Address Resolution Protocol Research Articles

Analysis of neural network detectors for network attacks

While network attacks play a critical role in many advanced persistent threat (APT) campaigns, an arms race exists between the network defenders and the adversary: to make APT campaigns stealthy, the adversary is strongly motivated to evade the detection system. However, new studies have shown that neural network is likely a game-changer in the arms race: neural network could be applied to achieve accurate, signature-free, and low-false-alarm-rate detection. In this work, we investigate whether the adversary could fight back during the next phase of the arms race. In particular, noticing that none of the existing adversarial example generation methods could generate malicious packets (and sessions) that can simultaneously compromise the target machine and evade the neural network detection model, we propose a novel attack method to achieve this goal. We have designed and implemented the new attack. We have also used Address Resolution Protocol (ARP) Poisoning and Domain Name System (DNS) Cache Poisoning as the case study to demonstrate the effectiveness of the proposed attack.

Enhancing security in Software-Defined Networks: An approach to efficient ARP spoofing attacks detection and mitigation

The proliferation of Software-Defined Networks (SDNs) has introduced unparalleled flexibility and efficiency to network management, but at the same time, it has introduced new challenges in securing network infrastructures. Among these challenges, Address Resolution Protocol (ARP) spoofing attacks remain a pervasive threat, compromising network integrity and data confidentiality. In this manuscript, we present an approach to ARP spoofing mitigation within SDNs, addressing the limitations of existing methodologies. Our proposed solution employs a multifaceted strategy that combines dynamic ARP cache management, real-time traffic analysis, and adaptive flow rule orchestration. Central to our approach is a dedicated device that continuously monitors the network topology and detects any deviations from established norms. Notably, our solution adapts seamlessly to networks of varying sizes, ensuring scalability and efficacy across diverse infrastructures. One of our key contributions is the integration of a deep learning-based Deep Neural Network (DNN) model to detect and mitigate ARP spoofing attacks. Leveraging a self-generated ARP spoofing dataset from SDN environments, our model demonstrates exceptional accuracy and adaptability, enhancing the network’s capability to identify and counter such threats effectively. Our approach showcases exceptional reliability, achieving 100% accuracy rate in detection of ARP spoofing, which is crucial for sustaining network responsiveness.

Advanced approaches to prevent ARP attacks

Advanced approaches to prevent ARP attacks

A Survey on ARP Poisoning

This paper's primary goal is to examine the detection and mechanism of ARP spoofing. One may argue that the Address Resolution Protocol, or ARP for simple terms, is crucial to computer science and forensics. ARP spoofing is one of the various computers hacking techniques used nowadays by individuals to transmit phony ARP packets across a Local Area Network (LAN). Such attacks might lead to changes in traffic patterns or, worse yet, a temporary or permanent stoppage of traffic. Even though this attack is only possible on networks with Address Resolution Protocols, ARP spoofing can be a precursor to more dangerous assaults that have the potential to do considerably more harm. An attacker seeking to launch this sort of attack will search for the Address Resolution Protocol's vulnerabilities. He may, for instance, be trying to take advantage of flaws like the message's inability to properly verify the sender. Because of this, hackers may find it very simple to alter or steal users' data. Because ARP spoofing poses a genuine risk to the security of every user on the network, all appropriate precautions must be taken to minimize harm.

VoWi‐Fi security threats: Address resolution protocol attack and countermeasures

AbstractB5G/6G networks are facing challenges in the deployment of additional base stations. However, Taiwan's four major operators have launched VoWi‐Fi calling services to maintain signal quality and coverage for customers. These services pose potential threats when users connect to untrusted Wi‐Fi networks. Therefore, the authors utilised commercial equipment to study the security of VoWi‐Fi calling services offered by Taiwan's four major telecom companies. The authors employed address resolution protocol attack methods to develop two verification attacks that bypass existing security measures: one for dropping session initiation protocol packets and the other for dropping voice call packets, both capable of circumventing current security defences. Through real‐world experiments, the authors confirmed their feasibility and assessed their potential harm. Consequently, two defence methods are proposed. The first is an anti‐attack algorithm for app and device manufacturers to detect the security of the user's calling environment. The second is a recommendation for telecom operators to implement new detection mechanisms to safeguard user rights.The cover image is based on the Case Study VoWi‐Fi security threats: Address resolution protocol attack and countermeasures by Kuan‐Chu Lu et al., https://doi.org/10.1049/ntw2.12113

