Automatic Attack Detection and Correction System ...

Automatic Attack Detection and Correction System Development Teerapat Sanguankotchakorn, Senior member IEEE

Thanatorn Dechasawatwong

Telecommunications Field of Study School of Engineering and Technology Asian Institute of Technology, Thailand [email protected]

Telecommunications Field of Study School of Engineering and Technology Asian Institute of Technology, Thailand [email protected]

Abstract— Recently, there are increasingly numerous hacking techniques which are used to compromise the computer systems. One popular hacking technique is called Man-in-the-Middle attack [1]. This technique uses the weakness of ARP protocol [5] namely “ARP spoofing” to damage the users on both confidentiality and privacy issues. It does not only steal the sensitive information, but also leads to the collapse of the network communications. The current methods to secure the users are mainly only passive detections; for example, to monitor invalid MAC to IP addresses mappings, and give the alerts to the administrators. The main disadvantages of this method are the time lag between learning and detecting spoofing. Moreover, it does neither correct spoofing automatically, nor does it not resolve at the root of problems (the attacker’s host). In this work, we propose the algorithm called “SmartARP” to detect and correct the ARP spoofing attack. The algorithm works as follows: the constructed ARP-Request and TCP SYN packets are sent to the network to verify the inconsistencies. When the algorithm detects ARP spoofing, it will send the correct ARP packets to the victim’s hosts to correct their ARP caches automatically. In addition, the invalid ARP-Reply packets will be sent to update the attacker’s host to deny it. We measure the performance of our proposed techniques using various evaluation metrics such as Response time, Correction time, the Successful Correction ratio, CPU Usage and Network Utilization. It can be shown that our proposed techniques are fast, intelligent, scalable and reliable in detecting and correcting attacks. Keywords- TCP/IP; ARP protocol; ARP spoofing; ARP spoofing attack

I.

INTRODUCTION

A. Background The Internet, a network made up of millions of computers connected together, is growing rapidly every day. All the information on the Internet is distributed on millions of computers around the world. People can share their ideas and point of views across the world, thus providing wider commercial opportunity. However, the entire Internet is at risk from the hackers who are taking advantages from Internet flaws. For instance,

the hackers may imitate webpage of businesses such as bank or credit card companies to trick people into disclosing account numbers, passwords and other sensitive information. Moreover, the hackers may attempt to make a computer resource unavailable to its intended users using the method called Denial-of-Service attack [1]. They are able to attack computer networks and capture information or other secret data and redirect it to the systems under their control. Currently, one of the most critical problems is the Man-inthe-Middle attack [1][6]. It is a form of active eavesdropping in which the attacker makes independent connections with the victims, and relays messages between them. The attacker makes the victims believe that they are talking directly to each other over a private connection despite in fact the entire conversation is controlled by the attacker. The attacker is able to intercept all messages going between the two victims and inject new ones. It has been shown [1] that the Man-in-theMiddle attacks can significantly affect the security in an organization, and might cause other kinds of attacks such as Denial-of-Service or DNS spoofing [2]. Due to these problems, it is very important to explore the methods to protect against those attacks, and should have selfassessment standards for administrators to be able to determine the risks in the organization. There are many existing research works on the techniques to detect and protect the ARP spoofing attack from hackers [3-4,7-11]. In this paper, we propose the technique called SmartARP to detect, correct and reply to the ARP spoofing attack. We developed the program to verify our proposed algorithm. We measure the performance of our proposed algorithm using the criteria such as Response time, Correction time, the Successful Correction time CPU usage and the Network Utilization. This paper is structured as follows: Section 2 details the System Development and Measurements Tools. Section 3 describes the Simulation Network Model while Section 4 illustrates the Results and Discussion. Finally, the conclusion is made in Section 5. B. Related Works Secure ARP protocol (S-ARP) [4] is a backward compatible extension to ARP that relies on public-key cryptography to authenticate ARP replies. It was proposed as a replacement for the ARP protocol in order to deal with ARP spoofing. In order to be implemented in a LAN, every secured hosts have to be modified to use S-ARP instead of ARP.

