A Hardware Approach for Detecting the ARP Attack

Document Type: Original Article

Authors

1 Dept. of Computer Science and Eng., Faculty of Elect. Eng., Minufiya University

2 Faculty of Computers and Information, Minufiya University.

Abstract

This paper describes the Address Resolution Protocol (ARP) and the ARP cache poisoning (ARP spoofing) problem, and presents a proposed architecture for detecting ARP attacks. In addition, it discusses a set of techniques used to detect ARP poisoning attacks on switched Ethernet networks. A new practical technique is suggested: adding an external hardware element to the LAN to work as a sniffer. These external elements are combined in an architecture for practical implementation in a production network. Results from laboratory and real-world detection experiments using several popular attack tools are also presented. The practical results obtained show that the board successfully detects the ARP attack.