Countering ARP spoofing attacks in software-defined networks using a game-theoretic approach

The Address Resolution Protocol (ARP) spoofing is a form of attack typically used by attackers to cause a denial of service or man-in-the-middle attacks. This attack comes from ARP weaknesses and aims to compromise victims' ARP caches by sending ARP packets containing fake IP-MAC pairs. To overcome ARP spoofing attacks, several approaches leverage the advantages of software-defined networking (SDN) to detect malicious users in the network. To achieve their goal, the SDN controller consecutively checks the characteristics of each ARP packet to ensure its correctness. However, this verification method can lead to latency and congestion at the controller level or render the system unusable for large-scale networks. To address this drawback, we propose a game-theoretic approach to provide an optimal verification method that considers the intelligent attackers' decision-making process during an ARP cache poisoning attempt. This approach is a zero-sum game between the attacker who wants to poison the victims' ARP caches and the defender who must avoid this poisoning. The game model results in mixed-strategy Nash equilibria that identify optimal verification methods to prevent control plane latency and congestion during attacker detection. The results show that an intelligent attacker will refrain from poisoning ARP caches with a high-impact strategy because the defender frequently checks such a strategy. In addition, the attacker's penalty value can deter both rational and irrational attackers from poisoning ARP caches. Simulations in the Mininet simulator have shown that the proposed approach can significantly mitigate control plane latency and congestion during the attacker's characteristic checking.

Ethernet–USB Bridge Application-Specific Integrated Circuit Incorporating the User Datagram Protocol and Address Resolution Protocol

Ethernet–USB Bridge Application-Specific Integrated Circuit Incorporating the User Datagram Protocol and Address Resolution Protocol

A Novel Mechanism for Detection of Address Resolution Protocol Spoofing Attacks in Large-Scale Software-Defined Networks

A Novel Mechanism for Detection of Address Resolution Protocol Spoofing Attacks in Large-Scale Software-Defined Networks

P4-HLDMC: A Novel Framework for DDoS and ARP Attack Detection and Mitigation in SD-IoT Networks Using Machine Learning, Stateful P4, and Distributed Multi-Controller Architecture

Distributed Denial of Service (DDoS) and Address Resolution Protocol (ARP) attacks pose significant threats to the security of Software-Defined Internet of Things (SD-IoT) networks. The standard Software-Defined Networking (SDN) architecture faces challenges in effectively detecting, preventing, and mitigating these attacks due to its centralized control and limited intelligence. In this paper, we present P4-HLDMC, a novel collaborative secure framework that combines machine learning (ML), stateful P4, and a hierarchical logically distributed multi-controller architecture. P4-HLDMC overcomes the limitations of the standard SDN architecture, ensuring scalability, performance, and an efficient response to attacks. It comprises four modules: the multi-controller dedicated interface (MCDI) for real-time attack detection through a distributed alert channel (DAC), the MSMPF, a P4-enabled stateful multi-state matching pipeline function for analyzing IoT network traffic using nine state tables, the modified ensemble voting (MEV) algorithm with six classifiers for enhanced detection of anomalies in P4-extracted traffic patterns, and an attack mitigation process distributed among multiple controllers to effectively handle larger-scale attacks. We validate our framework using diverse test cases and real-world IoT network traffic datasets, demonstrating high detection rates, low false-alarm rates, low latency, and short detection times compared to existing methods. Our work introduces the first integrated framework combining ML, stateful P4, and SDN-based multi-controller architecture for DDoS and ARP detection in IoT networks.

