
Identifying ARP Spoofing Through Active Strategies

Ashok Bawge, Dr. Harish Joshi

Abstract


Due to its stateless nature and absence of authentication mechanisms to verify sender identity, the Address Resolution Protocol (ARP) has long been susceptible to spoofing attacks. ARP spoofing often serves as a gateway to more advanced attacks on local area networks, such as denial of service, man-in-the-middle, and session hijacking. Most existing detection methods adopt a passive approach by monitoring ARP traffic for anomalies in the IP-to-Ethernet address mappings. However, this strategy suffers from a delayed response time, often identifying an attack only after it has already caused harm. In this paper, we introduce an active detection technique for ARP spoofing. By injecting ARP request and TCP SYN packets into the network, we proactively probe for mismatches in address mappings. Compared to passive methods, our approach is faster, more intelligent, scalable, and reliable. Additionally, it enhances accuracy in identifying the true MAC-to-IP address associations during an attack scenario.
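The passive baseline the abstract contrasts against, as an added example that is not code from the paper: a monitor that parses ARP frames (RFC 826 layout) and flags IP-to-Ethernet mapping anomalies. The function names, addresses and sample frames are constructed for illustration, and the Ethernet-source check is a common sanity test, not something the abstract specifies.

```python
import struct

ETHERTYPE_ARP = 0x0806

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP (RFC 826)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(frame[6:12]), "oper": oper,
            "sha": _mac(frame[22:28]), "spa": _ip(frame[28:32])}

def detect(frames):
    """Passively flag ARP anomalies; returns (index, kind, ip, claimed_mac)."""
    first_seen, alerts = {}, []
    for i, frame in enumerate(frames):
        p = parse_arp(frame)
        if p is None:
            continue
        # Sender MAC in the ARP payload should match the Ethernet source.
        if p["eth_src"] != p["sha"]:
            alerts.append((i, "src-mismatch", p["spa"], p["sha"]))
        # A second MAC claiming a known IP is the mapping anomaly. A passive
        # monitor cannot tell which claimant is genuine, and it only notices
        # after the conflicting frame is already on the wire.
        if first_seen.setdefault(p["spa"], p["sha"]) != p["sha"]:
            alerts.append((i, "mapping-changed", p["spa"], p["sha"]))
    return alerts

def build(eth_src, sha, spa, oper=2):
    """Construct a sample ARP frame (test data only, nothing is sent)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    eth = b"\xff" * 6 + m(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    return (eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + m(sha) + a(spa) + bytes(6) + a("192.0.2.10"))

# Constructed sample traffic (documentation addresses, locally administered MACs).
FRAMES = [
    build("02:00:00:00:00:01", "02:00:00:00:00:01", "192.0.2.1"),
    build("02:00:00:00:00:02", "02:00:00:00:00:02", "192.0.2.20"),
    build("02:00:00:00:00:66", "02:00:00:00:00:66", "192.0.2.1"),
    build("02:00:00:00:00:02", "02:00:00:00:00:77", "192.0.2.20"),
]
```

Calling `detect(FRAMES)` reports the conflicting claim for 192.0.2.1 and both anomalies in the last frame, but gives no indication of which MAC truly owns each address, which is the gap the active probing approach is meant to close.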

