Abstract
The Address Resolution Protocol (ARP) due to its statelessness and lack of an authentication mechanism for verifying the identity of the sender has a long history of being prone to spoofing attacks. ARP spoofing is sometimes the starting point for more sophisticated LAN attacks like denial of service, man in the middle and session hijacking. The current methods of detection use a passive approach, monitoring the ARP traffic and looking for inconsistencies in the Ethernet to IP address mapping. The main drawback of the passive approach is the time lag between learning and detecting spoofing. This sometimes leads to the attack being discovered long after it has been orchestrated. In this paper, we present an active technique to detect ARP spoofing. We inject ARP request and TCP SYN packets into the network to probe for inconsistencies. This technique is faster, intelligent, scalable and more reliable in detecting attacks than the passive methods. It can also additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy in the event of an actual attack.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Plummer, D.: An Ethernet Address Resolution Protocol., RFC-826, USC Information Science Institute, California (November 1982), http://www.ietf.org/rfc/rfc0826.txt
Richard, S.W.: TCP/IP Illustrated The Protocols, vol. 1. Addison Wesley Longman, Inc., Amsterdam (1994), ISBN: 0201633469
Wagner, R.: Address Resolution Protocol Spoofing and Man in the Middle Attacks (2001), http://rr.sans.org/threats/address.php
Ornaghi, A., Valleri, M.: A multipurpose sniffer for switched LANs, http://ettercap.sf.net
AtStake.com. Etherleak: Ethernet frame padding information leakage (2003), http://www.atstake.com/research/advisories/2003/a010603-1.txt
Althes.: The IP Smart spoofing, InterOp Paris (2002), http://www.althes.fr/ressources/avis/smartspoofing.htm
Volobuev, Y.: Redir games with ARP and ICMP, http://lists.insecure.org/lists/bugtraq/1997/Sep/0059.html
Raynal, F., Detoisien, E., Blancher, C.: ARP-SK: a swiss knife tool for ARP, http://www.ARP-sk.org/
Lawrence Berkeley National Laboratory, ARPWATCH tool: ARP Spoofing Detector, ftp://ftp.ee.lbl.gov/ARPwatch.tar.gz
Bruschi, D., Ornaghi, A., Rosti, E.: S-ARP: a Secure Adderess Resolution Protocol. In: 19th Annual Computer Security Applications Conference (2003), www.acsac.org/2003/papers/111.pdf
Barnaba, M.: Anticap (2003), http://cvs.antifork.org/cvsweb.cgi/anticap
Teterin, I.: Antidote, http://online.securityfocus.com/archive/1/299929
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2005 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ramachandran, V., Nandi, S. (2005). Detecting ARP Spoofing: An Active Technique. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2005. Lecture Notes in Computer Science, vol 3803. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11593980_18
Download citation
DOI: https://doi.org/10.1007/11593980_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30706-8
Online ISBN: 978-3-540-32422-5
eBook Packages: Computer ScienceComputer Science (R0)