Article Preview
TopIntroduction
Although every machine on the Internet has one (or more) IP (Internet Protocol) addresses, these cannot be used for sending and receiving packets at the hardware level. IP addresses are administratively assigned logical addresses and are thus not understood by the network hardware. Nowadays, most computers are attached to a Local Area Network (LAN) through a network interface card (NIC) that only understands physical addresses. For instance, every Ethernet NIC ever manufactured comes equipped with a 48-bit physical Ethernet address. In order to avoid address conflicts, manufacturers of Ethernet NICs are assigned unique blocks of physical addresses by a central address allocation authority to ensure that no two NICs will ever have the same address. NICs send and receive frames based solely on 48-bit Ethernet addresses, without any knowledge of the IP protocol.
Network applications, on the other hand, use IP addresses for communication, so a fundamental question now arises: How does an IP address get mapped to the physical address, such as an Ethernet address? The protocol which gives an answer to this question is called ARP (Address Resolution Protocol) and defined in RFC 826 (Plummer, 1982). It is implemented and run in almost every machine as an essential component of communication in open wide and local area networks to ensure unique identification of the network interface cards such as those encountered in Ethernet LAN environments. ARP provides a mechanism to translate logical network addresses into physical Media Access Control (MAC) addresses which are required for the exchange of packets on a local area network.
ARP is a stateless protocol designed without security in mind, which makes it an ideal means for launching DoS and MitM attacks on a LAN. By sending spoofed MAC addresses in ARP reply packets, a malicious host can poison the ARP cache of other hosts on the local network and thereby easily redirect network traffic.
To mitigate the danger of ARP-based attacks on local networks, multiple techniques have been proposed to detect and prevent attacks by malicious hosts. Detection of ARP poisoning is usually performed by specialized network tools, such as arpwatch (LBNL Network Research Group), or Intrusion Detection Systems.Carnut and Gondim (2003) and Trabelsi and Shuaib (2007) proposed delegating the detection to specialized detection or test stations with digital forensic capabilities.
For prevention of ARP-based attacks, a simple solution consists of using static ARP entries in the ARP cache. This solution, however, does not scale well especially in heterogeneous networks with dynamic IP addressing. Other solutions include use of cryptography for authenticating ARP traffic (Bruschi, Ornaghi, & Rosti, 2003; Goyal & Tripathy, 2005; Limmaneewichid & Lilakiatsakun, 2011; Lootah, Enck, & McDaniel, 2007), artificial intelligence (Trabelsi & El-Hajj, 2007), or hardware support for dynamic ARP inspection (Cisco Systems, 2009; Ortega, Marcos, Chiang, & Abad, 2009).
We have developed two methods for detection and prevention of ARP-poisoning-based MitM attacks. For simplicity and convenience, we call these Method1 and Method2, respectively. Our motivation was to find ways to cope with increasingly sophisticated MitM attack tools, while still maintaining backward compatibility with existing ARP implementations. Our methods feature several important advantages compared to the aforementioned approaches: