ARP Spoof Detection System Using ICMP Protocol: an Active Approach

International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 3 Issue 5, May - 2014 ARP Spoof Detection System using ICMP Protocol: An Active Approach

1 2 Mr. Vinay K. R. M.Tech Mr. T. R. Muhibur Rahman Assoc Prof Dept of Computer Science & Engineering1 Dept of Computer Science & Engineering2 Ballari Institute of Technology & Management, Ballari Institute of Technology & Management, Bellary, India Bellary, India

Abstract—Address Resolution Protocol (ARP) is used by we are purposely injecting the packet to the network. The computers to map network addresses (IP) to physical addresses proposed technique actively interacts with the network to (MAC). ARP spoofing is the act of vindictively changing the IP- gauge the presence of ARP spoofing attacks. ARP protocol is MAC associations stored in ARP cache of any network host. This vulnerable to many different kinds of attacks. These attacks paper discusses ARP spoofing attack and some related works lead to loss of important information. With certain loopholes it about it first. On these bases, the paper proposed an efficient algorithm based on ICMP protocol to detect malicious hosts that has become easy to be attacked and with not so reliable are performing ARP spoofing attack. The technique includes security mechanism, confidentiality of data is being collecting and analyzing the ARP packets, and then injecting compromised. ICMP echo request packets to probe for malicious host according to its response packets. The rest of the paper is organized as follows. In section 2 ARP spoofing attack and several serious ARP attacks are Keywords—ARP cache; ARP protocol; ARP spoofing; libpcap; described. Section 3 provides an overview of currently dsniff; ICMP protocol available techniques to deal with ARP attacks. Section 4 discusses the proposed method. Section 5 describes the I. INTRODUCTION algorithm and finally in section 6 conclusions are made.

Address Resolution Protocol (ARP) is a protocol having simple architecture and have been in use since the advent of II. BACKGROUND Open System Interconnection (OSI) network architecture. IJERTIt’sIJERT The most commonly employed network frame architecture been working at network layer for the important dynamic is based on OSI model. Each layers service depends on the conversion of network address i.e. Internet Protocol (IP) varying protocols working at layers. But working of these address to physical address or Media Access Control (MAC) protocols to ensure complete security to the applications address. When a host wants to communicate with another host running has really become a challenging task for the whose hardware address it does not know, it broadcasts an developers and security professionals. There have been ARP request for the hardware address associated with the different efforts made in the field of network security to protocol address of the destination. And only the host with provide effective and reliable defensive mechanisms to control corresponding protocol address sends a unicast reply to the attacks being made of these protocols due to their lack of sender with its < protocol address, hardware address,> pair. ability to work and prevent themselves in complex and Obviously, ARP protocol plays a key role in local area insecure network. One such protocol is ARP working on network communication, but due to its own loopholes, it is network layer. Due to its architecture it cannot prevent itself often used as part of other serious attacks such as Man-in-the- from being attacked over LAN. Middle (MiM) attack, Denial of Service (DoS) attack. With a MiM attack, the attacker can sniff the traffic between two In order not to make the same request in the near future, victim hosts. With a DoS attack, the attacker makes a victim every host maintains a table called ARP cache to store the host deny communicating with others. So ARP spoofing attack address pairs learnt from the network. The host who issued the is becoming the most dangerous attack in the LAN [1]. There are two techniques for detecting ARP spoofing one is request will cache the address pair taken by the reply. There Passive technique and other is Active technique. In Passive are probably two types of entries in an ARP cache: Static entries which remain in the ARP cache until the system Detection we sniff the ARP requests/responses on the network reboots Dynamic entries which only remain in the ARP cache and construct a MAC address to IP address mapping database. for few minutes. Most operation systems allow creating a new If we notice a change in any of these mappings in future ARP entry by an ARP reply packet. All operation systems allow traffic then we raise an alarm and conclude that an ARP spoofing attack is underway. The main drawback of the update an old entry by an ARP request or reply packet [2].

passive method is a time lag between learning the address As ARP is a stateless protocol and its reply packets are not mappings and subsequent attack detection. In active method authenticated, all hosts blindly cache the ARP replies they