The drawbacks of this method are scalability due to the network stack of all hosts in network and overhead of cryptographic calculations due to Digital Signature Algorithm (DSA). Gouda et al. [7] proposed the architecture for resolving IP addresses into hardware addresses over an Ethernet. This solution is not practical as it requires changing the ARP protocol implementation of every host with this new address resolution protocol. In addition, the secured server represents a single point of failure in the network, and becomes an obvious target for DoS attacks. Some high-end Cisco switches have a new feature called Dynamic ARP Inspection which allows the switch to drop ARP packets with invalid (IP, MAC) address bindings. The primary disadvantage of this solution is the high cost of switches. Moreover, it might not be possible to validate some ARP packets on all switches in the VLAN [8] [9]. Ebtables is a Linux utility used to create programmable bridging/switching devices to perform Ethernet frame filtering, among other things. It has been suggested that Ebtables can be used to implement ARP attack prevention mechanisms [11], but the efficiency of such method has not been studied. The main drawback of this approach is that this solution would only filter malicious ARP messages attempting to pass through the Linux box, while other areas of the network remain unprotected. In Addition, Ebtables rules to prevent ARP attacks are not widely available, and the administrator can easily make mistakes when programming the bridge/switch [10]. Passive Detection is one of the ARP spoofing detection methods. It sniffs the ARP-Requests and Replies on the network and constructs a MAC address to IP address mapping database [3]. If it observes any conflicts between new ARP traffic and (MAC-IP) mapping database, it concludes that an ARP spoofing attack is occurring. The drawbacks of this method are a time lag between learning the address mappings and unreliability. Active Detection is also one of the ARP spoofing detection methods [3]. It sniffs the ARP packets and constructs a MAC address to IP address mapping database. Before inputting the MAC-IP address mapping into the learnt database, it will verify the ARP packets by sending TCP SYN packets to source machines. This technique is faster, intelligent, scalable and more reliable in detecting attacks than the passive methods. In addition, hackers take advantages of some programs such as Nmap, Nessus, John the Ripper and SuperScan to attack and enumerate the computer systems. Occasionally, common softwares such as ActiveX or Java script are used by hackers as a hacking tool as well. Even Google which is one of the popular search-engines, is one of the best hacking tools, since to simply search in Google and other search engines can dig out sensitive/dangerous information about any sites, any servers and companies. This is often called Google hacking. II.

This is the main problem which causes the ARP spoofing attack. The typical behaviors of ARP spoofing attack are illustrated as follows: 1. An attacker broadcasts ARP-Requests into the entire network to collect the host’s information such as MAC and IP address mappings. 2. The attacker selects the pair hosts in order to intercept some information from them. 3. The attacker sends ARP-Requests to the pair victims by telling them a lie. After that the attacker sends periodic ARP-Replies to update ARP cache of the victims. 4. Due to the behaviors of ARP-Requests and ARP-Replies, the attacker can intercept packets of the pair victims successfully. B.

Software Application (SmartARP) and Requirements In this work, we develop network applications with .NET, using the C# programming language, because .NET is a capable platform on which to develop almost any solutions, and it offers substantial support for network programming. In fact, .NET has more intrinsic support for networking than any other platforms developed by Microsoft. Here, to deal with ARP attacks on switched LANs, the following requirements can be listed: • Require no change to be made to every host on the network (e.g., install special software on each host), as this may increase the administrative costs. • The use of cryptographic techniques should be minimized or avoided since it slows down ARP performance. • Prevention/blocking are preferred to detect, since the latter depends on how well the administrator is able to handle the alarms in an effective and timely manner. • Be widely available and easy to implement. • Costly hardware should be minimized as much as possible. • Solution should be backward compatible with ARP. • ARP-Requests/Replies should not be slowed down significantly. • All types of ARP attacks should be blocked. C. ARP Spoof Detection and Correction Architecture (AmartARP)

PROPOSED SYSTEM DESCRIPTION, ARCHITECTURE AND OPERATION

A.

