Yuwen Xiong,Cong Wang,Chuang Chen,Jiawen Xu,Maode Ma,Tong Zhou

DOI: https://doi.org/10.1007/978-981-97-5609-4_42

2024-01-01

Abstract:Cache Poisoning Attack is a major threat in NDN, impacting network performance. Current solutions are costly and don't fully address router single point failures or repeated router evaluations with producer mobility. To tackle these, we introduce CPA-BT, a Blockchain-based Trust Model. It integrates blockchain, enabling edge routers connected to data producers to operate under a consensus mechanism, treating their evaluation as blockchain transactions. With 2/3 consensus, a leader edge router records the transactions, addressing the mentioned challenges. Simulations show CPA-BT effectively isolates malicious and faulty producers, reducing cache poisoning risks and outperforming other trust models in task failure rate reduction.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1109/dcabes.2012.71

2012-01-01

Abstract:Owing to its great need for mapping an IP address to the corresponding MAC address over an Ethernet topology, Address Resolution Protocol (ARP) has been, and still is, capable of accomplishing this task efficiently. At the same time, it suffers from some security shortcomings, because of the malicious hosts have the possibility of poisoning the ARP cache for another host on the same LAN. In this paper, by gratuitous ARP request packets, we propose a solution to the problem of ARP poisoning. Our suggested mechanism which is named a Gratuitous Decision Packet System (GDPS) seeks to achieve two main goals: (1) Detection of suspicious ARP packets, by implementing a real-time analyzing for received ARP packets. (2) The distinction between a legitimate and malicious host through sending a modified request packet of the gratuitous ARP packets. Furthermore, the experiments show that the presented design has the efficiency and accuracy, as well as it does not require any additional software or hardware.

B. Issac

DOI: https://doi.org/10.48550/arXiv.1410.4398

2014-10-16

Abstract:For network computers to communicate to one another, they need to know one another's IP address and MAC address. Address Resolution Protocol (ARP) is developed to find the Ethernet address that map to a specific IP address. The source computer broadcasts the request for Ethernet address and eventually the target computer replies. The IP to Ethernet address mapping would later be stored in an ARP Cache for some time duration, after which the process is repeated. Since ARP is susceptible to ARP poisoning attacks, we propose to make it unicast, centralized and secure, along with a secure design of DHCP protocol to mitigate MAC spoofing. The secure protocol designs are explained in detail. Lastly we also discuss some performance issues to show how the proposed protocols work.

Cryptography and Security

Haider Salim,Zhitang Li,Hao Tu,Zhengbiao Guo

DOI: https://doi.org/10.1007/978-3-642-31020-1_30

2012-01-01

Abstract:Address Resolution Protocol (ARP) is the network part that is responsible for identifying a Media Access Control (MAC) address of each other, through mapping an IP address to the corresponding MAC address. Unfortunately, ARP is a stateless protocol, the weakness in ARP effects directly on the security standards of the network and especially in Ethernet. In this paper, we propose a new architecture; named a CSIDS Client/Server based Intrusion Detection System designed to detection and defense against ARP spoofing attacks. The main idea behind this approach is to implement a real-time analyzing for received ARP packets and in case of detection a suspicious ARP packet a resolution message will be exchanged between system parts on the same network. This system is resilience by making at most two objects (client/server) to work efficiently; on the other hand, just one client is capable of defending on himself.

Boyang Zhou,Gaoning Pan,Chunming Wu,Kai Zhu,Wei Ruan

DOI: https://doi.org/10.1007/s11432-019-9921-7

2020-01-01

Science China Information Sciences

Abstract:Dear editor, Recently, crossfire attack has been witnessed as a new distributed denial-of-service (DDoS) weapon that can effectively cut off the data connections between the chosen target area (wd) of servers and the end hosts (H).The attack is launched by a network of bot (botnet) to drain bandwidth of persistent routes (PRs) in the indirect and lowrate data flooding towards the decoys that are located in upstream to the target, where the PRs are probed by the adversary who sends Internet control message protocol (ICMP) packets with different time-to-live (TTL) values, e.g., using traceroute [1].Such flooding is hard to be detected by firewalls or IDSes.

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Fabrice Mvah,Vianney Kengne Tchendji,Clémentin Tayou Djamegni,Ahmed H. Anwar,Deepak K. Tosh,Charles Kamhoua

DOI: https://doi.org/10.1016/j.cose.2023.103696

IF: 5.105

2024-01-06

Computers & Security

Abstract:The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

computer science, information systems

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Lei Yang,Lejun Chi,Dongjie Zhu,Chengwen Tang,Kun Wang

2006-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon seriously threatens the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

Yang Liu,Ke Dong,Liang Dong,Bin Li

2008-01-01

Abstract:During the network communication process, attacker carry on ARP spoofing by using the disadvantage of the ARP(Address Resolution Protocol) protocol, this phenomenon is seriously threaten the LAN security. This paper will introduce the commonly used ARP spoofing methods such as internal/external network sniffing, interception, malicious attack and so on. It presents the Matching IP method, Data monitor method, Echo time method, ARP response analysis method, software tools detecting method as well as the new method of ARP cache updating, using switching equipment to control and other strategy and presents the algorithm to keep ARP spoofing away and maintain network security.

Dalia Nashat,Sabah M. Morsy

DOI: https://doi.org/10.1109/ACCESS.2022.3172329

IF: 3.9

IEEE Access

Abstract:Nowadays, cyber-attack is a severe criminal violation, and it is one of the most active fields of research. Man-in-the-middle attack (MITM) is a type of cyber-attack in which an unauthorized third party secretly accesses the communication between two hosts in the same network to read=modify the transferred data between them. ARP spoofing-based MITM attack exploits ARP protocol weakness where the attacker associates its MAC address with the IP address of an intended legitimate host. Although there are many defense approaches for ARP spoofing based-MITM attacks, these methods are uncompleted or have a performance overhead since they modify the original ARP protocol. Also, some of these approaches depend on the centralized server which leads to a single point of failure. This paper presents a detection scheme for ARP spoofing-based MITM attack called D-ARP which is compatible with the original ARP protocol. The main idea of D-ARP is to send an ARP packet signed with a key in parallel with the original ARP packets to make a correlation between requests and replies. Each host records the signed ARP packets whether it is a request or a reply in a log file. Based on this correlation, D-ARP matches the injected key to detect ARP spoofing if there is a duplicate or conflict in the MAC address. For more reliability, D-ARP uses the DHCP server and the Nmap feature to detect the MAC addresses of MITM attackers. Moreover, this scheme also offers a module for Admin to create a trusted list of hosts. The experimental results show that D-ARP is very effective to detect and prevent ARP spoofing with zero false positives and zero false negative probabilities without any modifications in the original ARP protocol.

Computer Science

XING Jinge,LIU Yang

DOI: https://doi.org/10.3969/j.issn.1005-9369.2012.08.016

2012-01-01

Abstract:Attackers using ARP spoofing attack network segment host In the LAN,which threaten the LAN security seriously.This paper analyzed the common tricks such as monitor,intercept,and malicious attacks which attackers used,and summarized the IP matched methods based on ARP cheat theory,data frame detection method,Echo time method,ARP response analysis method,tools detection method and so on.A prevent ARP spoofing algorithm is proposed in this paper,which made use of ARP cache update policy,switching equipment control and other strategies to prevent ARP spoofing.This algorithm can reject ARP spoofing,achieve the goals of maintaining network security.

Sixian Sun,Xiao Fu,Bin Luo,Xiaojiang Du

DOI: https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162965

2020-01-01

Abstract:Cloud computing is making a greater impact on internet industry, medical industry, insurance industry, and so on. Due to its influence, cloud computing networking is in great need of security, and protecting cloud environment from diverse attacks has been a hot issue. On the other hand, Software Defined Network (SDN) separates the control plane from the data plane and makes networks programmable, which promotes the centralized management of network devices. Compared to traditional networks, SDN increases the utilization efficiency of resources, increases the flexibility of network services, and reduces the cost of maintenance. Therefore, in this paper, we apply SDN to protect cloud computing networking from Address Resolution Protocol (ARP) attacks. In the proposed approach, a cluster of controllers detects ARP packets that hosts send, in order to find out the forged ones and to prevent ARP spoofing attacks. Also, controllers monitor statistical data of ARP packets once in a while to detect ARP flooding attacks. Once an attack is detected, controllers install flow entries on corresponding switches, to block flow for a specific time. Finally, we conduct experiments to show that our approach is useful to detect and mitigate ARP attacks in SDN-based cloud environment.

Laurent Patrice,Ramadhani Sinde,Judith Leo

DOI: https://doi.org/10.1109/access.2024.3409679

IF: 3.9

2024-06-15

IEEE Access

Abstract:Address Resolution Protocol (ARP) spoofing has been a long-standing problem with no clear remedy until now. The attacks can be launched easily utilizing an enormous number of publicly available tools on the web; however, they are extremely tough to counterattack due to ARP's stateless nature for not authenticating ARP replies for a subsequent request. Previous studies have demonstrated significant efforts to counterattack these assaults in Software-Defined Networks (SDN); however, much effort has been focused solely on detecting the assaults, with little effort being made to address performance bottlenecks, scalability, and Single Point of Failure (SPOF) issues in large-scale networks. In this study, we focus on developing ARP spoofing attacks detection mechanism in large-scale SDN that is immune to SPOF and provides enhanced network performance and scalability. The main purpose is to enable controllers to intercept and analyze all incoming ARP packets, learn address mappings, and store them in the application's memory to be used as a basis for ongoing ARP cache comparisons while maintaining a global cache in a controller. To achieve the goal of this study, a simulation experiment in a closed network environment was undertaken to precisely monitor network traffic and result patterns. Mininet and the Open Network Operating System were used to implement the data plane and OpenFlow controllers. The results show that, the proposed solution is resistant to ARP spoofing attacks, with an average detection and mitigation time of 4.3 and 26.19 milliseconds, respectively. Further significant improvements have been observed in alleviating SPOF and performance bottlenecks.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haider Salim Hmood,Zhitang Li,Hasan Khalaf Abdulwahid,Yang Zhang

