4/7/2018
ARP SPOOFING Group 1
Duan Chao 301230103
Luo Yi 301220263
ENSC 427 FINAL PROJECT: ARP SPOOFING
Abstract
For the first few decades of network existence, computer networks were used by
university researchers for sending e-mail and by corporate employees for sharing
printers. With the development of society, network technology is also constantly
developing, and network applications are gradually being popularized. More and more
computer users can access the information resources of the global network
system from home. The Internet has become an integral part of today’s world. However,
network security has also come into view. Many protocols are used
to establish these networks, but there are some precautions that we did not
consider. In this paper, we do some research and simulation on the Address
Resolution Protocol (ARP) and ARP spoofing to demonstrate some precautions in
ARP.
Contents
Abstract
List of Figure and Table
Glossary
Introduction
Researched Work
ARP Overview
  ARP History
  ARP Request
  ARP Response
ARP Cache
ARP Spoofing
Simulation
  Goals
  Environment
  Problems
    Ns-3 does not provide interface for sending request
    Ns-3 ARP caches keep states of each entry
  Topology
    Scenario 1
    Scenario 2
  Results
    Scenario 1
    Scenario 2
  Conclusion
Industry Work
  Dynamic ARP Inspection – Cisco
Future Plan
  Monitoring in each node
  Monitoring in the LAN
Conclusion
References
Appendix
  Project Link
  Project Source Code
List of Figure and Table
Figure 1 ARP spoofing mitigation flow chart [2]
Figure 2 Algorithm of the Proposed Mechanism [3]
Figure 3 ARP Request
Figure 4 ARP Response
Figure 5 ARP Spoofing
Figure 6 ns-3 logo [7]
Figure 7 ARP request & response in ns-3
Figure 8 Scenario 1
Figure 9 Scenario 2
Figure 10 Simulation results of UDP client in scenario 1
Figure 11 Simulation results of UDP server in scenario 1
Figure 12 Simulation results of attacker in scenario 1
Figure 13 Simulation results of UDP client in scenario 2
Figure 14 Simulation results of UDP server in scenario 2
Figure 15 Simulation results of attacker in scenario 2
Figure 16 Topology of the simulation
Figure 17 Catalyst 6500
Figure 18 Dynamic ARP Inspection
Figure 19 DAI Trust State
Table 1 ARP cache table of Client#1
Table 2 Changed ARP cache table of Client#1
Table 3 ARP states and corresponding behaviour
Table 4 Configuration of the scenario 1
Table 5 Configuration of the scenario 2
Glossary
ARP: Address Resolution Protocol
MAC: Medium Access Control
IP: Internet Protocol
TCP: Transmission Control Protocol
LAN: Local Area Network
CSMA: Carrier-Sense Multiple Access
WAN: Wide Area Network
DDOS: Distributed Denial of Service
OSI: Open Systems Interconnection
DAI: Dynamic ARP Inspection
Introduction
With the development of computer networks, plenty of services and applications have
increased the priority of LANs. Meanwhile, the security of LANs also needs much more
consideration. The Address Resolution Protocol (ARP), a frequently used network layer
protocol that maps the IP address to the MAC address, is extremely vulnerable. It increases the
risk of attacks in LANs. ARP spoofing is one of the hacking techniques that threaten LANs.
In general, ARP spoofing is the purposeful behaviour of issuing incorrect ARP broadcast packets.
ARP spoofing was originally used by hackers and became the main method for hackers to steal
network data. The hacker sends out wrong ARP broadcast packets, blocks normal
communication, and disguises his own computer as another person's computer, so
that data originally sent to other computers is sent to the hacker’s computer and can be stolen.
The recent wave of ARP attacks has diversified in purpose and methods, and its impact and
influence are much greater than in the previous two phases. The first change is that viruses have joined
the ranks of ARP attacks. Previously, viruses mainly attacked WANs, and the most
effective attack method was the DDOS attack. However, with the development of prevention
capabilities, virus makers have turned their attention to the LAN and begun to try ARP attacks.
In this paper, we focus only on the original ARP spoofing and simulate
ARP spoofing using ns-3.
Researched Work
At the beginning, we did some research on ARP spoofing to understand the
technique. “Mitigating ARP Spoofing Attacks in Software-Defined Networks” gives
us some basic information about ARP spoofing. ARP spoofing may be used to launch any
one of the following attacks [1].
• DoS attacks: the attacker will prevent the two communicating hosts from getting
connected to each other.
• Host impersonation attack: the attacker will receive packets intended to the victim and
can reply to these packets on behalf of the victim.
• Man-In-The-Middle (MITM) attack: the attacker will be able to monitor all the traffic
between two communicating hosts.
After introducing ARP spoofing, the paper lists several techniques used to address ARP spoofing.
• ARP authentication
• Operating system patching
• Dynamic ARP Inspection
• ARP mitigation tools
• Static ARP mappings
The paper then describes in detail how to mitigate ARP spoofing attacks in software-defined
networks. The flow chart of ARP spoofing mitigation is shown below.
Figure 1 ARP spoofing mitigation flow chart [2]
After we became familiar with ARP spoofing, we could not find any resources about the simulation
of ARP spoofing using ns-3.
Next, we looked for a prevention method to avoid ARP spoofing. A paper called “A
Proposal for a Schema for ARP Spoofing Protection” by Jin-Cherng Lin, Men-Jue Koo, and
Cheng-Sheng Wang gave us a lot of ideas. The paper points out that an ARP spoofing attack mainly
interferes with the correctness of the IP/MAC mapping correlation in the ARP table of the host
[3]. It has four characteristics:
• Targeted attacks
• Does not generate suspicious traffics
• Difficult to detect
• Difficult to be prevented in mind
To solve these problems, the paper provides a method called “Enhanced ARP Query Schema Protective
Mechanism”. The first technique used in this method is correlation analysis of IP and MAC addresses
in the LAN, because the relationship between IP and MAC should be unique. If an IP address is
correlated with two MAC addresses, something is incorrect in the LAN, and we need to
update our ARP table to ensure that each IP address correlates with only one MAC address.
The next technique used in this method is the ARP Protective Mechanism and Algorithm. The purpose
of this algorithm is to maintain the accuracy of IP/MAC correlations in the ARP table. The flow
chart is shown below.
Figure 2 Algorithm of the Proposed Mechanism [3]
ARP Overview
In this section, we go over the basic information about ARP and ARP spoofing. The OSI
model divides the network into seven layers. The OSI model is a conceptual model that
characterizes and standardizes the communication functions of a telecommunication or
computing system without regard to its underlying internal structure and technology [4]. The IP
address is in the third layer (network layer) of the OSI model, and the MAC address is in the
second layer (link layer). They do not deal with each other directly. When sending an IP packet
over Ethernet, the sender needs to build the network-layer and link-layer headers first, but only
the destination IP address is known at the time of sending; the MAC address is unknown.
Because the network layer and the link layer do not deal with each other directly, the sender
needs to use the Address Resolution Protocol (ARP). Using ARP, the MAC address can be resolved
from the IP address information in the IP header of the network layer.
Basically, there are two operations that associate the MAC address with the IP address:
the ARP request and the ARP response.
ARP History
The problem of address resolution was apparent from the very start in the development of the
TCP/IP protocol suite. Much of the early development of IP was performed on the then-
fledgling Ethernet local area networking technology; this was even before Ethernet had been
officially standardized as IEEE 802.3. It was necessary to define a way to map IP addresses to
Ethernet addresses to allow communication over Ethernet networks.
There are two basic methods that could have been used to accomplish this
correlation of addresses: direct mapping or dynamic resolution. However, Ethernet addresses
are 48 bits long while IP addresses are only 32 bits, which immediately rules out direct mapping.
Furthermore, the designers of IP wanted the flexibility that results from using the dynamic
resolution model. To this end, they developed the TCP/IP Address Resolution Protocol (ARP).
This protocol is described in one of the earliest of the Internet RFCs still in common use: RFC
826, An Ethernet Address Resolution Protocol, published in 1982 [5].
The name makes clear that ARP was originally developed for Ethernet. Thus, it represents a
nexus between the most popular layer two LAN protocol and the most popular layer three
internetworking protocol—this is true even two decades later. However, it was also obvious
from the beginning that even if Ethernet was a very common way of transporting IP, it would
not be the only one. Therefore, ARP was made a general protocol capable of resolving
addresses from IP to not just Ethernet but numerous other data link layer technologies.
ARP Request
Figure 3 ARP Request
From the above figure, there are three clients in a LAN. The IP address and MAC address of the
first client are 10.1.1.1 and 00.00.00.00.00.00 respectively. For the second user, the IP address
is 10.1.1.2 and MAC address is 00.00.00.00.00.01. And IP address and MAC address of the last
client are 10.1.1.3 and 00.00.00.00.00.02 respectively. In this scenario, the first user is looking
for the other client in this LAN who has the IP address 10.1.1.2. The procedure of “Broadcast:
Does anyone have IP 10.1.1.2” is called ARP Request.
ARP Response
Figure 4 ARP Response
After every client in this LAN has received the broadcast message from Client#1, the user who
has the required IP sends a response back to Client#1. The response also contains the MAC address
of Client#2 so that Client#1 can update its memory.
ARP Cache
Each host should have an ARP cache, which contains the mapping table of IP addresses to MAC
addresses of hosts and clients on the LAN. Without an ARP cache, a host would have to send an
ARP request packet on the network every time it communicates. This increases the traffic
on the network. ARP saves the obtained address map in the cache so that when the host
communicates with the same destination next time, it can directly find the required MAC
address in the cache without broadcasting an ARP request packet. In effect, the ARP cache is
a lookup table that maps IP addresses to MAC addresses. For example, the ARP cache
of Client#1 after getting the response from the second client is shown below.
IP address    MAC address
10.1.1.1      00.00.00.00.00.00
10.1.1.2      00.00.00.00.00.01
10.1.1.3      00.00.00.00.00.02
Table 1 ARP cache table of Client#1
When ARP is queried for the MAC address of a node with a known IP address, it first looks in
the ARP cache. If the entry exists, it directly returns the corresponding MAC address. If it does
not exist, it sends an ARP request to the LAN, as mentioned before, to find the corresponding MAC
address and updates the ARP cache.
To minimize broadcast traffic, ARP maintains an IP address to MAC address cache for future use.
The ARP cache can contain dynamic and static entries. Dynamic ARP entries are automatically
updated over time. The potential lifetime of each dynamic ARP cache entry is 10 minutes.
Items that are newly added to the cache are time stamped. If an item is not reused within 2
minutes after it is added, the item expires and is deleted from the ARP cache. If an item is
already in use, it receives another 2 minutes up to a maximum lifetime of 10 minutes. Static
ARP entries simply remain in the cache until the computer is restarted. In our situation,
we only consider the static ARP [6].
ARP Spoofing
ARP is based on the mutual trust of each host in the network. The birth of ARP made
the network run more efficiently, but it also has its own flaws. In summary, ARP has several
properties:
▪ The cache is kept locally to minimize the number of ARP requests being broadcast
▪ The cache is updated with the new IP/MAC association on each successful reply
▪ Stateless protocol: the cache is updated when a reply is received, without any
confirmation
Because ARP is a stateless protocol, it always updates the cache whenever a new
response is received. This gives the attacker an opportunity to attack ARP. The ARP request is
sent as a broadcast message. Hosts on the network can send ARP response messages
autonomously. When other hosts receive the response packets, they record them in the ARP cache
without verifying the authenticity of the packets. In this way, an attacker
can send a fake ARP response packet to the destination host to tamper with its ARP cache.
Figure 5 ARP Spoofing
For example, there are still 3 hosts in a LAN. The host with IP address 10.1.1.3 plays the role of
an attacker in this scenario. The attacker sends a spurious ARP response. However, in this
ARP response the sender IP address is 10.1.1.2 (IP address of Client#2) and the MAC address is
00.00.00.00.00.02 (MAC address of Client#3). When Client#1 receives this fake ARP response, it
updates its local ARP cache immediately. At this time, Client#1 does not recognise that this ARP
response has been forged. Client#1 is also unaware that this ARP response was sent
from Client#3 and uses the attacker’s MAC address.
IP address    MAC address
10.1.1.1      00.00.00.00.00.00
10.1.1.2      00.00.00.00.00.02
10.1.1.3      00.00.00.00.00.02
Table 2 Changed ARP cache table of Client#1
The ARP cache table of Client#1 is shown in Table 2. Compared with Table 1, the MAC
address of Client#2 is now wrong. So, if Client#1 would like to communicate with
Client#2 later, the IP address 10.1.1.2 will be incorrectly resolved by ARP into the MAC
address 00.00.00.00.00.02. This will cause the two clients to be unable to communicate with
each other.
When a host on the LAN repeatedly sends such invalid ARP response packets to other hosts,
especially to the Ethernet Switch, severe network congestion will occur.
Simulation
Goals
Prove the vulnerability of ARP protocol by simulating valid ARP replies and ARP spoofing,
comparing the results and analyzing the behaviours of each node in both cases.
Environment
Figure 6 ns-3 logo [7]
The operating system we used to set up our simulation is Ubuntu, and the simulation tool we
used is ns-3.
ns-3 is a discrete-event network simulator for Internet systems, targeted primarily for research
and educational use.
Unlike industrial simulation software such as Riverbed, ns-3 is an open source project whose
source code can be read and modified. ns-3 helps us understand how the configurations
change the behaviour of nodes by reading its source code rather than reading high-level
behavioural descriptions, giving us insight into the vulnerability of the protocols. If necessary,
we can also modify the ns-3 source code locally, which we can never do with industrial tools.
Problems
Ns-3 does not provide interface for sending request:
ns-3 has classes that implement the procedures of ARP requests and replies. However, these
methods are usually called implicitly because ARP usually runs in support of
transport protocols such as UDP and TCP. In this case, we modified the source code to
provide an external interface to invoke ARP requests.
Ns-3 ARP caches keep states of each entry:
Figure 7 ARP request & response in ns-3
As we have introduced before, ARP is a stateless protocol. However, ns-3 has added
states to ARP cache entries that provide some protection against ARP attacks. The states and
corresponding behaviour are defined as follows:
ARP cache entry state   meaning                                    action if used
permanent               never expires; never verified              reset use counter
reachable               normal expiration                          reset use counter
stale                   still usable; needs verification           reset use counter; change state to delay
delay                   schedule ARP request; needs verification   reset use counter
isWaitingReply          sending ARP request                        reset use counter
Table 3 ARP states and corresponding behaviour
If the entry is not in the isWaitingReply state, any ARP replies are rejected as spoofing messages.
In most cases, the states are kept and handled by the operating system. To make the attack
successful, we need to flood the ARP replies, and there will be a chance that one reply gets
accepted right after the victim makes the request.
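The acceptance rule described here can be modelled in a few lines. The following Python sketch is an added example, not the project's ns-3 code: it replays the forged reply from the ARP Spoofing section against a stateless cache and against a state-gated cache. The class names, the reduction of Table 3 to two states and the event lists are assumptions made for illustration.

```python
# Toy model (not ns-3 code): how a stateless ARP cache and a state-gated cache
# react to the same sequence of ARP events. All names here are hypothetical.
WAITING_REPLY = "isWaitingReply"
REACHABLE = "reachable"


class StatelessCache:
    """Classic behaviour: every reply overwrites the entry, solicited or not."""

    def __init__(self):
        self.table = {}      # IP -> MAC
        self.rejected = []   # always empty; kept for a uniform interface

    def request(self, ip):
        pass                 # nothing is remembered about outstanding requests

    def reply(self, sender_ip, sender_mac):
        self.table[sender_ip] = sender_mac
        return True


class StateGatedCache:
    """Accept a reply only while the entry is waiting for one (simplified)."""

    def __init__(self):
        self.table = {}
        self.state = {}      # IP -> WAITING_REPLY or REACHABLE
        self.rejected = []   # replies dropped because no request was pending

    def request(self, ip):
        self.state[ip] = WAITING_REPLY

    def reply(self, sender_ip, sender_mac):
        if self.state.get(sender_ip) != WAITING_REPLY:
            self.rejected.append((sender_ip, sender_mac))
            return False
        self.table[sender_ip] = sender_mac
        self.state[sender_ip] = REACHABLE
        return True


def replay(cache, events):
    """Feed ("request", ip) / ("reply", ip, mac) events; return the final table."""
    for event in events:
        if event[0] == "request":
            cache.request(event[1])
        else:
            cache.reply(event[1], event[2])
    return cache.table


# Constructed event lists using the addresses from Tables 1 and 2.
ASK = ("request", "10.1.1.2")
GENUINE = ("reply", "10.1.1.2", "00.00.00.00.00.01")   # Client#2's real MAC
FORGED = ("reply", "10.1.1.2", "00.00.00.00.00.02")    # Client#3's MAC

UNSOLICITED = [ASK, GENUINE, FORGED]   # forged reply arrives after resolution
RACE_LOST = [ASK, FORGED, GENUINE]     # forged reply lands while a request is pending

if __name__ == "__main__":
    for name, events in (("unsolicited", UNSOLICITED), ("race lost", RACE_LOST)):
        for cls in (StatelessCache, StateGatedCache):
            cache = cls()
            table = replay(cache, events)
            print(f"{name:12} {cls.__name__:16} {table} rejected={cache.rejected}")
```

In the second sequence the state-gated cache ends up holding the forged mapping and rejects the genuine reply, which is the residual window that the flooding in Scenario 2 depends on.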
Topology
Scenario 1
Figure 8 Scenario1
In this scenario, we set up the LAN by defining the nodes as CSMA devices and assigning them
IP addresses in the same subnet using the CSMA helper class defined in ns-3. As the figure shows, there
are three hosts in the LAN. The first node with IP address 10.1.1.1 and MAC address
00.00.00.00.00.00 is installed with UdpClientApp acting as a UDP server. The second node with
IP address 10.1.1.2 and MAC address 00.00.00.00.00.01 is installed with UdpServerApp acting
as a UDP client who accepts the UDP packets. The UdpClientApp and UdpServerApp are
classes defined in ns-3. The client app class periodically makes a UDP packet, adds headers to it
and sends it to the server app. The details are configured as follows:
Number of packets to be sent    3
Interval between each packet    1000 ms
Propagation delay               200 ms
Server start time               5 ms
Client start time               50 ms
Table 4 Configuration of the scenario 1
In this case, the third node with IP address 10.1.1.3 is not doing anything in the simulation.
Scenario 2
Figure 9 Scenario 2
In this scenario, the LAN and the first and second nodes are set up and configured the same way as
they are in scenario 1. In addition, the third node with IP address 10.1.1.3 and MAC
address 00.00.00.00.00.02 is installed with the ARP attacker application we designed. With this
application, the node sends a fake ARP reply periodically. If the victim picks up the reply
message, the following UDP packets will be redirected to the attacker. The behaviour of the
attacker is configured as follows:
Number of packets to be sent    7
Interval between each packet    1000 ms
Attacker start time             5 ms
Table 5 Configuration of the scenario 2
Results
We output the results of the simulation in Pcap files.
Scenario 1
UDP client:
Figure 10 Simulation results of UDP client in scenario 1
As shown in the Pcap file, the UDP packets were properly sent to the server.
UDP server:
Figure 11 Simulation results of UDP server in scenario 1
After the server replies with the correct MAC-IP mapping, it receives three packets normally.
Attacker:
Figure 12 Simulation results of attacker in scenario 1
In the first scenario, the attacker is not involved. It only sees the broadcasted ARP request and
the reply. It doesn’t have knowledge of the 3 UDP packets sent from the UDP client.
Scenario 2
UDP client:
Figure 13 Simulation results of UDP client in scenario 2
In this case, the first UDP packet is sent immediately after the first broadcast fake ARP reply,
indicating that the client accepted the fake ARP reply and sent a packet to the attacker.
UDP server:
Figure 14 Simulation results of UDP server in scenario 2
The server is still getting the packets from the client. This will be explained later.
Attacker:
Figure 15 Simulation results of attacker in scenario 2
The three Pcap files show the result. Because the hosts are by nature ns-3 objects, their
behaviours are set by ns-3. It looks like the attacker becomes the ARP proxy for the UDP client
and the UDP server. After it receives the first UDP packet, it broadcasts a request to ask for the
correct MAC address of the UDP server and redirects the packet to the server. The two
subsequent UDP packets are also redirected by the attacker to the server. That explains why the
server is still getting the packets and why the attacker has Pcap messages for each UDP packet.
The following graph shows the topology from the simulation results.
Figure 16 Topology of the simulation
Having become an ARP proxy, the attacker is able to examine or modify the content of the UDP
packet and redirect it to the server.
Conclusion
Based on the simulation of ARP spoofing, we can conclude:
• ARP is vulnerable
• With stateful ARP, it is harder to poison the ARP cache
• Most attacks are launched in the same LAN
• Attacker can be man in the middle
Industry Work
To avoid ARP spoofing, not only have individual users come up with ideas to solve ARP
spoofing, but companies also provide solutions for it. We will focus on the
Dynamic ARP Inspection method provided by Cisco. Cisco already provides a software
solution on its switches such as the Catalyst 6500, Catalyst 4500, etc.
Figure 17 Catalyst 6500
Dynamic ARP Inspection – Cisco
Dynamic ARP Inspection (DAI) is a security feature that validates ARP packets in a network. DAI
intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This
capability protects the network from some man-in-the-middle attacks [8]. The foundation of
DAI is DHCP snooping. DHCP snooping is a DHCP security feature that filters out
untrusted DHCP information by establishing and maintaining a DHCP snooping binding table.
This information refers to DHCP information from untrusted zones. The DHCP snooping binding
table contains information such as the user MAC address, IP address, lease period, and VLAN-ID
interface in the untrusted zone.
Functions of DHCP snooping:
• Isolate the illegal DHCP server by configuring untrusted ports
• Create and maintain a DHCP snooping binding table. This table is generated from the IP
and MAC addresses in the DHCP Ack packet, and can also be specified manually
After DHCP snooping is enabled on the Ethernet switch, it intercepts DHCP messages and
extracts and records IP address and MAC address information from received DHCP request
messages or DHCP Ack messages. In addition, DHCP snooping allows a physical port to be set as
a trusted or untrusted port. A trusted port can receive and forward the DHCP offer packet
normally, but an untrusted port will discard the received DHCP offer message. In this way, the
switch can block the fake DHCP server and ensure that the client obtains an IP address from a
valid DHCP server.
In fact, DAI checks all the transmitted ARP messages and makes sure that only valid ARP
requests and responses are relayed. In detail, there are 3 steps of DAI.
• Intercepts all ARP request and response packets on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address
binding before updating the local ARP cache or before forwarding the packet to
the appropriate destination [8].
• Drops invalid ARP packets and saves the information in the log
Figure 18 Dynamic ARP Inspection
We add a DHCP server in LAN as shown in the above figure. DAI determine the validity of ARP
packets based on valid IP-to-MAC address bindings stored in the trusted database. In above
figure, the trusted database is the DHCP server. If the ARP packet is received from a trusted
port, the Ethernet switch forward the packets without any activities. On the other hand, if the
18 Future Plan | ENSC 427 FINAL PROJECT: ARP SPOOFING
ARP packet is from an untrusted port, the Ethernet switch forward the packets depending on
the validity check of the port.
Furthermore, DAI also provide a trust state with each port in a LAN.
Figure 19 DAI Trust State
As shown in the figure above, there are three clients and a DHCP server in this LAN:
• Client#1 would like to update its ARP cache
• Client#2 is an untrusted port
• Client#3 is a trusted port
When Client#3 sends packets to Client#1, it skips all DAI validation checks and
sends directly to Client#1, because Client#3 is in the trusted state in the DHCP server. However,
when Client#2 sends packets to Client#1, it has to go through the whole DAI validation process
because it is in the untrusted state. If it passes the DAI validation process, it becomes a
trusted port and can communicate with the other trusted ports without any further DAI
validation. If it fails the DAI validation process, DAI drops all packets from this client.
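The three DAI steps listed above (intercept on untrusted ports, check the IP-to-MAC binding, drop and log) can be modeled in a few lines of C++. This is an added example, not part of the project's source code; the class and function names are hypothetical, and the addresses follow the three-node LAN built in the appendix, with port 3 assumed to be the trusted DHCP server port.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed ARP event as seen by the switch on one ingress port.
struct ArpPacket {
  unsigned port;          // ingress switch port
  std::string senderIp;   // sender protocol address from the ARP payload
  std::string senderMac;  // sender hardware address from the ARP payload
};
class DaiSwitch {
public:
  void Trust (unsigned port) { m_trusted.insert (port); }
  // Record a binding from the trusted database (the DHCP server in Figure 18).
  void Bind (const std::string &ip, const std::string &mac) { m_bindings[ip] = mac; }
  // Returns true to forward and false to drop; every drop is logged.
  bool Inspect (const ArpPacket &p) {
    if (m_trusted.count (p.port)) return true;  // trusted port: no validation
    auto it = m_bindings.find (p.senderIp);
    if (it != m_bindings.end () && it->second == p.senderMac) return true;
    m_log.push_back ("DROP port=" + std::to_string (p.port) + " ip=" + p.senderIp
                     + " mac=" + p.senderMac);
    return false;
  }
  const std::vector<std::string> &Log () const { return m_log; }
private:
  std::set<unsigned> m_trusted;
  std::map<std::string, std::string> m_bindings;
  std::vector<std::string> m_log;
};
// The report's LAN: victim 10.1.1.1, server 10.1.1.2, attacker 10.1.1.3 on
// ports 0-2 (untrusted); port 3 is an assumed trusted DHCP server port.
DaiSwitch MakeReportLan () {
  DaiSwitch sw;
  sw.Trust (3);
  sw.Bind ("10.1.1.1", "00:00:00:00:00:00");
  sw.Bind ("10.1.1.2", "00:00:00:00:00:01");
  sw.Bind ("10.1.1.3", "00:00:00:00:00:02");
  return sw;
}
int main () {
  DaiSwitch sw = MakeReportLan ();
  sw.Inspect ({1, "10.1.1.2", "00:00:00:00:00:01"});  // genuine server reply
  sw.Inspect ({2, "10.1.1.2", "00:00:00:00:00:02"});  // forged: attacker MAC
  for (const std::string &line : sw.Log ()) std::cout << line << "\n";
  return 0;
}
```

Because packets arriving on a trusted port bypass the binding check entirely, trust should be limited to ports that lead to infrastructure such as the DHCP server.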
Future Plan
At present, the most effective way to protect against ARP spoofing in LANs is bidirectional
binding of IP and MAC addresses between clients. However, this method still cannot effectively
prevent ARP attacks on LANs. The most significant reason is that by the time we discover the ARP
spoofing and set up two-way binding, the spoofing has already changed the MAC address of the
local computer, resulting in an invalid binding. On the other hand, it is human-made destruction.
For example, if someone floods ARP responses in a LAN as in our scenario, it will lead to a
decrease in network performance.
Inspired by the related research work, we can implement the following two methods of
protecting the LAN from ARP spoofing:
Monitoring in each node:
We can modify the ns-3 ARP cache class by adding a monitor method that gets invoked whenever an
entry in the ARP table is updated. It will decide whether the update is valid based on an
arbitrary algorithm.
Monitoring in the LAN:
We can add an administrative node to the LAN that is designated to monitor the broadcast
ARP replies. If it detects an ARP flood, it can block the node from flooding ARP replies.
For each method we can compare the effectiveness and the implementation cost.
We can also expand the LAN by adding more nodes and then test the scenario with more than
one attacker.
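A sketch of the two monitoring ideas above, combined in one class. This is an added example in plain C++, not code from the project and not an ns-3 API. The policy is an assumption standing in for the "arbitrary algorithm": an unsolicited reply may not overwrite an existing cache entry, and a MAC that sends more than a set number of unsolicited replies inside a time window is blocked.

```cpp
#include <cstdint>
#include <deque>
#include <map>
#include <set>
#include <string>
#include <vector>
enum class Verdict { Accept, RejectConflict, BlockSender };
// Hypothetical monitor: this policy is one possible choice for the report's
// "arbitrary algorithm", not code from the project or from ns-3.
class ArpMonitor {
public:
  ArpMonitor (uint64_t windowMs, uint32_t maxUnsolicited)
    : m_windowMs (windowMs), m_max (maxUnsolicited) {}
  // The node asked "who has ip?", so the next reply for ip is solicited.
  void OnRequest (const std::string &ip) { m_pending.insert (ip); }
  Verdict OnReply (uint64_t nowMs, const std::string &ip, const std::string &mac) {
    if (m_blocked.count (mac)) return Verdict::BlockSender;
    bool solicited = m_pending.erase (ip) > 0;
    if (!solicited) {
      std::deque<uint64_t> &seen = m_unsolicited[mac];
      seen.push_back (nowMs);
      while (nowMs - seen.front () > m_windowMs) seen.pop_front ();
      if (seen.size () > m_max) {  // LAN monitor: flood, block the sender
        m_blocked.insert (mac);
        return Verdict::BlockSender;
      }
      auto it = m_cache.find (ip);
      if (it != m_cache.end () && it->second != mac)
        return Verdict::RejectConflict;  // node monitor: refuse overwrite
    }
    m_cache[ip] = mac;
    return Verdict::Accept;
  }
  const std::map<std::string, std::string> &Cache () const { return m_cache; }
private:
  uint64_t m_windowMs; uint32_t m_max;
  std::set<std::string> m_pending, m_blocked;
  std::map<std::string, std::deque<uint64_t>> m_unsolicited;
  std::map<std::string, std::string> m_cache;
};
// Constructed trace of the report's scenario: the server (...:01) answers the
// victim's request, then the attacker (...:02) forges a reply every 1000 ms.
std::vector<Verdict> RunScenario (ArpMonitor &m) {
  m.OnRequest ("10.1.1.2");
  std::vector<Verdict> v = { m.OnReply (60, "10.1.1.2", "00:00:00:00:00:01") };
  for (uint64_t t = 1050; t <= 4050; t += 1000)
    v.push_back (m.OnReply (t, "10.1.1.2", "00:00:00:00:00:02"));
  return v;
}
```

With a 5000 ms window and a limit of two unsolicited replies, the first two forged replies are rejected as conflicts and the third gets the attacker's MAC blocked, while the cache keeps the server's real address.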
Conclusion
ARP spoofing and related attacks are a major culprit behind problems in enterprise networks.
This issue has been discussed very thoroughly. Through our simulation, we have come to
understand the mechanism of ARP attacks thoroughly, and various preventive precautions have
been introduced. But the question is whether ARP problems can really be gotten rid of now. As
we know, although various methods have been tried, this problem has not been fundamentally
solved. We conclude that there are three reasons. First, the preventive ability of the existing
solutions is limited, and none of them is the most fundamental method. Second, network
management becomes very constrained, inconvenient and impractical, and lacks operability. Third,
some measures reduce the efficiency of network transmission, slowing the network and
wasting bandwidth, which is also undesirable.
References
[1] S. Bhirud and V. Katkar, "Light weight approach for IP-ARP spoofing detection and
prevention," Second Asian Himalayas International Conference on Internet (AH-ICI),
Kathmandu, 2011.
[2] M. Ahmed, B.-S. Ashraf and R. K. Vamshi, "Mitigating ARP Spoofing Attacks in Software-
Defined Networks," ICCTA, Alexandria, Egypt, 2015.
[3] J.-C. Lin, M.-J. Koo and C.-S. Wang, "A Proposal for a Schema for ARP Spoofing Protection,"
ICETI, Taiwan, 2012.
[4] Wikipedia, "OSI model," 2018.
[5] C. P. David, "An Ethernet Address Resolution Protocol," IETF, 1982.
[6] Q. Zhang, "Summary of TCP/IP," 2018.
[7] "ns-3," [Online]. Available: https://www.nsnam.org.
[8] "Cisco.com," [Online]. Available:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SXF/native/configuration/guide/swcg/dynarp.pdf.
Appendix
Project Link
Our project: https://github.com/Dark-Rinnegan/ns3-arp-spoofing
Project Source Code
/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
/*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation;
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "ns3/core-module.h"
#include "ns3/network-module.h"
#include "ns3/csma-module.h"
#include "ns3/internet-module.h"
#include "ns3/point-to-point-module.h"
#include "ns3/applications-module.h"
#include "ns3/ipv4-global-routing-helper.h"
#include <sstream>
#include <iostream>
using namespace ns3;
NS_LOG_COMPONENT_DEFINE ("arp1");
class AttackApp : public Application
{
public:
AttackApp ();
virtual ~AttackApp();
void Setup (Ptr<Node> aNode, Ptr<NetDevice> aDev, Ptr<Ipv4Interface> iface,
Ipv4Address addr, Ipv4Address vAddr, Address vMac);
private:
virtual void StartApplication (void);
virtual void StopApplication (void);
void ScheduleTx (void);
void SendPacket (void);
Ptr<Node> m_node;
Ptr<NetDevice> m_device;
Ptr<Ipv4Interface> m_iface;
Ipv4Address m_fakeAddr;
// victim info
Ipv4Address m_vAddr;
Address m_vMac;
EventId m_sendEvent;
bool m_running;
ArpL3Protocol m_attacker;
Ptr<ArpCache> m_arpCache;
};
AttackApp::AttackApp ()
:m_node(),
m_device(),
m_iface(),
m_fakeAddr(),
m_vAddr(),
m_vMac(),
m_sendEvent (),
m_running (false)
{
}
AttackApp::~AttackApp()
{
}
void
AttackApp::Setup (Ptr<Node> aNode, Ptr<NetDevice> aDev, Ptr<Ipv4Interface>
iface, Ipv4Address addr, Ipv4Address vAddr, Address vMac)
{
m_node = aNode;
m_device = aDev;
m_iface = iface;
m_fakeAddr = addr;
m_vAddr = vAddr;
m_vMac = vMac;
}
void
AttackApp::StartApplication (void)
{
// initialize the attacker
m_attacker.SetNode(m_node);
m_arpCache = m_attacker.CreateCache(m_device, m_iface);
m_running = true;
SendPacket();
}
void
AttackApp::StopApplication (void)
{
m_running = false;
if (m_sendEvent.IsRunning ())
{
Simulator::Cancel (m_sendEvent);
}
}
void
AttackApp::SendPacket (void)
{
m_attacker.SendArpReply(m_arpCache, m_fakeAddr, m_vAddr, m_vMac);
std::cout << "stucked here" << std::endl;
ScheduleTx ();
}
void
AttackApp::ScheduleTx (void)
{
if (m_running)
{
Time tNext (MilliSeconds(1000));
m_sendEvent = Simulator::Schedule (tNext, &AttackApp::SendPacket, this);
}
}
int
main ()
{
LogComponentEnable ("UdpClient", LOG_LEVEL_INFO);
LogComponentEnable ("UdpServer", LOG_LEVEL_INFO);
LogComponentEnable ("ArpL3Protocol", LOG_LEVEL_INFO);
LogComponentEnable ("ArpHeader", LOG_LEVEL_INFO);
LogComponentEnable("arp1", LOG_LEVEL_INFO);
uint32_t nPackets = 3;
uint32_t packetInt = 1000;
uint32_t propDelay = 200;
uint32_t delayT = 0;
uint32_t serverStart = 5; // Server start time in ms
uint32_t clientStart = 50; // Client start time in ms
uint32_t stopTime = (clientStart) + (nPackets*packetInt) + (10*propDelay) +
delayT; // Stop the simulation once all packets have been received
Ptr<OutputStreamWrapper> stdOutput(new OutputStreamWrapper(&std::cout));
uint32_t nCsma = 3;
uint32_t attackerId = 2;
uint32_t serverId = 1;
uint32_t victimId = 0;
Address victimAddr;
NodeContainer csmaNodes;
csmaNodes.Create (nCsma);
CsmaHelper csma;
csma.SetChannelAttribute ("DataRate", StringValue ("100Mbps"));
csma.SetChannelAttribute ("Delay", TimeValue (NanoSeconds (6560)));
NetDeviceContainer csmaDevices = csma.Install (csmaNodes);
// define the mac address
std::stringstream macAddr;
for( uint32_t i = 0; i < nCsma; i++ )
{
macAddr << "00:00:00:00:00:0" << i;
Ptr<NetDevice> nd = csmaDevices.Get (i);
Ptr<CsmaNetDevice> cd = nd->GetObject<CsmaNetDevice> ();
cd->SetAddress(ns3::Mac48Address(macAddr.str().c_str()));
// take a copy of victim addr
if(i == victimId)
victimAddr = cd->GetAddress();
std::cout << macAddr.str()<<std::endl;
macAddr.str(std::string());
}
InternetStackHelper stack;
stack.Install (csmaNodes);
Ipv4AddressHelper address;
address.SetBase ("10.1.1.0", "255.255.255.0");
Ipv4InterfaceContainer csmaInterfaces;
csmaInterfaces = address.Assign (csmaDevices);
// get IPV4 interface for the attacker
std::pair<Ptr<Ipv4>, uint32_t> returnValue = csmaInterfaces.Get
(attackerId);
Ptr<Ipv4> ipv4 = returnValue.first;
uint32_t index = returnValue.second;
Ptr<Ipv4Interface> iface =
ipv4->GetObject<Ipv4L3Protocol> ()->GetInterface (index);
// construct attacker app
Ptr<AttackApp> attacker = CreateObject<AttackApp> ();
attacker->Setup(csmaNodes.Get(attackerId), csmaDevices.Get(attackerId),
iface, csmaInterfaces.GetAddress(serverId),
csmaInterfaces.GetAddress(victimId), victimAddr);
csmaNodes.Get (attackerId)->AddApplication (attacker);
attacker->SetStartTime (MilliSeconds (clientStart + delayT ));
attacker->SetStopTime (MilliSeconds (stopTime));
uint16_t port = 4000;
UdpServerHelper server (port);
ApplicationContainer apps = server.Install (csmaNodes.Get (1));
Ipv4Address sourceAddr = csmaInterfaces.GetAddress(+1);
apps.Start (MilliSeconds (serverStart + delayT));
apps.Stop (MilliSeconds (stopTime));
uint32_t MaxPacketSize = 32;
uint32_t maxPacketCount = nPackets;
UdpClientHelper client (sourceAddr, port);
client.SetAttribute ("MaxPackets", UintegerValue (maxPacketCount));
client.SetAttribute ("Interval", TimeValue (MilliSeconds (packetInt)));
client.SetAttribute ("PacketSize", UintegerValue (MaxPacketSize));
apps = client.Install (csmaNodes.Get (0));
apps.Start (MilliSeconds (clientStart + delayT));
apps.Stop (MilliSeconds (stopTime));
Ipv4GlobalRoutingHelper::PopulateRoutingTables ();
csma.EnablePcapAll("arp1");
Simulator::Run ();
Simulator::Destroy ();
return 0;
}