ARP Protocol and Behavior of ARP Spoofing Attack due to Sniffing Packets ARP protocol is a stateless. Host’s ARP cache will be updated automatically every time when all ARP replies to hosts, even though they have not sent any ARP-Request. The ARP cache will be overwritten by a newer ARP-Reply. The hosts do not have a mechanism to authenticate their peers.

Figure 1. ARP Spoofing Detection and Prevention Architecture (SmartARP) (modified from [3])

Based on the architecture shown in Fig.1, the SmartARP can be classified into two phases: • ARP Spoof Detection Phase • ARP Spoof Prevention Phase ARP Spoof Detection Phase • ARP Sniffer module: used to capture all ARP traffics in broadcast network. • Invalid MAC Detection module: used to classify the ARP traffic into the valid and invalid MAC addresses. It detects the invalid MAC address by verifying MAC addresses in the Ethernet frame and ARP header. If both source and/or destination MAC addresses are not identical, it can be assured that there are ARP spoofed packets occurring. The valid MAC address packets will be sent to Host Database Detection module. • Host Database Detection module: used to filter the valid ARP traffic by comparing the IP-MAC address pairings of the valid ARP traffic with IP-MAC address pairings of the learnt Database. If there are any conflicts, it can be guaranteed that there are ARP spoofed packets. All the new IP-MAC address pairings, which are not in the learnt Database, are sent to the ARP Spoof Detection module. • ARP Spoof Detection module: This is the final verification module. The valid ARP header packets are input into it. These packets are classified into three categories: Full ARP cycle, Request and Reply Half Cycle packets. After applying the ARP Spoof Detection module, it will send the ARP entry to the Database module if the ARP entry is correct, or send it to Spoof Alarm module if it is incorrect. The Database module will add these verified MAC and IP addresses mapping into the database. The detailed ARP Spoof Detection Algorithm is mentioned in Section D. • Database module: the verified ARP packets will be added into the database. • Spoof Alarm module: This module is used to alert the administrators on detection of ARP spoofing attack. ARP Spoof Prevention Phase • ARP Cache Repair module: used to correct ARP cache of the victim’s hosts by sending ARP-Requests/Replies to overwrite ARP entries. When the SmartARP detects the forged ARP packets from the attacker, it will create and send ARP-Replies to the victim’s hosts to correct the ARP cache entries. • Reverse Attack module: an optional module. When an administrator desires to eliminate the malicious hosts from the network, it will send forged ARP-Replies to the attacker’s hosts for updating their ARP cache. The hosts, which have wrong MAC addresses in ARP cache, will not be able to communicate to the outside network (Denial-of-Service Attack). D. ARP Spoof Detection Algorithm As mentioned previously, three different ARP Cycle packets: Full ARP Cycle, Request and Reply Half Cycle

packets, which are detected in different methods by ARP Spoof Detection module, works based on the following rules: Rule 1: Firstly, the network interface of hosts will accept packets sent to its MAC address. If there are IP packets encapsulations, it will pass on these packets to the IP layer. The IP layer will accept IP packets to its IP address. If the accepted packet is a TCP packet, it will be passed on to the TCP layer. If the TCP layer receives TCP SYN packet, it will either reply back with a TCP SYN/ACK packet if the destination port is opened or with a TCP RST packet if the port is closed. Rule 2: The attacker can spoof ARP packets to update the victim’s cache, but he/she cannot stop the real host to reply from ARP-Requests sent to it which means that the real host is still alive on the network. Based on both rules, we can verify the source ARP packets whether they are real or forged packets. We will generate TCP SYN packets and send them on the network by using source MAC and IP addresses in ARP-Requests/Replies sent by the host. For example, the destination MAC and IP addresses in the created TCP SYN packet will be the source MAC and IP addresses advertised in the ARP-Request/Reply. The source MAC and IP addresses in the created TCP SYN packet would be the host running the ARP spoof detection (see Fig. 2).

