Professional Documents
Culture Documents
An ICMP Based Secondary Cache Approach F PDF
An ICMP Based Secondary Cache Approach F PDF
An ICMP Based Secondary Cache Approach F PDF
ARP Poisoning
Abstract - Address Resolution Protocol (ARP) poisoning These problematic scenarios demonstrate the
is one of the most basic technique employed in computer weaknesses in the ARP operations. As a result, there
hacking. ARP poisoning is used when a host is used to poison should be an efficient mitigation approach for the
ARP cache of another host in order to send packets to some prevention of ARP poisoning which should be robust and
other destination than the intended one. compatible with the existing networks. Also, the approach
This paper presents a feasible technique to detect and should not give rise to other loopholes which can be
prevent the ARP poisoning by removing the multiple entries exploited for other attacks.
for the same MAC address or IP address from the ARP The rest of the paper is structured as follows: Section
table using a secondary cache. This secondary cache
II discusses the background of ARP protocol and ARP
contains the entries according to Internet Control Message
Protocol (ICMP) responses. Since this technique prevents poisoning. In Section III, we discussed the related work
multiple entries for same IP address or MAC address, it also done for the mitigation of ARP poisoning attacks. We
mitigates IP exhaustion problem. The secondary cache is described our proposed solution in Section IV along with
maintained at every host which makes this technique the algorithms and attack scenarios. Results of the
distributed in nature, thereby prevents it from single point experiment are shown in Section V. Finally, Section VI
failure. Experimental results are also provided to support concludes the paper.
the proposal.
Switch
IPB is at MACC
Switch
IPB, IPC,
MACB MACC
IPA is at MACC
IPB, MACB IPC, MACC Host B Host C
Host B Host C
Fig. 3. Host C performing ARP poisoning on A and B
Fig. 1. Host A broadcasts ARP Request for Host B
The Antidote approach [9] checks if the previous just a text file having IP-MAC bindings. This secondary
MAC is alive. If it is alive, the ARP cache is not updated table/cache is a permanent cache with lifetime validity.
and new fake MAC address is added to banned address The entries are made and validated in this cache using
list. However, if attacker comes before the real user ICMP protocol. The secondary cache makes sure that
within the network, he can already poison the ARP cache. there are no multiple entries for a single IP address or for
This causes the real MAC address to get banned. As a a single MAC address. Then according to these entries
result, the attacker can easily poison the other hosts present in secondary cache, the primary cache is also
because the poisoned victim cannot reply to the ARP updated either by adding or deleting the entries. The
algorithm is made different for entering hosts and already
requests sent by the hosts.
existing hosts. Entering host is a new host which entered
Sumit Kumar and Shashikala Tapaswi [10] proposed
into a network when other hosts are already available in
a centralized technique for detection and prevention of the network. Existing host is a host which is already
ARP poisoning. In this technique, an ARP Central Server present when a new host enters into the network. It is
(ACS) is used to validate the ARP tables' entries of all the understood that all the entering hosts are existing hosts
hosts within the network. Clients also maintain a also. Thus, entering hosts will execute the algorithm for
secondary long term cache in this approach. However, entering as well as existing hosts. The entering hosts'
this technique does not address the IP exhaustion problem algorithm will be executed only once when a host will
which an attacker can create within a network. Moreover, enter into the network. Already existing hosts need not
this technique is centralized in nature. As a result, the execute the entering host algorithm.
failure of ACS server leaves the network insecure. According to the algorithm, when host C sends an
Gopi Nath Nayak and Shefalika Ghosh Samaddar ARP Reply to host B to bind the C's claiming IP address
[11] proposed two solutions in order to prevent ARP (IPCC) to C's MAC address (MC), B checks its secondary
poisoning. The first one sends arping request messages to cache for an entry associated with either MC or IPCC. This
the default gateway at fixed time intervals. However, this results in two situations.
technique is limited for the checking of host to gateway
traffic only. The traffic between one host to another host 1) No entry in secondary cache: If there is no such entry,
is not analyzed for detection and prevention of ARP B will send an ICMP echo request to IPCC. If B does not
poisoning attack. The second technique monitors the ARP receive the echo reply back, it will straightaway reject the
table at regular intervals. It generally checks how many IP new binding (IPCC-MC) and delete it from primary cache.
addresses are associated with the MAC address of Otherwise, if B receives the echo reply back, it will create
gateway. If the number is more than 1, it alerts the user an entry for IPCC-MC binding in secondary cache. Also, B
about possible poisoning. The disadvantage is that the will create a static entry in primary cache having validity
MAC address of the gateway should be known in of 10 minutes. B sends the ICMP request to make sure that
advance. the sender is not sending fake ARP Replies using some
random and invalid MAC addresses to create the IP
Gao Jinhua and Xia Kejian [12] proposed an ICMP
exhaustion problem.
protocol based detection algorithm for ARP spoofing.
