A Hardware Approach for Detecting the ARP Attack
M. M. Dessouky, W. Elkilany, and N. Alfishawy
Faculty of Electronic Engineering - Computer Science Department, Menoufeya University, Menouf, Egypt
[email protected]
Abstract—This paper describes the Address Resolution Protocol (ARP) and the ARP cache poisoning (ARP spoofing) problem, and presents a proposed architecture for detecting ARP attacks. In addition, it discusses a set of techniques used to detect ARP poisoning attacks on switched Ethernet networks. A new practical technique is suggested that adds an external hardware element to the LAN to work as a sniffer. These external elements are combined in an architecture for practical implementation in a production network. Results from laboratory and real-world detection experiments using several popular attack tools are also presented. The obtained practical results show that the practical board works successfully for detecting the ARP attack.
I. INTRODUCTION
The ARP (Address Resolution Protocol) [1,2] is a network layer protocol of the Open Systems Interconnection (OSI) model that is used by hosts on a Local Area Network (LAN) to dynamically map an IP (Internet Protocol) address (logical address) to a MAC (Media Access Control) address (physical machine address). ARP is an independent protocol that connects directly to the physical layer and the network layer to provide the mapping between IP and MAC addresses. When a host wants to know the physical address of another host in the LAN, it broadcasts an ARP request; the host that owns the IP address sends a unicast ARP reply indicating its MAC address. Each host maintains a table, called the ARP cache, used to convert IP addresses to MAC addresses. ARP has proved to work well under regular circumstances, but ARP is a stateless protocol: every time a host gets an ARP reply from another host, even though it has not sent an ARP request for that reply, it accepts the ARP entry and updates its ARP cache. The process of updating a target host's ARP cache with a forged entry is referred to as poisoning. The attacker sends a forged ARP reply with host B's IP address and the attacker's MAC address to host A. In addition, the attacker sends a forged ARP reply with host A's IP address and the attacker's MAC address to host B. The traffic between hosts A and B then goes through the attacker, allowing sniffing. This attack can be performed between a host and a router as well.
This paper is organized as follows: the problem definition and the types of ARP attacks are described in Part 2. Part 3 covers the methods for securing ARP. Part 4 presents the suggested practical implementation for detecting the ARP attack. Part 5 compares the existing schemes with the proposed practical technique, followed by the conclusions and the relevant references.

II. PROBLEM DEFINITION
The Address Resolution Protocol (ARP) [1, 3] is used by computers to map network addresses (IP) to physical addresses (MAC); it adapts between the IP and MAC layers to translate between 32-bit IP addresses and 48-bit MAC addresses. ARP is a simple protocol whose operation depends on the following:
- First, the host that wants to learn the MAC address of another host broadcasts an ARP request on the network: "Who has IP x.x.x.x? Tell MAC mm.mm.mm.mm.mm.mm", as shown in Fig. 1(a).
- Second, all the other hosts in the LAN receive the request. The host with the given IP answers back with a unicast ARP reply: "I have IP x.x.x.x. My MAC is xx:xx:xx:xx:xx:xx", as shown in Fig. 1(b).
The host that issued the request caches the (IP, MAC) pairing in a local ARP cache (ARP table) so that it does not have to make the same request in the near future. ARP cache entries expire (typically after 20 minutes). Some operating systems reset the expiration timer of an ARP entry every time they use it [3,4].
There are special cases of ARP requests/replies that do not work as described above: proxy ARP and gratuitous ARP.
- Proxy ARP [3, 5] was designed to allow the implementation of transparent subnet gateways. Using proxy ARP, a host can contact another host on the other side of a router, even if the original host does not have a default gateway configured. The basic idea is that the router is configured to reply to ARP requests on behalf of the hosts on the other side of the router.
- Gratuitous ARP [3, 6] is an ARP message sent by a host, directed to its own IP address. Hosts commonly use this type of message when joining a network with a dynamically assigned IP address, to confirm that the newly assigned IP address is not currently in use by another host in the network.
Fig. 1(a): ARP Request
Fig. 1(b): ARP Reply
Fig. 1: ARP Protocol Request / Reply
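The request/reply exchange and the cache behaviour described in this section, as an added example that is not part of the paper: a C++ encoder and a strict decoder for the 42-byte IPv4-over-Ethernet ARP frame (the length and header checks a sniffer should apply before trusting any address field), the request and reply builders, and a small ARP cache with the 20-minute expiry the text mentions. The names (encode, decode, makeRequest, makeReply, ArpCache), all MAC and IP addresses, and the clock values are assumptions constructed for the example; nothing is read from a network interface.

```cpp
// Added example (not from the paper): encode/decode of the ARP request and
// reply described in Section II, plus a cache with 20-minute entry expiry.
// All addresses and frame bytes below are constructed; there is no network I/O.
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <map>
#include <vector>

using Mac = std::array<uint8_t, 6>;
using Ip4 = std::array<uint8_t, 4>;

// Fields of an Ethernet (14 bytes) + ARP (28 bytes) frame for IPv4 over Ethernet.
struct ArpPacket {
    Mac ethDst, ethSrc;
    uint16_t opcode;          // 1 = request, 2 = reply
    Mac senderMac; Ip4 senderIp;
    Mac targetMac; Ip4 targetIp;
};

const Mac kBroadcast = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
const Mac kZeroMac   = {0, 0, 0, 0, 0, 0};

static void put16(std::vector<uint8_t>& b, uint16_t v) {
    b.push_back(static_cast<uint8_t>(v >> 8));
    b.push_back(static_cast<uint8_t>(v & 0xff));
}

// Serialise to wire order (all multi-byte fields big-endian).
std::vector<uint8_t> encode(const ArpPacket& p) {
    std::vector<uint8_t> b;
    b.insert(b.end(), p.ethDst.begin(), p.ethDst.end());
    b.insert(b.end(), p.ethSrc.begin(), p.ethSrc.end());
    put16(b, 0x0806);                 // EtherType: ARP
    put16(b, 1); put16(b, 0x0800);    // HTYPE Ethernet, PTYPE IPv4
    b.push_back(6); b.push_back(4);   // HLEN, PLEN
    put16(b, p.opcode);
    b.insert(b.end(), p.senderMac.begin(), p.senderMac.end());
    b.insert(b.end(), p.senderIp.begin(), p.senderIp.end());
    b.insert(b.end(), p.targetMac.begin(), p.targetMac.end());
    b.insert(b.end(), p.targetIp.begin(), p.targetIp.end());
    return b;
}

// Strict parse: check length and header constants before reading any address
// field. Returns false for anything malformed or not IPv4-over-Ethernet ARP.
bool decode(const std::vector<uint8_t>& b, ArpPacket& p) {
    if (b.size() < 42) return false;
    if (b[12] != 0x08 || b[13] != 0x06) return false;                            // not ARP
    if (b[14] != 0 || b[15] != 1 || b[16] != 0x08 || b[17] != 0x00) return false; // not Ethernet/IPv4
    if (b[18] != 6 || b[19] != 4) return false;                                  // wrong address lengths
    p.opcode = static_cast<uint16_t>((b[20] << 8) | b[21]);
    if (p.opcode != 1 && p.opcode != 2) return false;
    std::memcpy(p.ethDst.data(), &b[0], 6);
    std::memcpy(p.ethSrc.data(), &b[6], 6);
    std::memcpy(p.senderMac.data(), &b[22], 6);
    std::memcpy(p.senderIp.data(), &b[28], 4);
    std::memcpy(p.targetMac.data(), &b[32], 6);
    std::memcpy(p.targetIp.data(), &b[38], 4);
    return true;
}

// "Who has want? Tell myIp": broadcast frame, target MAC still unknown (zero).
ArpPacket makeRequest(const Mac& me, const Ip4& myIp, const Ip4& want) {
    return {kBroadcast, me, 1, me, myIp, kZeroMac, want};
}

// "I have targetIp, my MAC is ownerMac": unicast back to the asker.
ArpPacket makeReply(const ArpPacket& req, const Mac& ownerMac) {
    return {req.senderMac, ownerMac, 2, ownerMac, req.targetIp, req.senderMac, req.senderIp};
}

// ARP cache whose entries expire a fixed time after they were learned
// (20 minutes by default, as in the text); `now` is seconds from any epoch.
class ArpCache {
public:
    explicit ArpCache(long ttlSeconds = 20 * 60) : ttl_(ttlSeconds) {}
    void learn(const Ip4& ip, const Mac& mac, long now) { table_[ip] = {mac, now + ttl_}; }
    bool lookup(const Ip4& ip, long now, Mac& out) const {
        auto it = table_.find(ip);
        if (it == table_.end() || now >= it->second.expiresAt) return false;
        out = it->second.mac;
        return true;
    }
private:
    struct Entry { Mac mac; long expiresAt; };
    std::map<Ip4, Entry> table_;
    long ttl_;
};

int main() {
    const Mac hostA = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};   // constructed address
    const Mac hostB = {0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb};   // constructed address
    const Ip4 ipA = {10, 0, 0, 2}, ipB = {10, 0, 0, 1};
    ArpPacket req{}, rep{};
    decode(encode(makeRequest(hostA, ipA, ipB)), req);       // A asks for B's MAC
    decode(encode(makeReply(req, hostB)), rep);              // B answers unicast
    ArpCache cache;
    cache.learn(rep.senderIp, rep.senderMac, 0);
    Mac m;
    std::printf("reply opcode %u, cached at 1 s: %d, cached at 1200 s: %d\n",
                rep.opcode, cache.lookup(ipB, 1, m), cache.lookup(ipB, 1200, m));
    return 0;
}
```

The decoder rejects truncated frames and non-ARP EtherTypes outright; a monitor that reads address fields from an unchecked buffer is itself a target for malformed input on the wire.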
2.1 ARP Attack Types
There are two types of ARP attacks that may be performed on the ARP cache table:
1- ARP Poisoning: the attacker sends a forged ARP reply to ARP queries with a MAC address that is not a valid destination for any node on the local subnet.
2- ARP Spoofing: the attacker corrupts the cache on two nodes in the same subnet, so all traffic between the two nodes gets routed and forwarded through the attacker.
ARP is a stateless protocol by design [3], [6], i.e., a reply may be processed even though the corresponding request was never sent. When an ARP reply is received, the host updates its ARP cache even if it had not sent a corresponding ARP request. The attacker may therefore easily change the association contained in a host's ARP cache. Since each host assumes its local cache to be trustworthy, the poisoned host will send IP packets encapsulated in Ethernet frames with a wrong destination MAC address, so the attacker may receive all the frames originally directed to some other host. If the cache of the real destination host is also poisoned, both communication flows are under the attacker's control. The attacker becomes a two-way man in the middle, who can forward the received packets to the correct destination after reading them and can modify them. The two end points of the connection will not notice the extra hop added by the attacker if the packet TTL is not decremented. The attacker first needs to make the victim add a new entry to its cache, by sending a forged ICMP (Internet Control Message Protocol) echo request. When the victim receives the forged ICMP echo request, it replies with an ICMP echo reply, which first requires resolving the IP address of the original ICMP request into an Ethernet address, thus creating an entry in the cache. The attacker can now update it with an unsolicited ARP reply.
ARP poisoning is also possible in switched networks. A layer 2 switch accepts the traffic that comes into each port and directs it only to the port to which the destination host is connected, except for broadcast messages, which are sent to all ports. Therefore sniffing is no longer possible by simply configuring the network interface in promiscuous mode. However, it is possible to poison a host's cache by sending it an unsolicited ARP reply containing the attacker's MAC address. The same can be done against two hosts at the same time, thus allowing an attacker to intercept all the traffic between those two hosts without the switch realizing it. This is called ARP spoofing, as shown in Fig. 2. In Fig. 2(a) the host wants to send data to IP 10.0.0.1 but does not know the MAC address, so it sends an ARP request to all hosts asking for the MAC address of IP 10.0.0.1. The device that has that IP responds with its MAC address, as in Fig. 2(b), but because ARP is a stateless protocol the attacker also sends a forged ARP reply claiming that the IP is its own and giving its MAC address. So the ARP cache table is poisoned with a forged entry, as shown in Fig. 2(c). Then the path between the two hosts goes through the attacker, as shown in Fig. 2(d).

III. METHODS FOR SECURING ARP
The existing schemes to secure ARP, in order to detect ARP cache poisoning and prevent it, can be divided into schemes that concentrate on the detection of the problem and those that aim at preventing or blocking the attacks. In this paper we concentrate on the detection of ARP attacks.
Fig. 2: ARP Cache Poisoning (Man-In-The-Middle) Attack; panels (a), (b), (c), (d)

IV. DETECTING ARP ATTACKS
There are many tools, like arpwatch [3, 7], that can be used to detect suspicious ARP traffic. With arpwatch, the network administrator is alerted via e-mail when (IP, MAC) address pairings change. This tool is very lightweight and widely available, but it depends on the network administrator being able to differentiate between non-forged events and ARP cache poisoning attacks, and also on his ability to take appropriate action in the time elapsed when an attack occurs. Intrusion Detection Systems (IDSs) like Snort [3,8] are usually able to detect ARP attacks and inform the administrator by generating an appropriate alert or alarm. The main problem with IDSs is that they tend to generate a high number of false positives (alarms that turn out not to be part of attacks), so for them to be effective the company must put somebody in charge of dealing with these events. While IDSs are a good option for enhancing security, their ability to detect ARP poisoning is limited, as they may not be able to detect all types of the attack.
Carnut et al. [3,9] proposed an architecture for the detection of ARP spoofing attacks on switched networks. Their architecture requires no special software to be installed on the network hosts. Instead, it delegates the task of detection to one or more detection stations. Their experiments showed that the architecture was very good at detecting ARP attacks without generating false positives. However, attackers could hide behind volume traffic to remain undetected for reasonably long periods. ARP-Guard [3,10] uses a sensor-based architecture to detect several internal network attacks, including ARP attacks. The management system alerts administrators when an ARP attack is detected from the analysis of the information received from the LAN and SNMP (Simple Network Management Protocol) sensors. MAC spoofing attacks can be detected by sending an Inverse ARP (InARP) request for a MAC address
V. PRACTICAL IMPLEMENTATION FOR DETECTING THE ARP ATTACK
In the experiment, the board shown in Fig. 3 has been used and prepared to detect the attack by downloading C++ code into the board through the JTAG interface. The board also supports code debugging with modern IDEs such as Keil and IAR Workbench through a special cable called ARM-JTAG, with an external power supply for the board.

Fig. 3: The practical board

The main features of this board can be summarized as follows [14]:
- MCU: LPC2294 16/32 bit ARM7TDMI-S with 256K Bytes Program Flash, 16K Bytes RAM, EXTERNAL MEMORY BUS, RTC, 4x 10 bit ADC 2.44 uS, 2x UARTs, 4x CAN, I2C, SPI, 2x 32bit TIMERS, 7x CCR, 6x PWM, WDT, 5V tolerant I/O, up to 60MHz operation
- Standard JTAG connector with ARM 2x10 pin layout for programming/debugging with ARM-JTAG
- Optional TRACE connector (not assembled)
- 1MB (256Kx32bit) 12 ns 71V416 SRAM (for 1MB version)
- 8MB (2Mx32bit) 70 ns K1S321611C PSRAM (for 8MB version)
- 2MB (256Kx16bit) 70ns TE28F160C3BD70 C3 INTEL FLASH
- LCD 16x2 DISPLAY with BACKLIGHT (1MB version)
- NOKIA 6610 TFT 128x128 12bit color LCD with backlight (8MB version)
- SD/MMC card connector
- USB to RS232 convertor, board can take power from USB port
- RS232 driver and connector
- Ethernet 100Mbit with DM9000E
- 4x CAN drivers and connectors
- UEXT connector for Olimex modules connection: MOD-MP3, MOD-RFID125, MOD-NRF24L01 etc.
- RESET circuit with external control of Philips ISP utility via USB-RS232 virtual port
- Jumpers for boot select from external memory
- Jumpers for ISP/RUN mode
- 2 BUTTONS
- POTENTIOMETER connected to AIN0
- I2C 24LC515 EEPROM on board
- Two on-board voltage regulators, 1.8V and 3.3V, with up to 800mA current
- Cost about 5500 EP (1000$)

This board is an external element added to the network to improve the performance of attack detection: it is faster than the previous techniques and raises no false alarms. The detection scenario is described in the next section. The defense technique can be summarized as follows:
1- Building a dynamic table (dtable) that contains the IPs and MACs of the actual PCs in the LAN.
2- Checking every packet received from the Ethernet port to decide whether it is an attack or not.
3- Updating the dynamic table.
At the start, we prepare the board by implementing the technique using object-oriented programming, because of its large benefits. Then we compile the code, rebuild it, and download it to the board using JTAG. We used the Dsniff [13] tool, which is used for ARP spoofing and for generating forged ARP messages, and installed it with all its requirements (Libnids and Libnet) on Linux Fedora Core 8. We built the network by adding the board to it as a PC, connecting the Ethernet port of the board to a port of the switch as shown in Fig. 4.

Fig. 4: The proposed practical LAN with new ... (figure labels: Switch, Practical board)
VI. THE PROPOSED DETECTING ATTACK ALGORITHM STEPS
The proposed attack detection algorithm steps can be summarized in the following flowchart, reproduced here as the sequence of its boxes:
START
-> Downloading the C++ code into the board
-> Connecting the board to the switch and switching it ON
-> Giving the board an IP and subnet mask
-> See the static ARP table that is downloaded with the code into the board
-> Dtable is a dynamic table in the board mapping between IP and MAC
-> Search for attack: compare the dynamic Dtable with the static ARP table
-> Is Dtable = ARP table?
   YES: There is no attack
   NO: There is an attack; tell the administrator

The Experimental Result:
Now we discuss briefly the results of the practical proposed algorithm as follows:
1. Connecting the board to one port of the switch and the other devices to the other ports, as shown in Fig. 4.
2. Switching the board ON using the power supply and the buttons.
3. Giving the board an IP and subnet mask from the PC that is directly connected to it, using the command netconfig -c followed by the IP and mask. Example: netconfig -c 10.10.10.15 255.0.0.0. The result of the previous command is shown in Fig. 5.
Fig. 5: Inserting the IP and mask into the board
4. Previewing the static ARP table entries, using the command: arp -a. The result of the previous command is shown in Fig. 6.
Fig. 6: Printing the static ARP table
5. Another table, called dtable, maps IP to MAC and is obtained dynamically using the command: getdtable. The result of the previous command is shown in Fig. 7, displayed on the screen of the board.
Fig. 7: Printing the contents of the dynamic dtable
6. Ping from any PC in the LAN to the IP of the board from the DOS prompt with the command ping followed by the IP. For example: ping 10.10.10.1. The result for that example is given in Fig. 8.
Fig. 8: Ping result to the board
7. After preparing the board, we want it to watch the Ethernet port and search for attacks, i.e. whether any change has happened in the static ARP table, using the command: exit. Fig. 9 illustrates this on the screen of the board.
Fig. 9: Searching for attack
8. Until now we have only prepared the board and collected data, without any spoofing or hacking, and no attack has happened.
9. Dsniff [13] is a hacking tool that has been used to perform ARP spoofing (the man-in-the-middle attack) and to generate other types of attacks.
10. The board discovers any change to an (IP, MAC) pair by using the ARP table and dtable (the dynamic table). When a packet is received, the "search for attack" function is invoked automatically to check whether the packet comes from an attacker. If it does, a message is shown to the administrator giving the type of the attack and the IP and MAC of the attacker, and the attack-stopping technique is performed. Fig. 10 shows the search for attack reporting that no attack has happened.
Fig. 10: Searching for attack, and no attack is found
11. If an attack happens, the board can detect two types of attack. The first is two PCs in the same LAN having different IPs with the same MAC address, as shown in Fig. 11 on the board screen, which tells the administrator that an attack has happened. This attack is generated by the Dsniff tool.
12. The other type of attack the practical board can discover is two PCs in the same LAN having the same IP but different MACs, as shown in Fig. 12 on the board screen, which tells the administrator that an attack has happened. This attack is generated by the Dsniff tool.
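The comparison performed in steps 10 to 12 between the static ARP table loaded with the code and the dynamic dtable, written out as an added C++ example; this is not the board's firmware, and the names ArpMonitor, observe, runScenario and dtableMatchesStatic are assumptions. It takes ARP replies already decoded into (IP, MAC) string pairs, raises the two alerts the board reports (different IPs with the same MAC; the same IP with different MACs), and returns the (IP, MAC) pair that triggered the alert so the administrator message can name it. All observation sequences and addresses are constructed.

```cpp
// Added example (not the board's firmware): the "search for attack" comparison
// between the static ARP table loaded with the code and the dynamic dtable.
// Input is assumed to be ARP replies already decoded into (IP, MAC) strings;
// every sequence of observations below is constructed for illustration.
#include <cstdio>
#include <map>
#include <string>
#include <utility>
#include <vector>

struct Observation { std::string ip; std::string mac; };

enum class Alert { None, SameMacDifferentIps, SameIpDifferentMacs };

struct Verdict {
    Alert alert = Alert::None;
    std::string ip, mac;      // the pair that triggered the alert (the suspected attacker)
};

class ArpMonitor {
public:
    // The static table lists the administrator's known (IP -> MAC) pairs of real PCs.
    explicit ArpMonitor(std::map<std::string, std::string> staticTable)
        : static_(std::move(staticTable)) {}

    // Feed one observed pair; returns an alert if it conflicts with what is known.
    Verdict observe(const Observation& o) {
        // Type 2 (step 12, Fig. 12): same IP, different MACs. The static table and
        // any earlier dtable entry say who owns the IP; a different MAC is the intruder.
        auto s = static_.find(o.ip);
        auto d = dtable_.find(o.ip);
        if ((s != static_.end() && s->second != o.mac) ||
            (d != dtable_.end() && d->second != o.mac)) {
            return {Alert::SameIpDifferentMacs, o.ip, o.mac};
        }
        // Type 1 (step 11, Fig. 11): same MAC, different IPs.
        auto m = macToIp_.find(o.mac);
        if (m != macToIp_.end() && m->second != o.ip) {
            return {Alert::SameMacDifferentIps, o.ip, o.mac};
        }
        dtable_[o.ip] = o.mac;        // consistent so far: update the dynamic table
        macToIp_[o.mac] = o.ip;
        return {};
    }

    // The flowchart's "Is Dtable = ARP table?" box: every learned pair must also
    // appear in the static table with the same MAC.
    bool dtableMatchesStatic() const {
        for (const auto& kv : dtable_) {
            auto s = static_.find(kv.first);
            if (s == static_.end() || s->second != kv.second) return false;
        }
        return true;
    }

private:
    std::map<std::string, std::string> static_;   // IP -> MAC, loaded with the code
    std::map<std::string, std::string> dtable_;   // IP -> MAC, learned from traffic
    std::map<std::string, std::string> macToIp_;  // MAC -> IP, reverse index for type 1
};

// Feed a whole sequence and stop at the first alert (what the administrator sees).
Verdict runScenario(ArpMonitor& mon, const std::vector<Observation>& obs) {
    for (const auto& o : obs) {
        Verdict v = mon.observe(o);
        if (v.alert != Alert::None) return v;
    }
    return {};
}

int main() {
    // Constructed LAN: two known PCs, then a third station claiming PC 2's IP.
    std::map<std::string, std::string> known = {
        {"10.10.10.1", "aa:aa:aa:aa:aa:01"}, {"10.10.10.2", "aa:aa:aa:aa:aa:02"}};
    ArpMonitor mon(known);
    Verdict v = runScenario(mon, {
        {"10.10.10.1", "aa:aa:aa:aa:aa:01"},
        {"10.10.10.2", "aa:aa:aa:aa:aa:02"},
        {"10.10.10.2", "cc:cc:cc:cc:cc:cc"}});   // second MAC claims PC 2's IP
    std::printf("alert=%d ip=%s mac=%s\n",
                static_cast<int>(v.alert), v.ip.c_str(), v.mac.c_str());
    return 0;
}
```

Two situations from Section II deserve attention when this check is deployed: a proxy ARP router legitimately answers for many IPs with one MAC and would raise the type 1 alert, and an IP reassigned by DHCP to a new machine changes the MAC behind an IP and would raise the type 2 alert. Keeping the static table current, and listing the gateway's MAC there, is what keeps such events from being reported as attacks.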
Fig. 12: Searching for attack, and attack is found (2 MACs with the same IP)

VII. COMPARISON OF EXISTING SCHEMES AND OUR TECHNIQUE
We can notice from Section 3 that no scheme can be used as an ideal solution for solving and detecting the ARP attack. Carnut et al. [3,9] could be ideal for reducing wrong alarms, but it needs a complex setup, and the authors have not made the software available yet. ARP-Guard [3, 10] may be a good choice, but it is not free. Other tools like arpwatch [3, 7] and Snort [3, 8] are free, but tend to generate a high number of false positives, increasing the work of the network administrator. The middleware approach proposed by Tripunitara et al. [3, 5] is not practical, as it requires changes on all the hosts in the network, and furthermore no implementation is widely available for download. In our proposed scheme we overcome wrong alarms and there is no complex setup: only our board is connected to a switch in the network, its cost is not expensive, it is faster than any software tool, and no host in the network needs to be changed, as shown in Table 1.

VIII. CONCLUSION
This paper describes briefly the problem of the ARP spoofing attack; several available solutions have been discussed. It gives a complete proposed hardware practical technique for detecting the ARP attack. A new practical board has been elaborated and a complete new program in the C++ language has been set up for that board. The obtained results indicate that the practical board works successfully and detects the ARP attack easily in negligible time. The proposed scheme overcomes wrong alarms and there is no complex setup: only our board in the network is connected to a switch, its cost is not expensive, it is faster than any software tool, and no host in the network needs to be changed.

REFERENCES
[1] D. Plummer. An Ethernet address resolution protocol, Nov. 1982. RFC 826.
[2] R. W. Stevens. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley Professional Computing Series, January 1994.
[3] Cristina L. Abad and Rafael I. Bonilla. An analysis on the schemes for detecting and preventing ARP cache poisoning attacks. IEEE, 2007.
[4] R. W. Stevens. TCP/IP Illustrated, vol. 1. Addison Wesley, 2001.
[5] M. Tripunitara and P. Dutta. A middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning. In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC '99), Dec. 1999.
[6] D. Bruschi, A. Ornaghi, E. Rosti. S-ARP: a secure ARP. http://security.dico.unimi.it/en/doctools/tools.html, 2003.
[7] L. N. R. Group. arpwatch, the Ethernet monitor program; for keeping track of Ethernet/IP address pairings. (Last accessed April 17, 2006.)
[8] Snort Project, The. Snort: The open source network intrusion detection system, 2006. (Last accessed April 17, 2006.)
[9] M. Carnut and J. Gondim. ARP spoofing detection on switched Ethernet networks: A feasibility study. In Proceedings of the 5th, Nov. 2003.
[10] ARP-Guard. (Last accessed April 17, 2006.)
[11] T. Demuth and A. Leitner. ARP spoofing and poisoning: Traffic tricks. Linux Magazine, 56:26-31, July 2005.
[12] Wesam Lootah, William Enck, and Patrick McDaniel. TARP: Ticket-based Address Resolution Protocol. IEEE, 2005.
[13] D. Song. dsniff. (Last accessed April 17, 2006.)
[14] http://www.olimex.com/dev/index.html
TABLE I: REQUIREMENTS FOR DIFFERENT SCHEMES, PERFORMANCE DEGRADATION AND USED MECHANISMS FOR EACH SCHEME.

| Scheme | Hosts on network | Switches | New or special device added to network | Performance degradation | Mechanism |
|---|---|---|---|---|---|
| Arpwatch [3,7] | N/A | Port mirroring | Special host with arpwatch installed | 0% | Sniffing and heuristic rules to generate alarms |
| Intrusion Detection Systems (Snort) [3,8] | N/A | Port mirroring | Special host with an IDS installed | 0% | Sniffing and heuristic rules to generate alarms |
| Carnut et al. [3,9] | N/A | Port mirroring | Special SW required | 0% | Sniffing and SNMP heuristics to generate alarms |
| ARP-Guard [3,10] | N/A | Port mirroring | An ARP-Guard LANSensor for every 8 switches | 0% | Sniffing and heuristics to generate alarms |
| Middleware approach [3,5] | Special middleware | N/A | N/A | 4% | Heuristics used to block ARP replies at receiver |
| Proposed scheme | N/A | N/A | The HW board is connected to a switch | 0% | Ping protocol to generate alarm |