Dalia Nashat,Sabah M. Morsy

DOI: https://doi.org/10.1109/ACCESS.2022.3172329

IF: 3.9

IEEE Access

Abstract:Nowadays, cyber-attack is a severe criminal violation, and it is one of the most active fields of research. Man-in-the-middle attack (MITM) is a type of cyber-attack in which an unauthorized third party secretly accesses the communication between two hosts in the same network to read=modify the transferred data between them. ARP spoofing-based MITM attack exploits ARP protocol weakness where the attacker associates its MAC address with the IP address of an intended legitimate host. Although there are many defense approaches for ARP spoofing based-MITM attacks, these methods are uncompleted or have a performance overhead since they modify the original ARP protocol. Also, some of these approaches depend on the centralized server which leads to a single point of failure. This paper presents a detection scheme for ARP spoofing-based MITM attack called D-ARP which is compatible with the original ARP protocol. The main idea of D-ARP is to send an ARP packet signed with a key in parallel with the original ARP packets to make a correlation between requests and replies. Each host records the signed ARP packets whether it is a request or a reply in a log file. Based on this correlation, D-ARP matches the injected key to detect ARP spoofing if there is a duplicate or conflict in the MAC address. For more reliability, D-ARP uses the DHCP server and the Nmap feature to detect the MAC addresses of MITM attackers. Moreover, this scheme also offers a module for Admin to create a trusted list of hosts. The experimental results show that D-ARP is very effective to detect and prevent ARP spoofing with zero false positives and zero false negative probabilities without any modifications in the original ARP protocol.

Computer Science

Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1109/dcabes.2012.71

2012-01-01

Abstract:Owing to its great need for mapping an IP address to the corresponding MAC address over an Ethernet topology, Address Resolution Protocol (ARP) has been, and still is, capable of accomplishing this task efficiently. At the same time, it suffers from some security shortcomings, because of the malicious hosts have the possibility of poisoning the ARP cache for another host on the same LAN. In this paper, by gratuitous ARP request packets, we propose a solution to the problem of ARP poisoning. Our suggested mechanism which is named a Gratuitous Decision Packet System (GDPS) seeks to achieve two main goals: (1) Detection of suspicious ARP packets, by implementing a real-time analyzing for received ARP packets. (2) The distinction between a legitimate and malicious host through sending a modified request packet of the gratuitous ARP packets. Furthermore, the experiments show that the presented design has the efficiency and accuracy, as well as it does not require any additional software or hardware.

Haider Salim,Zhitang Li

DOI: https://doi.org/10.1109/mitp.2019.2956131

2021-01-01

IT Professional

Abstract:Internet protocol (IP) is a part of the Transmission Control Protocol (TCP) /IP suite that operates below the network layer of the Open Systems Interconnection (OSI) reference model and is employed as an interface between the network and data link layer. The address resolution protocol (ARP) is a protocol used by IP for mapping an IP address to the corresponding media access control address that is a hardware address harnessed to identify the source and destination of each frame sent on the Ethernet. The man-in-the-middle (MITM) attack is a kind of the Ethernet attack that can be carried out depending on ARP cache-memory poisoning to intercept communications between two systems on Ethernet, and it could, without difficulty, be applied when the attacker is in control of a router along normal point of traffic. To secure systems on Ethernet as well as to prevent ARP cache-memory poisoning, it is necessary to have a good prevention model of MITM attacks. In this article, using the client/server-based intrusion detection system (CSIDS), a precise model to prevent ARP poisoning attacks is proposed and implemented. Our analysis is adequately characterized by implementing a real-time analysis for the received ARP packets, and in the case of detection of a suspicious ARP packet, a resolution message will be exchanged between system parts on the same network. To evaluate the ability of detection and prevention of CSIDS, we design and implement a novel protocol. At the same time, we compare the performance between CSIDS with the standard operations of ARP. Our experimental results reveal that our methodology completely protects hosts against cache poisoning attacks. We further show the effectiveness of our technique in identifying the abnormal ARP packets.

Lei Yang,Lejun Chi,Dongjie Zhu,Chengwen Tang,Kun Wang

2006-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon seriously threatens the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

Yang Liu,Ke Dong,Liang Dong,Bin Li

2008-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon is seriously threaten the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

B. Issac

DOI: https://doi.org/10.48550/arXiv.1410.4398

2014-10-16

Abstract:For network computers to communicate to one another, they need to know one another's IP address and MAC address. Address Resolution Protocol (ARP) is developed to find the Ethernet address that map to a specific IP address. The source computer broadcasts the request for Ethernet address and eventually the target computer replies. The IP to Ethernet address mapping would later be stored in an ARP Cache for some time duration, after which the process is repeated. Since ARP is susceptible to ARP poisoning attacks, we propose to make it unicast, centralized and secure, along with a secure design of DHCP protocol to mitigate MAC spoofing. The secure protocol designs are explained in detail. Lastly we also discuss some performance issues to show how the proposed protocols work.

Cryptography and Security

Laurent Patrice,Ramadhani Sinde,Judith Leo

DOI: https://doi.org/10.1109/access.2024.3409679

IF: 3.9

2024-06-15

IEEE Access

Abstract:Address Resolution Protocol (ARP) spoofing has been a long-standing problem with no clear remedy until now. The attacks can be launched easily utilizing an enormous number of publicly available tools on the web; however, they are extremely tough to counterattack due to ARP's stateless nature for not authenticating ARP replies for a subsequent request. Previous studies have demonstrated significant efforts to counterattack these assaults in Software-Defined Networks (SDN); however, much effort has been focused solely on detecting the assaults, with little effort being made to address performance bottlenecks, scalability, and Single Point of Failure (SPOF) issues in large-scale networks. In this study, we focus on developing ARP spoofing attacks detection mechanism in large-scale SDN that is immune to SPOF and provides enhanced network performance and scalability. The main purpose is to enable controllers to intercept and analyze all incoming ARP packets, learn address mappings, and store them in the application's memory to be used as a basis for ongoing ARP cache comparisons while maintaining a global cache in a controller. To achieve the goal of this study, a simulation experiment in a closed network environment was undertaken to precisely monitor network traffic and result patterns. Mininet and the Open Network Operating System were used to implement the data plane and OpenFlow controllers. The results show that, the proposed solution is resistant to ARP spoofing attacks, with an average detection and mitigation time of 4.3 and 26.19 milliseconds, respectively. Further significant improvements have been observed in alleviating SPOF and performance bottlenecks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Mingchun Zheng,Shoubao Yang,Xianglan Piao,Weifeng Sun

DOI: https://doi.org/10.1007/978-3-319-15554-8_18

2015-01-01

Abstract:A detective strategy with multi-layer modules and algorithm on ARP spoof attacks are proposed after some researches against the security problem of ARP. By the research of ARP and ARP attacks, and the consideration of resources and efficiency, the structure of the detective strategy is divided into mainly four modules, ARP spoof prediction module, head information detection, refusing ARP reply packets without request module and sending RARP request module. And there is also an extension module for extending. The result shows with the cooperation among the modules, many APR spoof attacks can be detected and prevented, and there are almost no mistakes.

XING Jinge,LIU Yang

DOI: https://doi.org/10.3969/j.issn.1005-9369.2012.08.016

2012-01-01

Abstract:Attackers using ARP spoofing attack network segment host In the LAN,which threaten the LAN security seriously.This paper analyzed the common tricks such as monitor,intercept,and malicious attacks which attackers used,and summarized the IP matched methods based on ARP cheat theory,data frame detection method,Echo time method,ARP response analysis method,tools detection method and so on.A prevent ARP spoofing algorithm is proposed in this paper,which made use of ARP cache update policy,switching equipment control and other strategies to prevent ARP spoofing.This algorithm can reject ARP spoofing,achieve the goals of maintaining network security.

Fabrice Mvah,Vianney Kengne Tchendji,Clémentin Tayou Djamegni,Ahmed H. Anwar,Deepak K. Tosh,Charles Kamhoua

DOI: https://doi.org/10.1016/j.cose.2023.103696

IF: 5.105

2024-01-06

Computers & Security

Abstract:The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

computer science, information systems

Cai Hongmin,Li Qinglong,Huang Jun,Li Huaji

DOI: https://doi.org/10.3969/j.issn.1000-386X.2012.02.085

2012-01-01

Abstract:With the development of campus networks,the users' number of campus networks is greatly increased,meanwhile the ARP spoofing attacks in LAN impact the internet surfing quality of campus networks users significantly as well.In the paper,we read ARP table of routers and switches by SNMP to detect the ARP spoofing attacks,and quickly locate the ARP spoofing attacker in conjunction with DCBI networks managing system with perfect effect.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Abhishek Samvedi,Sparsh Owlak,Vijay Kumar Chaurasia

DOI: https://doi.org/10.48550/arXiv.1406.2930

2014-06-11

Abstract:In this paper, an improved secure address resolution protocol is presented where ARP spoofing attack is prevented. The proposed methodology is a centralised methodology for preventing ARP spoofing attack. In the proposed model there is a central server on a network or subnet which prevents ARP spoofing attack.

Cryptography and Security

秦丰林,段海新,郭汝廷

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.01.008

2009-01-01

Abstract:Up to now,many schemes have been proposed to protect against ARP spoofing which can be classified into three categories as detecting,preventing and avoiding techniques according to their functions.This paper summarized and analyzed each of these schemes,identified their advantages and weaknesses,presented some factors that have to be considered in improving ARP protocol.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

SONG Wei-Jia,ZHOU Chang-Ling,CUI Jian,SHANG Qun,ZHANG Bei

2008-01-01

Periodical of Ocean University of China

Abstract:ARP protocol is vulnerable to ARP Cache Poisoning, which fosters a variety of security issues such as Man-In-The-Middle attack. There are pros and cons of existing approaches to this issue.Based on the characteristics of ARP Cache Poisoning attacks,we combine the ARP inspection function of switches with dynamic IP-MAC binding algorithms to design a new solution to ARP Cache Poisoning.Our solution is flexible and deployment-friendly to large-scale networks.Experiment demonstrates the effectiveness of the solution.

Guanding Yu

2005-01-01

Abstract:A distributed IP spoof detection system in Intranet is proposed, which can efficiently detect IP spoof behaviors in Intranet. Current techniques of defending IP spoof are analyzed. Aimed at characteristics of Intranet, the design of the system is introduced in detail. The determination method of IP spoof and the design of the monitor, which is a key component of the system, are presented. The implementation of data capture model is also presented. From the experimentation result, it is concluded that the system has the characteristics of high accuracy and real-time performance, but little data traffic. It can be generalized in Intranet of different scales and in other network security systems.

Yuxiang Lin,Yi Gao,Bingji Li,Wei Dong

DOI: https://doi.org/10.1145/3536423

2022-01-01

ACM Transactions on Sensor Networks

Abstract:The broadcast nature of wireless media makes WLANs easily attacked by rogue Access Points (APs) . Rogue AP attacks can potentially cause severe privacy leakage and financial loss. Hardware fingerprinting is the state-of-the-art technology to detect rogue APs since an attacker would find it difficult to set up a rogue AP with specific hardware fingerprints. However, existing hardware fingerprints not only depend on the AP but also depend on the client, significantly limiting their application scenarios. In this work, we investigate two novel client-agnostic fingerprints, which can be extracted using commercial off-the-shelf WiFi devices, to detect rogue APs. One is the power amplifier non-linearity fingerprint and the other is the frame interval distribution fingerprint . These two fingerprints remain consistent over time and space for the same AP but vary across different APs even with the same brand, model, and firmware. We use the fingerprint similarity between the candidate AP and the authorized AP for device authentication in typical indoor environments. We have also proposed a threshold-improved authentication scheme to improve the robustness of our system in dynamic environments. Our schemes can be implemented without modifying the infrastructural APs and can work well with new clients without rebuilding the fingerprint database. We evaluate our scheme in both in-lab and field scenarios, by analyzing 18 million WiFi packets. Results show that our scheme achieves an overall 96.55% positive detection rate and a 4.31% false alarm rate. Moreover, the threshold-improved authentication scheme can further reduce the false alarm rate by 13.0%-44.8% for dynamic environments.

Sixian Sun,Xiao Fu,Bin Luo,Xiaojiang Du

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162965

2020-01-01

Abstract:Cloud computing is making a greater impact on internet industry, medical industry, insurance industry, and so on. Due to its influence, cloud computing networking is in great need of security, and protecting cloud environment from diverse attacks has been a hot issue. On the other hand, Software Defined Network (SDN) separates the control plane from the data plane and makes networks programmable, which promotes the centralized management of network devices. Compared to traditional networks, SDN increases the utilization efficiency of resources, increases the flexibility of network services, and reduces the cost of maintenance. Therefore, in this paper, we apply SDN to protect cloud computing networking from Address Resolution Protocol (ARP) attacks. In the proposed approach, a cluster of controllers detects ARP packets that hosts send, in order to find out the forged ones and to prevent ARP spoofing attacks. Also, controllers monitor statistical data of ARP packets once in a while to detect ARP flooding attacks. Once an attack is detected, controllers install flow entries on corresponding switches, to block flow for a specific time. Finally, we conduct experiments to show that our approach is useful to detect and mitigate ARP attacks in SDN-based cloud environment.

Dr. Timur Mirzoev,Stacey White

DOI: https://doi.org/10.48550/arXiv.1404.2172

2014-04-08

Abstract:This study investigates the role of the client isolation technology Public Secure Packet Forwarding (PSPF) in defending 802.11 wireless (Wi-Fi) clients, connected to a public wireless access point, from Address Resolution Protocol (ARP)cache poisoning attacks, or ARP spoofing. Exploitation of wireless attack vectors such as these have been on the rise and some have made national and international news. Although client isolation technologies are common place in most wireless access points, they are rarely enabled by default. Since an average user generally has a limited understanding of IP networking concepts, it is rarely enabled during access point configurations. Isolating wireless clients from one another on unencrypted wireless networks is a simple and potentially effective way of protection. The purpose of this research is to determine if a commonly available and easily implementable wireless client isolation security technology, such as PSPF, is an effective method for defending wireless clients against attacks.

Networking and Internet Architecture,Cryptography and Security