This algorithm collects and analyzes the ARP packets and 2) Entry found in Secondary Cache: This situation
then injects ICMP echo request packets to probe for further gives rise to three cases.
malicious host according to its response packets. (a) Entry matching with C's MAC address (MC): If B finds
However, the algorithm is based on a database available an entry having C's MAC address (MC) in secondary
at Detection host. Thus, it causes the single point failure cache, it looks for the IP address bind to it, say IPMC. Now,
problem. Also, the algorithm does not address the issue of B will generate and send an ICMP echo request destined to
ARP poisoning using fake ICMP echo requests. An IPMC. This request is generated using raw socket
attacker can send a fake ICMP echo request with the programming. If B does not receive the echo response
back, B will consider that C has released the IP address
spoofed source IP address of a legitimate host and the
IPMC and thus, it will delete the old binding (IPMC-MC) and
source MAC address of itself. As a result, when the
update the new binding (IPCC-MC) in secondary cache. This
victim host receives this message, it will update its ARP entry will also be made statically in primary cache for 10
cache with illegitimate binding having attacker’s MAC minutes. Otherwise, if B receives the echo reply back, it
address bind to a spoofed legitimate IP address allotted to means the old mapping exists and MC still possesses IPMC.
another host within the subnet. The attacker can send the As a result, B will not update its secondary cache with the
same type of fake ICMP echo requests to default gateway IPCC-MC binding. This is due to the fact that one interface at
also so as to get the MITM position between the default one system can have only one IPv4 address at a time.
gateway and the victim host. Moreover, since the primary cache has automatically been
updated with the new binding (IPCC-MC) due to the ARP
reply sent by C, B will delete this entry from primary
IV. PROPOSED SOLUTION cache and update it with older entry (IPMC-MC) by adding it
statically for 10 minutes. This is done using secondary
In this paper, we propose an algorithm which makes cache because it contains the older mapping. This prevents
use of ICMP requests and replies to store the IP-MAC ARP poisoning. Since there is only one entry for one
bindings in a secondary ARP cache. Every client in the MAC addresses, no MAC address can have more than one
network maintains a secondary ARP cache which may be
IP address. This enables the solution to prevent the IP Initially, the entering host sends a broadcasted ARP
exhaustion problem as well. reply so that every existing host receive it and after proper
(b) Entry matching with C's claiming IP address (IPCC): In validation using secondary cache look up, store this new
this case, B will generate and send an ICMP echo request binding in their secondary cache.
destined to IPCC. The MAC address (MO) corresponding to
this claiming address in secondary cache will be the B. Algorithm for existing hosts
destination MAC address for sending the echo request.
This request also is generated using raw socket 1) When receive an ARP Reply (IP-MAC binding),
programming. If B does not receive the echo response
check the secondary cache whether the MAC address
back, B will consider that MO has released IPCC and thus, it
will delete the old binding (IPCC-MO) and update the new or IP address are already mapped to any other IP
binding (IPCC-MC) in secondary cache. This entry will also address or MAC address respectively.
be made statically in primary cache for 10 minutes. 2) If IP address is not bound to any other MAC address,
Otherwise if B receives the echo response back, it means go to Step 5.
IPCC is already being used by MO. At a time, one IP address 3) If IP address is already bound to same MAC address
can be allotted to only one host within the network. which is received in ARP Reply, just ignore this reply
Moreover, since the primary cache has automatically been and go to Step 1.
updated with the new binding (IPCC-MC) due to the ARP 4) If IP address is already bound to a MAC address
reply sent by C, B will delete this entry from primary
which is not same as received in ARP Reply, send an
cache and update it with older entry (IPCC-MO) by adding it
statically for 10 minutes. This is done using secondary echo request destined to this IP address with the
cache because it contains the older mapping. This prevents bound destination MAC address found in this
ARP poisoning attacks. secondary cache entry.
(c) Entry with IPCC bound to MC: If B finds an entry which a) If echo reply comes back, ignore the new IP-
already shows the binding IPCC-MC, B will directly ignore MAC binding received in step 1, delete it from
this reply because this reply will also lead to same binding. primary cache and update it statically for 10
The algorithms for the entering hosts and the existing minutes with the binding available in secondary
hosts are explained as follows: cache. Go to Step 1.
b) If no reply comes back, delete the older entry,
A. Algorithm for entering hosts accept the newer one and update it in secondary
cache. Also make this entry static in primary
1) After receiving IP address from DHCP server, send cache for 10 minutes. Go to Step 1.