ARP-PROBE: An ARP spoofing detector for Internet of Things networks using explainable deep learning

The proliferation of the Internet of Things (IoT) devices and application domains has made IoT security an unavoidable challenge. Spoofing the address resolution protocol (ARP) can be exploited by botnets and other malicious programs to propagate and cause damage. Conventional ARP spoofing detection and prevention methods are, in most cases, inefficient for the IoT. This paper presents an ARP spoofing detection system using explainable deep learning, namely ARP-PROBE, for IoT networks. The proposed system relies on features extracted from network packets to detect ARP spoofing quickly and effectively using a feature selection and extraction module that identifies and selects the highly influential features. In a performance evaluation, the proposed system achieved an accuracy of 99.98% and an F1 score of 0.999. ARP-PROBE had a false positive rate of 0.026% and a false negative rate of 0.001%. To ensure that the model generalizes beyond the training data, a second dataset was used to evaluate it, and the results obtained were consistent with those of the first dataset. To provide a better understanding of the impact of each feature on the performance of the proposed deep learning model, which is the core of ARP-PROBE, a model explanation using SHAP explainability was provided.

Research on the Security of IPv6 Communication Based on Petri Net under IoT.

The distribution of wireless network systems challenges the communication security of Internet of Things (IoT), and the IPv6 protocol is gradually becoming the main communication protocol under the IoT. The Neighbor Discovery Protocol (NDP), as the base protocol of IPv6, includes address resolution, DAD, route redirection and other functions. The NDP protocol faces many attacks, such as DDoS attacks, MITM attacks, etc. In this paper, we focus on the communication-addressing problem between nodes in the Internet of Things (IoT). We propose a Petri-Net-based NS flooding attack model for the flooding attack problem of address resolution protocols under the NDP protocol. Through a fine-grained analysis of the Petri Net model and attacking techniques, we propose another Petri-Net-based defense model under the SDN architecture, achieving security for communications. We further simulate the normal communication between nodes in the EVE-NG simulation environment. We implement a DDoS attack on the communication protocol by an attacker who obtains the attack data through the THC-IPv6 tool. In this paper, the SVM algorithm, random forest algorithm (RF) and Bayesian algorithm (NBC) are used to process the attack data. The NBC algorithm is proven to exhibit high accuracy in classifying and identifying data through experiments. Further, the abnormal data are discarded through the abnormal data processing rules issued by the controller in the SDN architecture, to ensure the security of communications between nodes.

Protection Schemes for DDoS, ARP Spoofing, and IP Fragmentation Attacks in Smart Factory

Industry Revolution 4.0 connects the Internet of Things (IoT) resource-constrained devices to Smart Factory solutions and delivers insights. As a result, a complex and dynamic network with a vulnerability inherited from the Internet becomes an attractive target for hackers to attack critical infrastructures. Therefore, this paper selects three potential attacks with the evaluation of the protections, namely (1) distributed denial of service (DDoS), (2) address resolution protocol (ARP) spoofing, and (3) Internet protocol (IP) fragmentation attacks. In the DDoS protection, the F1-score, accuracy, precision, and recall of the four-feature random forest with principal component analysis (RFPCA) model are 95.65%, 97%, 97.06%, and 94.29%, respectively. In the ARP spoofing, a batch processing method adopts the entropy calculated in the 20 s window with sensitivity to network abnormalities detection of various ARP spoofing scenarios involving victims’ traffic. The detected attacker’s MAC address is inserted in the block list to filter malicious traffic. The proposed protection in the IP fragmentation attack is implementing one-time code (OTC) and timestamp fields in the packet header. The simulation shows that the method detected 160 fake fragments from attackers among 2040 fragments.

An Effective Approach to Detect and Prevent ARP Spoofing Attacks on WLAN

Address Resolution Protocol (ARP) is used to resolve a host’s MAC address, given its IP address. ARP is stateless, as there is no authentication when exchanging a MAC address between the hosts. Hacking tactics using ARP spoofing are constantly being abused differently; many previous studies have prevented such attacks. However, prevention requires modification of the underlying network protocol or additional expensive equipment, so applying these methods to the existing network can be challenging. In this paper, we examine the limitations of previous research in preventing ARP spoofing. In addition, we propose a defense mechanism that does not require network protocol changes or expensive equipment. Before sending or receiving a packet to or from any device on the network, our method checks the MAC and IP addresses to ensure they are correct. It protects users from ARP spoofing. The findings demonstrate that the proposed method is secure, efficient, and very efficient against various threat scenarios. It also makes authentication safe and easy and ensures data and users’ privacy, integrity, and anonymity through strong encryption techniques.