IJERTV3IS051581 www.ijert.org 1557 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 3 Issue 5, May - 2014

receive from the network. This mechanism provides cryptographic calculations as S-ARP uses Digital Signature convenient for malicious host. Attackers send forging ARP Algorithm (DSA). packets to the victim periodically to perform ARP spoofing M.Barnaba, Anticap [6] is a kernel patch for UNIX-based attack. In an ARP spoofing attack, the attacker sends ARP operating systems. It prevents ARP poisoning attacks by request or reply packets with fake mappings. For rejecting ARP updates that contain a different MAC address example, if a malicious host wants to sniff traffic sent from X from the current table entry for the same IP address. This to Y, he could send X an ARP packet with the address solution works only in static environment, and is available for mapping . Host X will cache the a limited number of operating systems. wrong address mapping and send data destined to Y to the Some high-end Cisco switches have a new feature which attacker instead. If the attacker also wants to know the allows the switch to drop ARP packets with invalid address bindings [7]. One disadvantage of this feature needs to send Y an ARP packet with address mapping . In order not to interrupt normal verify some ARP packets on all switches in the VLAN. communication between host X and Y, the attacker need to IV. THE PROPOSED ARCHITECTURE FOR DETECTING ARP enable IP packet routing to redirect the packet to the original SPOOFING destination host. If the attacker wants to perform a DoS attack, the attacker can poison the ARP cache of a host in the same The following sections describe the details of the architecture way. Every packet the host sends is sent to the attacker. Once we propose and tools which are used to achieve the task. the attacker receives the packet, he simply drops it, and A. The composition of the experiment is listed here: therefore, blocks the communication of the victim host [3].  Libpcap used as a Packet capture tool. III. RELATED WORKS  Dsniff used as a spoofing tool. Many efforts have been made and different methods have Libpcap is an open source library that provides a high level also been applied to prevent ARP spoofing attacks, but none interface to network packet capture systems. Libpcap runs on has been able to give satisfactory results. Different tools and most UNIX-like operating systems (Linux, Solaris). There is also a Windows version named Winpcap. Today, libpcap is architectures have been proposed but each have their own maintained by the Tcpdump Group [8]. feasibility issues. One simple but effective way to prevent ARP attacks is Dsniff is a collection of tools for network auditing and using static entries in the ARP cache. The drawbacks of this penetration testing [9]. solution are its low scalability. It does not work well in In this paper, we mainly use two types of packet: ARP dynamic environment and it would be a really heavy work for packet and ICMP ping packet. The headers are as follows: the network administrator to deploy and update these tables /*structure of Ethernet header*/ throughout the network especially when the network is big. struct ETHER_HEADER IJERTIJERT{ Gouda and C.-T. Huang [4] proposed the architecture to u_char dmac[6]; resolve IP addresses into MAC addresses over an Ethernet. u_char smac[6]; The proposed architecture consists of a secure server u_short type; connected to the Ethernet and two protocols: an invite–accept }; protocol and a request–reply protocol. Each computer /*structure of ARP header*/ connected to the Ethernet can use the invite–accept protocol to struct ARP_HEADER periodically record its IP address and its hardware address in { the database of the secure server. Each computer can later use unsigned short arp_hdw_type; the request–reply protocol to obtain the hardware address of unsigned short arp_pro_type; any other computer connected to the Ethernet from the unsigned char arp_mac_len; database of the secure server. This solution is not practical unsigned char arp_pro_len; because it requires changing the ARP protocol implementation unsigned short arp_opt_type; of every host with this new address resolution protocol. unsigned char arp_src_mac[6]; D. Bruschi, A. Ornaghi, and E. Rosti. Secure ARP protocol unsigned char arp_src_ip[4]; (S-ARP) [5] is a backward compatible extension to ARP. unsigned char arp_dst_mac[6]; Beginning with an ARP request, Cryptographic Link Layer unsigned char arp_dst_ip[4]; (CLL) applies public key cryptography to perform an initial } handshake between two hosts with the aim to establish a /*structure of ICMP header*/ security association. The two hosts prove their identity to each struct ICMP_HEADER other and exchange keying material. Here upon, secured IP { data packets may be sent. This solution involves cryptography byte i_type; to authenticate the origin of ARP packets. To implement this byte i_code; solution in a LAN, every host has to be modified to use S- ushort i_cksum; ARP instead of ARP. This is not scalable to update a stack ushort i_id; across all available operating systems. Another disadvantage ushort i_seq; of this method is that it has the additional overhead of };

