Skip to main content
SpringerLink
Log in

Detecting ARP Spoofing: An Active Technique

  • Conference paper
Information Systems Security (ICISS 2005)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3803))

Included in the following conference series:

Abstract

The Address Resolution Protocol (ARP) due to its statelessness and lack of an authentication mechanism for verifying the identity of the sender has a long history of being prone to spoofing attacks. ARP spoofing is sometimes the starting point for more sophisticated LAN attacks like denial of service, man in the middle and session hijacking. The current methods of detection use a passive approach, monitoring the ARP traffic and looking for inconsistencies in the Ethernet to IP address mapping. The main drawback of the passive approach is the time lag between learning and detecting spoofing. This sometimes leads to the attack being discovered long after it has been orchestrated. In this paper, we present an active technique to detect ARP spoofing. We inject ARP request and TCP SYN packets into the network to probe for inconsistencies. This technique is faster, intelligent, scalable and more reliable in detecting attacks than the passive methods. It can also additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy in the event of an actual attack.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Plummer, D.: An Ethernet Address Resolution Protocol., RFC-826, USC Information Science Institute, California (November 1982), http://www.ietf.org/rfc/rfc0826.txt

  2. Richard, S.W.: TCP/IP Illustrated The Protocols, vol. 1. Addison Wesley Longman, Inc., Amsterdam (1994), ISBN: 0201633469

    Google Scholar 

  3. Wagner, R.: Address Resolution Protocol Spoofing and Man in the Middle Attacks (2001), http://rr.sans.org/threats/address.php

  4. Ornaghi, A., Valleri, M.: A multipurpose sniffer for switched LANs, http://ettercap.sf.net

  5. AtStake.com. Etherleak: Ethernet frame padding information leakage (2003), http://www.atstake.com/research/advisories/2003/a010603-1.txt

  6. Althes.: The IP Smart spoofing, InterOp Paris (2002), http://www.althes.fr/ressources/avis/smartspoofing.htm

  7. Volobuev, Y.: Redir games with ARP and ICMP, http://lists.insecure.org/lists/bugtraq/1997/Sep/0059.html

  8. Raynal, F., Detoisien, E., Blancher, C.: ARP-SK: a swiss knife tool for ARP, http://www.ARP-sk.org/

  9. Lawrence Berkeley National Laboratory, ARPWATCH tool: ARP Spoofing Detector, ftp://ftp.ee.lbl.gov/ARPwatch.tar.gz

  10. Bruschi, D., Ornaghi, A., Rosti, E.: S-ARP: a Secure Adderess Resolution Protocol. In: 19th Annual Computer Security Applications Conference (2003), www.acsac.org/2003/papers/111.pdf

  11. Barnaba, M.: Anticap (2003), http://cvs.antifork.org/cvsweb.cgi/anticap

  12. Teterin, I.: Antidote, http://online.securityfocus.com/archive/1/299929

Download references

Author information

Authors and Affiliations

  1. Cisco Systems, Inc., Bangalore, India

    Vivek Ramachandran

  2. Indian Institute of Technology, Guwahati, Assam, India

    Sukumar Nandi

Authors
  1. Vivek Ramachandran
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sukumar Nandi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Center for Secure Information Systems, George Mason University, VA 22030, Fairfax, USA

    Sushil Jajodia

  2. Jadavpur University, 7000032, Kolkata, India

    Chandan Mazumdar

Rights and permissions

Reprints and permissions

Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ramachandran, V., Nandi, S. (2005). Detecting ARP Spoofing: An Active Technique. In: Jajodia, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2005. Lecture Notes in Computer Science, vol 3803. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11593980_18

Download citation

  • DOI: https://doi.org/10.1007/11593980_18

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-30706-8

  • Online ISBN: 978-3-540-32422-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation