Network Security Foreign-Language Translation: Detecting ARP Spoofing: An Active Technique
Foreign-language translation: original text and translated text
College: College of Computer Science
Major: Computer Science and Technology; Class:
Student ID:
Name:
Supervisor:
Teacher in charge:
June 2011
Detecting ARP Spoofing: An Active Technique
Vivek Ramachandran and Sukumar Nandi
Cisco Systems, Inc., Bangalore, India
Indian Institute of Technology, Guwahati, Assam, India
Abstract. The Address Resolution Protocol (ARP), because of its statelessness and its lack of an authentication mechanism for verifying the identity of the sender, has a long history of being prone to spoofing attacks. ARP spoofing is sometimes the starting point for more sophisticated LAN attacks like denial of service, man in the middle and session hijacking. The current methods of detection use a passive approach, monitoring the ARP traffic and looking for inconsistencies in the Ethernet to IP address mapping. The main drawback of the passive approach is the time lag between learning and detecting spoofing. This sometimes leads to the attack being discovered long after it has been orchestrated. In this paper, we present an active technique to detect ARP spoofing. We inject ARP request and TCP SYN packets into the network to probe for inconsistencies. This technique is faster, intelligent, scalable and more reliable in detecting attacks than the passive methods. In the event of an actual attack it can additionally detect the real MAC to IP address mapping to a fair degree of accuracy.
1. Introduction
The ARP protocol is one of the most basic but essential protocols for LAN communication. It is used to resolve the MAC address of a host given its IP address. This is done by sending an ARP request packet (broadcast) on the network. The host concerned then replies with its MAC address in an ARP reply packet (unicast). In some situations a host might broadcast its own MAC address in a special Gratuitous ARP packet. All hosts maintain an ARP cache where all address mappings learnt from the network (dynamic entries) or configured by the administrator (static entries) are kept. The dynamic entries age out after a fixed interval of time, which varies across operating systems. After an entry ages out it is deleted from the cache, and if the host wants to communicate with the same peer, another ARP request is made. The static entries never age out.
The ARP protocol is stateless. Hosts will cache all ARP replies sent to them even if they had not sent an explicit ARP request for them. Even if a previous unexpired dynamic ARP entry is present in the ARP cache, it will be overwritten by a newer ARP reply packet on most operating systems. All hosts blindly cache the ARP replies they receive, as they have no mechanism to authenticate their peer. This is the root problem, which leads to ARP spoofing.
ARP spoofing is the process of forging ARP packets to be able to impersonate another host on the network. In the most general form of ARP spoofing the attacker sends spoofed ARP responses to the victim periodically. The period between the spoofed responses is much shorter than the ARP cache entry timeout period of the operating system running on the victim host. This ensures that the victim host will never make an ARP request for the host whose address the attacker is impersonating. The following subsection briefly discusses the current detection and mitigation techniques.
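As an added illustration (not code from the paper or its authors), the following Python parses raw ARP packet bodies and applies the passive approach the abstract describes: it learns the IP to MAC mapping from the sender fields of observed ARP traffic and raises an alert when a later packet claims the same IP for a different MAC. The addresses and packets are constructed sample data, and the rule that the first mapping seen is trusted is the example's own assumption about how a passive monitor learns; it is exactly that learning step whose time lag the paper criticises.

```python
"""Passive ARP spoofing detector over raw ARP packet bodies (added example).

Parses the 28-byte Ethernet/IPv4 ARP body (RFC 826 layout) and reports an IP
address claimed by more than one sender MAC, i.e. the Ethernet-to-IP mapping
inconsistency a passive monitor looks for.  All packets are constructed.
"""
import struct
from dataclasses import dataclass

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_to_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_to_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _mac_from_str(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_from_str(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(raw: bytes) -> ArpPacket:
    """Parse an ARP body (Ethernet header already stripped); rejects other types."""
    if len(raw) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError(f"unknown ARP opcode {oper}")
    return ArpPacket(oper,
                     _mac_to_str(raw[8:14]), _ip_to_str(raw[14:18]),
                     _mac_to_str(raw[18:24]), _ip_to_str(raw[24:28]))


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Build an ARP body; used only to construct the sample traffic below."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + _mac_from_str(sender_mac) + _ip_from_str(sender_ip)
            + _mac_from_str(target_mac) + _ip_from_str(target_ip))


class PassiveDetector:
    """Learns IP -> MAC from sender fields; the first MAC seen is trusted
    (assumption of this example), a later different MAC for the same IP alerts."""

    def __init__(self):
        self.mapping = {}   # sender_ip -> first sender_mac observed
        self.alerts = []    # (ip, previously learnt mac, conflicting mac)

    def observe(self, raw: bytes) -> ArpPacket:
        pkt = parse_arp(raw)
        known = self.mapping.get(pkt.sender_ip)
        if known is None:
            self.mapping[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:
            self.alerts.append((pkt.sender_ip, known, pkt.sender_mac))
        return pkt


# Constructed sample traffic: a host resolves the gateway, the gateway answers,
# then an unsolicited reply claims the gateway IP for a different MAC.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "02:00:00:00:00:01"
HOST_IP, HOST_MAC = "10.0.0.5", "02:00:00:00:00:05"
OTHER_MAC = "02:00:00:00:00:99"
ZERO_MAC = "00:00:00:00:00:00"

SAMPLE_TRAFFIC = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
    build_arp(ARP_REPLY, OTHER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
]


def run_sample() -> list:
    """Feed the sample traffic through the detector and return its alerts."""
    det = PassiveDetector()
    for raw in SAMPLE_TRAFFIC:
        det.observe(raw)
    return det.alerts
```

Note that the detector only sees the conflict on the third packet: until the conflicting claim arrives there is nothing to compare, which is the passive approach's built-in lag between learning and detection.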
1.1 Current Mitigation and Detection Techniques
Existing ARP spoofing detection techniques are discussed next, in sequence.
1.1.1 Secure ARP Protocol (S-ARP)
This has been proposed as a replacement for the ARP protocol in S-ARP: a Secure Address Resolution Protocol. The S-ARP protocol is definitely a permanent solution to ARP spoofing, but its biggest drawback is that we would have to make changes to the network stack of all the hosts. This is not very scalable, as going for a stack upgrade across all available operating systems is something neither vendors nor customers will be happy about. As S-ARP uses the Digital Signature Algorithm (DSA), we have the additional overhead of cryptographic calculations, though the authors of the paper have claimed that this overhead is not significant.
1.1.2 Static MAC Entries
Adding static MAC address entries on every host for all other hosts will not allow spoofing, but it is not a scalable solution at all, and managing all the entries is a full-time job by itself. This can fail miserably if mobile hosts such as laptops are periodically introduced into the network. Also, some operating systems are known to overwrite static ARP entries if they receive Gratuitous ARP packets (GARP).
1.1.3 Kernel Based Patches
Kernel based patches such as Anticap and Antidote have made an attempt to protect against ARP spoofing at an individual host level. Anticap does not allow the host ARP cache to be updated by an ARP reply that carries a different MAC address than the one already in the cache. Unfortunately this makes it drop legitimate gratuitous ARP replies as well, which is a violation of the ARP protocol specification. Antidote, on receiving an ARP reply whose MAC address differs from the previously cached one, tries to check whether the previously learnt MAC is still alive. If the previously learnt MAC is still alive, the update is rejected and the offending MAC address is added to a list of banned addresses.
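The two cache-update policies described above, as an added Python example (not the Anticap or Antidote patches' own code): the host's ARP cache is modelled with expiring dynamic entries and non-expiring static entries, and a reply that conflicts with a live entry is handled either by the blind overwrite most operating systems perform, by Anticap's unconditional rejection, or by Antidote's liveness check of the previously learnt MAC followed by banning the offending MAC. The liveness probe and the clock are injected callables so the scenarios run offline; the IPs, MACs and the scenario itself are constructed sample data.

```python
"""Host ARP cache with 'plain', 'anticap' and 'antidote' update policies.

Added example modelling the behaviours the paper attributes to the two
kernel patches; it is not their code.  Liveness of the previously learnt
MAC comes from a caller-supplied is_alive(ip, mac) probe and time from an
injectable clock, so everything below runs on constructed data.
"""
import time


class ArpCache:
    POLICIES = ("plain", "anticap", "antidote")

    def __init__(self, policy="plain", is_alive=None, ttl=60.0,
                 clock=time.monotonic):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        if policy == "antidote" and is_alive is None:
            raise ValueError("antidote needs an is_alive(ip, mac) probe")
        self.policy, self.is_alive = policy, is_alive
        self.ttl, self.clock = ttl, clock
        self.entries = {}    # ip -> [mac, expiry]; expiry None marks static
        self.banned = set()  # MACs rejected by the antidote check
        self.log = []        # (ip, mac, decision) for every reply processed

    def add_static(self, ip, mac):
        """Administrator-configured entry: never ages out, never overwritten."""
        self.entries[ip] = [mac, None]

    def lookup(self, ip):
        """Return the cached MAC for ip, deleting an aged-out dynamic entry."""
        ent = self.entries.get(ip)
        if ent is None:
            return None
        if ent[1] is not None and ent[1] <= self.clock():
            del self.entries[ip]
            return None
        return ent[0]

    def _record(self, ip, mac, decision):
        self.log.append((ip, mac, decision))
        return decision == "accepted"

    def _store(self, ip, mac):
        self.entries[ip] = [mac, self.clock() + self.ttl]
        return self._record(ip, mac, "accepted")

    def on_reply(self, ip, mac):
        """Process an ARP reply (solicited or not) claiming ip -> mac."""
        if mac in self.banned:
            return self._record(ip, mac, "rejected-banned")
        ent = self.entries.get(ip)
        if ent is not None and ent[1] is None:
            return self._record(ip, mac, "rejected-static")
        current = self.lookup(ip)
        if current is None or current == mac:
            return self._store(ip, mac)       # new mapping or a refresh
        # Conflicting claim for an IP that still has a live dynamic entry.
        if self.policy == "plain":
            return self._store(ip, mac)       # blind overwrite, as most OSes do
        if self.policy == "anticap":          # rejects even a legitimate change
            return self._record(ip, mac, "rejected-anticap")
        if self.is_alive(ip, current):        # antidote: old MAC still answers
            self.banned.add(mac)
            return self._record(ip, mac, "rejected-antidote")
        return self._store(ip, mac)           # old MAC gone; accept the change


def run_scenario(policy, previous_mac_alive=True):
    """Constructed scenario: a legitimate reply, then a conflicting one."""
    now = [0.0]
    cache = ArpCache(policy, is_alive=lambda ip, mac: previous_mac_alive,
                     ttl=60.0, clock=lambda: now[0])
    cache.on_reply("10.0.0.1", "02:00:00:00:00:01")
    cache.on_reply("10.0.0.1", "02:00:00:00:00:99")
    after_conflict = cache.lookup("10.0.0.1")
    now[0] = 61.0                             # let the dynamic entry age out
    return {"mac": after_conflict, "expired": cache.lookup("10.0.0.1"),
            "banned": sorted(cache.banned), "log": list(cache.log)}
```

The antidote branch shows where the liveness probe matters: if the previously learnt MAC really has gone away (a host that changed its NIC, for instance), the conflicting reply is accepted, whereas anticap rejects it regardless.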