Figure 2. ARP Spoofing Packet and TCP Verifying Packet

From Fig.2, the ARP-Reply is sent from a malicious host, and the SmartARP will verify packet by sending a TCP SYN packet to the source of ARP-Reply. When the attacker’s host receives the verified TCP SYN packet, its network stack silently discards the TCP SYN packet in accordance with Rule 1. Thus, the ARP Spoof Detection host does not receive any TCP responses within a specific time. As a result, the host sending ARP-Reply would be considered as an attacker. E. Smart ARP Application In this section, we detail the input of 3 cycles of ARP Spoof Detection Module. 1. Full ARP Cycle Full ARP Cycle packets are sent by the spoof detection’s host in order to collect the legitimate IP and MAC addresses of the other hosts in the entire network. It broadcasts ARPRequests into the network and may receive one or more Replies from living hosts. If ARP spoofing is on, both attacker and real host will reply back to the original ARP-Request. Then the SmartARP sends a constructed TCP SYN packet using the MAC and IP addresses information in the ARPReply packet(s) to each source address of both ARP-Replies. The SmartARP may receive two TCP packets as a response

since the attacker redirects the packet along with the real host. This situation can be identified as occurrence of packet spoofing. On the other hand, after the SmartARP broadcasts ARP-Requests to the network, if there is only one ARP-Reply from the real host, the SmartARP will send a TCP SYN packet to the source of ARP-Reply for confirmation. If the target is the real host, it will respond either TCP SYN/ACK or TCP RST packet to the SmartARP based on Rule 1. The program will add this entry into database as a legitimate MAC to IP address mapping. If the target does not respond anything within a specific time, it can be defined that the host is sending ARP spoofed packet. An administrator can react to the attacker by Reverse attack technique. 2. Request Half Cycle Request Half Cycle packets are sent by hosts in a network. It can be separated into two parts as follows: (a) ARP sends Request to the SmartARP: This is the ARP-Requests that were sent by the other hosts in a network to the SmartARP. They may come from attackers or legitimate users. The SmartARP would verify these packets by broadcasting ARP-Requests to the network and waiting for the responses. If ARP spoof is performing, the SmartARP will receive two ARPReplies. The first and second packets come from a legitimate user and attacker, respectively. Therefore, the SmartARP can verify these ARP-Replies by sending a TCP SYN packet to each source address of ARPReplies. This process is the same as the aforementioned Full ARP Cycle. (b) ARP sends Request to the other hosts: This is the ARPRequests that were sent by a computer host to the other hosts in a network. The requested packets may come from a malicious or legitimate user. The SmartARP will verify these packets by sending a constructed TCP SYN packet to the source MAC and IP addresses of the ARP-Request. If the source addresses are the real host’s addresses, the authentic hosts will respond either by TCP SYN/ACK, or TCP RST to the SmartARP. This response can be used to identify whether the packet is the reality or imitation. If there are not any responses within the appropriate time, the program will alert an administrator, and perform ARP Cache Repair technique automatically. The administrator can counteract to the attacker by Reverse attack as well. 3. Reply Half Cycle ARP-Reply Half Cycle would occur in two possible scenarios as follows: 1. A malicious attacker sends spoofed ARP packets to the victims. This is one of the most common techniques of ARP spoofing attack by sending periodic spoofed ARP-Replies to the victims in order that the spoofed address entry in the victim’s ARP cache never expires. 2. The detector (SmartARP) has missed the ARP-Request. This may occur if the SmartARP application is opened after the ARP-Request was sent. Therefore, it could only sniff the

