Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1109/dcabes.2012.71

2012-01-01

Abstract:Owing to its great need for mapping an IP address to the corresponding MAC address over an Ethernet topology, Address Resolution Protocol (ARP) has been, and still is, capable of accomplishing this task efficiently. At the same time, it suffers from some security shortcomings, because of the malicious hosts have the possibility of poisoning the ARP cache for another host on the same LAN. In this paper, by gratuitous ARP request packets, we propose a solution to the problem of ARP poisoning. Our suggested mechanism which is named a Gratuitous Decision Packet System (GDPS) seeks to achieve two main goals: (1) Detection of suspicious ARP packets, by implementing a real-time analyzing for received ARP packets. (2) The distinction between a legitimate and malicious host through sending a modified request packet of the gratuitous ARP packets. Furthermore, the experiments show that the presented design has the efficiency and accuracy, as well as it does not require any additional software or hardware.

Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1007/978-3-642-31020-1_30

2012-01-01

Abstract:Address Resolution Protocol (ARP) is the network part that is responsible for identifying a Media Access Control (MAC) address of each other, through mapping an IP address to the corresponding MAC address. Unfortunately, ARP is a stateless protocol, the weakness in ARP effects directly on the security standards of the network and especially in Ethernet. In this paper, we propose a new architecture; named a CSIDS Client/Server based Intrusion Detection System designed to detection and defense against ARP spoofing attacks. The main idea behind this approach is to implement a real-time analyzing for received ARP packets and in case of detection a suspicious ARP packet a resolution message will be exchanged between system parts on the same network. This system is resilience by making at most two objects (client/server) to work efficiently; on the other hand, just one client is capable of defending on himself.

Dalia Nashat,Sabah M. Morsy

DOI: https://doi.org/10.1109/ACCESS.2022.3172329

IF: 3.9

IEEE Access

Abstract:Nowadays, cyber-attack is a severe criminal violation, and it is one of the most active fields of research. Man-in-the-middle attack (MITM) is a type of cyber-attack in which an unauthorized third party secretly accesses the communication between two hosts in the same network to read=modify the transferred data between them. ARP spoofing-based MITM attack exploits ARP protocol weakness where the attacker associates its MAC address with the IP address of an intended legitimate host. Although there are many defense approaches for ARP spoofing based-MITM attacks, these methods are uncompleted or have a performance overhead since they modify the original ARP protocol. Also, some of these approaches depend on the centralized server which leads to a single point of failure. This paper presents a detection scheme for ARP spoofing-based MITM attack called D-ARP which is compatible with the original ARP protocol. The main idea of D-ARP is to send an ARP packet signed with a key in parallel with the original ARP packets to make a correlation between requests and replies. Each host records the signed ARP packets whether it is a request or a reply in a log file. Based on this correlation, D-ARP matches the injected key to detect ARP spoofing if there is a duplicate or conflict in the MAC address. For more reliability, D-ARP uses the DHCP server and the Nmap feature to detect the MAC addresses of MITM attackers. Moreover, this scheme also offers a module for Admin to create a trusted list of hosts. The experimental results show that D-ARP is very effective to detect and prevent ARP spoofing with zero false positives and zero false negative probabilities without any modifications in the original ARP protocol.

Computer Science

R. Chaisricharoen,Mayoon Yaibuates

DOI: https://doi.org/10.1109/ECTIDAMTNCON48261.2020.9090760

2020-03-01

Abstract:Internet Control Message Protocol (ICMP) is very useful when diagnostic network problem. ICMP is being used and turns on automatically by an Operating System. For security reason, this protocol can be at ease turn off temporary or permanently by security administrators such as an event of preventing, delaying attackers from incorrectly identifying devices. The ICMP disabling leads to a fundamental problem in the previous model– identifying Dynamic Host Configuration Protocol (DHCP) malicious request by implementing ICMP. To overcome this specific problem, the proposed model will be implementing Address Resolution Protocol (ARP) in conjunction with ICMP for identifying malicious IP address request through DHCP.