A Survey on Consensus Protocols and Attacks on Blockchain Technology

In the current era, blockchain has approximately 30 consensus algorithms. This architecturally distributed database stores data in an encrypted form with multiple checks, including elliptical curve cryptography (ECC) and Merkle hash tree. Additionally, many researchers aim to implement a public key infrastructure (PKI) cryptography mechanism to boost the security of blockchain-based data management. However, the issue is that many of these are required for advanced cryptographic protocols. For all consensus protocols, security features are required to be discussed because these consensus algorithms have recently been attacked by address resolution protocols (ARP), distributed denial of service attacks (DDoS), and sharding attacks in a permission-less blockchain. The existence of a byzantine adversary is perilous, and is involved in these ongoing attacks. Considering the above issues, we conducted an informative survey based on the consensus protocol attack on blockchain through the latest published article from IEEE, Springer, Elsevier, ACM, Willy, Hindawi, and other publishers. We incorporate various methods involved in blockchain. Our main intention is to gain clarity from earlier published articles to elaborate numerous key methods in terms of a survey article.

Network Forensics Against Address Resolution Protocol Spoofing Attacks Using Trigger, Acquire, Analysis, Report, Action Method

This study aims to obtain attack evidence and reconstruct commonly used address resolution protocol attacks as a first step to launch a moderately malicious attack. MiTM and DoS are the initiations of ARP spoofing attacks that are used as a follow-up attack from ARP spoofing. The impact is quite severe, ranging from data theft and denial of service to crippling network infrastructure systems. In this study, data collection was conducted by launching an test attack against a real network infrastructure involving 27 computers, one router, and four switches. This study uses a Mikrotik router by building a firewall to generate log files and uses the Tazmen Sniffer Protocol, which is sent to a syslog-ng computer in a different virtual domain in a local area network. The Trigger, Acquire, Analysis, Report, Action method is used in network forensic investigations by utilising Wireshark and network miners to analyze network traffic during attacks. The results of this network forensics obtain evidence that there have been eight attacks with detailed information on when there was an attack on the media access control address and internet protocol address, both from the attacker and the victim. However, attacks carried out with the KickThemOut tool can provide further information about the attacker’s details through a number of settings, in particular using the Gratuitous ARP and ICMP protocols.

DDoSMitigator: An On-The-Fly Method of Mitigating Denial of Service Attack in Software Defined Networking

Abstract: Started in the early 2000s, the Software Defined Networking (SDN) paradigm has become the backbone for various network based technologies. It has the advantage of being simple to manage and easy to add new features to the network. In comparison to legacy hardware-based networks, scalability, performance, and maintainability become more advanced. However, hackers are more likely to target the SDN, putting the entire network at risk. Denial of Service is a common example of such a threat. It is feasible to reduce such attacks by carefully planning and building the SDN controller as well as the network applications that administer the SDN. This paper presents a novel and efficient method applicable to various types of protocol based Distributed Denial of Service (DDoS) attacks in SDN/OpenFlow networks. It can be used to detect and mitigate Transmission Control Protocol (TCP) SYN attacks, Internet Control Message Protocol (ICMP) ping flood attacks and User Datagram Protocol (UDP) flood attacks that happen against the SDN devices and/or any host. This feature stands above the controller and conforms to the OpenFlow policy without leveraging additional devices. All the detection and mitigation are done based on a True Host list which is created by tracking the Address Resolution Protocol (ARP) requests and replies from hosts. As ARP protocol is necessarily used by all hosts, this method can be effectively utilised for true host list creation and further attack detection and mitigation

