Address Resolution Protocol Cache Research Articles

Enhancing security in Software-Defined Networks: An approach to efficient ARP spoofing attacks detection and mitigation

The proliferation of Software-Defined Networks (SDNs) has introduced unparalleled flexibility and efficiency to network management, but at the same time, it has introduced new challenges in securing network infrastructures. Among these challenges, Address Resolution Protocol (ARP) spoofing attacks remain a pervasive threat, compromising network integrity and data confidentiality. In this manuscript, we present an approach to ARP spoofing mitigation within SDNs, addressing the limitations of existing methodologies. Our proposed solution employs a multifaceted strategy that combines dynamic ARP cache management, real-time traffic analysis, and adaptive flow rule orchestration. Central to our approach is a dedicated device that continuously monitors the network topology and detects any deviations from established norms. Notably, our solution adapts seamlessly to networks of varying sizes, ensuring scalability and efficacy across diverse infrastructures. One of our key contributions is the integration of a deep learning-based Deep Neural Network (DNN) model to detect and mitigate ARP spoofing attacks. Leveraging a self-generated ARP spoofing dataset from SDN environments, our model demonstrates exceptional accuracy and adaptability, enhancing the network’s capability to identify and counter such threats effectively. Our approach showcases exceptional reliability, achieving 100% accuracy rate in detection of ARP spoofing, which is crucial for sustaining network responsiveness.

Advanced approaches to prevent ARP attacks

Advanced approaches to prevent ARP attacks

Countering ARP spoofing attacks in software-defined networks using a game-theoretic approach

The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

Defending a wireless LAN against ARP spoofing attacks using a Raspberry Pi

The Address Resolution Protocol (ARP) is a protocol that converts Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. Due to a security issue known as "Man in the Middle," identity theft is feasible using the ARP protocol. ARP spoofing is one of the weaknesses in wireless networks when an attacker effectively masquerades as a legitimate one. Spoofing attacks will reduce network performance and break several security measures. In networks that use MAC address-based filtering to verify clients, all a spoofer needs is an actual MAC address from an authorised client to gain an unfair advantage. The research recommends developing a security system recognising and preventing ARP spoofing attacks. This system detects ARP spoofing attempts by comparing the static MAC address of the original router to the router's MAC address in the ARP cache table. After detecting the attack using information collected from the router's MAC address in the ARP cache table, the system will conduct a de-authentication attack against the attacker's MAC address. If the attacker is disconnected from the WLAN, they cannot perform ARP spoofing attacks. This system is operated using a Raspberry Pi Model B. Most ARP spoofing attacks can be detected in 0.93 seconds, and responding takes 3.05 seconds.

ASD: ARP Spoofing Detector Using OpenWrt

The address resolution protocol (ARP) is one of the most important communication protocols in a local area network (LAN). However, since there is no authentication procedure, the ARP is vulnerable to cyberattack such as ARP spoofing. Since ARP spoofing can be connected to critical attacks, including a man-in-the-middle (MITM) attack, detecting ARP spoofing initially without returning false-positive alarms is important. In general, however, existing works for ARP spoofing are unable to distinguish between ARP spoofing and connections from virtual machine (VM) guests, which results in false-positive alarms. In this article, we propose an access point-based ARP Spoofing Detector (ASD) that can detect ARP spoofing attacks without returning a false-positive rate. Our proposed system distinguishes between ARP spoofing and connections from VM guests using three information tables, AssocList, ARP cache table, and DHCP table, which are commonly managed by the access point based on a Linux system. We evaluated the performance of ASD on ARP spoofing attack experiments.

E2BaSeP: Efficient Bayes Based Security Protocol Against ARP Spoofing Attacks in SDN Architectures

Virtual networks, just like classical IP networks, usually face many external threats such as ARP spoofing attacks. These attacks come from Address Resolution Protocol (ARP) vulnerabilities. Indeed, the ARP protocol can allow a virtual machine to be identified by one or more IP-MAC pairs, thus facilitating users’ impersonation and forged IP-MAC pair insertion into the victims’ ARP caches. This type of attack is the beginning of more dangerous attacks such as man-in-the-middle and denial-of-service. Several solutions based on SDN (Software-Defined Network) technology, known for their suitable adaptation to large-scale networks, have been proposed. These solutions use a global ARP cache built into the controller which contains the virtual machines’ IP-MAC pairs, as attacker detection knowledge. The main drawbacks of these methods are the collection and unsecured storage of IP-MAC pairs into the global ARP cache and failure to consider IP address reallocation cases, as well as users’ connection and reconnection scenarios in the attacker detection process. To remedy these shortcomings, we propose an Efficient Bayes Based Security Protocol (E2BaSeP) which detects attackers using a Bayes-based algorithm. This solution works in both dynamically and statically addressing networks. Simulation results show that the E2BaSeP protocol provides effective protection for ARP caches and performs better than those observed in the literature.

