model to clarify the demand points of the relevant preventive measures, where the mapping $D: F(U) \to [0, 1]$ needs to meet five conditions: clarity, ambiguity, monotonicity, symmetry and additivity (Mei et al., 2014).

First, clarity is the demand standard for the preventive system. Establishing a friendly user interface in a preventive system of high simplicity is the basis of superior operational performance, and being easy for the operator to master is also an important factor in resolution. The fuzzy degree of a classical (crisp) set is 0, which can be used as the measurement standard of the protective system model for learning and control and is also the direction that is convenient for operation and realization. The condition $D(A) = 0$ when $A \in P(U)$ is the expected preventive target this theoretical model can achieve.

Second, vagueness is the objective condition for measuring accuracy. The accuracy of the ARP deception preventive system in the research results is also an objective index that needs to be improved; only by realizing the ARP packet filtering and capturing functions and by clarifying and locating the deceptive host can the generation mode of ARP deception finally be solved (Liu et al., 2013). Vagueness is the identification mode emphasizing accuracy: $D(A) = 1$ holds exactly when $A(u) = 0.5$ for every $u \in U$, in which case the fuzzy set is the vaguest; otherwise the degree of standardization reflects the objective conditions supporting the perfection of the system.

Third, monotonicity can be understood as the response time of the system. Since ARP deception is extremely time-sensitive, real-time deception behaviors can be captured, so that the number of attacks in the network environment is reduced and damage is avoided accordingly. For every $u \in U$, if $A(u) \le B(u) \le 0.5$ or $A(u) \ge B(u) \ge 0.5$, then the relation $D(A) \le D(B)$ holds, and the time nodes of the attack can also verify the reduction of the effectiveness and the monotonicity of the frequency of occurrence.

Finally, symmetry refers to the matching value of the running effect of the system, which can be regarded as the efficiency generation mechanism of ARP in the regular operating environment; when an architectural defense system has become a necessary measure, an effective preventive mechanism is also essential to the solution (Xu et al., 2013). Therefore, symmetry means that the fuzzy degree of a set equals the fuzzy degree of its complementary set, which expresses the space into which the fuzzy subset can be extended, based on which the solution to attacks can be enhanced and the relative time conditions satisfied.

In addition, additivity is an extension function that the system must have, which is an objective requirement for the transformation or upgrading of the system state. Especially when the system hardware and software have great room for expansion, expansion or modification of the hardware or software must not cause the preventive system to lose its dominance and specific functions. This design requirement therefore needs to be considered at the beginning of the design. The coupling degree is also the ultimate result of overlapping. Its operation formula is as follows:

$$D(A \cup B) + D(A \cap B) = D(A) + D(B) \quad (1)$$

3.2 Define direction and operation of fuzzy functions

Let D be the fuzzy degree function on F(U), and D(A) the fuzzy degree of the fuzzy set A to be evaluated. There are usually two methods of operation for the possibility of fuzzy existence, described for finite and infinite domains respectively:

$$D(A) = \frac{2}{n^{1/p}}\left\{\sum_{i=1}^{n}\left|A(u_i) - A_{0.5}(u_i)\right|^{p}\right\}^{1/p} \quad (2)$$

$$D(A) = \int_{-\infty}^{+\infty}\left|A(u) - A_{0.5}(u)\right|\,du \quad (3)$$

The parameter $p > 0$ in the above formulas can be regarded as the ambiguity of the ARP deception prevention model.
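As an added worked example (not the paper's own code), the following Python implements the finite-domain fuzzy degree of equation (2) for a general p, the nearest crisp set A_0.5, and evaluates the five conditions of Section 3.1 on constructed sample sets; the membership values in the sample sets are assumptions chosen for illustration.

```python
"""Fuzzy degree D(A) of equation (2) and the five axioms of Section 3.1.

Added example, not the paper's code. A fuzzy set over a finite domain
U = {u_1, ..., u_n} is represented as a list of membership values in [0, 1].
"""
from typing import Dict, List, Sequence


def nearest_crisp(a: Sequence[float]) -> List[float]:
    """A_0.5(u) = 1 if A(u) >= 0.5 else 0: the crisp set closest to A."""
    return [1.0 if x >= 0.5 else 0.0 for x in a]


def fuzzy_degree(a: Sequence[float], p: float = 1.0) -> float:
    """Equation (2): D(A) = 2 / n^(1/p) * (sum_i |A(u_i) - A_0.5(u_i)|^p)^(1/p).

    p = 1 gives the Hamming fuzziness, p = 2 the Euclidean fuzziness.
    """
    n = len(a)
    if n == 0 or p <= 0:
        raise ValueError("domain must be non-empty and p > 0")
    if any(not 0.0 <= x <= 1.0 for x in a):
        raise ValueError("membership values must lie in [0, 1]")
    total = sum(abs(x - c) ** p for x, c in zip(a, nearest_crisp(a)))
    return 2.0 / n ** (1.0 / p) * total ** (1.0 / p)


def complement(a: Sequence[float]) -> List[float]:
    return [1.0 - x for x in a]


def fuzzy_union(a: Sequence[float], b: Sequence[float]) -> List[float]:
    return [max(x, y) for x, y in zip(a, b)]


def fuzzy_intersection(a: Sequence[float], b: Sequence[float]) -> List[float]:
    return [min(x, y) for x, y in zip(a, b)]


def additivity_gap(a: Sequence[float], b: Sequence[float], p: float = 1.0) -> float:
    """Left side minus right side of equation (1); zero means additivity holds."""
    lhs = fuzzy_degree(fuzzy_union(a, b), p) + fuzzy_degree(fuzzy_intersection(a, b), p)
    return lhs - (fuzzy_degree(a, p) + fuzzy_degree(b, p))


def is_sharper(a: Sequence[float], b: Sequence[float]) -> bool:
    """A is sharper than B if for every u: A(u) <= B(u) <= 0.5 or A(u) >= B(u) >= 0.5."""
    return all((x <= y <= 0.5) or (x >= y >= 0.5) for x, y in zip(a, b))


def check_axioms(a: Sequence[float], b: Sequence[float], p: float = 1.0,
                 tol: float = 1e-9) -> Dict[str, bool]:
    """Evaluate the five conditions of Section 3.1 on a concrete pair A, B.

    Monotonicity is only meaningful when A is sharper than B, so it is
    reported only in that case.
    """
    n = len(a)
    results = {
        "clarity": abs(fuzzy_degree(nearest_crisp(a), p)) < tol,           # D = 0 for a crisp set
        "vagueness": abs(fuzzy_degree([0.5] * n, p) - 1.0) < tol,           # D = 1 when A(u) = 0.5 everywhere
        "symmetry": abs(fuzzy_degree(a, p) - fuzzy_degree(complement(a), p)) < tol,
        "additivity": abs(additivity_gap(a, b, p)) < tol,
    }
    if is_sharper(a, b):
        results["monotonicity"] = fuzzy_degree(a, p) <= fuzzy_degree(b, p) + tol
    return results


if __name__ == "__main__":
    # Constructed sample sets over a four-element domain (assumed values).
    A = [0.1, 0.9, 0.2, 0.8]   # sharper than B in every coordinate
    B = [0.3, 0.7, 0.4, 0.6]
    for p in (1.0, 2.0):
        print(f"p={p}: D(A)={fuzzy_degree(A, p):.4f} D(B)={fuzzy_degree(B, p):.4f}",
              check_axioms(A, B, p))
```

With p = 1 all five conditions hold on the sample pair, while with p = 2 additivity fails even though the other four still hold, so only the Hamming form satisfies equation (1) exactly.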
Under the condition $p = 1$, the ambiguity index can be clarified, and the corresponding fuzzy degree is also the standard for judging the establishment of the preventive mechanism of the system model (Li et al., 2008). On this basis, if $p = 2$, the Euclidean fuzziness is achieved, and it can be regarded as the precautionary condition and expected value of the system itself having been exceeded.

3. DESIGN PARADIGM OF ARP DECEPTION ATTACK PREVENTIVE MECHANISM IN NETWORK ENVIRONMENT

Although the ARP protocol is an effective DLL protocol, it is a LAN protocol established on the mutual trust of each host. Based on the analysis of its working mechanism, the defects of the ARP protocol are summarized as follows.

On the one hand, the ARP protocol is a dynamic working process: the ARP cache is dynamically updated according to the ARP packets received. This is one of the most important features of the ARP protocol and was designed as an optimization for the safety condition of risk prevention (Liu and Xu, 2016). However, because the MAC address of a host is valid only for a limited time within the continuous update course, a later update can modify the existing cache entry more easily, which threatens the equipment and is the source of the loophole that enables spoofing attacks or denial-of-service attacks.

On the other hand, the ARP protocol has a distinct broadcast nature, which stems from the fact that ARP request messages are usually sent in broadcast form, while an attacker can disguise itself in an ARP response; this allows a fake reply to be imitated and executed, copying the target node announced by the broadcasting host onto real communication with the identified subnet host and obtaining the cached MAC address after the update (Liu et al., 2016).

In addition, the ARP protocol has the characteristic of uncontrollability, which is closely related to the stateless nature of the ARP protocol itself. ARP has no concept of a connection; it cannot respond in a timely manner if no request was received, but a reply packet from any operator is accepted as effective and unconditionally refreshes the cache information according to the content of the reply packet.

The greater security risk, however, is that the ARP protocol has no authentication mechanism and performs no authentication of the sender and receiver of the data; any ARP reply packet that meets the needs of the local area is regarded as effective information, so it is very possible for the data to be refreshed into the local cache without the validity of the packet being inspected in time. Therefore, an attacker can send a forged ARP packet to update the ARP cache on the attacked host and then execute address spoofing or denial-of-service attacks. The way to run the preventive mechanism is shown in Figure 2.

[Figure 2. Ways to Run a Defense Mechanism]

3.1 Manual detection mechanism

Manual detection aims to confirm whether the host is affected by ARP deception, and the following methods can be used for manual detection on the host. On the one hand, the command arp -a can be used. When executed on the command line, the command displays the local ARP cache. Normally, after the gateway entry has been removed, there is no record of the gateway. When the gateway MAC address is viewed, a primary evaluation of the running condition is formed (Tang et al., 2016), which gives the objective indicators of normal operation. Conversely, if the cached gateway MAC address has changed although the gateway's network card has not, this is sufficient to prove that the host is under ARP attack. On the other hand, manual binding of a static IP-MAC address mapping table is also a ready preventive mode; as a means of effective prevention of ARP deception, this mode can be completed in a small LAN. However, as the number of network hosts continuously increases, such a mode obviously cannot meet the expansion demand of dynamic change. Especially with the dynamic address allocation of DHCP, the inadaptability is more obvious.
Therefore, the regular use of supplementary static mapping is a preventive mechanism with a high workload, which provides no substantial support for prevention efficiency. In addition, as ARP deception cannot be implemented across network segments, increasing the number of VLAN units in the LAN, so as to reduce the number of hosts per VLAN and thus the possibility of ARP deception, can also effectively expand the prevention space. However, such a defense increases the cost of management and maintenance, and its adaptability is not entirely consistent with the dynamic change standard.

3.2 Dynamic detection mechanism

The current dynamic monitoring of the ARP deception mechanism mainly includes host detection, server detection and network detection. On a host, two methods are usually adopted to detect anomalies within the network: the first is to actively detect whether there is anything suspicious; the second is to passively check the network broadcast information, which is a commonly used operation for detecting malicious failures. Host-level detection is either active or passive. In active detection, the host regularly sends ARP packets to the local LAN querying its own IP address (Yang, 2017). If an ARP reply packet is received, it proves that another host on the LAN is using the same IP address, indicating a higher risk of ARP deception; the test result is then reported to the host user or manager. In response to ARP broadcast messages, the server detection system checks whether the message's target IP address matches the local IP address, to determine whether the broadcast message is sent to this host. In network detection, if a message is sent to the host, the ARP response message is sent simultaneously. However, if the system is interrupted, the sender IP address of the required test will also be consistent with the local IP address; this situation means that an IP address in the network is shared by the same host.
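As an added example (not the paper's code), the following Python decodes ARP-over-Ethernet frames as described in Section 2.2 and applies the passive host-level check of Section 3.2 to constructed sample traffic: it flags any ARP packet that rebinds the known gateway IP to a different MAC (the unauthenticated cache refresh discussed above) or that claims the monitoring host's own IP from another MAC (what the active duplicate-IP probe would receive). All addresses are constructed sample values, and the known gateway binding is assumed to have been recorded beforehand.

```python
"""Passive ARP monitor over Ethernet/ARP frames (added example, not the paper's code)."""
import struct
from typing import List, NamedTuple, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


class ArpPacket(NamedTuple):
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_frame(opcode: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Encode an Ethernet II frame carrying a 28-byte IPv4-over-Ethernet ARP packet.
    Requests go to the broadcast MAC; replies are unicast. Used only to build samples."""
    dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = _mac_bytes(dst) + _mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
           + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
           + _mac_bytes(target_mac) + _ip_bytes(target_ip))
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet frame; return None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]  # sha(6) spa(4) tha(6) tpa(4)
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpPacket(opcode, mac(body[0:6]), ip(body[6:10]), mac(body[10:16]), ip(body[16:20]))


def inspect_frames(frames: List[bytes], gateway_ip: str, gateway_mac: str,
                   local_ip: str, local_mac: str) -> List[str]:
    """Return one alert per ARP packet whose sender fields contradict the recorded bindings.
    Requests and replies both carry sender fields a host may cache, so the opcode is
    reported but not used to filter."""
    alerts = []
    for i, frame in enumerate(frames):
        pkt = parse_arp_frame(frame)
        if pkt is None:
            continue  # not ARP: the monitor ignores it
        kind = "reply" if pkt.opcode == ARP_REPLY else "request"
        if pkt.sender_ip == gateway_ip and pkt.sender_mac != gateway_mac:
            alerts.append(f"frame {i}: {kind} binds gateway {gateway_ip} to "
                          f"{pkt.sender_mac}; recorded MAC is {gateway_mac}")
        if pkt.sender_ip == local_ip and pkt.sender_mac != local_mac:
            alerts.append(f"frame {i}: {kind} claims local IP {local_ip} "
                          f"from {pkt.sender_mac} (duplicate IP)")
    return alerts


# Constructed sample addresses (assumed values, not from the paper).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
LOCAL_IP, LOCAL_MAC = "192.168.1.10", "00:11:22:33:44:0a"
OTHER_MAC = "00:11:22:33:44:14"  # a third host on the same segment


def sample_frames() -> List[bytes]:
    """Constructed capture: two normal frames, two contradicting the bindings, one non-ARP."""
    return [
        build_arp_frame(ARP_REQUEST, LOCAL_MAC, LOCAL_IP, "00:00:00:00:00:00", GATEWAY_IP),
        build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, LOCAL_MAC, LOCAL_IP),
        build_arp_frame(ARP_REPLY, OTHER_MAC, GATEWAY_IP, LOCAL_MAC, LOCAL_IP),
        build_arp_frame(ARP_REPLY, OTHER_MAC, LOCAL_IP, LOCAL_MAC, LOCAL_IP),
        _mac_bytes(GATEWAY_MAC) + _mac_bytes(LOCAL_MAC) + struct.pack("!H", 0x0800) + bytes(28),
    ]


if __name__ == "__main__":
    for alert in inspect_frames(sample_frames(), GATEWAY_IP, GATEWAY_MAC, LOCAL_IP, LOCAL_MAC):
        print(alert)
```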
This error configuration can lead to the result that a simple ARP deception is discovered, so that the attacker can be detected before the IP address of the attacking host is reset. Therefore, in the actual operation process, it is also important to comprehensively consider the fitness and operating environment of host detection, server detection and network detection, so as to choose the appropriate way to ensure the safe operation of ARP.

4. CONCLUSIONS

In summary, the ARP protocol is based on the trust of LAN hosts, so ARP has a series of security holes such as its broadcast nature, connectionlessness, disorder, lack of validation and dynamic updating. On the basis of analyzing the common ARP attack modes, perfecting the corresponding guard mechanism is also the optimal calculation mode against ARP deception attacks. When it is composed of ARP header information anomaly detection, ARP attack detection and ARP filtering, the consistency of the information sources can be used for judgment. When a response is received before the request is sent, active detection methods such as manual detection and dynamic detection can be adopted to test and deal with the ARP packets of all hosts. The algorithm provided in this study is only a theoretical model, which is applicable to network environments with high security requirements. Further empirical research is needed to support this model, and it is necessary to comprehensively analyze the current network environment in order to improve the feasibility and reliability of the prevention mechanism.

REFERENCES

Feng D.Q., Shen J.J., Zhu J. (2014). Security analysis of clock synchronization protocol based on colored Petri nets, Control and Decision, 29(12), 2144-2150.

Li L., Yi Y.F., Qin J. (2008). ARP deception principle and prevention strategy, Software Guide, (07), 185-186.

Liu G.D., Zhou M., Wang Y., Li B.M. (2016). A real-time detection of dynamic trust model based on the extended subjective logic of ARP intrusion, Computer Fan, (12), 16.

Liu Y., Tian K.W., Liu L.F. (2013). Network traffic monitoring system based on SharpPcap, Computer Engineering and Design, 34(07), 2328-2332.

Liu Y.Y., Xu W. (2016). The research on the automatic login/offline of Web/Portal billing gateway in Linux environment, Computer Knowledge and Technology, 12(29), 52-54.

Luan G.F., Fan Y., Chang Z. (2014). Analysis on the principle and preventive measures of ARP deception in LAN, Gansu Science and Technology, 30(05), 8-9+7.

Mei Y.H., Gan Z.Q., Ma C.J. (2014). Implementation of DHCP and Option82 in the access network, Communication Technology, 46(08), 58-60.

Tang G.P., Wang J., Xiao G.D. (2016). Design and implementation of simulation experiment of ARP protocol theory, Laboratory Research and Exploration, 35(12), 126-129+196.

Wang J.J., Meng X.D., Wang J. (2014). The software definition network and the address resolution protocol mechanism of traditional network hybrid scenes, Computer Application, 34(11), 3188-3191+3213.

Xu Z.Y., Wu Z.Y., Cai C., Hu P., Quan P., Deng R. (2013). A static MAC-IP binding based on Dynamic ARP Inspection: a kind of ARP deception avoidance solution, Measurement and Control Technology, 32(10), 93-97.

Yang G.Q. (2017). The principle and solution strategy of LAN ARP virus invasion, Digital Communication World, (02), 154-155.

Yang M. (2014). A brief discussion on the impact of Wi-Fi, 4G and other wireless networks on the hierarchical protection of important information systems, Police Technology, (S1), 73-75.

Yang W., Xu X.L. (2014). An improved ARP defense attack with priority and certification, Computer Application and Software, 31(05), 316-318+333.

Yu Y.G., Pan L.F., Wang J., Du E.F. (2013). The implementation mode of security control of task IP network equipment, Computer Application, 33(S2), 139-141.

Zhang Z.Y., Li X.N. (2014). Research on the security strategy model based on F2AP, Intelligence Science, 32(02), 35-38+42.