IJERTV3IS051581 www.ijert.org 1558 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 3 Issue 5, May - 2014

B. Architecture V. THE DETECTION ALGORITHM FOR ARP SPOOFING As shown in Fig. 1, we adopt a modularized approach and 1: If packet type is 0X806 then ARP packet. divide our ARP spoofing detection system into the following 2: Store First IP-MAC entry into database. modules:  ARP Packet Sniffer Module: This module sniffs all 3: If (stored first entry == next obtained entry) { ARP packets from the Ethernet. Capture next packet}  IP-MAC Mapping Database: Initially first IP-MAC Else if (only IP matches) { entry is stored in this database and second entry is Send IP to ARP spoofing detection module} compared with database, If both entry matches it indicates Else (new IP entry) { no sign of ARP spoofing but if new MAC entry for same Store into database} IP entry it assumed to be spoofing hence we send that IP 4: ARP spoofing detection ( ) { entry to ARP spoofing detection module, and if new IP Send ICMP packet to obtained IP entry comes then it stored in database. If (reply comes) {  ARP Spoofing Detection Module: This is the main Host is legitimate} Detection module. We feed the IP entry for which new Else MAC entry came into it as input. This module send ICMP Malicious host and call response module ( ) packet to that IP address and if reply comes from that host } then it decides the host is legitimate else if reply doesn’t 5: Response module ( ) { come then decides the host is fake, with reply it obtains Alert message to network administrator real MAC and the database is updated with real MAC. } The details of the module will be discussed in Section C.  Response Module: This module is used to alert the VI. CONCLUSIONS network administrator the happening of ARP spoofing In this paper we study the theory of ARP spoofing attack attack and various existing techniques proposed to defend against this attack, and then, we proposed a comprehensive method to deal with ARP spoofing problem. As the method we proposed to probe the authenticity of every ARP packet is very active, the time delay between capturing the packets and detecting spoofing attack is minimum. We send one trap ICMP ping packet for each spoofed ARP packet on the network and then infer its authenticity according to the response to our packet. IJERT Our method can also detect correct IP-MAC address Fig. 1. ARP Spoofing detection architecture. IJERTmappings of both the true host and the malicious host during an actual attack. This technique is simple and efficient. C. ARP Spoofing Detection Module REFERENCES It works based on two rules as follows. [1] Stevens, TCP/IP Illustrated: vol. 1 (2001). Rule 1: The NIC of a host only accepts packets with its [2] Zouheir Trabelsi and Khaled Shuaib, “Spoofed ARP Packets Detection own hardware address, broadcast address, and subscribed in Switched LAN Networks”. pp. 81–91, 2008. multicast addresses. The network layer only accepts IP packets [3] T. Demuth and A. Leitner, “ARP spoofing and poisoning: Traffic tricks” addressed to its IP address and will drop the other packets Linux Magazine, 56: 26–31, July 2005. silently. For example, there is a host with MAC address X and [4] M. Gouda and C.-T. Huang, “A secure address resolution protocol”, IP address Y, it would accept packet with destination MAC Computer Networks, 41(1):57–71, Jan 2003. address X and destination IP address Z as the destination [5] D Bruschi, A. Ornaghi, and E. Rosti, “S-ARP: A secure address resolution protocol”, In Proceedings of the19th Annual Computer MAC address matches, but still discard the packet as the Security Applications Conference (ACSAC ’03), Dec. 2003. destination IP address doesn’t match, without sending any [6] M.Barnaba.anticap, . error messages back to the source host. [7] Cisco Systems. Configuring Dynamic ARP Inspection, chapter 39, pages Rule 2: Hosts with enabled IP packet routing will forward 39:1–39:22, 2006. [8] Luis Martin Garcia, “Programming with Libpcap”, 2008. the packet to the destination host. All legitimate hosts in the [9] http://images.ihackmyi.com/news/steve/hacks/dsniff_faq.pdf network do not enable IP packet routing and will response back after it receives an ICMP echo request packet. Based on the two rules, we can verify the ARP packets we’ve got whether they are real or fake packets.

IJERTV3IS051581 www.ijert.org 1559