Defending a wireless LAN against ARP spoofing attacks using a Raspberry Pi

The Address Resolution Protocol (ARP) is a protocol that converts Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. Due to a security issue known as "Man in the Middle," identity theft is feasible using the ARP protocol. ARP spoofing is one of the weaknesses in wireless networks when an attacker effectively masquerades as a legitimate one. Spoofing attacks will reduce network performance and break several security measures. In networks that use MAC address-based filtering to verify clients, all a spoofer needs is an actual MAC address from an authorised client to gain an unfair advantage. The research recommends developing a security system recognising and preventing ARP spoofing attacks. This system detects ARP spoofing attempts by comparing the static MAC address of the original router to the router's MAC address in the ARP cache table. After detecting the attack using information collected from the router's MAC address in the ARP cache table, the system will conduct a de-authentication attack against the attacker's MAC address. If the attacker is disconnected from the WLAN, they cannot perform ARP spoofing attacks. This system is operated using a Raspberry Pi Model B. Most ARP spoofing attacks can be detected in 0.93 seconds, and responding takes 3.05 seconds.

Spoofing Attack Mitigation in Address Resolution Protocol (ARP) and DDoS in Software-Defined Networking

Software Defined Networking (SDN) shows network operations to be performed for efficient network operations. Due to the increase in network devices, the percentage of attacks is also increased, and it is challenging to provide defense against such attacks. In SDN, the control plan is separated from the data plane. The control plan is implemented using some central devices called SDN controllers. In SDN Address Resolution Protocol (ARP), spoofing and Distributed Denial of Services (DDoS) attacks are carried out on an enormous scale. These are commonly launched attacks in SDN. Due to these attacks, the network performance is down, and network services are dead. This paper proposed a new auto detection methodology to detect ARP and DDoS attacks and mitigate SDN networks from these attacks. Additionally, we implemented two algorithms: one for flow rules and the second for attack detection. An individual server was installed to check the malicious traffic installation. We present the new forward flooding rules to detect and mitigate attacks. The experiments are performed using LINUX-based network implementation. Our proposal successfully improves network security and enhances network efficiency.

An Extendable Software Architecture for Mitigating ARP Spoofing-Based Attacks in SDN Data Plane Layer

Software-defined networking (SDN) is an emerging network architecture that brings benefits in network function virtualization, performance, and scalability. However, the scalability feature also increases the number of possible vulnerabilities through multiple entry points in the network. Address Resolution Protocol (ARP) spoofing-based attacks are widely encountered and allow an attacker to assume the identity of a different computer, facilitating other attacks, such as Man in the Middle (MitM). In the SDN context, most solutions employ a controller to detect and mitigate attacks. However, interacting with the control plane involves asynchronous network communication, which causes delayed responses to an attack. The current work avoids these delays by being implemented solely in the data plane through extendable and customizable software architecture. Therefore, faster response times improve network reliability by automatically blocking attackers. As attacks can be generated with a variety of tools and in networks experiencing different traffic patterns, the current solution is created to allow flexibility and extensibility, which can be adapted depending on the running environment. Experiments were run performing ARP spoofing-based attacks using KaliLinux, Mininet, and OpenVSwitch. The presented results are based on traffic pattern analysis offering greater customization capabilities and insight compared to similar work in this area.

Features of Address Resolution Protocol Operation in Computer Networks

The paper analyzes the network protocols of computer networks to identify potential vulnerabilities at the software level. The conditions for carrying out a man-in-the-middle attack in networks using the Address Resolution Protocol (ARP) are investigated. Such attacks are of a rather dangerous type, since they are based on the shortcomings of the ARP protocol. A detailed analysis of the stages of the attack and the sequence of impact on the attacked node is given. The technology of ARP spoofing (poisoning) and methods that allow one to infiltrate an existing connection and communication process are examined in detail. An implementation of an ARP spoofing attack in the Python and C# programming languages using the Soapy and SharpPcap libraries is presented. Examples of implementation of denial-of-service (DoS) attacks in a peer-to-peer network using the ARP protocol in C# are given. The article also describes examples of man-in-the-middle attacks associated with various protocols and infiltration into the address space of routers, such as DHCP (a protocol that dynamically assigns an IP address to a client computer) spoofing and ICMP (Internet Control Message Protocol) redirection. Methods for hacking a router and substituting a MAC address and examples of scripts that implement: sending a fake ARP packet; a function for performing a DoS attack; changing the Linux MAC address; router hacks, are presented in the article.