Defence against ARP Spoofing, Papers of Information Security and Markup Languages

Defence against ARP spoofing attacks by implementing a semi-static table

Typology: Papers

2020/2021

Uploaded on 01/21/2021

hamzah-alattab
The Defense Against ARP Spoofing Using
Semi-Static ARP Cache Table
Hamzah Abdulkareem Al-attab "ID: 19_0119"
Ahmed Mohammed Al-sharafi "ID: 19_0056"
Submitted to—
D/ Malik Al-Jabry

Contents

  • ABSTRACT
  • INTRODUCTION
  • ARP SPOOFING ATTACK
    • ARP Request Spoofing
    • ARP Reply Spoofing
  • SEMI-STATIC ARP CACHE TABLE
  • IMPLEMENTATION
  • RESULT
  • CONCLUSION
  • REFERENCES

I. INTRODUCTION

The Internet has become an important tool in daily life. About 4.2 billion people, or about 54.2% of the human population, actively use the Internet today. Most of those users use it for communication and sharing information. Securing the user data that passes through the Internet therefore remains a very important challenge. The Internet uses a packet-switching communication model: it breaks data down into smaller chunks and sends them as discrete packets that follow different channels over time and are rejoined at the final destination node. One of the threats to this architecture is attacks on the data link layer, such as ARP spoofing (also called ARP poisoning). This attack exploits a vulnerability of the ARP protocol, which translates the logical address of a device to its physical address.

For decades, researchers have proposed several approaches to mitigate ARP spoofing attacks. These mitigation approaches fall into five categories:

  • Modifying ARP using cryptographic techniques;
  • Patching the operating system's kernel;
  • Securing switch ports;
  • ARP spoofing attack detection and protection using external software; and
  • Manually configuring a static ARP cache table.

The first solution protects the ARP protocol by adding a cryptographic function. Its major drawbacks are incompatibility with the standard ARP protocol and reduced ARP performance. The second solution adds patches to the operating system kernel to prevent the ARP spoofing attack. However, not every operating system can implement this solution, and it may also be incompatible with the standard ARP protocol. The third solution prevents the ARP spoofing attack at the switch, using switch port security or Dynamic ARP Inspection (DAI). This solution is costly because the network provider has to replace all old switches. The fourth solution uses external software to detect attacks and protect clients. However, some researchers argue that this solution may be ineffective against the ARP spoofing attack. The fifth solution is the most basic but effective way to prevent ARP spoofing: manually adding MAC addresses to the static ARP cache table. But this is laborious, and not every network administrator is willing to do it.

This research proposes a method to improve the static ARP cache table solution. Our aims are to remove the laborious process of adding static ARP cache entries manually and to add an ARP validation function that manages the static ARP cache table automatically.

II. ARP SPOOFING ATTACK

Every device connected to the Internet has two types of address: an IP address and a MAC address. The IP address is the logical address of a device. It is used to identify the location of a device connected to the Internet, and it changes dynamically every time the user connects to the Internet from a different location. The MAC address, on the other hand, is a physical address stored inside the network interface card. In theory, the MAC address is unique and unchangeable. The MAC address is necessary for the Internet protocol: it is used to identify the location of a device in a Local Area Network (LAN). When sending a frame of data in a local area network, the sender must know the MAC address of the receiver. The sender uses the ARP protocol to translate the destination IP address inside the frame to the MAC address of the destination device. The ARP protocol comprises two types of message: ARP request and ARP reply. An ARP request specifies the IP address of the target host whose MAC address is wanted. ARP reply specifies

ARP spoofing is a type of attack that forges fake ARP requests or ARP replies. Usually, the attacker fakes the MAC address of the gateway. The attacker convinces the victim to send frames destined for the gateway to the other address instead [8]. Fig. 1 illustrates the common pattern of an ARP spoofing attack on Ethernet. Attackers use ARP spoofing for many purposes. For example, the NetCut attack uses ARP spoofing to monopolize bandwidth by cutting off the communication of all other devices. One type of Man in the Middle (MiTM) attack also uses ARP spoofing to eavesdrop on the communication between the victim and the gateway.

ARP is a stateless protocol; it does not correlate replies with requests. ARP accepts a reply even when no request was issued. In addition, the standard ARP protocol has no authentication method, so there is no way to verify the eligibility of the sender. The ARP spoofing attack uses this behavior to poison the victim by manipulating ARP packets. There are two basic spoofing techniques that use this vulnerability of the ARP protocol. The first technique is spoofing the ARP request packet and the second is spoofing the ARP reply packet.

B. ARP Reply Spoofing

Spoofing using an ARP reply packet has a similar effect to spoofing using an ARP request. The only difference is the type of the ARP packet. As illustrated in Fig. 3, the attacker sends an ARP reply directly to the victim even though the victim never requested it. However, this type of attack is sometimes easily noticed by an Intrusion Detection System (IDS), because it is very unusual for a host to receive an ARP reply without having sent an ARP request.

Fig. 3. ARP Reply Spoofing
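The IDS observation above, as an added example that is not part of the original paper: a host-side monitor that parses raw 28-byte ARP payloads, remembers the requests the host itself sent, and flags replies that were never solicited or that change a learned binding. The addresses, the `ArpMonitor` class and the sample frames are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a 28-byte Ethernet/IPv4 ARP payload (only used to build sample input)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)

def parse_arp(payload):
    """Return (oper, sender MAC, sender IP, target IP) from a raw ARP payload."""
    _, _, _, _, oper, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    return oper, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

class ArpMonitor:
    """Adds the request/reply correlation that stateless ARP itself lacks."""
    def __init__(self, my_ip):
        self.my_ip = my_ip
        self.pending = set()   # IPs this host asked about, still unanswered
        self.bindings = {}     # ip -> mac learned from solicited replies

    def observe(self, payload):
        oper, sha, spa, tpa = parse_arp(payload)
        alerts = []
        if oper == REQUEST and spa == self.my_ip:
            self.pending.add(tpa)
        elif oper == REPLY:
            known = self.bindings.get(spa)
            if known and known != sha:
                alerts.append(f"binding change: {spa} {known} -> {sha}")
            if spa in self.pending:
                self.pending.discard(spa)
                self.bindings.setdefault(spa, sha)
            else:
                alerts.append(f"unsolicited reply: {spa} is-at {sha}")
        return alerts

def run_sample():
    """Constructed traffic: one real exchange, then a forged reply for the gateway."""
    host, gw, rogue = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
    mon = ArpMonitor("192.0.2.10")
    frames = [
        build_arp(REQUEST, host, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
        build_arp(REPLY, gw, "192.0.2.1", host, "192.0.2.10"),
        build_arp(REPLY, rogue, "192.0.2.1", host, "192.0.2.10"),
    ]
    return [mon.observe(f) for f in frames]
```

Legitimate gratuitous ARP announcements are also unsolicited, so in practice the first alert is a signal to correlate with the binding-change alert rather than a verdict on its own.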

III. SEMI-STATIC ARP CACHE TABLE

This research proposes a method to mitigate the ARP spoofing attack based on the static ARP cache table technique. The main purposes of this method are to remove the laborious process of adding static ARP cache entries manually and to add an ARP validation function that manages the static ARP cache table automatically. We implement this method in the application layer of the Internet layer stack, so it does not require any modification of the standard ARP protocol.

The proposed method consists of three major procedures. The first procedure lists the IP and MAC addresses that are already cached in the ARP cache table. The second procedure validates these IP and MAC addresses. The last procedure sets the valid IP and MAC addresses as static records in the ARP cache table. The operating system caches IP and MAC addresses in the ARP cache table to minimize ARP broadcast messages. Most operating systems, such as Linux and Microsoft Windows, allow the user to create static records in this table. We use this feature to create the semi-static ARP cache table proposed in this research.
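The three procedures above, sketched as an added example that is not the authors' implementation: it lists entries from Linux `ip neigh show` output, validates them, and emits the `ip neigh replace ... nud permanent` commands that pin the valid pairs. The page does not describe its validation function, so the rule used here (reject a MAC that answers for more than one IP, or a pair that contradicts an administrator-supplied `trusted` map) is an assumption, and the sample output is constructed.

```python
from collections import defaultdict

# Constructed sample of `ip neigh show` output (Linux); not captured from a real host.
SAMPLE = """\
192.0.2.1 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.0.2.20 dev eth0 lladdr 02:00:00:00:00:14 STALE
192.0.2.66 dev eth0 lladdr 02:00:00:00:00:66 REACHABLE
192.0.2.30 dev eth0  FAILED
192.0.2.40 dev eth0 lladdr 02:00:00:00:00:28 PERMANENT
"""

def list_cache(text):
    """Procedure 1: list the IP/MAC pairs currently cached."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" not in tok:
            continue  # FAILED/INCOMPLETE entries carry no MAC
        entries.append({"ip": tok[0], "dev": tok[tok.index("dev") + 1],
                        "mac": tok[tok.index("lladdr") + 1].lower(), "state": tok[-1]})
    return entries

def validate(entries, trusted=None):
    """Procedure 2 (assumed rule): reject a MAC that answers for several IPs and
    any pair that contradicts a trusted ip -> mac binding."""
    trusted = trusted or {}
    ips_per_mac = defaultdict(set)
    for e in entries:
        ips_per_mac[e["mac"]].add(e["ip"])
    valid, rejected = [], []
    for e in entries:
        shared = len(ips_per_mac[e["mac"]]) > 1
        mismatch = trusted.get(e["ip"], e["mac"]) != e["mac"]
        (rejected if shared or mismatch else valid).append(e)
    return valid, rejected

def pin_commands(valid):
    """Procedure 3: commands that make each validated pair a static record."""
    return [f"ip neigh replace {e['ip']} lladdr {e['mac']} dev {e['dev']} nud permanent"
            for e in valid if e["state"] != "PERMANENT"]

def semi_static(text, trusted=None):
    valid, rejected = validate(list_cache(text), trusted)
    return pin_commands(valid), [(e["ip"], e["mac"]) for e in rejected]
```

A host that legitimately holds several IP addresses on one interface would be rejected by the shared-MAC rule, so such hosts need an explicit entry in `trusted` and a relaxed check.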

Scenario 1

In this scenario, we set up the LAN by defining the nodes as CSMA devices and assigning them IP addresses in the same subnet using the CSMA helper class defined in ns3. As the graph shows, there are three hosts in the LAN. The first node, with IP address 10.1.1. and MAC address 00.00.00.00.00.00, is installed with UdpClientApp acting as a UDP server. The second node, with IP address 10.1.1.2 and MAC address 00.00.00.00.00.01, is installed with UdpServerApp acting as a UDP client that accepts the UDP packets. UdpClientApp and UdpServerApp are classes defined in ns3. The client app class periodically creates a UDP packet, adds headers to it and sends it to the server app. The details are configured as follows:

  • Number of packets to be sent: 3
  • Interval between each packet: 1000 ms
  • Propagation delay: 200 ms
  • Server start time: 5 ms
  • Client start time: 50 ms

In this case, the third node, with IP address 10.1.1.3, does nothing in the simulation.

Scenario 2

In this scenario, the LAN and the first and second nodes are set up and configured in the same way as in scenario 1. In addition, the third node, with IP address 10.1.1.3 and MAC address 00.00.00.00.00.02, is installed with the ARP attacker application we designed. With this application, the node sends a fake ARP reply periodically. If the victim picks up the reply message, the following UDP packets will be redirected to the attacker. The behaviour of the attacker is configured as follows:

  • Number of packets to be sent: 7
  • Interval between each packet: 1000 ms
  • Attacker start time: 5 ms

V. RESULT

The simulation results below are taken from the Pcap files.

Scenario 1

UDP client: As shown in the Pcap file, the UDP packets were properly sent to the server.

Scenario 2

UDP client: In this case, the first UDP packet is sent immediately after the first broadcast fake ARP reply, indicating that the client accepted the fake ARP reply and sent a packet to the attacker.

UDP server: The server is still getting the packets from the client. This will be explained later.

Attacker: The three Pcap files show the result here. Because the hosts are by nature ns-3 objects, their behaviours are set by ns3. It looks as if the attacker becomes the ARP proxy for the UDP client and the UDP server. After it received the first UDP packet, it broadcast a request to ask for the correct MAC address of the UDP server and redirected the packet to the server. The two subsequent UDP packets are also redirected by the attacker to the server. That explains why the server is still getting the packets and why the attacker has Pcap messages for each UDP packet.

Result Conclusion

Based on the simulation of ARP spoofing, we can conclude:

  • ARP is vulnerable
  • Even with state ARP, it is harder to poison the ARP cache
  • Most attacks are launched in the same LAN
  • Attacker can be man in the middle

VI. CONCLUSION

We successfully proved the effectiveness of our proposed method. The proposed method can protect hosts against all types of ARP spoofing attack, including the MiTM attack. It does not need any modification of the existing ARP protocol standard or of devices. It is also easy to implement on every host. One minor weakness of the proposed method is that it cannot protect other hosts. We need to develop a communication protocol between hosts so that a host can warn the other hosts if there is an ARP spoofing attack inside the network.

VII. FUTURE WORK

At present, the most effective way to protect against ARP spoofing in LANs is bidirectional binding of IP and MAC addresses between clients. However, this method still cannot effectively prevent ARP attacks on LANs. The most significant reason is that, by the time we have discovered the ARP spoofing and set up two-way binding, it has already changed the MAC address of the local computer, resulting in an invalid binding. On the other hand, it is human-made destruction. For example, if someone floods ARP responses in a LAN like our scenario, it will lead to a decrease in network performance. Inspired by the related research work, we can implement the two following methods of protecting the LAN from ARP spoofing:

REFERENCES

[1] Statista, “Global digital population as of July 2018 (in millions),” The Statistics Portal, 2018. [Online]. Available: https://www.statista.com/statistics/617136/digital-populationworldwide/. [Accessed: 30-Jul-2018].

[2] D. Srinath, S. P. S. Panimalar, A. J. Simla, and J. D. J. Deepa, “Detection and Prevention of ARP spoofing using Centralized Server,” Int. J. Comput. Appl., vol. 113, no. 19, pp. 26–30, Mar. 2015.

[3] J. Singh and V. Grewal, “A Survey of Different Strategies to Pacify ARP Poisoning Attacks in Wireless Networks,” Int. J. Comput. Appl., vol. 116, no. 11, pp. 25–28, 2015.

[4] M. A. Carnut and J. J. C. Gondim, “ARP spoofing detection on switched Ethernet networks,” in the 5th Simpósio Segurança em Informática, 2003.

[5] R. K. Bijral, A. Gupta, and L. Sen Sharma, “Study of Vulnerabilities of ARP Spoofing and its detection using SNORT,” Int. J. Adv. Res. Comput. Sci., vol. 8, no. 5, pp. 2074–2077, 2017.

[6] T. Kiravuo, M. Sarela, and J. Manner, “A Survey of Ethernet LAN Security,” IEEE Commun. Surv. Tutorials, vol. 15, no. 3, pp. 1477–1491, 2013.

[7] M. Al-Hemairy, S. Amin, and Z. Trabelsi, “Towards more sophisticated ARP Spoofing detection/prevention systems in LAN networks,” in 2009 International Conference on the Current Trends in Information Technology (CTIT), 2009, pp. 1–6.

[8] S. Shukla and I. Yadav, “An innovative method for detection and prevention against ARP spoofing in MANET,” Int. J. Comput. Sci. Inf. Technol. Secur., vol. 5, no. 1, pp. 207–214, 2015.

[9] M. Conti, N. Dragoni, and V. Lesyk, “A Survey of Man In The Middle Attacks,” IEEE Commun. Surv. Tutorials, vol. 18, no. 3, pp. 2027–2051, 2016.

[10] Sudhakar and R. K. Aggarwal, “A survey on comparative analysis of tools for the detection of ARP poisoning,” in 2017 2nd International Conference on Telecommunication and Networks (TEL-NET), 2017, pp. 1–6.

[11] L. Allen, T. Heriyanto, and S. Ali, Kali Linux – Assuring Security by Penetration Testing. Packt Publishing, 2014.