DOI: https://doi.org/10.1093/comjnl/bxu023

2014-01-01

The Computer Journal

Abstract:It is well known that the domain name system (DNS) is responsible for translating domain names to the corresponding IP addresses. It plays a fundamental role in running efficiently all Internet application, such as web browsing, email, multimedia applications and other projects. However, using the technique of the DNS cache poisoning attack, an attacker can effectively introduce forged DNS information to the cache memory of the domain name resolvers, with the goal of manipulating the resolver data so as to make then unavailable or divert traffic to the wrong destination, which is considered a real threat to Internet users today. Thus, in this paper, we present a new prevention methodology called Adaptive-Cache of DNS (ACDNS). Our proposed solution relies on a caching mechanism to prevent these kinds of attacks. Conversely, domain name system security extension has been presented as a conclusive solution to overcome weaknesses in the DNS protocol, but from that time up to now it still has not been deployed on a large scale. ACDNS is designed to be backward compatible with the current standards of DNS and completely appropriate with the basic protocol processes and infrastructure. In particular, our modifications are only in caching-timing in case of the need to store a new mapping. To this end, we design and implement a novel protocol for extensively simulating our approach. At the same time, we compare the performance of the ACDNS with the DNS. We show that our methodology completely protects domain name resolvers against cache-poisoning attacks.

秦丰林,段海新,郭汝廷

DOI: https://doi.org/10.3969/j.issn.1001-3695.2009.01.008

2009-01-01

Abstract:Up to now,many schemes have been proposed to protect against ARP spoofing which can be classified into three categories as detecting,preventing and avoiding techniques according to their functions.This paper summarized and analyzed each of these schemes,identified their advantages and weaknesses,presented some factors that have to be considered in improving ARP protocol.

Guang-jia Song,Zhen-zhou Ji

DOI: https://doi.org/10.1631/fitee.1500382

IF: 2.526

2016-01-01

Frontiers of Information Technology & Electronic Engineering

Abstract:Address-resolution protocol (ARP) is an important protocol of data link layers that aims to obtain the corresponding relationship between Internet Protocol (IP) and Media Access Control (MAC) addresses. Traditional ARPs (address-resolution and neighbor-discovery protocols) do not consider the existence of malicious nodes, which reveals destination addresses in the resolution process. Thus, these traditional protocols allow malicious nodes to easily carry out attacks, such as man-in-the-middle attack and denial-of-service attack. To overcome these weaknesses, we propose an anonymous-address-resolution (AS-AR) protocol. AS-AR does not publicize the destination address in the address-resolution process and hides the IP and MAC addresses of the source node. The malicious node cannot obtain the addresses of the destination and the node which initiates the address resolution; thus, it cannot attack. Analyses and experiments show that AS-AR has a higher security level than existing security methods, such as secure-neighbor discovery.

Mingchun Zheng,Shoubao Yang,Xianglan Piao,Weifeng Sun

DOI: https://doi.org/10.1007/978-3-319-15554-8_18

2015-01-01

Abstract:A detective strategy with multi-layer modules and algorithm on ARP spoof attacks are proposed after some researches against the security problem of ARP. By the research of ARP and ARP attacks, and the consideration of resources and efficiency, the structure of the detective strategy is divided into mainly four modules, ARP spoof prediction module, head information detection, refusing ARP reply packets without request module and sending RARP request module. And there is also an extension module for extending. The result shows with the cooperation among the modules, many APR spoof attacks can be detected and prevented, and there are almost no mistakes.

Haider Salim,Zhitang Li

DOI: https://doi.org/10.1109/mitp.2019.2956131

2021-01-01

IT Professional

Abstract:Internet protocol (IP) is a part of the Transmission Control Protocol (TCP) /IP suite that operates below the network layer of the Open Systems Interconnection (OSI) reference model and is employed as an interface between the network and data link layer. The address resolution protocol (ARP) is a protocol used by IP for mapping an IP address to the corresponding media access control address that is a hardware address harnessed to identify the source and destination of each frame sent on the Ethernet. The man-in-the-middle (MITM) attack is a kind of the Ethernet attack that can be carried out depending on ARP cache-memory poisoning to intercept communications between two systems on Ethernet, and it could, without difficulty, be applied when the attacker is in control of a router along normal point of traffic. To secure systems on Ethernet as well as to prevent ARP cache-memory poisoning, it is necessary to have a good prevention model of MITM attacks. In this article, using the client/server-based intrusion detection system (CSIDS), a precise model to prevent ARP poisoning attacks is proposed and implemented. Our analysis is adequately characterized by implementing a real-time analysis for the received ARP packets, and in the case of detection of a suspicious ARP packet, a resolution message will be exchanged between system parts on the same network. To evaluate the ability of detection and prevention of CSIDS, we design and implement a novel protocol. At the same time, we compare the performance between CSIDS with the standard operations of ARP. Our experimental results reveal that our methodology completely protects hosts against cache poisoning attacks. We further show the effectiveness of our technique in identifying the abnormal ARP packets.