ARP-Reply. The Reply Half Cycle can be divided into two situations as follows: (a) ARP sends Response to the SmartARP: This is the ARP-Replies that were sent by hosts in a network to the SmartARP. They may come from attackers or legitimate users. The detector would verify these packets by broadcasting ARP-Requests to the network and waiting for the responses. If ARP spoofing is performing, the SmartARP will receive two ARPReplies. The first and second packets come from a legitimate user and an attacker, respectively. Therefore, the SmartARP will verify these ARP-R Replies by sending a TCP SYN packet to each source address of ARP-Replies. If there are more than one TCP response packets, the SmartARP would be able to identify that there is spoofed packet. (b) ARP sends Response to the other hosts: This is the ARP-Replies that were sent by a computer host to the other hosts in a network. The replied packets may come from a malicious or legitimate user. The SmartARP will verify these packets by sending a constructed TCP SYN packet to the source MAC and IP addresses of the ARP-Reply. If the source addresses are manipulated by a malicious user, the attacker’s machine will silently discard this packet because the IP address is invalid, and does not correspond to any of the host’s addresses. When the SmartARP does not obtain any responses within the specific interval, it will alert to an administrator, and perform ARP Cache Repair technique automatically. The administrator can respond to the attacker by Reverse attack manually. III.

SOFTWARE USED AND SIMULATION NETWORK MODEL

A. ARP Spoofing Attack Simulation Softwares The software applications for testing are listed here: • VMware workstation Ver.6.02. • Installed Microsoft Window XP on VMware. • Installed Ubuntu version 8.04 on VMware. • CAIN application Ver.4.9.8: to simulate ARP spoofing attack. • Colasoft Packet Builder Ver.1.0: to simulate sending ARP and TCP/IP packets. • Wireshark Network Protocol Analyzer Ver.0.99.6a: to capture and analyze packets traffic. • SolarWinds Engineer’s edition Ver.8.0: to measure the system performance.

Figure 3. Proposed Network Simulation Structure

Fig.3 illustrates the proposed network structure to simulate the event of ARP spoofing attack. The attacker’s machine is running CAIN application which captures the sensitive information between the legitimate user (203.159.97.25), and the gateway router (203.159.97.1). When the attacker is capturing the data, the SmartARP alerts to an administrator, and sends repaired ARP packets to both victims automatically. Based on this action, we can prevent the attack completely. Moreover, the administrator can deny the attacker’s host via Reverse attack. The SmartARP may send a forged ARP packet, which is random MAC address, to the attacker’s machine. All these events can be illustrated step-bystep as follows: 1. The attacker is sniffing the sensitive information of both victims that communicate to each other (203.159.97.25 and 203.159.97.1) by sending forged ARP-Replies. 2. After the attacker sends forged ARP-Replies to the victims, ARP cache of the victim’s hosts will be changed (00:09:43:CA:0F:FF => 00:14:24:88:0A:3C). 3. Now, the attacker can steal usernames and passwords of victims successfully.

From Fig.4, we assume that ARP spoofing attack occurs in VLAN 10 while the SmartARP computer is connected to the mirror port of the switching device in order to observe the packets traffic of each VLAN. We use the software called “CAIN” to simulate ARP spoofing which attacks the SmartARP and the other hosts in the network. The SmartARP is used to detect and correct the attack. We install VMWare application on 2 machines where each machine performs 31 virtual victims; therefore, the total victims are 62 stations. The CAIN application is used to attack many victims running on virtual machine. SmartARP is used to detect and correct the attack. The number of victims are increased every two hosts to measure the performance. E. Devices Specifications The devices’ specifications used for evaluation are listed in Table 1 as follows: Table 1 Devices’ Specification Processor Ram SmartARP

Intel ® Pentium® 4 CPU 2.4 GHz

512 MB

MS-Windows XP Professional (5.1, 2600)

CAIN

Intel® Pentium® 4 CPU 1.6 GHz Intel ® Pentium® 4 CPU 3.0 GHz

512 MB

MS-Windows XP Professional (5.1, 2600) MS-Windows XP Professional (5.1, 2600)

Intel® Core ™ 2 duo CPU T7300@ 2.0GHz

3 GB

B. ARP Cache Repairing Simulation Colasoft software is used to create and send repaired ARP packets to the victim’s hosts to protect Man-in-the-Middle attack. After sending the repaired ARP packets, the ARP cache of victim’s hosts are changed again with the real MAC address (00:09:43:CA:0F:FF). C. Reverse Attack Simulation The administrator can deny the hosts identified as the malicious hosts by creating a forged ARP-Reply which is a random MAC address, and sending it to the attacker’s host periodically. Then, the ARP cache of the malicious host is updated with the forged MAC address. Based on this technique, the attacker will not be able to communicate with the outside world until he/she restarts the computer. The Colasoft application is used to simulate the Reverse attack technique. The ARP cache of the attacker’s host is updated with the forged MAC address (34-56-25-F5-9C-F8) sent by the SmartARP. D. Network Topology and Simulation Descriptions

Software

Victims*

Bandwidth Gauges

2 GB

MS-Windows XP Professional (5.1, 2600)

performance

Network Interface cards Two: one card for mirror port 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-tX) and another is SiS 900-Base PCI Fast Ethernet Adapter for Vlan port: IP(192.168.10.100) 10/100 Ethernet

Fast

Realtek RTL8139 Family PCI Fast Ethernet NIC. It runs VMWare Workstation v.6.5.1 which is enabling many hosts (MSWindows XP Marvell Yukon 88E8055 PCI-E Gigabit Ethernet

Note: *= 2 machines are used. We use HP J4121A ProCurve Switch 4000M, revision C.09.G2, ROM C.06.01 /sw/code/build/vgro(msanchez_v09)), Fast Ethernet 64 ports. It is configured to enable mirror port and SNMP services. F. System Performance Evaluation We use SolarWinds software application to evaluate the following various performance metrics: • Response Time: the time that the victim receives the first correct ARP packet from the SmartARP minus the time that the victim obtains the whole fake ARP packets from the attacker.

Figure 4. Proposed Network Topology (observe all VLANs)

62

58

54

50

46

42

38

34

30

26

Correct Time 25.000 20.000 15.000 C orrect Time 10.000 5.000

62

58

54

50

46

42

38

34

30

26

22

18

14

10

6

0.000 Number of Victims (hosts)

Figure 6. Correction Time

From Fig. 6, the Correction Time always raises when we increase the amount of victims from 2 to 62. The correction time is lower than 5 seconds when the number of machines is between 2 and 20, which is practical in general situation. (3) Successful Correction Ratio We simulate the total attack of 10 times in every number of victims. %successful correction 120% 100% 80% 60%

C orrect s ucces s ful

40% 20%

62

56

50

44

38

32

26

20

8

14

0% 2

B. The SmartARP Evaluation with the Proposed Network Topology In Fig. 4, we assume that the SmartARP detects and corrects the attack for only VLAN10. The CAIN application, installed on VLAN10, starts sending forged ARP-Replies every 30 seconds to update ARP cache of the victims. The SmartARP machine, which has two interface cards, detects the fake ARP packets passing through the mirror port, and sends repaired ARP packets on the VLAN interface automatically. We simulate the victim hosts by installing VMWare application on victim1 and victim2 hosts which are totally 62 virtual victims. In addition, we use the Bandwidth Gauges application, installed on the other machine, to measure the bandwidth of the system by using SNMP protocol. The simulation results are illustrated as follows:

From Fig. 5, the Response Time increases significantly till the amount of victims reaches 14 hosts. After that the response time changes gradually, with the mean value of 1.3 seconds. (2) Correction Time