Mitigating ARP Cache Poisoning Attack in Software-Defined Networking (SDN): A Survey

Address Resolution Protocol (ARP) is a widely used protocol that provides a mapping of Internet Protocol (IP) addresses to Media Access Control (MAC) addresses in local area networks. This protocol suffers from many spoofing attacks because of its stateless nature and lack of authentication. One such spoofing attack is the ARP Cache Poisoning attack, in which attackers poison the cache of hosts on the network by sending spoofed ARP requests and replies. Detection and mitigation of ARP Cache Poisoning attack is important as this attack can be used by attackers to further launch Denial of Service (DoS) and Man-In-The Middle (MITM) attacks. As with traditional networks, an ARP Cache Poisoning attack is also a serious concern in Software Defined Networking (SDN) and consequently, many solutions are proposed in the literature to mitigate this attack. In this paper, a detailed survey on various solutions to mitigate ARP Cache Poisoning attack in SDN is carried out. In this survey, various solutions are classified into three categories: Flow Graph based solutions; Traffic Patterns based solutions; IP-MAC Address Bindings based solutions. All these solutions are critically evaluated in terms of their working principles, advantages and shortcomings. Another important feature of this survey is to compare various solutions with respect to different performance metrics, e.g., attack detection time, ARP response time, calculation of delay at the Controller etc. In addition, future research directions are also presented in this survey that can be explored by other researchers to propose better solutions to mitigate the ARP Cache Poisoning attack in SDN.

Address resolution protocol spoofing attacks and security approaches: A survey

Address resolution protocol (ARP) is a very popular communication protocol in the local area network (LAN), working under the network layer, as per the open systems interconnection (OSI) model. It is used to associate Internet protocol (IP) address to medium access control (MAC) address; hence, the IP‐MAC addresses are stored in ARP cache of any network host. ARP has weakness in authentication that an attacker can exploit to gain unauthorized access to one's sensitive data. There are some approaches that can be used against ARP spoofing attacks. These provide an efficient and secure way to mitigate ARP attacks and detect ARP poisoning that can reduce the attack. This paper will discuss: various effective approaches, security issues in ARP spoofing, and poisoning attacks.

An Approach to Addressing ARP Spoof Using a Trusted Server

The stateless characteristic of Address Resolution Protocol (ARP) makes it vulnerable to many ARP cache poisoning attacks like MITM (Man in The Middle) attack, most of which generally aim at the gateway. To solve this problem, there have been solutions like using static ARP entries, or using WinPcap libraries or SNMP to detect and rectify poisoned ARP cache. However, the solutions above need manual operation, which is less feasible when the network is large. In this paper, we propose a respondent solution. After a detection of ARP spoof in the gateway, the trusted server will isolate the attacker and then tell all hosts in the network the real IP-to-MAC mappings of the gateway based on the up-to-date information from its storage, thereby automatically rectifying poisoned ARP cache.

Securing ARP/NDP From the Ground Up

The basis for all IPv4 network communication is the address resolution protocol (ARP), which maps an IP address to a device’s media access control identifier. ARP has long been recognized as vulnerable to spoofing and other attacks, and past proposals to secure the protocol have often involved in modifying the basic protocol. Similarly, neighbor discovery protocol (NDP) is the basis for all IPv6 network communication, yet suffers from the same vulnerabilities as ARP. This paper introduces arpsec , a secure ARP/RARP protocol suite which a) does not require protocol modification, b) enables continual verification of the identity of the target (respondent) machine by introducing an address binding repository derived using a formal logic that bases additions to a host’s ARP cache on a set of operational rules and properties, c) utilizes the trusted platform module (TPM), a commodity component now present in the vast majority of modern computers, to augment the logic-prover-derived assurance when needed, with TPM-facilitated attestations of system state achieved at viably low-processing cost, and d) supports IPv6 NDP ( ndpsec ) by extension of our previous work. Using commodity TPMs as our attestation base, we show that arpsec incurs an overhead ranging from 7% to 15.4% over the standard Linux ARP implementation, a comparable overhead against the standard Linux NDP implementation, and provides a first step towards a formally secure and trustworthy networking stack for both IPv4 and IPv6.

PARP-S: A secure piggybacking-based ARP for IEEE 802.11s-based Smart Grid AMI networks

The Smart Grid is expected to utilize a wireless infrastructure for power data collection in its Advanced Metering Infrastructure (AMI) applications. One of the options to implement such a network infrastructure is to use a wireless mesh network based on IEEE 802.11s mesh standard. However, IEEE 802.11s standard relies on MAC-based routing and thus requires the availability of MAC addresses of destinations. Due to large size of AMI networks, this creates a broadcast storm problem when such information is to be obtained via Address Resolution Protocol (ARP) broadcast packets. In this paper, we propose a mechanism to significantly alleviate such broadcast storm problem in order to improve the scalability of 802.11s and thus make it better suited for Smart Grid AMI applications. Our contribution is adapting 802.11s standard for addressing ARP broadcast storm problem in a secure and efficient manner. Specifically, we utilize the proactive Path Request (PREQ) packet and Path Reply (PREP) of layer-2 path discovery protocol of 802.11s, namely HWMP, for piggybacking ARP information. In this way, the MAC address resolution is handled during routing tree creation/maintenance and hence the broadcasting of ARP requests by the smart meters (SMs) to learn the MAC address of the data collector (i.e., the gateway/root node) is completely eliminated. Furthermore, since piggybacking the ARP via PREQ may pose vulnerabilities for possible ARP cache poisoning attacks, the data collector also authenticates the messages it sends to SMs by using Elliptic Curve Digital Signature Algorithm (ECDSA). We have extensively analyzed the behavior and overhead of the proposed mechanism using implementation of IEEE 802.11s in ns-3 simulator. The evaluations for both UDP and TCP show that compared to the original ARP broadcast operations, our approach reduces the end-to-end delay significantly without negatively impacting the packet delivery ratio and throughput.

Collaborative approach to mitigating ARP poisoning-based Man-in-the-Middle attacks

In this paper, we propose a new mechanism for counteracting ARP (Address Resolution Protocol) poisoning-based Man-in-the-Middle (MITM) attacks in a subnet, where wired and wireless nodes can coexist. The key idea is that even a new node can be protected from an ARP cache poisoning attack if the mapping between an IP and the corresponding MAC addresses is resolved through fair voting among neighbor nodes under the condition that the number of good nodes is larger than that of malicious nodes. Providing fairness in voting among the nodes that are heterogeneous in terms of the processing capability and access medium is quite a challenge. We attempt to achieve fairness in voting using the uniform transmission capability of Ethernet LAN cards and smaller medium access delays of Ethernet than for wireless LAN. Although there is another scheme that resolves the same issue based on voting, i.e. MR-ARP, the voting fairness is improved further by filtering the voting reply messages from the too-early responding nodes, and the voting-related key parameters are determined analytically considering the fairness in voting. This paper shows that fairness in voting can be achieved using the proposed approach, overcoming the limitations of other voting-based schemes, and ARP poisoning-based MITM attacks can be mitigated in a more generalized environment through experiments.

ASA: agent-based secure ARP cache management

Address resolution protocol (ARP) is widely used to maintain mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, current implementation is well-known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of ARP protocols, and past proposals to address the weaknesses of the ‘original’ ARP design have been unsatisfactory. Suggestions that ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. Agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.

Genuine ARP (GARP)

Address Resolution Protocol (ARP) is used to map the network address (IP address) to a physical address (MAC address). Being a stateless protocol and lacking proper authentication mechanism in the ARP messages, ARP is vulnerable for cache poisoning attack. Attacker can perform Man-In-The-Middle (MITM) attack or Denial of Service (DoS) attack and can access sensitive information, modify the contents, or deny the host from getting services. Different techniques for the detection and prevention of ARP cache poisoning attack have been proposed. Detection techniques (such as ARPWatch and Intrusion Detection techniques) generate false positives. Some prevention technique makes change in the switch itself and some uses cryptographic techniques. Secure-ARP and Ticket based ARP (TARP) are cryptographic techniques but suffer from single point failure and ticket flooding attacks respectively. ARP is a stateless protocol and ARP messages lacks the address authentication mechanism. As an ARP reply is unicast, all host systems in the LAN are not aware of the attacker present in the LAN. In this paper, we have proposed a protocol known as "Genuine Address Resolution Protocol (GARP)". Two novel concepts, viz., broadcastbased reply, and the Certifier for proof of IP address ownership have been proposed in GARP. As a reply is broadcast, the host, whose IP the attacker is using for attack, is aware of the attacker and subsequently makes other hosts in the LAN also aware of the attacker. Thus, the protocol prevents possible attack from the same attacker in the future. Statefulness is achieved by two tables, viz., the pending table and the blacklist table. The pending table holds the reply till its genuineness is proved and the blacklist table holds the MAC of attacker. Furthermore, the Certificate Authority is responsible for monitoring the ARP activities, which intervenes with appropriate messages at appropriate instances. The Dynamic Host Configuration Protocol (DHCP) server could be loaded with the additional service of monitoring ARP activities. The protocol has been implemented on Linux operating system. GARP was tested for various possible cases of ARP cache poisoning attack. From the results, it could be inferred that the GARP provides security against ARP cache poisoning attacks.

A Hardware Approach for Detecting the ARP Attack

This paper describes Address Resolution Protocol (ARP) and the ARP cache poisoning (ARP SPOOFING) problem and presents a proposed architecture for detecting the ARP attacks. In addition, it discusses a set of techniques used to detect the ARP poisoning attacks on switched Ethernet networks. A new practical technique by adding external hardware element to the LAN network to work as sniffer is suggested. These external elements are combined in architecture for practical implementation in production network. Results from laboratory and real-world detection experiments using several popular attack tools are also presented. The obtained practical results illustrate that the practical board works successfully for detecting the ARP attack.