Computer Science,Engineering

Fabrice Mvah,Vianney Kengne Tchendji,Clémentin Tayou Djamegni,Ahmed H. Anwar,Deepak K. Tosh,Charles Kamhoua

DOI: https://doi.org/10.1016/j.cose.2023.103696

IF: 5.105

2024-01-06

Computers & Security

Abstract:The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

computer science, information systems

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Yang Liu,Ke Dong,Liang Dong,Bin Li

2008-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon is seriously threaten the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

Haider Salim,Zhitang Li

DOI: https://doi.org/10.1109/mitp.2019.2956131

2021-01-01

IT Professional

Abstract:Internet protocol (IP) is a part of the Transmission Control Protocol (TCP) /IP suite that operates below the network layer of the Open Systems Interconnection (OSI) reference model and is employed as an interface between the network and data link layer. The address resolution protocol (ARP) is a protocol used by IP for mapping an IP address to the corresponding media access control address that is a hardware address harnessed to identify the source and destination of each frame sent on the Ethernet. The man-in-the-middle (MITM) attack is a kind of the Ethernet attack that can be carried out depending on ARP cache-memory poisoning to intercept communications between two systems on Ethernet, and it could, without difficulty, be applied when the attacker is in control of a router along normal point of traffic. To secure systems on Ethernet as well as to prevent ARP cache-memory poisoning, it is necessary to have a good prevention model of MITM attacks. In this article, using the client/server-based intrusion detection system (CSIDS), a precise model to prevent ARP poisoning attacks is proposed and implemented. Our analysis is adequately characterized by implementing a real-time analysis for the received ARP packets, and in the case of detection of a suspicious ARP packet, a resolution message will be exchanged between system parts on the same network. To evaluate the ability of detection and prevention of CSIDS, we design and implement a novel protocol. At the same time, we compare the performance between CSIDS with the standard operations of ARP. Our experimental results reveal that our methodology completely protects hosts against cache poisoning attacks. We further show the effectiveness of our technique in identifying the abnormal ARP packets.

SONG Wei-Jia,ZHOU Chang-Ling,CUI Jian,SHANG Qun,ZHANG Bei

2008-01-01

Periodical of Ocean University of China

Abstract:ARP protocol is vulnerable to ARP Cache Poisoning, which fosters a variety of security issues such as Man-In-The-Middle attack. There are pros and cons of existing approaches to this issue.Based on the characteristics of ARP Cache Poisoning attacks,we combine the ARP inspection function of switches with dynamic IP-MAC binding algorithms to design a new solution to ARP Cache Poisoning.Our solution is flexible and deployment-friendly to large-scale networks.Experiment demonstrates the effectiveness of the solution.

Guang-jia Song,Zhen-zhou Ji

DOI: https://doi.org/10.1631/fitee.1500382

IF: 2.526

2016-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Address-resolution protocol (ARP) is an important protocol of data link layers that aims to obtain the corresponding relationship between Internet Protocol (IP) and Media Access Control (MAC) addresses. Traditional ARPs (address-resolution and neighbor-discovery protocols) do not consider the existence of malicious nodes, which reveals destination addresses in the resolution process. Thus, these traditional protocols allow malicious nodes to easily carry out attacks, such as man-in-the-middle attack and denial-of-service attack. To overcome these weaknesses, we propose an anonymous-address-resolution (AS-AR) protocol. AS-AR does not publicize the destination address in the address-resolution process and hides the IP and MAC addresses of the source node. The malicious node cannot obtain the addresses of the destination and the node which initiates the address resolution; thus, it cannot attack. Analyses and experiments show that AS-AR has a higher security level than existing security methods, such as secure-neighbor discovery.

Laurent Patrice,Ramadhani Sinde,Judith Leo

DOI: https://doi.org/10.1109/access.2024.3409679

IF: 3.9

2024-06-15

IEEE Access

Abstract:Address Resolution Protocol (ARP) spoofing has been a long-standing problem with no clear remedy until now. The attacks can be launched easily utilizing an enormous number of publicly available tools on the web; however, they are extremely tough to counterattack due to ARP's stateless nature for not authenticating ARP replies for a subsequent request. Previous studies have demonstrated significant efforts to counterattack these assaults in Software-Defined Networks (SDN); however, much effort has been focused solely on detecting the assaults, with little effort being made to address performance bottlenecks, scalability, and Single Point of Failure (SPOF) issues in large-scale networks. In this study, we focus on developing ARP spoofing attacks detection mechanism in large-scale SDN that is immune to SPOF and provides enhanced network performance and scalability. The main purpose is to enable controllers to intercept and analyze all incoming ARP packets, learn address mappings, and store them in the application's memory to be used as a basis for ongoing ARP cache comparisons while maintaining a global cache in a controller. To achieve the goal of this study, a simulation experiment in a closed network environment was undertaken to precisely monitor network traffic and result patterns. Mininet and the Open Network Operating System were used to implement the data plane and OpenFlow controllers. The results show that, the proposed solution is resistant to ARP spoofing attacks, with an average detection and mitigation time of 4.3 and 26.19 milliseconds, respectively. Further significant improvements have been observed in alleviating SPOF and performance bottlenecks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Sixian Sun,Xiao Fu,Bin Luo,Xiaojiang Du

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162965

2020-01-01

Abstract:Cloud computing is making a greater impact on internet industry, medical industry, insurance industry, and so on. Due to its influence, cloud computing networking is in great need of security, and protecting cloud environment from diverse attacks has been a hot issue. On the other hand, Software Defined Network (SDN) separates the control plane from the data plane and makes networks programmable, which promotes the centralized management of network devices. Compared to traditional networks, SDN increases the utilization efficiency of resources, increases the flexibility of network services, and reduces the cost of maintenance. Therefore, in this paper, we apply SDN to protect cloud computing networking from Address Resolution Protocol (ARP) attacks. In the proposed approach, a cluster of controllers detects ARP packets that hosts send, in order to find out the forged ones and to prevent ARP spoofing attacks. Also, controllers monitor statistical data of ARP packets once in a while to detect ARP flooding attacks. Once an attack is detected, controllers install flow entries on corresponding switches, to block flow for a specific time. Finally, we conduct experiments to show that our approach is useful to detect and mitigate ARP attacks in SDN-based cloud environment.

Abhishek Samvedi,Sparsh Owlak,Vijay Kumar Chaurasia

DOI: https://doi.org/10.48550/arXiv.1406.2930

2014-06-11

Abstract:In this paper, an improved secure address resolution protocol is presented where ARP spoofing attack is prevented. The proposed methodology is a centralised methodology for preventing ARP spoofing attack. In the proposed model there is a central server on a network or subnet which prevents ARP spoofing attack.

Cryptography and Security

Salim M. Ali,Ammar A. Shareef

DOI: https://doi.org/10.31987/ijict.1.1.175

2021-12-15

Abstract:DHCP is an important aspect in small and large networks, since it facilitates the IP configuration of computers. However, DHCP is vulnerable to different attacks; therefore, the essential objective of this paper is to propose solutions against DHCP attacks. The paper gives an explanation about how DHCP works and understand the handshake mechanism and give a brief summary about DHCP attack, how they occur and how they affect the security of the enterprise since a leakage of sensitive Information could happen, which threatens the enterprise's security or a denial of service that immobilizes the network. Three effective countermeasures are looked up and tested against DHCP attacks, and each one successfully prevented the attack.

Lei Yang,Lejun Chi,Dongjie Zhu,Chengwen Tang,Kun Wang

2006-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon seriously threatens the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

XING Jinge,LIU Yang

DOI: https://doi.org/10.3969/j.issn.1005-9369.2012.08.016

2012-01-01

Abstract:Attackers using ARP spoofing attack network segment host In the LAN,which threaten the LAN security seriously.This paper analyzed the common tricks such as monitor,intercept,and malicious attacks which attackers used,and summarized the IP matched methods based on ARP cheat theory,data frame detection method,Echo time method,ARP response analysis method,tools detection method and so on.A prevent ARP spoofing algorithm is proposed in this paper,which made use of ARP cache update policy,switching equipment control and other strategies to prevent ARP spoofing.This algorithm can reject ARP spoofing,achieve the goals of maintaining network security.

Abdulaziz Abdulghaffar,S. Paul,A. Matrawy

DOI: https://doi.org/10.1109/BSC57238.2023.10201458

2023-07-04

Abstract:A large number of devices use the Dynamic Host Control Protocol (DHCP) protocol to obtain network configurations like IP address, gateway, Domain Name System (DNS) address, etc. However, the security aspect was not considered thoroughly during its design phase. As a result, it has several very lucrative vulnerabilities to many attackers. In this analysis, we discuss the major vulnerabilities of the DHCP protocol that can result in different attacks. These vulnerabilities include a lack of authentication, confidentiality, and integrity. We also explain different attacks that can be performed by exploiting these vulnerabilities, like rogue DHCP server attacks, DHCP starvation attacks, or replay attacks. Furthermore, we summarize the countermeasures proposed by the researchers to nullify and mitigate these attacks. Moreover, the advantages and drawbacks of the countermeasures are also discussed in this paper.

Computer Science

Hui Xie,Min Xiao,Mei Guo

DOI: https://doi.org/10.1088/1757-899X/452/4/042025

2018-12-13

IOP Conference Series: Materials Science and Engineering

Abstract:The continuous development and wide application of computer technology are conducive to the realization of the sharing of social resources and information, and provide greater convenience for the development and improvement of all walks of life in society [1]. However, with the development of society, computer network security has also received more attention. Today, computer network security has become an important area of the computer network engineering technology. A major security threat to network security is the ARP attack. This paper describes the principle, working process, attack hazards, and performance of attacks after ARP. Protection against ARP attacks.

Physics,Computer Science

Ehab R. Mohamed,Heba M. Mansour,Osama M. El-Komy,,,

DOI: https://doi.org/10.54216/fpa.120101

2023-01-01

Abstract:In this paper, to protect software-defined networks (SDN) from various ARP attacks, we implement a three-dimensional algorithm (TDA). The main objective of TDA is to limit the methods by which attackers can breach SDN privacy and to prevent the three main types of ARP attacks, such as ARP flooding, ARP spoofing, and ARP broadcasting. This work discusses the three different ARP attack types, which are broken down into five different scenarios, and how the proposed solution detects and mitigates each one. We simulated the five attack scenarios by creating five Python scripts utilizing the Scapy library. And then we applied an efficient TDA to restrict the five scenarios of ARP attacks more efficiently and faster than existing methods. TDA provides the Ryu controller with a modified module to detect and mitigate these types of attacks, using a three-dimensional secure channel to analyze incoming ARP packets, which works as a filter that analyzes and filters incoming ARP packets from malicious ones, and then giving the controller the choice to forward or drop the packet. To simulate our investigation and apply our proposed solution, we used a Mininet emulator. To evaluate TDA, we calculated the delay times, accuracy controller's throughput, bandwidth, and other metrics. The results that we showed after applying TDA 100 times on our test scenarios indicate that the accuracy is 99.9% for the three stages and that the detection and mitigation times are very short compared to the existing solutions, which are that the minimum detection time is only from 0.1ms to 3.6ms, and the minimum mitigation time is only from 0.3ms to 2.9ms. We evaluated our algorithm by other important metrics such as controller bandwidth, which ranged from 18 GB/sec to 17.7 GB/sec in the cases before and after the attack and 16.5GB/sec in the case of attack; controller throughput, which recorded 1.72GB/sec in the case under the attack and reached 2.11GB/sec in the case after defense; and CPU utilization, which recorded 30.4% during the attack and reduced to 0.3% after mitigation. These metrics proved that our algorithm achieved the highest efficiency compared to other work in this field.