
Towards more sophisticated ARP Spoofing detection/prevention systems in LAN networks

May 14, 2023

Page 1: Towards more sophisticated ARP Spoofing detection/prevention systems in LAN networks

Towards More Sophisticated ARP Spoofing Detection/Prevention Systems in LAN Networks

Mohamed Al-Hemairy, Saad Amin
School of Informatics
British University in Dubai (BUiD)
Dubai, UAE
[email protected], [email protected]

Abstract - The Address Resolution Protocol (ARP) is used by computers to map network addresses (IP) to physical addresses (MAC), and communication between networks cannot be imagined without the support of the ARP protocol. However, ARP has been misused by many malicious hosts for illegitimate penetration; ARP spoofing is one example of such illegal access. ARP spoofing can enable malicious hosts to perform Man-in-the-Middle attacks (MiM) as well as Denial of Service attacks (DoS). Unfortunately, ARP spoofing has not been the focus of security experts or solutions, e.g. Intrusion Detection Systems or Intrusion Protection Systems (IDS/IPS). In this research we evaluate the most famous and expensive detection and prevention (IDS/IPS) systems for their ability to detect all types of ARP spoofing attacks, and introduce an algorithm which can be implemented in IDS/IPS systems to enhance their security.

I. INTRODUCTION

As mentioned above, malicious hosts can perform different types of attacks, for instance DoS, MiM attacks, ARP spoofing, sniffing, buffer overflow, etc. ARP spoofing is a hacking technique in which a forged ARP reply <IP destination, MAC attacker> is created and sent to the source computer that formerly initiated the ARP request, which then updates its ARP cache with the fake information. This kind of exploitation is known as poisoning the ARP cache, and is also called "ARP Cache Poisoning".

Afterward, malicious users corrupt the ARP caches of target hosts and perform MiM or DoS attacks. ARP spoofing can be carried out by anyone with little knowledge of writing scripts, and there are many tools available on the web to conduct such activities, for instance ARP Spoof Tool [3], Winarp [4], SwitchSniffer [5], WinArpSpoof [6], WinArpAttacker [7], and Cain & Abel [8].

In this research we evaluated the most famous and expensive detection and prevention (IDS/IPS) systems, none of which was able to detect all possible kinds of ARP spoofing attacks. Thus we introduced an algorithm which can be implemented in IDS/IPS systems to enhance their security.

978-1-4244-5757-1/10/$26.00 ©2009 IEEE

Zouheir Trabelsi
Information Security Department
UAE University
Al-Ain, UAE
[email protected]

II. BACKGROUND

The ARP protocol [1] is primarily used to link an IP address to the corresponding MAC address, and exchanges ARP messages between hosts on the network.

There are two types of entries in an ARP cache, namely static entries and dynamic entries. Static entries remain in the ARP cache until the system reboots. Dynamic entries remain in the ARP cache for a few minutes and are then removed if they are not referenced. Unfortunately, the static entries mechanism is used in small LAN networks only and is not a common practice in large networks.

Static entries stay in the system memory and are deleted whenever the system is restarted, whereas dynamic entries stay for a shorter period, i.e. a few minutes. In small or medium LANs static entries are commonly used, while in large LANs, unluckily, dynamic entries are used. For more details on the ARP cache updating process, one can refer to the study in [2].

III. ARP SPOOFING

ARP spoofing, also called ARP cache poisoning, introduces a forged IP-address-to-MAC-address mapping into another host's ARP cache. The ARP poisoning can be done by updating an existing ARP entry or by inserting a new forged entry in the ARP cache of a target host.

IV. ARP SPOOFING BASED MIM AND DoS ATTACKS

Man-in-the-Middle (MiM) and Denial of Service (DoS) attacks are most familiar in Local Area Networks, and they are easy to launch as well.

When the malicious host enables IP packet routing, re-forwards the network traffic between the target hosts and starts sniffing the network, a MiM attack is taking place. The malicious host in this case becomes similar to a router that redirects all the traffic without any interruption (Fig. 1).

Figure 1. A presentation of the MiM attack (figure labels: Host A, Host B).

It is important to notice that if the malicious host corrupts the ARP caches of the two target hosts without enabling its IP packet routing, then the two hosts will not be able to exchange packets, and the result is a Denial of Service (DoS) attack. This is extremely harmful considering that routers and gateways can be poisoned too. To perform a MiM attack, host C enables its IP packet routing and corrupts the ARP caches of hosts A and B using an ARP cache poisoning attack.

In a DoS attack (Fig. 2), on the other hand, target hosts are denied from communicating with each other, or with the Internet. This is done simply by corrupting their ARP caches with fake entries including nonexistent MAC addresses, or by disabling the IP packet routing option in the malicious host, so that received redirected traffic will not be forwarded to its real destination.

Figure 2. A presentation of the DoS attack (figure labels: Host A, Host B).

V. ABNORMAL ARP PACKETS

ARP spoofing uses abnormal ARP packets to corrupt the ARP caches of target hosts. The detection process consists of detecting those abnormal ARP packets sent over the LAN network. However, most abnormal ARP packets do not damage the ARP caches (Tables I and II), but they may produce DoS situations in target hosts. Consequently they should be detected. Tables I and II identify two lists of all possible abnormal ARP request and reply packets, respectively. We identified 4 possible types of abnormal ARP request packets and 6 possible types of abnormal ARP reply packets, as follows:

P#1, P#5, and P#7: Security devices should keep track of IP-to-MAC address mappings. Every ARP packet contains an IP-to-MAC address mapping: ARP requests contain the IP-MAC mapping of the sender, and ARP replies contain the IP-MAC mapping of the machine resolved. Every mapping is inserted into a database. If a mapping is observed that contradicts the current mappings, an alert is generated. The IP-to-MAC mappings database can be filled either automatically or manually.

P#2, P#6, and P#8: ARP packets have special restrictions. In ARP request and reply packets, the Ethernet source MAC address has to match the ARP source MAC address. In an ARP reply, the Ethernet destination MAC address has to match the ARP destination MAC address.

P#3: A normal ARP request needs to be sent to the broadcast MAC address, not to a unicast MAC address. Such packets are used by ARP spoofing software to spoof only a specific machine and not all machines on a network.

P#9: A normal ARP reply needs to be sent to a unicast MAC address, not to the broadcast MAC address. Such packets are used by ARP spoofing software to spoof only a specific machine and not all machines on a network.

P#4 and P#10: There are fields in the ARP packet that have restrictions regarding the values they can take. This module checks these values for correctness. ARP mappings may not contain certain IP addresses: these include broadcast and multicast as well as null addresses.

Moreover, some MAC addresses in ARP packets are highly suspicious. No IP-to-MAC mapping should, for example, have the broadcast, multicast or null MAC address assigned. Every ARP packet's IP addresses need to be in the same subnet. An ARP packet with IP addresses that are not in the network interface's configured subnet is suspicious and will be alerted.

Tables I and II show that only the abnormal packets P#1 and P#5 can corrupt the ARP caches of target hosts with fake IP-MAC entries. The remaining abnormal ARP packets do not corrupt ARP caches. However, they may still be harmful and should be detected, since they can carry DoS attacks.

TABLE I. LIST OF POSSIBLE ABNORMAL ARP REQUEST PACKETS

| Field | P#1 | P#2 | P#3 (Unicast ARP request) | P#4 (Unexpected IP or MAC address in ARP request packets) |
|---|---|---|---|---|
| ARP header: Operation | 1 | 1 | 1 | 1 |
| ARP header: Source IP | IP_A | IP_A | - | 0.0.0.0 / 255.255.255.255 / Multicast / Not in the network subnet |
| ARP header: Source MAC | MAC_X | MAC_A | - | 00-00-00-00-00-00 / ff-ff-ff-ff-ff-ff / Multicast |
| ARP header: Destination IP | - | - | - | 0.0.0.0 / 255.255.255.255 / Multicast / Not in the network subnet |
| ARP header: Destination MAC | - | - | - | - |
| Ethernet header: Source MAC | - | MAC_X | - | 00-00-00-00-00-00 / ff-ff-ff-ff-ff-ff / Multicast MAC |
| Ethernet header: Destination MAC | - | - | Unicast | 00-00-00-00-00-00 / Unicast or Multicast |
| Does the packet corrupt the ARP cache? | Yes | No | No | No |

IP_A: the IP address of a host A; MAC_A: the MAC address of a host A; MAC_X: a MAC address of a nonexistent host. "-" marks a field the table leaves unspecified.

TABLE II. LIST OF POSSIBLE ABNORMAL ARP REPLY PACKETS

| Field | P#5 | P#6 | P#7 | P#8 | P#9 (Broadcast ARP reply) | P#10 (Unexpected IP or MAC address in ARP reply packets) |
|---|---|---|---|---|---|---|
| ARP header: Operation | 2 | 2 | 2 | 2 | 2 | 2 |
| ARP header: Source IP | IP_A | IP_A | - | - | - | 0.0.0.0 / 255.255.255.255 / Multicast / Not in the network subnet |
| ARP header: Source MAC | MAC_X | MAC_A | - | - | - | 00-00-00-00-00-00 / ff-ff-ff-ff-ff-ff / Multicast |
| ARP header: Destination IP | - | - | IP_B | IP_B | - | 0.0.0.0 / 255.255.255.255 / Multicast / Not in the network subnet |
| ARP header: Destination MAC | - | - | MAC_X | MAC_B | - | 00-00-00-00-00-00 / ff-ff-ff-ff-ff-ff / Multicast |
| Ethernet header: Source MAC | - | MAC_X | - | - | - | 00-00-00-00-00-00 / ff-ff-ff-ff-ff-ff / Multicast |
| Ethernet header: Destination MAC | - | - | - | MAC_X | ff-ff-ff-ff-ff-ff | 00-00-00-00-00-00 / ff-ff-ff-ff-ff-ff / Multicast |
| Does the packet corrupt the ARP cache? | Yes | No | No | No | No | No |

IP_B: the IP address of a host B; MAC_B: the MAC address of a host B. "-" marks a field the table leaves unspecified.

VI. EXPERIMENTS

The security solutions which are used in the experiments are classified into 4 categories:

1. LAN switches
   a. Cisco switch 3560 Series
   b. Juniper Switches EX3200 Series

2. Software IDS/IPS
   a. Snort IDS
   b. XArp 2 tool
   c. Sax2 NIDS

3. IDS/IPS hardware appliances
   a. Cisco IPS 4255 Series
   b. TopLayer Model 5000
   c. IBM ISS Proventia Model GX4004C
   d. SourceFire
   e. TippingPoint 50

4. Unified Threat Management (UTM) devices
   a. Juniper Netscreen 50

Table III shows which of the identified security solutions perform ARP inspection on ARP packets, regardless of the type of inspection.

TABLE III. SECURITY SOLUTIONS PERFORMING ARP INSPECTION

| Security solutions | Type | Performing ARP inspection (Yes or No)? | Detection or prevention solution? |
|---|---|---|---|
| Cisco Switch 3560 Series | Switch | Yes | Prevention |
| Juniper Switches EX3200 Series | Switch | Yes | Prevention |
| Snort IDS | IDS software tool | Yes | Detection |
| XArp 2 tool | IDS software tool | Yes | Detection |
| Sax2 NIDS | IDS software tool | Yes | Detection |
| Cisco IPS 4255 Series | IPS appliance | Yes | Detection |
| TopLayer Model 5000 | IPS appliance | No | Detection |
| IBM ISS Proventia Model GX4004C | IPS appliance | No | Detection |
| SourceFire | IPS appliance | No | Detection |
| TippingPoint 50 | IPS appliance | Yes | Detection |
| Juniper Netscreen 50 | UTM | No | Detection |

In the experiments, we excluded from the above list the IPS TippingPoint 50, since its ARP inspection is not concerned with the detection of ARP spoofing attacks. Among the security solutions that include ARP inspection mechanisms (Table III), Table VI shows the ones that can totally or partially detect the abnormal ARP packets listed in Tables I and II.

TABLE VI. DETECTION OF ABNORMAL ARP REQUEST AND REPLY PACKETS

| | P#1 | P#2 | P#3 | P#4 | P#5 | P#6 | P#7 | P#8 | P#9 | P#10 |
|---|---|---|---|---|---|---|---|---|---|---|
| Cisco Switch 3560 Series | D | D | N/D | N/D | D | D | D | D | N/D | N/D |
| Juniper Switches EX3200 | D | D | N/D | N/D | D | D | D | D | N/D | N/D |
| Snort IDS | D | D | D | N/D | D | D | D | D | N/D | N/D |
| XArp 2 tool | D | D | D | Partially | D | D | D | D | D | Partially |
| Sax2 NIDS | N/D | N/D | N/D | N/D | N/D | N/D | N/D | N/D | N/D | N/D |
| Cisco IPS Series 4255 | D | N/D | N/D | Partially | D | N/D | D | N/D | N/D | Partially |

D: detected; N/D: not detected; Partially: partially detected.

Using the data in Table VI, we can easily notice that no system offers an ideal solution to the problem of ARP spoofing detection. Among the detection systems, the XArp 2 tool seems ideal in terms of the number of detected abnormal ARP packets. Snort IDS seems to be a good alternative, but both of them perform only detection and are not able to prevent ARP spoofing attacks. The prevention/blocking systems, such as Cisco switches 3560 Series [9] or Juniper switches EX3200 Series [10], are the most ambitious ones, but usually require complex installations. In addition, the high costs of these switches make this solution prohibitive for many companies [11]. Cisco IPS is a prevention system and is a limited alternative solution, since it can deal with few types of abnormal ARP packets (P#1 and P#5). Nevertheless, it is important to remember that the packets P#1 and P#5 are the most used ARP packets during ARP spoofing, since they are the only packets that can corrupt the ARP caches of target hosts.

Sax2 NIDS cannot detect any abnormal packet described in Tables I and II. However, it can detect ARP request storm traffic and ARP scanning traffic.

A. Cross-layers ARP inspection

In order to be able to detect the abnormal ARP packets P#2, P#6, and P#8 described in Tables I and II, a security solution needs to include an ARP inspection mechanism that can perform cross-layer ARP inspection between the Ethernet and ARP headers. In ARP request and reply packets, the Ethernet source MAC address has to match the ARP source MAC address. In addition, in an ARP reply, the Ethernet destination MAC address has to match the ARP destination MAC address.

VII. EXPERIMENTS' RESULTS ANALYSIS

The experiments in this work show clearly that ARP spoofing is not fully detected by most common security solutions. This is because of the absence of an efficient ARP spoofing detection algorithm. There are abnormal ARP packets that do not corrupt ARP caches; however, they are still harmful and should be detected, since they can carry DoS attacks.

In addition, detecting some abnormal ARP packets, such as P#2, P#6 and P#8, requires cross-layer ARP inspection. Among the tested security solutions, only Cisco switch 3560 Series, Juniper switch EX3200 Series, Snort IDS, and the XArp 2 tool perform cross-layer ARP inspection.

Security solutions should also be able to cope with ARP request storm traffic and ARP scanning traffic. This type of traffic is usually used to keep target hosts' ARP caches corrupted or to produce a DoS attack. Sax2 IDS is the only security solution that is able to detect ARP request storms and ARP scanning.

According to the experimental results, the XArp 2 tool is the most efficient available security solution to cope with ARP spoofing. However, compared to the other tested security solutions, it needs minor improvement by adding mechanisms to detect ARP request storms and ARP scanning. Fig. 3 shows a LAN network that uses a simple switch without any security features and a host running the XArp 2 tool to detect ARP spoofing attacks. The host running XArp 2 is connected to a SPAN port (mirroring port) in order to receive and analyze all the LAN network traffic. This network architecture is considered ideal in terms of its low cost and its efficiency regarding the detection of ARP spoofing. However, this network architecture cannot prevent ARP spoofing unless the simple switch is replaced by a more costly switch that integrates advanced security features. Cisco switch 3560 Series [9] and Juniper switch EX3200 Series [10] are examples of high-cost switches that can prevent ARP spoofing using a feature called Dynamic ARP Inspection (DAI).

Figure 3. A LAN network with simple switch and XArp 2 tool (figure label: "Host running XArp 2 tool").

VIII. OPTIMAL ARP SPOOFING DETECTION ALGORITHM

Based on the experiments' results, our work concludes that any security system claiming to cope with ARP spoofing should use an efficient algorithm. We compiled six requirements that any security analyst should follow in order to get an ideal algorithm that deals with ARP spoofing on switched LANs:

1. Perform a cross-layer ARP inspection between the Ethernet and ARP layers.
2. Perform ARP stateful inspection.
3. Detect unexpected IP and MAC addresses.
4. Detect ARP storms.
5. Detect ARP scanning.
6. Build, manually (in case of a non-DHCP environment) or automatically (in case of a DHCP environment), an IP-MAC mapping table, in order to be able to detect invalid IP-MAC pairs.

The algorithm that we created in order to detect ARP spoofing is presented in Fig. 4.
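Requirements 4 and 5 above, and the ARP request storm and ARP scanning traffic that Section VII says only Sax2 detects, can be checked with a simple per-source rate monitor. The following is an added example written for this page, not code from the paper or from any of the tested products: the window length, the two thresholds, the MAC addresses and the traffic trace are all constructed for the example, and the class and function names are mine.

```python
"""ARP request storm and ARP scanning detection (added example, not the paper's code).
Keeps a sliding window of ARP requests per source MAC: more than STORM_THRESHOLD requests in
WINDOW_SECONDS is reported as a storm, more than SCAN_THRESHOLD distinct target IPs as a scan.
Window, thresholds, MAC addresses and the traffic trace are constructed for this example."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

WINDOW_SECONDS = 2.0
STORM_THRESHOLD = 50    # ARP requests from one source within the window (assumed value)
SCAN_THRESHOLD = 20     # distinct target IPs asked for by one source within the window (assumed value)


class ArpRateMonitor:
    def __init__(self, window: float = WINDOW_SECONDS, storm: int = STORM_THRESHOLD, scan: int = SCAN_THRESHOLD):
        self.window, self.storm, self.scan = window, storm, scan
        self._events: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)  # per source: (ts, target ip)
        self._alerted: Set[Tuple[str, str]] = set()   # (source MAC, kind) already reported once

    def observe_request(self, ts: float, src_mac: str, target_ip: str) -> List[str]:
        """Record one ARP request; return the alerts (if any) it triggers for its source."""
        q = self._events[src_mac]
        q.append((ts, target_ip))
        while q and ts - q[0][0] > self.window:     # drop requests that fell out of the window
            q.popleft()
        alerts: List[str] = []
        if len(q) > self.storm and (src_mac, "storm") not in self._alerted:
            self._alerted.add((src_mac, "storm"))
            alerts.append(f"storm {src_mac}")
        if len({ip for _, ip in q}) > self.scan and (src_mac, "scan") not in self._alerted:
            self._alerted.add((src_mac, "scan"))
            alerts.append(f"scan {src_mac}")
        return alerts


def constructed_traffic() -> List[Tuple[float, str, str]]:
    """(timestamp, source MAC, target IP) of ARP requests; a constructed trace, not a capture."""
    events = []
    for i in range(5):                       # host A: ordinary resolution, a few requests over 8 s
        events.append((i * 2.0, "00:11:22:33:44:0a", "192.168.1.1" if i % 2 else "192.168.1.20"))
    for i in range(25):                      # host S: 25 distinct targets within one second (scan)
        events.append((20.0 + i * 0.04, "00:11:22:33:44:55", f"192.168.1.{100 + i}"))
    for i in range(60):                      # host T: the same target 60 times within one second (storm)
        events.append((30.0 + i * 0.015, "00:11:22:33:44:77", "192.168.1.1"))
    return sorted(events)


def run_sample_traffic() -> List[str]:
    """Feed the constructed trace through one monitor and collect the alerts in order."""
    monitor = ArpRateMonitor()
    alerts: List[str] = []
    for ts, src_mac, target_ip in constructed_traffic():
        alerts.extend(monitor.observe_request(ts, src_mac, target_ip))
    return alerts


if __name__ == "__main__":
    print(run_sample_traffic())   # one scan alert for host S, one storm alert for host T
```

The monitor reports each source once per kind of anomaly; clearing `_alerted` at the end of every window would turn it into a periodic report instead. The thresholds are assumptions and must be tuned per LAN: a legitimate inventory or monitoring host that sweeps the subnet will trip the scan rule, so such hosts need an allow-list.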


    Abnormal_Arp_Packet_Detection (Ethernet_header, ARP_header, IP_MAC_Mapping_Table)
    {
        /* ARP request packet */
        if (ARP_Operation == "request")
        {
            Unicast_ARP_request (Ethernet_MAC_Destination);                        /* for detecting packet P#3 */
            Unexpected_IP_MAC_Addresses_in_ARP_Request (Ethernet_MAC_Source,
                Ethernet_MAC_Destination, ARP_IP_Source, ARP_MAC_Source,
                ARP_IP_Destination, ARP_MAC_Destination);                          /* for detecting packet P#4 */
            Cross_Layer_Inspection_ARP_Request (Ethernet_MAC_Source, ARP_MAC_Source);   /* for detecting packet P#2 */
            IP_to_MAC_Address_Mappings_ARP_Request (ARP_IP_Source, ARP_MAC_Source,
                IP_MAC_Mapping_Table);                                             /* for detecting packet P#1 */
        }

        /* ARP reply packet */
        if (ARP_Operation == "reply")
        {
            Broadcast_ARP_reply (Ethernet_MAC_Destination);                        /* for detecting packet P#9 */
            Unexpected_IP_MAC_Addresses_in_ARP_Reply (Ethernet_MAC_Source,
                Ethernet_MAC_Destination, ARP_IP_Source, ARP_MAC_Source,
                ARP_IP_Destination, ARP_MAC_Destination);                          /* for detecting packet P#10 */
            Cross_Layer_Inspection_ARP_Reply (Ethernet_MAC_Source, ARP_MAC_Source,
                Ethernet_MAC_Destination, ARP_MAC_Destination);                    /* for detecting packets P#6 and P#8 */
            IP_to_MAC_Address_Mappings_ARP_Reply (ARP_IP_Source, ARP_MAC_Source,
                ARP_IP_Destination, ARP_MAC_Destination, IP_MAC_Mapping_Table);    /* for detecting packets P#5 and P#7 */
        }
    }

Figure 4. Optimal ARP Spoofing Detection Algorithm.
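As an added example (not the paper's own code, nor the code of any product it evaluates), here is the algorithm of Fig. 4 written as runnable Python. It decodes a raw Ethernet II + ARP frame and applies the ten checks of Section V and Tables I and II, including the cross-layer inspection of Section VI.A and the IP-MAC mapping table of requirement 6. Hosts A and B, the nonexistent MAC_X, the subnet, the trusted mapping table and the sample frames are constructed for this example, and the function names (parse_arp_frame, detect_abnormal_arp and so on) are mine, not the paper's.

```python
"""Abnormal ARP packet detection after Fig. 4 (added example, not the paper's code).
Decodes a raw Ethernet II + ARP frame (RFC 826, IPv4 over Ethernet) and applies the
checks behind packets P#1..P#10 of Tables I and II.  Hosts, subnet, mapping table and
sample frames are constructed for this example."""
import ipaddress
import struct
from collections import namedtuple
from typing import Dict, List

ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST_MAC, NULL_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
ARP_LAYOUT = "!HHBBH6s4s6s4s"   # hw type, proto type, hw len, proto len, oper, sha, spa, tha, tpa

# Ethernet header fields first, then the ARP header fields
ArpFrame = namedtuple("ArpFrame", "eth_dst eth_src operation arp_src_mac arp_src_ip arp_dst_mac arp_dst_ip")

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_frame(frame: bytes) -> ArpFrame:
    """Decode the 42 bytes of an Ethernet II + ARP frame (hw type 1, proto 0x0800)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    hw, proto, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_LAYOUT, frame[14:42])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(_mac(eth_dst), _mac(eth_src), oper, _mac(sha), str(ipaddress.IPv4Address(spa)),
                    _mac(tha), str(ipaddress.IPv4Address(tpa)))

def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Inverse of parse_arp_frame; used here only to construct the sample frames offline."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + struct.pack(ARP_LAYOUT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa)))

def is_multicast_mac(mac: str) -> bool:
    # Group bit of the first octet set, excluding the all-ones broadcast address
    return mac != BROADCAST_MAC and (int(mac[:2], 16) & 1) == 1

def is_unexpected_mac(mac: str) -> bool:
    return mac in (BROADCAST_MAC, NULL_MAC) or is_multicast_mac(mac)

def is_unexpected_ip(ip: str, subnet: ipaddress.IPv4Network) -> bool:
    # Null, limited-broadcast, multicast or off-subnet address (P#4 / P#10).
    # Caveat: RFC 5227 address probes carry sender IP 0.0.0.0 and are flagged as well.
    addr = ipaddress.IPv4Address(ip)
    return str(addr) in ("0.0.0.0", "255.255.255.255") or addr.is_multicast or addr not in subnet

def detect_abnormal_arp(f: ArpFrame, mapping: Dict[str, str], subnet: ipaddress.IPv4Network) -> List[str]:
    """Return the codes P#1..P#10 that apply to one frame, in the order of Fig. 4.
    `mapping` is the trusted IP -> MAC table (requirement 6); IPs absent from it are not judged."""
    alerts: List[str] = []
    if f.operation == ARP_REQUEST:
        if f.eth_dst != BROADCAST_MAC and not is_unexpected_mac(f.eth_dst):
            alerts.append("P#3")    # unicast ARP request
        if (is_unexpected_ip(f.arp_src_ip, subnet) or is_unexpected_ip(f.arp_dst_ip, subnet)
                or is_unexpected_mac(f.arp_src_mac) or is_unexpected_mac(f.eth_src)
                or f.eth_dst == NULL_MAC or is_multicast_mac(f.eth_dst)):
            alerts.append("P#4")    # unexpected IP or MAC address in request
        if f.eth_src != f.arp_src_mac:
            alerts.append("P#2")    # cross-layer: Ethernet and ARP source MAC differ
        if mapping.get(f.arp_src_ip, f.arp_src_mac) != f.arp_src_mac:
            alerts.append("P#1")    # sender mapping contradicts the trusted table
    elif f.operation == ARP_REPLY:
        if f.eth_dst == BROADCAST_MAC:
            alerts.append("P#9")    # broadcast ARP reply (gratuitous ARP sent as a reply is flagged too)
        if (any(is_unexpected_ip(ip, subnet) for ip in (f.arp_src_ip, f.arp_dst_ip))
                or any(is_unexpected_mac(m) for m in (f.arp_src_mac, f.arp_dst_mac, f.eth_src))
                or f.eth_dst == NULL_MAC or is_multicast_mac(f.eth_dst)):
            alerts.append("P#10")   # unexpected IP or MAC address in reply
        if f.eth_src != f.arp_src_mac:
            alerts.append("P#6")    # cross-layer: Ethernet and ARP source MAC differ
        if f.eth_dst != f.arp_dst_mac:
            alerts.append("P#8")    # cross-layer: Ethernet and ARP destination MAC differ
        if mapping.get(f.arp_src_ip, f.arp_src_mac) != f.arp_src_mac:
            alerts.append("P#5")    # sender mapping contradicts the trusted table
        if mapping.get(f.arp_dst_ip, f.arp_dst_mac) != f.arp_dst_mac:
            alerts.append("P#7")    # target mapping contradicts the trusted table
    return alerts

# Constructed LAN: hosts A and B, and MAC_X, the MAC address of a nonexistent host (as in Table I)
SUBNET = ipaddress.IPv4Network("192.168.1.0/24")
IP_A, MAC_A = "192.168.1.10", "00:11:22:33:44:0a"
IP_B, MAC_B = "192.168.1.20", "00:11:22:33:44:0b"
MAC_X = "00:11:22:33:44:ee"
MAPPING = {IP_A: MAC_A, IP_B: MAC_B}    # trusted table, filled manually (non-DHCP case)
SAMPLE_FRAMES = {                       # constructed frames, one per situation
    "normal_request": build_arp_frame(BROADCAST_MAC, MAC_A, ARP_REQUEST, MAC_A, IP_A, NULL_MAC, IP_B),
    "p1_forged_request": build_arp_frame(BROADCAST_MAC, MAC_X, ARP_REQUEST, MAC_X, IP_A, NULL_MAC, IP_B),
    "p2_cross_layer_request": build_arp_frame(BROADCAST_MAC, MAC_X, ARP_REQUEST, MAC_A, IP_A, NULL_MAC, IP_B),
    "p3_unicast_request": build_arp_frame(MAC_B, MAC_A, ARP_REQUEST, MAC_A, IP_A, NULL_MAC, IP_B),
    "p5_forged_reply": build_arp_frame(MAC_B, MAC_X, ARP_REPLY, MAC_X, IP_A, MAC_B, IP_B),
    "p9_p10_broadcast_reply": build_arp_frame(BROADCAST_MAC, MAC_A, ARP_REPLY, MAC_A, IP_A, BROADCAST_MAC, "224.0.0.1"),
}

def run_samples() -> Dict[str, List[str]]:
    """Classify every constructed frame: normal_request yields [] and each other frame its P# codes."""
    return {name: detect_abnormal_arp(parse_arp_frame(raw), MAPPING, SUBNET) for name, raw in SAMPLE_FRAMES.items()}
```

Calling run_samples() returns one list of codes per constructed frame; the normal request gets an empty list, the forged request and reply get P#1 and P#5 respectively, and the broadcast reply to a multicast target gets both P#9 and P#10. Unknown IP addresses are not judged against the table, so on a DHCP LAN the table must be populated from the DHCP leases (requirement 6) before P#1, P#5 and P#7 become meaningful. Two benign packet types trip these rules exactly as the paper defines them: RFC 5227 address probes (sender IP 0.0.0.0, flagged as P#4) and gratuitous ARP announcements that a stack sends as broadcast replies (flagged as P#9), so a deployment needs an allow-list or a lower severity for them.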

IX. CONCLUSION

In this study, we conducted extensive work to find out which security solutions are able to detect a very dangerous MAC layer attack called ARP spoofing. It is to be noted that ARP spoofing constitutes the beginning of many attacks, one of which is the destructive MiM attack. We were able to show through testing and experimentation that the current security solutions have many shortcomings and defects when it comes to detecting ARP spoofing. The XArp 2 tool was the most efficient available security solution that can cope with ARP spoofing attacks. However, compared to the other security solutions, it needs minor improvements by adding mechanisms to detect ARP request storms and ARP scanning. As a conclusion of our study, we suggested 6 basic and crucial requirements that any algorithm should follow in order to detect ARP spoofing sufficiently on switched LANs.

REFERENCES

[1] D. Plummer, "An Ethernet Address Resolution Protocol", RFC 826, MIT-LCS, November 1982.

[2] Z. Trabelsi and K. Shuaib, "A Novel Man-in-the-Middle Intrusion Detection Scheme for Switched LANs", International Journal of Computers and Applications, ACTA Press, Vol. 3, No. 3, 2008.

[3] ARP Spoof Tool, http://www.imfirewall.com/en/arp-spoof.htm

[4] Winarp, http://www.aqrskorg

[5] SwitchSniffer, http://www.nextsecurity.net/software/SwitchSniffer.html

[6] WinArpSpoof, http://www.nextsecurity.net/software/Windows_ARP_Spoofer.html

[7] WinArpAttacker, http://www.xfocus.net/tools/200606/WinArpAttacker3.50.rar

[8] Cain & Abel, http://www.oxid.it/cain.html

[9] Cisco Catalyst 3560 Series Switches, http://www.cisco.com

[10] Juniper Switches EX3200 Series, http://www.juniper.net

[11] Cristina L. Abad, Rafael I. Bonilla, "An Analysis on the Schemes for Detecting and Preventing ARP Cache Poisoning Attacks", Proceedings of the 27th International Conference on Distributed Computing Systems Workshops (ICDCSW'07), June 22-29, 2007.