ARP reply to the broadcast address to make other 5) If MAC address is not bound to any other IP address,
hosts aware of this IP-MAC binding. accept the IP-MAC binding and store it in secondary
2) Send ICMP echo request to every host. cache. Also, update the primary cache with static
3) Receive the echo reply coming from host and thus, entry of 10 minutes for this binding and go to Step 1.
receive the IP-MAC binding due to this reply. 6) If MAC address is already bound to same IP address
4) Check the secondary cache whether the MAC address which is received in ARP Reply, just ignore this reply
captured (in echo reply) is already mapped to any IP and go to Step 1.
address. 7) If MAC address is already bound to an IP address
5) If found no such entry, accept the IP-MAC binding which is not same as received in ARP reply, send an
and store it in secondary cache. Also, update the echo request destined to the IP address bound with
primary cache with static entry of 10 minutes for this this MAC address in the secondary cache.
binding and go to Step 2 to send echo requests to a) If echo reply comes back, ignore the newer IP-
other hosts. MAC binding received in step 1, delete it from
6) If MAC address is already bound to an IP address, primary cache and update it statically for 10
send echo request destined to the IP address bound minutes with the binding available in secondary
with this MAC address in the secondary cache. cache. Go to Step 1.
a) If echo reply comes back, ignore the newer b) If no reply comes back, remove the older binding,
binding which is received in 3rd Step, delete this accept the newer one and update it in secondary
binding from primary cache and update it cache. Also make this entry static in primary
statically with the older binding for 10 minutes. cache for 10 minutes. Go to Step 1.
Go to Step 2.
b) If no echo reply comes back, remove the older C. Attack Scenarios
binding, accept the newer one and update it in
secondary cache. Also make this entry static in We assume different attack scenarios in which attack
primary cache for 10 minutes. Go to Step 2. is possible. The attack scenario is divided into four
situations.
1) Attacker as an entering host: This situation arises In normal network, the IP-MAC binding at victim
when attacker, C, enters into a network while other hosts, host changed to 172.16.7.52—00:24:8c:81:9c:db. A's
A and B, are already present in the network. In this case, if primary cache is shown in Fig. 5 after being poisoned.
C sends to A an ARP Reply with C's MAC address (MC) After implementing the algorithm, when A received
bound to B's IP address (IPB), A will check its secondary the ARP Reply, it checked its secondary cache. It found
cache to see if there is any entry related to MC or IPB. Since out that there is already an entry for 172.16.7.52. This is
A and B were present in the network before C, they are shown in Fig. 6. So, it sent an echo request to the old
having these entries. As a result, A will ignore this ARP binding present in secondary cache. Since it received the
Reply. Thus, the ARP poisoning tried by C will not be echo reply back, it came to know that older binding
successful. already exists. As a result, it ignored the new binding and
2) Attacker as an existing host: This situation will arise deleted it from the primary cache and updated it statically
when C is already present in the network before another with the binding available in secondary cache for 10
host, A, which is yet to come into the network. Here, two minutes. The ICMP echo request with B's IP-MAC
cases arise. The first case happens when C sends such fake binding is sent and the resulting echo reply is shown in
ARP replies to A so that A will consider C as Default Fig. 8 using Wireshark [15]. The echo request was sent
Gateway (DG). The second case happens when C sends using PackEth as shown in Fig. 7. The final primary cache
such fake ARP replies to A so that A will consider C as of A with static entry is shown in Fig. 9.
another host, B. Both the cases are discussed in the next
two points. TABLE I
IP ADDRESS AND MAC ADDRESS OF DIFFERENT HOSTS
3) Attack against DG and host A: When A enters into the
network, C may send fake ARP replies to A with C's MAC
Host IP Address MAC Address
address (MC) bound to DG's IP address (IPDG). This causes
A to consider that C is DG for the subnet. This is possible Gateway(B) 172.16.7.52 6c:20:56:dc:ac:43
because being an entering host, initially, A's secondary Victim(A) 172.16.7.159 00:26:22:04:50:2a
cache is not having any entry at all. However, C will not Attacker(C) 172.16.7.152 00:24:8c:81:9c:db
be able to poison DG's cache because DG was already
present in the network before C and thus, DG will be
having an entry for MC bound to C's IP address. As a
result, C will not be able to get the MITM position.
4) Attack against two hosts A and B: If C wants to get
MITM position between two hosts A and B where A is
the entering host, C can poison A's cache by claiming
itself as B. But C will not be able to poison B's cache
because B may be present in the network before C, so B
will quickly receive IP-MAC binding of A when A will
enter into the network. If B also comes after C, C will not
be able to predict the IP address which B will be going to Fig. 4. A's ARP cache before attack.
get when it will enter into the network. Thus, C cannot get
the MITM position in this case also.
V. EXPERIMENTAL RESULTS
REFERENCES