Evaluation of Network Blocking Algorithm Based on ARP Spoofing and Its Application
Jahwan Koo (1), Seongjin Ahn (2), Younghwan Lim (3), and Youngsong Mun (3)
(1) School of Information and Communications Engineering, Sungkyunkwan Univ., Chunchun-dong 300, Jangan-gu, Suwon, Kyounggi-do, Korea, [email protected]
(2) Department of Computer Education, Sungkyunkwan Univ., Myeongnyun-dong 3-ga 53, Jongno-gu, Seoul, Korea, [email protected]
(3) School of Media, Sungsil University, Sangdo-Dong, Dongjak-Gu, Seoul, Korea
Abstract. Network resources such as IP addresses, MAC addresses, and hostnames can be misused because of weaknesses in the TCP/IP protocol suite and deficiencies in network management. There is therefore an urgent need to solve these problems from the viewpoint of network management and operation. In this paper, we propose a network blocking algorithm based on ARP spoofing and evaluate the robustness of this algorithm through various experiments. We have performed several experiments on the gratuitous ARP exchange and on IP address conflict detection in order to establish the robustness of the network blocking algorithm under both homogeneous and heterogeneous operating systems.
1 Introduction
Network administrators sometimes experience IP address conflicts and network inaccessibility. Without the administrator's permission, unauthorized users abuse network configuration resources such as IP addresses, MAC addresses, and hostnames in the TCP/IP network environment. This is fundamentally caused by the security weaknesses of the TCP/IP protocols and by deficiencies in network administration. There is therefore an urgent need to solve these problems from the viewpoint of network management and operation. Ironically, Address Resolution Protocol (ARP) spoofing techniques can be used to prohibit unauthorized network access and resource modification [1] [2]. ARP is a dynamic mapping method that finds a physical address given a logical address, and it is a basic protocol in every Internet host and router. Gratuitous ARP is a mechanism used by TCP/IP computers to announce their IP address to the local network and, therefore, to avoid duplicate IP addresses on the network. A gratuitous ARP is an ARP request for a node's own IP address: the sender protocol address (SPA) and the target protocol address (TPA) are set to the same IP address. If a node sends a gratuitous ARP and no ARP reply frame is received, the node determines that no other node is using its assigned IP address. If a node sends a gratuitous ARP and an ARP reply frame is received, the node determines that another node is using its assigned IP address. Although ARP and gratuitous ARP are simple protocols and very useful in every Internet host and router, ARP is known to have many security weaknesses [3] [4]. In this paper, we introduce a network blocking algorithm (NBA) and evaluate this algorithm through various experiments. The rest of the paper is organized as follows. In Section 2, we describe the NBA based on the ARP spoofing technique. In Section 3, we evaluate this algorithm through various experiments. The final section offers some concluding remarks.
Dr. S. Ahn is the Corresponding Author.
O. Gervasi et al. (Eds.): ICCSA 2005, LNCS 3481, pp. 848–855, 2005. © Springer-Verlag Berlin Heidelberg 2005
2 Network Blocking Algorithm and Architecture
The NBA based on ARP spoofing that we propose consists of three major modules, as shown in Figures 1 and 2: the network blocking, blocking preservation, and blocking dissolution modules.
[Fig. 1. Network blocking and dissolution of NBA. Blocking: gratuitous ARP transmission by the agent, i.e. a broadcast ARP request with SHA = Agent MAC, SPA = Blocked IP, THA = 0000..00, TPA = Blocked IP. Blocking dissolution: ARP request transmission for i = 1 to 254, restoring the original MAC of the blocked IP (SHA = origin MAC of blocked IP, SPA = Blocked IP, THA = 0000..00, TPA in order of i).]
Typically, the architecture for network resource and security management is a manager-to-probe or manager-to-agent model. One node on the entire network is designated as the manager system, and at least one probe or agent system has to be installed in each network management domain. The manager issues a protocol data unit message to a probe, and the probe interprets that message. If the message is a set operation, the probe updates its policy database. After the policy database has been created, the probe monitors all packets in its management domain using a packet capture library (for example, the pcap library on Linux) and picks out only the ARP request and reply packets. If an ARP packet violates the management policy, the probe issues network blocking messages by means of the NBA.
[Fig. 2. Blocking preservation module of NBA. Flow on packet arrival: a non-ARP packet is discarded. A gratuitous ARP of the blocked node (NB tries to restart) causes NA to send Packet 1 and Packet 2. An ARP packet whose SPA is the IP of the blocked node (NB tries to communicate with NO) causes NA to send Packet 2. An ARP packet whose TPA is the IP of the blocked node (NO tries to communicate with NB) causes NA to send Packet 2. Otherwise, done. Types of node: NA = agent node, NB = blocked node, NO = other node. Types of packet: Packet 1 = [NB-MAC, NA-MAC, (2, NA-MAC, NB-IP, NA-MAC, NB-IP)]; Packet 2 = [FF:FF, NA-MAC, (1, NA-MAC, NB-IP, all 0's, NB-IP)].]
The manager system serves as the interface for the human network manager. It has a set of management modules for visualization, management, reporting, communication, and database. It maintains the network resource management information received from the probes via the Inform-PDU message exchange, visualizes current resource status information such as the number of total, used, and unused IP addresses, and provides real-time information such as the corresponding IP-to-MAC addresses, hostnames, and policies. The probe system responds to requests for information and actions from the manager system. It has a set of probe modules for communication, control, packet monitoring, policy, and network blocking messages. The manager and the probes communicate using several protocol data unit messages.
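As an added illustration of the probe's monitoring step (this is example code written for this edition, not the authors' probe implementation), the following Python program parses captured Ethernet/ARP frames, keeps only ARP requests and replies, and compares each packet's sender binding with a policy database of authorized IP-to-MAC pairs. The policy dictionary, the verdict names, and the sample frames are constructed for the example; the addresses reuse those of Figure 3, so the second sample frame is the offending node's gratuitous ARP from Experiment 1.

```python
"""Probe-side ARP policy monitor (added example, not the paper's own code).

Models the probe step of Section 2: capture frames, keep only ARP requests
and replies, and compare each packet's sender binding with a policy
database of authorized IP-to-MAC pairs.  POLICY, the verdict names and the
sample frames are constructed for this example.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns a dict of the fields the probe needs, or None for anything that
    is not such an ARP frame (the probe discards those)."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def is_gratuitous(arp: dict) -> bool:
    # A gratuitous ARP announces the sender's own address, so SPA == TPA.
    return arp["spa"] == arp["tpa"]


def check_policy(arp: dict, policy: dict):
    """Compare one ARP packet's sender binding with the policy database.

    Returns (verdict, detail).  "binding-violation" is the case the NBA acts
    on: an IP address that the policy assigns to a different MAC."""
    kind = ("gratuitous ARP" if is_gratuitous(arp)
            else "request" if arp["op"] == ARP_REQUEST else "reply")
    expected = policy.get(arp["spa"])
    if expected is None:
        return "unregistered-ip", f'{arp["spa"]} ({kind}) is not in the policy database'
    if expected.upper() != arp["sha"].upper():
        return "binding-violation", (f'{arp["spa"]} claimed by {arp["sha"]} in a {kind}; '
                                     f'policy binds it to {expected}')
    if arp["src"].upper() != arp["sha"].upper():
        # SHA normally equals the Ethernet source; a mismatch suggests a crafted frame
        return "header-mismatch", f'Ethernet source {arp["src"]} differs from SHA {arp["sha"]}'
    return "ok", f'{arp["spa"]} -> {arp["sha"]} ({kind}) matches policy'


def monitor(frames, policy):
    """The probe's filter-and-check loop over captured frames."""
    results = []
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            continue
        results.append(check_policy(arp, policy))
    return results


# --- constructed sample input (test data only) -----------------------------
def _mac(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip(s): return bytes(int(x) for x in s.split("."))


def sample_frame(dst, src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble an in-memory ARP frame as input for the monitor."""
    return (struct.pack("!6s6sH", _mac(dst), _mac(src), ETHERTYPE_ARP) +
            struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                        _mac(sha), _ip(spa), _mac(tha), _ip(tpa)))


BCAST, ZERO = "FF:FF:FF:FF:FF:FF", "00:00:00:00:00:00"
POLICY = {"10.0.0.1": "00:60:08:A6:D8:6F",   # assumed policy database
          "10.0.0.2": "00:60:08:52:F9:D8"}
SAMPLE_FRAMES = [
    # the defending node's own gratuitous ARP: matches the policy
    sample_frame(BCAST, "00:60:08:A6:D8:6F", ARP_REQUEST,
                 "00:60:08:A6:D8:6F", "10.0.0.1", ZERO, "10.0.0.1"),
    # frame 1 of Figure 3: another MAC announcing the defending node's IP
    sample_frame(BCAST, "00:50:22:00:0F:F7", ARP_REQUEST,
                 "00:50:22:00:0F:F7", "10.0.0.1", ZERO, "10.0.0.1"),
    # an ordinary request from an IP the policy never registered
    sample_frame(BCAST, "00:50:22:00:0F:F7", ARP_REQUEST,
                 "00:50:22:00:0F:F7", "10.0.0.9", ZERO, "10.0.0.2"),
    # a non-ARP frame (EtherType 0x0800); the probe must skip it
    struct.pack("!6s6sH", _mac(BCAST), _mac("00:60:08:52:F9:D8"), 0x0800) + bytes(28),
]

if __name__ == "__main__":
    for verdict, detail in monitor(SAMPLE_FRAMES, POLICY):
        print(f"{verdict:18} {detail}")
```

Run on the sample frames, the monitor reports "ok" for the defending node's announcement, "binding-violation" for the offending node's gratuitous ARP, and "unregistered-ip" for the request from 10.0.0.9; the IPv4 frame never reaches the policy check. A real probe would feed `parse_arp_frame` from a pcap capture loop instead of the constructed list.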
3 Evaluation
We have performed several experiments on the gratuitous ARP exchange and on IP address conflict detection in order to establish the robustness of the NBA.
3.1 Experiment 1: IP Address Conflict on Homogeneous Environment
The first experiment's objective is to observe the operation of normal gratuitous ARP during an IP address conflict in a homogeneous environment and to examine whether the gratuitous ARP vulnerability exists.
[Fig. 3. The gratuitous ARP and address conflict exchange on homogeneous environment.
Offending node: IP X (conflicting with 10.0.0.1), MAC 00:50:22:00:0F:F7. Defending node: 10.0.0.1, MAC 00:60:08:A6:D8:6F. Other nodes: 10.0.0.2, MAC 00:60:08:52:F9:D8. Frame notation: [destination, source, (operation, SHA, SPA, THA, TPA)].
Frame 1, gratuitous ARP (broadcast): [FF:FF, 0F:F7, (1, 0F:F7, 0.1, 00:00, 0.1)]. Other nodes' ARP cache entry for 0.1 changes from D8:6F to 0F:F7.
Frame 2, ARP reply (IP duplication detection): [0F:F7, D8:6F, (2, D8:6F, 0.1, 0F:F7, 0.1)]. The offending node disables network access after IP duplication detection.
Frame 3, another ARP request (broadcast): [FF:FF, D8:6F, (1, D8:6F, 0.1, 00:00, 0.1)]. Other nodes' ARP cache entry for 0.1 is restored to D8:6F.]
For this experiment, all nodes on the same network segment are computers running Microsoft Windows operating systems. The defending node is the node that is already successfully configured with the IP address, and the offending node is the node that is sending the gratuitous ARP. Let us assume that the other nodes already have an entry for the IP address of the defending node. We manually configured the IP address of the offending node to the IP address of the defending node and restarted the offending node in order to provoke an IP address conflict. Figure 3 shows the exchange of the gratuitous ARP during the detection of the IP address conflict. Frame 1 is the offending node's gratuitous ARP request, frame 2 is the defending node's ARP reply, and frame 3 is the defending node's gratuitous ARP request. The figure also shows the changes to the ARP cache table entry in the other nodes. At the end of frame 3, all network nodes have been reset to the proper IP-to-MAC address. The gratuitous ARP and address conflict detection for the Windows family is known to be an exchange of three frames [5]. The first two frames are the ARP request-reply exchange for the conflicting address. After that, the defending node sends another broadcast ARP request to reset the ARP cache entries that were improperly updated by the offending node's gratuitous ARP request. Consequently, the vulnerability of gratuitous ARP does not appear to exist in the first experiment's situation.
3.2 Experiment 2: IP Address Conflict on Heterogeneous Environment
The second experiment's objective is to observe the operation of normal gratuitous ARP during an IP address conflict in a heterogeneous environment and to examine whether the gratuitous ARP vulnerability exists.
[Fig. 4. The gratuitous ARP and address conflict exchange on heterogeneous environment.
Offending node: IP X (conflicting with 10.0.0.1), MAC 00:50:22:00:0F:F7. Defending node: 10.0.0.1, MAC 00:60:08:A6:D8:6F. Other nodes: 10.0.0.2, MAC 00:60:08:52:F9:D8.
Frame 1, gratuitous ARP (broadcast): [FF:FF, 0F:F7, (1, 0F:F7, 0.1, 00:00, 0.1)]. Other nodes' ARP cache entry for 0.1 changes from D8:6F to 0F:F7. No reply frame follows: the duplicate IP address can be used, and the other nodes are temporarily unable to communicate with the defending node.]
For this experiment, we configured the nodes on the same network segment as follows. The offending node and the defending node were installed with Microsoft Windows and Red Hat Linux, respectively, and the other nodes were installed with Microsoft Windows. Let us assume that the other nodes already have an entry for the IP address of the defending node. We manually configured the IP address of the offending node to the IP address of the defending node and restarted the offending node in order to provoke an IP address conflict. Figure 4 shows the exchange of the gratuitous ARP during the detection of the IP address conflict when heterogeneous operating systems run on the same network segment. Note that the defending node running Red Hat Linux does not send any reply frame even though the offending node sends a gratuitous ARP request frame. As a result, both the offending node and the defending node continued to use the conflicting IP address in rotation, and the other nodes holding the corresponding ARP cache entry were confused by the periodically changing entry in their ARP cache tables. It is therefore certain that the vulnerability of gratuitous ARP exists in the second experiment's situation.
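To make the difference between Experiments 1 and 2 concrete from the viewpoint of the other nodes' ARP caches, the following Python simulation (added for this edition; it is not code from the paper) replays the exchanges of Figures 3 and 4 using the paper's frame notation and addresses. The cache rule it models is an assumption stated in the code: a node that already holds an entry for SPA overwrites it with SHA when it sees a request or reply, and a node that receives a reply addressed to itself records the binding. Whether the defending node answers a gratuitous ARP for its own address is a parameter, True for the Windows behaviour observed in Experiment 1 and False for the Red Hat Linux behaviour observed in Experiment 2. The simulation goes slightly beyond the figures by also replaying later ordinary traffic, which reproduces the entry rotation described for Experiment 2.

```python
"""Simulation of the gratuitous ARP address-conflict exchanges of Figures 3 and 4.

Added example, not part of the paper.  Frames use the paper's notation
(destination, source, op, SHA, SPA, THA, TPA) and the addresses of Figure 3.
Assumed cache rule: a node holding an entry for SPA overwrites it with SHA on
any request or reply; a node receiving a reply addressed to itself records the
binding.  Normal (non-conflict) replies are not modelled, since only the other
node's cache entry is of interest.
"""
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2
BROADCAST, ZERO_MAC = "FF:FF:FF:FF:FF:FF", "00:00:00:00:00:00"


@dataclass
class Frame:
    dst: str
    src: str
    op: int
    sha: str
    spa: str
    tha: str
    tpa: str


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    answers_conflict: bool = True   # reply to a gratuitous ARP for our own IP?
    active: bool = True             # False once the node has given up its IP
    cache: dict = field(default_factory=dict)

    def gratuitous_arp(self) -> Frame:
        return Frame(BROADCAST, self.mac, REQUEST, self.mac, self.ip, ZERO_MAC, self.ip)

    def receive(self, f: Frame) -> list:
        """Apply one frame to this node; return the frames it sends in response."""
        if not self.active or f.dst not in (BROADCAST, self.mac) or f.sha == self.mac:
            return []
        if f.spa != self.ip and (f.spa in self.cache or (f.op == REPLY and f.tha == self.mac)):
            self.cache[f.spa] = f.sha
        out = []
        if f.spa == self.ip and f.tpa == self.ip:
            # another node is announcing (request) or defending (reply) our address
            if f.op == REQUEST and self.answers_conflict:
                out.append(Frame(f.sha, self.mac, REPLY, self.mac, self.ip, f.sha, f.spa))
                out.append(self.gratuitous_arp())   # re-announce to repair other caches
            elif f.op == REPLY:
                self.active = False   # conflict confirmed: stop using the address
        return out


def simulate(defender_answers: bool) -> dict:
    defender = Host("defending", "10.0.0.1", "00:60:08:A6:D8:6F", answers_conflict=defender_answers)
    offender = Host("offending", "10.0.0.1", "00:50:22:00:0F:F7")
    other = Host("other", "10.0.0.2", "00:60:08:52:F9:D8")
    other.cache["10.0.0.1"] = defender.mac       # other nodes already know the defender
    hosts = [defender, offender, other]

    # Phase 1: the offending node restarts and announces the conflicting address.
    queue = [offender.gratuitous_arp()]
    entry_after_each_frame = []
    while queue:
        f = queue.pop(0)
        for h in hosts:
            queue.extend(h.receive(f))
        entry_after_each_frame.append(other.cache["10.0.0.1"])

    # Phase 2: every node still using 10.0.0.1 sends ordinary ARP requests in turn;
    # watch what the other node's entry does (the rotation of Experiment 2).
    entry_under_later_traffic = []
    for _ in range(2):
        for h in (defender, offender):
            if h.active:
                req = Frame(BROADCAST, h.mac, REQUEST, h.mac, h.ip, ZERO_MAC, other.ip)
                for r in hosts:
                    r.receive(req)
                entry_under_later_traffic.append(other.cache["10.0.0.1"])

    return {"frames_exchanged": len(entry_after_each_frame),
            "entry_after_each_frame": entry_after_each_frame,
            "offender_active": offender.active,
            "entry_under_later_traffic": entry_under_later_traffic}


if __name__ == "__main__":
    for label, answers in (("homogeneous (Fig. 3)", True), ("heterogeneous (Fig. 4)", False)):
        print(label, simulate(answers))
```

With `defender_answers=True` the run reproduces the three frames of Figure 3: the other node's entry flips to 0F:F7, the offending node gives up its address on the reply, and the defender's re-announcement restores D8:6F, after which the entry stays stable. With `defender_answers=False` only frame 1 is exchanged, both nodes stay active, and the other node's entry alternates between D8:6F and 0F:F7 under later traffic, which is exactly the cache flapping a monitoring probe should treat as a symptom of an unresolved conflict.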
3.3 Experiment 3: Forged Gratuitous ARP
The third experiment's objective is to observe the operation of forged gratuitous ARP and to examine whether we can arbitrarily modify ARP cache entries and prevent a specific node from accessing the network segment at the network protocol level. For this experiment, we implemented a simple command-line tool in the C language which generates forged gratuitous ARP packets. The syntax of this tool is fgarp datafile count interval-sec, where datafile is an ASCII file containing the ARP frame information (destination, source, operation, SHA, SPA, THA, and TPA), count is the number of ARP packets to send, and interval-sec is the interval in seconds between sending one ARP packet and sending the next. One of the main functions is the sendarp function, which takes a pointer to the ARP data structure, creates a socket with the socket function by setting values for the three fields (family, type, and protocol) of the socket structure, forms a gratuitous ARP packet for the specific node's IP address, repeatedly transmits it to the target node according to the count and interval variables, and closes the socket. Figure 5 presents the result of the third experiment. The node in the left and right windows has the IP address 203.252.53.57. In the initial step, we can see that the node was able to connect to the IP addresses 203.252.53.1 and .52 using the ping program. After that, the node in the bottom window, with IP address 203.252.53.59, blocked the network access of node .57 by using the fgarp tool we implemented. This verifies that we can arbitrarily modify ARP cache entries and prevent a specific node from accessing the other nodes.
[Fig. 5. Experimental result for network blocking]
4 Integration with Network Blocking Algorithm on Wireless LAN
In a wireless environment, there are security considerations that should be applied at the different layers of the wireless network, namely the physical, network, and application layers [6]. In this paper, we focus only on the 802.11-based network security mechanism that uses MAC access control lists. A MAC access control list is a list of physical addresses that are allowed to access the wireless network. This security mechanism is found in almost all access points. It enables the network administrator to enter lists of valid MAC addresses into an access control list, limiting network access. However, the administrative overhead needs to be considered, because keeping track of valid MACs and updating all access points with the valid addresses can be a time-consuming task. To make up for this weak point, we propose an application for network resource and security management with the NBA, shown in Figure 6.
[Fig. 6. Security framework with NBA on wireless LAN. The manager, holding the policy and an event log, exchanges PDU messages (A) with the policy probe of each management domain (A, B, and C). The probe captures all ARP packets in promiscuous mode (C) and sends gratuitous ARP messages using the network blocking algorithm (B) against an unauthorized user, while authorized users (notebook, mobile phone) remain attached through the access point.]
5 Conclusions
Network resources such as IP addresses, MAC addresses, and hostnames can be misused because of weaknesses in the TCP/IP protocol suite and deficiencies in network management. We therefore proposed an NBA and evaluated the robustness of this algorithm through various experiments. The basic concept of the proposed network resource and security management system is that authorized users can access their own network while unauthorized users cannot. The proposed system is an effective tool for managing network resources, including IP addresses, MAC addresses, and hostnames, in diverse and complicated network environments.
References
1. K. Kwon, S. Ahn, and J. Chung, "Network Security Management Using ARP Spoofing," Proc. ICCSA 2004, LNCS 3043, pp. 142-149, 2004.
2. J. Koo, S. Ahn, and J. Chung, "Network Blocking Algorithm and Architecture for Network Resource and Security Management," Proc. ISPC Comm 2004, Bishkek, pp. 181-186, 2004.
3. S.M. Bellovin, "Security problems in the TCP/IP protocol suite," Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.
4. N.E. Hastings and P.A. McLean, "TCP/IP spoofing fundamentals," Proc. IEEE Fifteenth Annual International Phoenix Conference on Computers and Communications, pp. 218-224, 1996.
5. J. Davies and T. Lee, "Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference," Microsoft Press, 2003.
6. M. Maxim and D. Pollino, "Wireless Security," RSA Press, 2002.