2

A. The Software Implementation (Proof of Concept Code: SmartARP.cs) The following application is developed in order to demonstrate the feasibility of the ARP spoofing detection and prevention. It detects forge ARP packets and sends correct ARP packets to update ARP cache of victims. • The SmartARP configuration page: When we need to perform the SmartARP, we would select a monitoring interface to detect the ARP spoofing attack, and pick a VLAN interface to correct the attack on that VLAN. Then, we can adjust the time interval for updating the SmartARP’s database; we can set the waiting time of response packets. Moreover, we can select a TCP port of computers that we need to observe. • The SmartARP monitoring page: Firstly, the Real Host List illustrates the actual computers that the SmartARP collects from the local network. Secondly, the Victim List displays the computers which are attacked. It presents IP address, MAC address, Status, and Repaired Status. Finally, The Attacker List presents the attacker’s computer by detecting ARP packets that hackers send into the network. • The Logs of the application: It shows the real time working process of the SmartARP in every packet that the SmartARP sends or receives.

Figure 5. Response Time

C orrec t s uc c es s ful (%)

In all cases, the CAIN generates ARP-Replies to update ARP cache of the victims every default time interval (30 seconds) while the SmartARP detects and sends ARP-Replies to correct ARP cache of the victims as well.

22

18

14

Number of Victims (hosts)

RESULTS AND DISCUSSIONS

Correct Time (S)

IV.

Response Time

6

• CPU Usage: indicates how much of the CPU's capacity is in use. • Network Utilization: the ratio between the used bandwidth and the available bandwidth.

1.8 1.6 1.4 1.2 1 0.8 0.6 0.4 0.2 0 10

Amount of Successful Correction x100 Total Number of Attacks

Response Time

2

Successful Correction (%) =

(1) Response Time

Response Time (s )

• Correction Time: the total time that the SmartARP sends ARP packets to correct every victim’s ARP caches. • Successful Correction Ratio:

Number of victims (hosts)

Figure 7. The percentage of successful correction

From Fig.7, the percentage of Successful Correction is 100% when the number of victims is less than 38 stations whereas the SmartARP spends lower than 10 seconds of correction time. The Successful Correction Ratio decreases slightly when the number of victims exceeds 40. The lowest Successful Correction Ratio is about 50% when the number of victims is 60 stations whereas the Correction Time is lower than 20 seconds.

(4) CPU Usage

Victim1 utilization

62

58

54

50

46

42

SmartARP Utilization

0.03 0.025 0.02

S martARP Utilization

0.015 0.01 0.005 34 38 42 46 50 54 58 62

18 22 26 30

2 6 10 14

0 Number of victims (hosts)

Figure 9. SmartARP’s Network Utilization Cain Utilization 0.08 0.07 0.06 0.05 Cain Utilization

0.04 0.03 0.02 0.01 62

58

54

50

46

42

38

34

30

26

22

18

14

10

0 6

62

0.05 0.04 0.03

Victim2's utilization

0.02 0.01

Number of victims (hosts)

Figure 10. CAIN’s Network Utilization

62

50

56

38

44

26

32

8

14

0 Number of victims (hosts)

Figure 12. Victim-2’s Network Utilization

From Fig.9-12, it is obvious that the Network Utilizations of all applications are very low. Therefore, by implementing all proposed components, it does not affect the network system. The fluctuations in some points are due to the instability of traffics. V.

0.035

2

56

0.06

2

(5) Network Utilization The SmartARP, CAIN, and victims’ Network Utilizations are measured by the Bandwidth Gauges application using SNMP protocol. The maximum traffic of each port is 200 Mbps (including both sending and receiving). The media used for testing is UTP CAT5 100BASE-TX Ethernet. In order to simulate 62 machines in victim1 and victim 2’s scenarios, two VMWare applications are installed, since one VMWare application can accommodate up to only 31 virtual machines. We assume that each victim1 and victim2 has 31 virtual machines.

