4/7/2018 ARP SPOOFING Group 1

Duan Chao 301230103
Luo Yi 301220263

Abstract

For the first few decades of their existence, computer networks were used by university researchers for sending e-mail and by corporate employees for sharing printers. With the development of society, network technology is also constantly developing, and network applications are gradually becoming widespread. More and more computer users can access the information resources of the global network system from home, and the Internet has become an integral part of today's world. However, also comes to our sight. Many protocols are used to establish these networks, but there are some precautions that were not considered. In this paper, we do some research and simulation on the Address Resolution Protocol (ARP) and ARP spoofing to demonstrate some precautions in ARP.

i Table of Content | ENSC 427 FINAL PROJECT: ARP SPOOFING

Contents

Abstract
List of Figure and Table
Glossary
Introduction
Researched Work
ARP Overview
ARP History
ARP Request
ARP Response
ARP Cache
ARP Spoofing
Simulation
Goals
Environment
Problems
Ns-3 does not provide interface for sending request
Ns-3 ARP caches keep states of each entry
Topology
Scenario 1
Scenario 2
Results
Scenario 1
Scenario 2
Conclusion
Industry Work
Dynamic ARP Inspection – Cisco
Future Plan
Monitoring in each node
Monitoring in the LAN
Conclusion
References
Appendix
Project Link
Project Source Code

List of Figure and Table

Figure 1 ARP spoofing mitigation flow chart [2]
Figure 2 Algorithm of the Proposed Mechanism [3]
Figure 3 ARP Request
Figure 4 ARP Response
Figure 5 ARP Spoofing
Figure 6 ns-3 logo [7]
Figure 7 ARP request & response in ns-3
Figure 8 Scenario1
Figure 9 Scenario 2
Figure 10 Simulation results of UDP client in scenario 1
Figure 11 Simulation results of UDP server in scenario 1
Figure 12 Simulation results of attacker in scenario 1
Figure 13 Simulation results of UDP client in scenario 2
Figure 14 Simulation results of UDP server in scenario 2
Figure 15 Simulation results of attacker in scenario 2
Figure 16 Topology of the simulation
Figure 17 Catalyst 6500
Figure 18 Dynamic ARP Inspection
Figure 19 DAI Trust State

Table 1 ARP cache table of Client#1
Table 2 Changed ARP cache table of Client#1
Table 3 ARP states and corresponding behaviour
Table 4 Configuration of the scenario1
Table 5 Configuration of the scenario 2

Glossary

ARP: Address Resolution Protocol
MAC: Medium Access Control
IP:
TCP: Transmission Control Protocol
LAN: Local Area Network
CSMA: Carrier-Sense Multiple Access
WAN: Wide Area Network
DDOS: Distributed Denial of Service
OSI: Open Systems Interconnection
DAI: Dynamic ARP Inspection

Introduction

With the development of computer networks, plenty of services and applications have increased the priority of LANs. Meanwhile, the security of LANs also needs much more consideration. The Address Resolution Protocol (ARP), a frequently used network layer protocol that maps an IP address to a MAC address, is extremely vulnerable, and it increases the risk of attacks in LANs. ARP spoofing is one of the hacking techniques that threaten LANs. In general, ARP spoofing is the purposeful behaviour of issuing incorrect ARP broadcast packets. ARP spoofing was originally used by hackers and became their main method for stealing network data. The hacker sends out a wrong ARP broadcast packet, blocks normal communication, and disguises the computer he uses as the computer of another person, so that data originally sent to other computers is sent to the hacker's computer, where it can be stolen.

The wave of recent ARP attacks has diversified in purpose and methods, and its impact and influence are much greater than in the previous two phases. The first change is that viruses have joined the ranks of ARP attacks. Previously, virus attacks targeted mainly the WAN, and the most effective attack method was the DDOS attack. However, with the development of prevention capabilities, virus makers have turned their attention to the LAN and begun to try ARP attacks. In this paper, we focus only on the original ARP spoofing and simulate it using ns-3.

Researched Work

At the beginning, we did some research on ARP spoofing to understand the technique. “Mitigating ARP Spoofing Attacks in Software-Defined Networks” gives us some basic information about ARP spoofing. ARP spoofing may be used to launch any one of the following attacks [1].

• DoS attacks: the attacker will prevent the two communicating hosts from getting connected to each other.
• Host impersonation attack: the attacker will receive packets intended for the victim and can reply to these packets on behalf of the victim.
• Man-In-The-Middle (MITM) attack: the attacker will be able to monitor all the traffic between two communicating hosts.

After introducing ARP spoofing, it provides several techniques used to figure out ARP spoofing.

• ARP
• Operating system patching
• Dynamic ARP Inspection
• ARP mitigation tools
• Static ARP mappings

It then describes in detail how to mitigate ARP spoofing attacks in software-defined networks. The flow chart of ARP spoofing mitigation is shown below.

Figure 1 ARP spoofing mitigation flow chart [2]

After becoming familiar with ARP spoofing, we could not find any resources about simulating ARP spoofing using ns-3. Next, we looked for a prevention method to avoid ARP spoofing. A paper called “A Proposal for a Schema for ARP Spoofing Protection” by Jin-Cherng Lin, Men-Jue Koo, and Cheng-Sheng Wang gave us a lot of ideas. The paper points out that ARP mainly interferes with the correctness of the IP/MAC mapping correlation in the ARP table of the host [3]. It has four characteristics:

• Targeted attacks
• Does not generate suspicious traffic
• Difficult to detect
• Difficult to be prevented in mind

To solve these problems, it provides a method called “Enhanced ARP Query Schema Protective Mechanism”. The first technique used in this method is correlation analysis of IP and MAC addresses in the LAN. The relationship between IP and MAC should be unique, so if an IP address is correlated with two MAC addresses, something is incorrect in the LAN, and we need to update our ARP table to ensure that each IP address correlates with only one MAC address. The next technique used in this method is the ARP Protective Mechanism and Algorithm. The purpose of this algorithm is to maintain the accuracy of the IP/MAC correlations in the ARP table. The flow chart is shown below.

Figure 2 Algorithm of the Proposed Mechanism [3]

ARP Overview

In this section, we go over the basic information about ARP and ARP spoofing. The OSI model divides the network into seven layers. The OSI model is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology [4]. The IP address is in the third layer (network layer) of the OSI model, and the MAC address is in the second layer (data link layer). They do not deal with each other directly. When sending an IP packet over , you need to encapsulate the headers of the network layer and the link layer first, but only the destination IP address is known at the time of sending, and the MAC address is unknown. However, it cannot cross the network layer and link layer, so it needs to use the Address Resolution Protocol (ARP). After using ARP, the MAC address information can be resolved from the IP address information in the IP header of the network layer.

Basically, there are two steps of operations to associate the MAC address with the IP address. They are the ARP request and the ARP response.

ARP History

The problem of address resolution was apparent from the very start of the development of the TCP/IP protocol suite. Much of the early development of IP was performed on the then-fledgling Ethernet local area networking technology; this was even before Ethernet had been officially standardized as IEEE 802.3. It was necessary to define a way to map IP addresses to Ethernet addresses to allow communication over Ethernet networks. There are two basic methods that could have been used to accomplish this correlation of addresses: direct mapping or dynamic resolution. However, Ethernet addresses are 48 bits long while IP addresses are only 32 bits, which immediately rules out direct mapping. Furthermore, the designers of IP wanted the flexibility that results from using the dynamic resolution model. To this end, they developed the TCP/IP Address Resolution Protocol (ARP). This protocol is described in one of the earliest of the Internet RFCs still in common use: RFC 826, An Ethernet Address Resolution Protocol, published in 1982 [5]. The name makes clear that ARP was originally developed for Ethernet. Thus, it represents a nexus between the most popular layer two LAN protocol and the most popular layer three internetworking protocol; this is true even two decades later. However, it was also obvious from the beginning that even if Ethernet was a very common way of transporting IP, it would not be the only one. Therefore, ARP was made a general protocol capable of resolving addresses from IP to not just Ethernet but numerous other technologies.

ARP Request

Figure 3 ARP Request

From the above figure, there are three clients in a LAN. The IP address and MAC address of the first client are 10.1.1.1 and 00.00.00.00.00.00 respectively. For the second user, the IP address is 10.1.1.2 and MAC address is 00.00.00.00.00.01. And IP address and MAC address of the last client are 10.1.1.3 and 00.00.00.00.00.02 respectively. In this scenario, the first user is looking for the other client in this LAN who has the IP address 10.1.1.2. The procedure of “Broadcast: Does anyone have IP 10.1.1.2” is called ARP Request.


ARP Response

Figure 4 ARP Response

After every client in this LAN has received the broadcast message from Client#1, the client that has the requested IP address sends a response back to Client#1. The response contains the MAC address of Client#2 so that Client#1 can update its memory.

ARP Cache

Each host should have an ARP cache, which contains the mapping table of IP addresses to MAC addresses of hosts and clients on the LAN. Without an ARP cache, a host would have to send an ARP request packet on the network every time it communicates, which increases the traffic on the network. ARP saves the obtained address mapping in the cache so that when the host communicates with the same destination next time, it can find the required MAC address directly in the cache without broadcasting an ARP request packet. In effect, the ARP cache is a lookup table that maps IP addresses to MAC addresses. For example, the ARP cache of Client#1 after getting the response from the second client is shown below.

IP address    MAC address
10.1.1.1      00.00.00.00.00.00
10.1.1.2      00.00.00.00.00.01
10.1.1.3      00.00.00.00.00.02

Table 1 ARP cache table of Client#1

When ARP is queried for the MAC address of a known IP address, it first looks in the ARP cache. If the entry exists, it directly returns the corresponding MAC address. If it does not exist, it sends an ARP request to the LAN, as mentioned before, to find the corresponding MAC address and update the ARP cache.

To minimize broadcast traffic, ARP maintains an IP address to MAC address cache for future use. The ARP cache can contain dynamic and static entries. Dynamic ARP entries are updated automatically over time. The potential lifetime of each dynamic ARP cache entry is 10 minutes. Items that are newly added to the cache are time stamped. If an item is not reused within 2 minutes after it is added, the item expires and is deleted from the ARP cache. If an item is already in use, it receives another 2 minutes, up to a maximum lifetime of 10 minutes. Static ARP entries simply remain in the cache until the computer is restarted. In our situation, we only consider the static ARP [6].

ARP Spoofing

ARP is based on the mutual trust of each host in the network. The birth of ARP made the network run more efficiently, but it also has its own flaws. In summary, ARP has several properties:

▪ Keep locally to minimize number of ARP requests being broadcast
▪ Update the cache with the new IP/MAC association for each successful reply
▪ Stateless protocol: will update the cache when a reply is received without any confirmation

Because ARP is a stateless protocol, it always updates the cache whenever a new response is received. This gives the attacker an opportunity to hack ARP. The ARP request is sent as a broadcast message, and hosts on the network can send ARP response messages autonomously. When other hosts receive the response packets, they record them in the ARP cache without verifying the authenticity of the packets. In this way, an attacker can send a fake ARP response packet to the destination host to tamper with its ARP cache.

Figure 5 ARP Spoofing

For example, there are still three hosts in a LAN. The host with IP address 10.1.1.3 plays the role of the attacker in this scenario. The attacker sends a spurious ARP response in which the sender IP address is 10.1.1.2 (the IP address of Client#2) and the MAC address is 00.00.00.00.00.02 (the MAC address of Client#3). When Client#1 receives this fake ARP response, it updates its local ARP cache immediately. At this time, Client#1 does not recognise that this ARP response has been forged, and it is unaware that the response was sent from Client#3 and uses the attacker's MAC address.

IP address    MAC address
10.1.1.1      00.00.00.00.00.00
10.1.1.2      00.00.00.00.00.02
10.1.1.3      00.00.00.00.00.02

Table 2 Changed ARP cache table of Client#1

The ARP cache table of Client#1 is shown in Table 2. Compared with Table 1, the MAC address of Client#2 is now wrong. So, if Client#1 would like to communicate with Client#2 later, the IP address 10.1.1.2 will be incorrectly resolved by ARP to the MAC address 00.00.00.00.00.02. This will cause the two clients to be unable to communicate with each other.

When a host on the LAN repeatedly sends such invalid ARP response packets to other hosts, especially to the Ethernet switch, severe network congestion will occur.

Simulation

Goals

Prove the vulnerability of the ARP protocol by simulating valid ARP replies and ARP spoofing, comparing the results and analyzing the behaviours of each node in both cases.

Environment

Figure 6 ns-3 logo [7]

The operating system we used to set up our simulation is Ubuntu, and the simulation tool we used is ns-3. Ns-3 is a discrete-event network simulator for Internet systems, targeted primarily at research and educational use. Unlike industrial simulation software such as Riverbed, ns-3 is an open source project whose source code can be read and modified. Ns-3 helps us understand how configurations change the behaviour of nodes by reading its source code rather than reading high-level behavioural descriptions, giving us access to the vulnerability of the protocols. If necessary, we can also modify the ns-3 source code locally, which we can never do with industrial tools.

Problems

Ns-3 does not provide interface for sending request:

Ns-3 has classes that implement the procedures of ARP requests and replies. However, these methods are usually called implicitly, because ARP usually runs to assist transport protocols such as UDP and TCP. In this case, we modified the source code to provide an external interface to invoke ARP requests.

Ns-3 ARP caches keep states of each entry:

Figure 7 ARP request & response in ns-3

As introduced before, ARP is a stateless protocol. However, ns-3 adds states to ARP cache entries, which provides some protection against ARP attacks. The states and corresponding behaviour are defined as follows:

ARP cache entry state    meaning                                   action if used
permanent                never expires; never verified             reset use counter
reachable                normal expiration                         reset use counter
stale                    still usable; needs verification          reset use counter; change state to delay
delay                    schedule ARP request; needs verification  reset use counter
isWaitingReply           sending ARP request                       reset use counter

Table 3 ARP states and corresponding behaviour
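A minimal model of the state check behind Table 3, which also replays the Table 1 to Table 2 poisoning from the ARP Spoofing section. This is an added example, not ns-3 or project code: the ArpCache class, its three simplified states and all timings are assumptions made for illustration.

```cpp
#include <algorithm>
#include <map>
#include <string>
#include <vector>

// Toy model written for this example; it is not ns-3's ArpCache class.
enum class State { None, WaitReply, Alive };

struct Entry {
    std::string mac;
    State state = State::None;
};

class ArpCache {
public:
    explicit ArpCache(bool stateful) : stateful_(stateful) {}

    // The host has broadcast "who has <ip>?" and now expects an answer.
    void Request(const std::string& ip) { table_[ip].state = State::WaitReply; }

    // Handle a reply binding ip -> mac. Returns true if the cache changed.
    bool Reply(const std::string& ip, const std::string& mac) {
        Entry& e = table_[ip];
        // Stateful rule from the text: only an entry that is waiting for a
        // reply accepts one; everything else is rejected as spoofing.
        if (stateful_ && e.state != State::WaitReply) {
            ++rejected_;
            return false;
        }
        e.mac = mac;
        e.state = State::Alive;
        return true;
    }

    std::string Lookup(const std::string& ip) const {
        auto it = table_.find(ip);
        return it == table_.end() ? std::string() : it->second.mac;
    }
    int Rejected() const { return rejected_; }

private:
    bool stateful_;
    int rejected_ = 0;
    std::map<std::string, Entry> table_;
};

const std::string kClient2Ip = "10.1.1.2";
const std::string kClient2Mac = "00.00.00.00.00.01";
const std::string kClient3Mac = "00.00.00.00.00.02";  // attacker in the text

// Client#1 learns the Table 1 entry through a normal request/response, then
// receives one unsolicited forged reply. Returns its MAC for 10.1.1.2.
std::string UnsolicitedReply(bool stateful) {
    ArpCache cache(stateful);
    cache.Request(kClient2Ip);
    cache.Reply(kClient2Ip, kClient2Mac);  // genuine answer (Table 1)
    cache.Reply(kClient2Ip, kClient3Mac);  // forged, nobody asked
    return cache.Lookup(kClient2Ip);
}

struct Event {
    int timeMs;
    bool isRequest;
    std::string mac;
};

// Replays a constructed timeline against a stateful cache: one request, the
// genuine reply, and forged replies every forgedIntervalMs.
std::string FloodRace(int requestMs, int genuineMs, int forgedStartMs,
                      int forgedIntervalMs, int forgedCount, int* rejected) {
    std::vector<Event> events;
    events.push_back({requestMs, true, ""});
    events.push_back({genuineMs, false, kClient2Mac});
    for (int i = 0; i < forgedCount; ++i)
        events.push_back({forgedStartMs + i * forgedIntervalMs, false, kClient3Mac});
    std::stable_sort(events.begin(), events.end(),
                     [](const Event& a, const Event& b) { return a.timeMs < b.timeMs; });

    ArpCache cache(true);
    for (const Event& ev : events) {
        if (ev.isRequest) cache.Request(kClient2Ip);
        else cache.Reply(kClient2Ip, ev.mac);
    }
    if (rejected) *rejected = cache.Rejected();
    return cache.Lookup(kClient2Ip);
}

int main() {
    // Stateless: Table 1 turns into Table 2. Stateful: the entry is unchanged.
    bool ok = UnsolicitedReply(false) == kClient3Mac &&
              UnsolicitedReply(true) == kClient2Mac;
    return ok ? 0 : 1;
}
```

In this model a forged reply changes the stateful cache only if it arrives between the victim's request and the genuine reply, so the exposure of such a cache is the length of that window.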

If the entry is not in the isWaitingReply state, any ARP replies are rejected as spoofing messages. In most cases, the states are kept and handled by the operating system. To make the attack successful, we need to flood the ARP replies, and there is a chance that one reply gets accepted right after the victim makes the request.

Topology

Scenario 1

Figure 8 Scenario1

In this scenario, we set up the LAN by defining the nodes as CSMA devices and assigning them IP addresses in the same subnet using the CSMA helper class defined in ns-3. As the figure shows, there are three hosts in the LAN. The first node, with IP address 10.1.1.1 and MAC address 00.00.00.00.00.00, is installed with UdpClientApp acting as a UDP server. The second node, with IP address 10.1.1.2 and MAC address 00.00.00.00.00.01, is installed with UdpServerApp acting as a UDP client who accepts the UDP packets. UdpClientApp and UdpServerApp are classes defined in ns-3. The client app class periodically makes a UDP packet, adds headers to it and sends it to the server app. The details are configured as follows:

Number of packets will be sent    3
Interval between each packet      1000 ms
Propagation delay                 200 ms
Server start time                 5 ms
Client start time                 50 ms

Table 4 Configuration of the scenario1

In this case, the third node with IP address 10.1.1.3 is not doing anything in the simulation.

Scenario 2

Figure 9 Scenario 2

In this scenario, the LAN and the first and second nodes are set up and configured the same way as in scenario 1. In addition, the third node, with IP address 10.1.1.3 and MAC address 00.00.00.00.00.02, is installed with the ARP attacker application we designed. With this application, the node sends a fake ARP reply periodically. If the victim picks up the reply message, the following UDP packets will be redirected to the attacker. The behaviour of the attacker is configured as follows:

Number of packets will be sent    7
Interval between each packet      1000 ms
Attacker start time               5 ms

Table 5 Configuration of the scenario 2

Results

We output the results of the simulation in Pcap files.

Scenario 1

UDP client:

Figure 10 Simulation results of UDP client in scenario 1

As shown in the Pcap file, three UDP packets were properly sent to the server.

UDP server:

Figure 11 Simulation results of UDP server in scenario 1

After the server replies with the correct MAC-IP mapping, it receives three packets normally.

Attacker:

Figure 12 Simulation results of attacker in scenario 1

In the first scenario, the attacker is not involved. It only sees the broadcasted ARP request and the reply. It doesn’t have knowledge of the 3 UDP packets sent from the UDP client.

Scenario 2

UDP client:

Figure 13 Simulation results of UDP client in scenario 2

In this case, the first UDP packet is sent immediately after the first broadcast fake ARP reply, indicating that the client accepted the fake ARP reply and sent a packet to the attacker.

UDP server:

Figure 14 Simulation results of UDP server in scenario 2

The server is still getting the packets from the client. This will be explained later.

Attacker:

Figure 15 Simulation results of attacker in scenario 2

The three Pcap files show the result here. Because the hosts are by nature ns-3 objects, their behaviours are set by ns-3. It looks like the attacker becomes the ARP proxy for the UDP client and the UDP server. After it receives the first UDP packet, it broadcasts a request to ask for the correct MAC address of the UDP server and redirects the packet to the server. The two subsequent UDP packets are also redirected by the attacker to the server. That explains why the server is still getting the packets and why the attacker has Pcap messages for each UDP packet. The following graph shows the topology from the simulation results.

Figure 16 Topology of the simulation

Having become an ARP proxy, the attacker is able to examine or modify the content of each UDP packet before redirecting it to the server.

Conclusion

Based on the simulation of ARP spoofing, we can conclude:

• ARP is vulnerable
• Even with state ARP, it is harder to poison the ARP cache
• Most attacks are launched in the same LAN
• Attacker can be man in the middle

Industry Work

To avoid ARP spoofing, not only have individual users come up with ideas to solve it, but companies also provide solutions. We focus on the Dynamic ARP Inspection method provided by Cisco. Cisco already provides a software solution on its switches, such as the Catalyst 6500, Catalyst 4500, etc.

Figure 17 Catalyst 6500

Dynamic ARP Inspection – Cisco

Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks [8]. The foundation of DAI is DHCP snooping. DHCP snooping is a DHCP security feature that filters out untrusted DHCP information by establishing and maintaining a DHCP snooping binding table. This information refers to DHCP information from untrusted zones. The DHCP snooping binding table contains information such as the user MAC address, IP address, lease period, and VLAN-ID interface in the untrusted zone. Functions of DHCP snooping:

• Isolate the illegal DHCP server by configuring untrusted ports
• Create and maintain a DHCP snooping binding table. This table is generated from the IP and MAC addresses in the DHCP Ack packet, and can also be specified manually

After DHCP snooping is enabled on the Ethernet switch, it intercepts DHCP messages and extracts and records IP address and MAC address information from received DHCP request messages or DHCP Ack messages. In addition, DHCP snooping allows a physical port to be set as a trusted or untrusted port. A trusted port can receive and forward DHCP offer packets normally, but an untrusted port will discard a received DHCP offer message. In this way, the switch can block a fake DHCP server and ensure that the client obtains an IP address from a valid DHCP server.

DAI checks all transmitted ARP messages and makes sure that only valid ARP requests and responses are relayed. In detail, there are 3 steps of DAI.

• Intercepts all ARP request and response packets on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination [8].
• Drops invalid ARP packets and saves the information in the log

Figure 18 Dynamic ARP Inspection

We add a DHCP server to the LAN as shown in the above figure. DAI determines the validity of ARP packets based on valid IP-to-MAC address bindings stored in the trusted database. In the above figure, the trusted database is the DHCP server. If the ARP packet is received from a trusted port, the Ethernet switch forwards the packet without any checks. On the other hand, if the ARP packet is from an untrusted port, the Ethernet switch forwards the packet depending on the validity check of the port. Furthermore, DAI also provides a trust state for each port in a LAN.
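The three DAI steps and the trusted/untrusted port rule described above can be modelled as follows. This is an added example, not Cisco's implementation or project code: the ArpInspector class, the port numbers, the lease clock and the expiry check are assumptions, and the bindings reuse the addresses from Table 1.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy model of the DAI decision described above; not Cisco's implementation.
struct Binding {
    std::string mac;     // MAC recorded from the DHCP Ack
    int leaseExpiresAt;  // end of the lease, in seconds (constructed clock)
};

struct ArpPacket {
    int ingressPort;        // switch port the packet arrived on
    std::string senderIp;   // IP the ARP packet claims
    std::string senderMac;  // MAC it binds to that IP
};

enum class Verdict { ForwardTrusted, ForwardValid, Drop };

class ArpInspector {
public:
    void TrustPort(int port) { trusted_.insert(port); }

    // Entry of the DHCP snooping binding table (learned or set manually).
    void AddBinding(const std::string& ip, const Binding& b) { bindings_[ip] = b; }

    Verdict Inspect(const ArpPacket& p, int now) {
        // Packets from trusted ports are forwarded without any check.
        if (trusted_.count(p.ingressPort)) return Verdict::ForwardTrusted;

        std::string reason;
        auto it = bindings_.find(p.senderIp);
        if (it == bindings_.end())
            reason = "no binding for sender IP";
        else if (now >= it->second.leaseExpiresAt)
            reason = "binding lease expired";
        else if (it->second.mac != p.senderMac)
            reason = "sender MAC differs from binding " + it->second.mac;
        if (reason.empty()) return Verdict::ForwardValid;

        // Invalid packets are dropped and the decision is logged.
        log_.push_back("DROP port=" + std::to_string(p.ingressPort) +
                       " ip=" + p.senderIp + " mac=" + p.senderMac +
                       " (" + reason + ")");
        return Verdict::Drop;
    }

    const std::vector<std::string>& Log() const { return log_; }

private:
    std::set<int> trusted_;
    std::map<std::string, Binding> bindings_;
    std::vector<std::string> log_;
};

// Constructed lab switch: ports 1-3 face Client#1-3 and are untrusted,
// port 4 is the trusted uplink towards the DHCP server.
ArpInspector MakeLabSwitch() {
    ArpInspector sw;
    sw.TrustPort(4);
    sw.AddBinding("10.1.1.1", {"00.00.00.00.00.00", 3600});
    sw.AddBinding("10.1.1.2", {"00.00.00.00.00.01", 3600});
    sw.AddBinding("10.1.1.3", {"00.00.00.00.00.02", 3600});
    return sw;
}

int main() {
    ArpInspector sw = MakeLabSwitch();
    // Forged reply from the ARP Spoofing section: Client#3 claims 10.1.1.2.
    ArpPacket forged{3, "10.1.1.2", "00.00.00.00.00.02"};
    ArpPacket genuine{2, "10.1.1.2", "00.00.00.00.00.01"};
    bool ok = sw.Inspect(forged, 100) == Verdict::Drop &&
              sw.Inspect(genuine, 100) == Verdict::ForwardValid;
    return ok ? 0 : 1;
}
```

Because a trusted port bypasses every check in this model, marking a client-facing port as trusted removes the protection for whatever is attached to it.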

Figure 19 DAI Trust State

As shown in the above figure, there are three clients and a DHCP server in this LAN.

• Client#1 would like to update his ARP cache
• Client#2 is an untrusted port
• Client#3 is a trusted port

When Client#3 would like to send packets to Client#1, it skips all DAI validation checks and sends directly to Client#1, because Client#3 is in the trusted state in the DHCP server. However, when Client#2 would like to send packets to Client#1, it needs to go through the whole DAI validation process because it is in the untrusted state. If it passes the DAI validation process, it will become a trusted port and can communicate with the other trusted ports without any DAI validation later. If it fails the DAI validation process, DAI will drop all packets from this client.

Future Plan

At present, the most effective way to protect against ARP spoofing in LANs is through bidirectional binding of IP and MAC addresses between clients. However, this method still cannot effectively prevent ARP attacks on LANs. The most significant reason is that by the time we discover the ARP spoofing and set up two-way binding, it has already changed the MAC address of the local computer, resulting in an invalid binding. On the other hand, it is human-made destruction. For example, if someone floods ARP responses in a LAN as in our scenario, it will lead to a decrease in network performance. Inspired by the related research work, we can implement the two following methods of protecting the LAN from ARP spoofing:

Monitoring in each node:

We can modify the ns-3 ARP cache class by adding a monitor method that gets allocated if an entry in the ARP table gets updated. It will decide whether the update is valid based on an arbitrary algorithm.

Monitoring in the LAN:

We can add an administrative node in the LAN that is designated to monitor the broadcast ARP replies. If it detects an ARP flood, it can block the node from flooding ARP replies.

For each method we can compare the effectiveness and the implementation cost. We can also expand the LAN by adding more nodes and test the scenario with more than one attacker.

Conclusion

ARP spoofing and attack problems are the culprits of enterprise networks. The discussion on this issue has been very thorough. After our simulation, the mechanism of ARP attacks has been thoroughly understood and various preventive precautions have been introduced. But the question is whether it is really possible to get rid of ARP problems now. As we know, although various methods have been tried, this problem has not been fundamentally solved. We conclude that there are three reasons. First, the preventive ability of the solution measures is limited, and they are not the most fundamental method. Second, the network management is very constrained, inconvenient and impractical, and has no operability. Third, some measures cause a loss in the efficiency of network transmission, slower network speed, and wasted bandwidth, which is also undesirable.
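The LAN-level monitoring node proposed under Future Plan, combined with the IP/MAC correlation check described under Researched Work, can be sketched as below. This is an added example, not code from the project: the ArpMonitor class, the 5-second window and the threshold of 3 replies are assumptions, and the capture it analyses is constructed.

```cpp
#include <deque>
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy monitoring node written for this example; all names are hypothetical.
struct SeenReply {
    int timeMs;
    std::string senderIp;
    std::string senderMac;
};

struct Alert {
    int timeMs;
    std::string kind;  // "conflict" or "flood"
    std::string detail;
};

class ArpMonitor {
public:
    ArpMonitor(int windowMs, int maxReplies)
        : windowMs_(windowMs), maxReplies_(maxReplies) {}

    // Feed one observed ARP reply; returns the alerts it raised.
    std::vector<Alert> Observe(const SeenReply& r) {
        std::vector<Alert> alerts;
        if (blocked_.count(r.senderMac)) {  // node already cut off: ignore
            ++ignored_;
            return alerts;
        }
        // Correlation analysis: one IP must map to exactly one MAC.
        auto known = firstMac_.find(r.senderIp);
        if (known == firstMac_.end()) {
            firstMac_[r.senderIp] = r.senderMac;
        } else if (known->second != r.senderMac) {
            alerts.push_back({r.timeMs, "conflict",
                              r.senderIp + " claimed by " + known->second +
                              " and " + r.senderMac});
        }
        // Flood detection: replies per source MAC inside a sliding window.
        std::deque<int>& times = recent_[r.senderMac];
        times.push_back(r.timeMs);
        while (times.front() <= r.timeMs - windowMs_) times.pop_front();
        if (static_cast<int>(times.size()) > maxReplies_) {
            blocked_.insert(r.senderMac);
            alerts.push_back({r.timeMs, "flood", r.senderMac + " exceeded " +
                              std::to_string(maxReplies_) + " replies per window"});
        }
        return alerts;
    }

    bool IsBlocked(const std::string& mac) const { return blocked_.count(mac) > 0; }
    int Ignored() const { return ignored_; }

private:
    int windowMs_;
    int maxReplies_;
    int ignored_ = 0;
    std::map<std::string, std::string> firstMac_;   // IP -> first MAC seen
    std::map<std::string, std::deque<int>> recent_; // MAC -> recent reply times
    std::set<std::string> blocked_;
};

struct Summary {
    int conflicts;
    int floods;
    int ignored;
};

// Constructed capture: the genuine reply for 10.1.1.2 at 450 ms, then seven
// forged replies one second apart (count and interval as in Table 5).
Summary AnalyzeConstructedCapture(ArpMonitor& mon) {
    std::vector<SeenReply> capture;
    capture.push_back({450, "10.1.1.2", "00.00.00.00.00.01"});
    for (int i = 1; i <= 7; ++i)
        capture.push_back({i * 1000, "10.1.1.2", "00.00.00.00.00.02"});

    Summary s{0, 0, 0};
    for (const SeenReply& r : capture) {
        for (const Alert& a : mon.Observe(r)) {
            if (a.kind == "conflict") ++s.conflicts;
            if (a.kind == "flood") ++s.floods;
        }
    }
    s.ignored = mon.Ignored();
    return s;
}

int main() {
    ArpMonitor mon(5000, 3);  // at most 3 replies per MAC per 5 s (assumed)
    Summary s = AnalyzeConstructedCapture(mon);
    return (s.floods == 1 && mon.IsBlocked("00.00.00.00.00.02")) ? 0 : 1;
}
```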


References

[1] S. Bhirud and V. Katkar, "Light weight approach for IP-ARP spoofing detection and prevention," Second Asian Himalayas International Conference on Internet (AH-ICI), Kathmandu, 2011.

[2] M. Ahmed, B.-S. Ashraf and R. K. Vamshi, "Mitigating ARP Spoofing Attacks in Software-Defined Networks," ICCTA, Alexandria, Egypt, 2015.

[3] J.-C. Lin, M.-J. Koo and C.-S. Wang, "A Proposal for a Schema for ARP Spoofing Protection," ICETI, Taiwan, 2012.

[4] Wikipedia, "OSI model," 2018.

[5] C. P. David, "An Ethernet Address Resolution Protocol," IETF, 1982.

[6] Q. Zhang, "Summary of TCP/IP," 2018.

[7] "ns-3," [Online]. Available: https://www.nsnam.org.

[8] "Cisco.com," [Online]. Available: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/dynarp.pdf.


Appendix

Project Link

Our project: https://github.com/Dark-Rinnegan/ns3-arp-spoofing

Project Source Code

/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation;
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 */

#include "ns3/core-module.h"
#include "ns3/network-module.h"
#include "ns3/csma-module.h"
#include "ns3/internet-module.h"
#include "ns3/point-to-point-module.h"
#include "ns3/applications-module.h"
#include "ns3/ipv4-global-routing-helper.h"
#include <iostream>
#include <sstream>

using namespace ns3;

NS_LOG_COMPONENT_DEFINE ("arp1");

// Simulated attacker application: periodically sends a forged ARP reply.
// It calls ArpL3Protocol directly, which relies on the locally modified
// ns-3 source described in the Problems section.
class AttackApp : public Application
{
public:
  AttackApp ();
  virtual ~AttackApp ();

  void Setup (Ptr<Node> aNode, Ptr<NetDevice> aDev, Ptr<Ipv4Interface> iface,
              Ipv4Address addr, Ipv4Address vAddr, Address vMac);

private:
  virtual void StartApplication (void);
  virtual void StopApplication (void);
  void ScheduleTx (void);
  void SendPacket (void);

  Ptr<Node> m_node;
  Ptr<NetDevice> m_device;
  Ptr<Ipv4Interface> m_iface;
  Ipv4Address m_fakeAddr;   // IP address claimed in the forged reply

  // victim info
  Ipv4Address m_vAddr;
  Address m_vMac;

  EventId m_sendEvent;
  bool m_running;

  ArpL3Protocol m_attacker;
  Ptr<ArpCache> m_arpCache;
};

AttackApp::AttackApp ()
  : m_node (),
    m_device (),
    m_iface (),
    m_fakeAddr (),
    m_vAddr (),
    m_vMac (),
    m_sendEvent (),
    m_running (false)
{
}

AttackApp::~AttackApp ()
{
}

void
AttackApp::Setup (Ptr<Node> aNode, Ptr<NetDevice> aDev, Ptr<Ipv4Interface> iface,
                  Ipv4Address addr, Ipv4Address vAddr, Address vMac)
{
  m_node = aNode;
  m_device = aDev;
  m_iface = iface;
  m_fakeAddr = addr;
  m_vAddr = vAddr;
  m_vMac = vMac;
}

void
AttackApp::StartApplication (void)
{
  // initialize the attacker
  m_attacker.SetNode (m_node);
  m_arpCache = m_attacker.CreateCache (m_device, m_iface);

  m_running = true;
  SendPacket ();
}

void
AttackApp::StopApplication (void)
{
  m_running = false;

  if (m_sendEvent.IsRunning ())
    {
      Simulator::Cancel (m_sendEvent);
    }
}

void
AttackApp::SendPacket (void)
{
  m_attacker.SendArpReply (m_arpCache, m_fakeAddr, m_vAddr, m_vMac);
  std::cout << "stucked here" << std::endl;
  ScheduleTx ();
}

void
AttackApp::ScheduleTx (void)
{
  if (m_running)
    {
      // send the next forged reply after 1000 ms
      Time tNext (MilliSeconds (1000));
      m_sendEvent = Simulator::Schedule (tNext, &AttackApp::SendPacket, this);
    }
}

int
main ()
{
  LogComponentEnable ("UdpClient", LOG_LEVEL_INFO);
  LogComponentEnable ("UdpServer", LOG_LEVEL_INFO);
  LogComponentEnable ("ArpL3Protocol", LOG_LEVEL_INFO);
  LogComponentEnable ("ArpHeader", LOG_LEVEL_INFO);
  LogComponentEnable ("arp1", LOG_LEVEL_INFO);

  uint32_t nPackets = 3;
  uint32_t packetInt = 1000;
  uint32_t propDelay = 200;
  uint32_t delayT = 0;
  uint32_t serverStart = 5;   // Server start time in ms
  uint32_t clientStart = 50;  // Client start time in ms
  // Stop the simulation once all packets have been received
  uint32_t stopTime = (clientStart) + (nPackets * packetInt) + (10 * propDelay) + delayT;

  Ptr<OutputStreamWrapper> stdOutput (new OutputStreamWrapper (&std::cout));

  uint32_t nCsma = 3;
  uint32_t attackerId = 2;
  uint32_t serverId = 1;
  uint32_t victimId = 0;

  Address victimAddr;

  NodeContainer csmaNodes;
  csmaNodes.Create (nCsma);

  CsmaHelper csma;
  csma.SetChannelAttribute ("DataRate", StringValue ("100Mbps"));
  csma.SetChannelAttribute ("Delay", TimeValue (NanoSeconds (6560)));

  NetDeviceContainer csmaDevices = csma.Install (csmaNodes);

  // define the MAC addresses
  std::stringstream macAddr;
  for (uint32_t i = 0; i < nCsma; i++)
    {
      macAddr << "00:00:00:00:00:0" << i;
      Ptr<NetDevice> nd = csmaDevices.Get (i);
      Ptr<CsmaNetDevice> cd = nd->GetObject<CsmaNetDevice> ();
      cd->SetAddress (ns3::Mac48Address (macAddr.str ().c_str ()));
      // take a copy of victim addr
      if (i == victimId)
        victimAddr = cd->GetAddress ();
      std::cout << macAddr.str () << std::endl;
      macAddr.str ("");  // reset the stream for the next address
    }

  InternetStackHelper stack;
  stack.Install (csmaNodes);

  Ipv4AddressHelper address;
  address.SetBase ("10.1.1.0", "255.255.255.0");
  Ipv4InterfaceContainer csmaInterfaces;
  csmaInterfaces = address.Assign (csmaDevices);

  // get IPV4 interface for the attacker
  std::pair<Ptr<Ipv4>, uint32_t> returnValue = csmaInterfaces.Get (attackerId);
  Ptr<Ipv4> ipv4 = returnValue.first;
  uint32_t index = returnValue.second;
  Ptr<Ipv4Interface> iface = ipv4->GetObject<Ipv4L3Protocol> ()->GetInterface (index);

  // construct attacker app
  Ptr<AttackApp> attacker = CreateObject<AttackApp> ();
  attacker->Setup (csmaNodes.Get (attackerId), csmaDevices.Get (attackerId), iface,
                   csmaInterfaces.GetAddress (serverId),
                   csmaInterfaces.GetAddress (victimId), victimAddr);
  csmaNodes.Get (attackerId)->AddApplication (attacker);
  attacker->SetStartTime (MilliSeconds (clientStart + delayT));
  attacker->SetStopTime (MilliSeconds (stopTime));

  // UDP server on node 1
  uint16_t port = 4000;
  UdpServerHelper server (port);
  ApplicationContainer apps = server.Install (csmaNodes.Get (1));
  Ipv4Address sourceAddr = csmaInterfaces.GetAddress (+1);
  apps.Start (MilliSeconds (serverStart + delayT));
  apps.Stop (MilliSeconds (stopTime));

  // UDP client on node 0
  uint32_t MaxPacketSize = 32;
  uint32_t maxPacketCount = nPackets;
  UdpClientHelper client (sourceAddr, port);
  client.SetAttribute ("MaxPackets", UintegerValue (maxPacketCount));
  client.SetAttribute ("Interval", TimeValue (MilliSeconds (packetInt)));
  client.SetAttribute ("PacketSize", UintegerValue (MaxPacketSize));
  apps = client.Install (csmaNodes.Get (0));
  apps.Start (MilliSeconds (clientStart + delayT));
  apps.Stop (MilliSeconds (stopTime));

  Ipv4GlobalRoutingHelper::PopulateRoutingTables ();

  csma.EnablePcapAll ("arp1");
  Simulator::Run ();
  Simulator::Destroy ();
  return 0;
}