ASA: Agent-based secure ARP cache management

The Address Resolution Protocol (ARP) is widely used to maintain the mapping between data-link layer (e.g. MAC) and network layer (e.g. IP) addresses. Although most hosts rely on automated, dynamic management of ARP cache entries, current implementations are well known to be vulnerable to spoofing and denial-of-service (DoS) attacks. Many tools exploit these weaknesses of ARP, and past proposals to address the shortcomings of the original ARP design have been unsatisfactory. Proposals to modify the ARP protocol definition would cause serious and unacceptable compatibility problems, while other proposals require customised hardware to be installed to monitor malicious ARP traffic, a cost many organisations cannot afford. This study demonstrates that most threats arising from the ARP vulnerabilities can be eliminated by installing an anti-ARP-spoofing agent (ASA), which intercepts unauthenticated exchanges of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of the kernel ARP software nor installation of traffic monitors. The agent uses User Datagram Protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented the agent software on Windows XP and conducted an experiment; the results showed that ARP hacking tools could not penetrate hosts protected by ASA.
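The abstract names the weakness (a dynamic cache that learns bindings from unauthenticated ARP packets) and the agent's job (intercept unauthenticated exchanges and block them) without showing either. The Python below is an added example and is not the paper's ASA implementation or its UDP exchange: it builds and parses constructed ARP frames, shows a classic cache being poisoned by a gratuitous reply and by a request that carries a forged sender binding, and puts a host-side guard in front of the cache that accepts only replies answering the host's own requests and never silently overwrites a binding it already holds. The IP and MAC addresses, the `GuardedArpCache` interface and the alert strings are all made up for the demo.

```python
# Added example, not the paper's ASA code or its UDP protocol. Every address and
# frame below is constructed for the demo.
import struct
from typing import Dict, List, NamedTuple, Optional, Set

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

class ArpPacket(NamedTuple):
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_frame(op: int, sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout)."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_bytes(target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Return the ARP packet in a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return ArpPacket(op, mac_str(b[0:6]), ip_str(b[6:10]), mac_str(b[10:16]), ip_str(b[16:20]))

class NaiveArpCache:
    """Classic behaviour: learn the sender binding from any ARP packet, solicited or not."""
    def __init__(self) -> None:
        self.cache: Dict[str, str] = {}

    def handle(self, pkt: ArpPacket) -> bool:
        self.cache[pkt.sender_ip] = pkt.sender_mac   # this is what spoofing tools exploit
        return True

class GuardedArpCache:
    """Filter in front of the cache: accept a reply only if it answers a request this host
    sent and does not overwrite a binding already held; drop and alert on everything else."""
    def __init__(self, pinned: Optional[Dict[str, str]] = None) -> None:
        self.cache: Dict[str, str] = dict(pinned or {})
        self.pending: Set[str] = set()   # IPs with an outstanding request from this host
        self.alerts: List[str] = []

    def send_request(self, target_ip: str) -> None:
        self.pending.add(target_ip)      # a real agent would also emit the ARP request

    def handle(self, pkt: ArpPacket) -> bool:
        if pkt.op != ARP_REPLY:
            return False                 # never learn bindings from requests
        if pkt.sender_ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
            return False
        known = self.cache.get(pkt.sender_ip)
        if known is not None and known != pkt.sender_mac:
            self.alerts.append(f"binding change: {pkt.sender_ip} {known} -> {pkt.sender_mac}")
            return False
        self.cache[pkt.sender_ip] = pkt.sender_mac
        self.pending.discard(pkt.sender_ip)
        return True

HOST_IP, HOST_MAC = "10.0.0.10", "02:00:00:00:00:0a"         # constructed addresses
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
ATTACKER_MAC = "02:00:00:00:00:66"

def run_demo():
    """Replay a constructed poisoning sequence against both caches; return final state."""
    naive, guarded = NaiveArpCache(), GuardedArpCache()

    def feed(raw: bytes) -> None:
        pkt = parse_arp_frame(raw)
        assert pkt is not None
        naive.handle(pkt)
        guarded.handle(pkt)

    guarded.send_request(GATEWAY_IP)
    feed(build_arp_frame(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP))    # genuine answer
    feed(build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP))   # gratuitous reply
    feed(build_arp_frame(ARP_REQUEST, ATTACKER_MAC, GATEWAY_IP, "00:00:00:00:00:00", HOST_IP))
    guarded.send_request(GATEWAY_IP)   # later re-resolution: attacker answers our own request
    feed(build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP))
    return naive.cache, guarded.cache, guarded.alerts
```

Running `run_demo()` leaves the naive cache pointing the gateway address at the attacker's MAC while the guarded cache still holds the genuine binding and has recorded one unsolicited-reply alert and one binding-change alert. Two caveats a practitioner should keep in mind. First, the guard still learns the very first binding from whichever reply arrives first, so an attacker who races the real host on initial resolution wins; closing that gap needs either pinned entries (the `pinned` argument) or an authenticated exchange outside ARP, which is the role the abstract assigns to the ASA's UDP traffic. Second, to protect a real host the filter has to sit between the wire and the kernel cache (a packet-capture or firewall hook), since the kernel's own resolver would otherwise learn the poisoned binding before the guard sees it; the demo only replays constructed frames.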