Victim2 utilization Network utiliz atio n (%)

We capture the CPU Usage while the SmartARP is detecting and correcting the attack. From Fig. 8, the CPU Usage of the SmartARP fluctuates around 80% in all number of victims. It can be concluded that the CPU usage does not depend on the number of victims.

Netwo rk utiliz atio n (%)

50

Figure 11. Victim-1’s Network Utilization

Figure 8. CPU Usage

20

38

34

30

26

22

18

14

6

10

2

Number of victims (hosts)

Number of victims (hosts)

Network utilization (%)

44

0 2

0%

0.01

38

20%

Victim1's utilization

0.02

32

40%

0.03

26

CP U Usage

0.04

20

60%

0.05

8

80%

0.06

14

C P U Usage (%)

100%

Network utilization (%)

CPU Usage

CONCLUSIONS

In this research, we study the various hacking techniques. One of the most critical problems is Man-in-the-Middle attack via ARP spoofing technique in LAN (local area network), because the attackers can intercept and manipulate all messages communicating between two victims. We propose the technique called SmartARP to detect and correct the ARP spoofing attack. The proposed SmartARP application works in the promiscuous mode, and filters only the ARP packages traffic. It verifies whether the Ethernet frame and ARP header have the same MAC addresses or not. If they are the same, ARP package will be re-checked by the learnt database. However, if the learnt database does not have the IP-MAC address pairings, the new ARP package will be sent to ARP Spoof Detection module in order to be re-verified again. We develop various software applications to simulate our proposed techniques and evaluate the performance of the application by simulation using the criteria namely Response Time, Correction Time, Successful Correction Ratio, CPU Usage and Network Utilization. Based on the simulation results, it can be concluded that our proposed techniques are fast, intelligent, scalable and reliable in detecting and correcting attacks. It can, for example, detect the ARP

spoofing attack and can correct 100% of the ARP caches of victims within 10 seconds at the 38 machines. Typically, when attackers want to steal the sensitive information, they always concentrate on a few targets, since they desire to get only the specific information. In addition, since more data will be redirected to the attacker’s machine which can cause their computers slowing down, therefore, it is obvious that the performance of the proposed SmartARP is acceptable in realistic. Moreover, the Network Utilization of all components is very low; therefore, it does not affect the network system under normal condition. REFERENCES [1] [2] [3]

Matthew Strebe: Network Security Foundations, SYBEX Inc, 2004. Doug Sax:DNS Spoofing (Malicious Cache Poisoning), 22 Oct 2008 . Vivek Ramachandran:Information System Security, Detecting ARP Spoofing: An Active Technique, ICISS 2005, Volume 3803/2005, ISBN: 978-3-540-30706-8, P.239-250, Springer Berlin / Heidelberg, 2005.

[4]

Danilo Bruschi, Alberto Ornaghi, Emilia Rosti, “S-ARP: a Secure Address Resolution Protocol, 19th Annual Computer Security Applications Conference, 2003, www.acsac.org/2003/papers/111.pdf. [5] David C. Plummer: An Ethernet Address Resolution Protocol, RFC-826, USC Information Science Institute, California, November 1982. [6] S. Whalen: An Introduction to ARP Spoofing, http://packetstormsecurity.org/papers/protocols/intro_to_arp_spoofing.p df [7] M. Gouda and C.-T. Huang.: A secure address resolution protocol, Computer Networks, January 2003. [8] Cisco Systems:Configuring Dynamic ARP Inspection, chapter 39, pages 1–22., Catalyst 6500 Series Switch Cisco IOS Sofware Configuration Guide, Release 12.2SX, 2006. [9] C. Schluting: Configure your Catalyst for a more secure layer 2, . (Last accessed November, 2008). [10] B. D. Schuymer: ebtables: Ethernet bridge tables, http://ebtables.sourceforge.net, March 2006. [11] M. Carnut and J. Gondim: ARP spoofing detection on switched Ethernet networks: A feasibility study, In Proceedings of the 5th Symposium on Security in Informatics., Nov, 2003.