An Enhanced Secure ARP Protocol and LAN Switch for Preventing ARP based Attacks

Senda HAMMOUDA
MEDIATRON SUP’COM, Cité El Ghazela 2088 Tunisia
[email protected]

Zouheir TRABELSI
UAE University, CIT, Al Ain, 17555, UAE
[email protected]

ABSTRACT
After the ARP protocol was drafted, a subtle weakness in the protocol was discovered. In fact, ARP provides no means to establish the authenticity of the source of incoming ARP packets. That is why any host of a LAN can forge an ARP message containing malicious information to poison the ARP caches of target hosts. This lack of authentication mechanisms has made ARP vulnerable to a raft of IP-based impersonation, Man-in-the-Middle (MiM) and DoS attacks. In this paper we discuss a security solution to the ARP vulnerabilities and authenticity issues. For that purpose, a novel secure extended ARP protocol is proposed. In addition, the LAN switch has been enhanced to assume the role of “Trusted Authority” and to assure the authentication of hosts while they exchange ARP messages.

Categories and Subject Descriptors
C.2.1 [Network Architecture and Design]: Network communications.

General Terms
Security.

Keywords
ARP protocol, ARP cache poisoning attack, Man-in-the-Middle attack.

1. INTRODUCTION
The Address Resolution Protocol (ARP) [10] is a protocol used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. That is why ARP is essential to the proper functioning of the network. Unfortunately, ARP suffers from many serious vulnerabilities [11, 12]. In fact, a malicious user can poison ARP caches to impersonate hosts and to perform MiM or DoS attacks. Some countermeasures were proposed to prevent or detect these types of malicious activities.

In this paper, we present a novel secure extended ARP protocol to solve the ARP vulnerabilities and authenticity issues. The proposed protocol is based on the generation of a random number by every host once it connects to the LAN. The random number is considered as the host’s fingerprint and is used to authenticate the host’s ARP traffic. The proposed extended secure ARP protocol uses some fields of the standard ARP header to embed the extra information that it requires. However, the standard ARP has not been discarded. That is, if a host of a LAN does not support the proposed secure extended version of the ARP protocol, it is still able to communicate. In addition, the LAN switch functionalities have been enhanced so that the switch can play the role of a “Trusted Authority” and assure the authentication of hosts while they exchange ARP messages.

The remainder of this paper is organized as follows. In section 2, we present an overview of the ARP protocol and ARP based attacks. Section 3 discusses related works. Section 4 discusses the architecture of the proposed extended secure ARP protocol and its operation within LANs. Finally, section 5 concludes the paper.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. IWCMC’09, June 21–24, 2009, Leipzig, Germany. Copyright © 2009 ACM 978-1-60558-5697/09/06...$5.00

2. BACKGROUND: OVERVIEW OF ARP PROTOCOL AND ARP BASED ATTACK
2.1 ARP protocol
To map a particular IP address to a given hardware address (MAC address) so that packets can be transmitted across a local network, systems use the Address Resolution Protocol (ARP) [10]. Figure 1 shows the fields of the ARP header.

We should mention too that each host in a network segment has a table, called the ARP cache, which maps IP addresses to their corresponding MAC addresses. New entries in the ARP cache can be created, or already existing entries can be updated, by ARP request or reply messages.
Figure 1. The ARP header. (Fields, in order: Hardware type (2 bytes); Protocol type (2 bytes); LGR-MAT (1 byte); LGR-PROT (1 byte); Operation code (2 bytes, 1 for request, 2 for reply); Source MAC address (6 bytes); Source IP address (4 bytes); Destination MAC address (6 bytes); Destination IP address (4 bytes).)

2.2 ARP cache poisoning attack
The ARP cache poisoning attack is the malicious act, by a host in a LAN, of introducing a spurious IP address to MAC address mapping into another host’s ARP cache. In principle, to corrupt the entries in the ARP cache of a target host, a malicious host generates ARP request or reply messages including fake IP and MAC addresses.

2.3 The MiM attack
The MiM attack allows a malicious user to sniff a switched network. The attack consists in rerouting (redirecting) the network traffic between two target hosts to a malicious host. Then, the malicious host forwards the received packets to the original destination, so that the communication between the two target hosts is not interrupted and the users of the two hosts do not notice that their traffic is sniffed by a malicious host. Using the ARP cache poisoning attack, the malicious user corrupts the ARP caches of the two target hosts, in order to force the two hosts to forward all their packets to his host.

3. RELATED WORKS
Several attempts have been made to overcome the vulnerabilities and insecurities of the ARP protocol. Some of the proposed solutions aim to detect these attacks while others try to prevent them by making ARP more secure.

3.1 Mitigation techniques
Some solutions were proposed as a way to limit exposure to ARP attacks. In [7], the authors suggested dividing the network into a large number of subnets with a small number of hosts in each subnet. The drawback of this approach is the extra administrative cost involved. MAC address cloning is an ARP attack used to impersonate a host in the network. These attacks can be prevented using a feature available on many modern switches called port security [8]. This solution is very efficient, but does nothing to prevent other types of ARP attacks.

3.2 Detection techniques
These are passive techniques that sniff ARP requests and responses on the network and try to detect misbehaviour. The most popular tools are Arpwatch [1] and Snort [2].

The main drawback of the passive methods is the time lag between learning and subsequent attack detection. Besides, they do not have any intelligence and blindly look for a mismatch between the ARP traffic and their learnt database tables.

In [13] a combination of four different ARP traffic criteria is used to determine network anomalies. Four parameters were considered: Rate, Burstiness, Dark space and Sequential scan.

3.3 Prevention techniques
Instead of waiting for an ARP cache poisoning attack to happen and then detecting it, some techniques propose to prevent this attack before it happens. The most trivial one is to add static MAC address entries on every host in the network. This is not practical at all, since adding these entries manually is a full time job and fails if mobile hosts like laptops are periodically introduced into the network.

Another alternative was to propose a new version of the ARP protocol that takes charge of authentication. For example, S-ARP [3] uses asymmetric cryptography utilizing digitally signed ARP replies. At the receiving end, an entry is updated if and only if the signatures are correctly verified. S-ARP is considerably slow, as can be deduced from the results presented in [3].

In another approach, Gouda and Huang [4] propose the Secure Address Resolution Protocol. In this protocol, a secure server shares secret keys with each host on a subnet. The server maintains a database of IP-address-to-MAC-address mappings. All ARP requests and replies occur between a host and the server, and replies are authenticated using the shared pair keys. The main drawback of this technique is congestion at the server, which constitutes a single point of failure in the network.

Another approach was presented in [5], where the authors proposed a cryptographic technique. It is based on the combination of digital signatures and one time passwords based on hash chains. Moreover, in [6], the ARPSec protocol was proposed as an ARP security extension. ARPSec provides anti-replay protection and authentication using a secret key shared only by the source and the destination of the packet. Unfortunately, no real-time implementation or performance evaluation on actual network systems was performed to quantify their efficiency.

Tripunitara et al. [9] proposed a middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning attacks. The proposed solution is to block unsolicited ARP replies and to raise alarms when a reply is inconsistent with the currently cached ARP entry. The main drawback of this scheme is that, since it depends on duplicates to detect attacks, it does not prevent or detect attacks in which the host being spoofed is down or being DoSed.

4. AN ENHANCED SECURE ARP PROTOCOL
Since no authentication scheme is embedded in ARP, we have chosen to enhance ARP by including an authentication mechanism in it. The switch has a fundamental role in our proposed protocol. In fact, it represents the “Trusted Authority” for the hosts, whose authentication it assures.
For that purpose, we need to modify the use of the ordinary ARP header fields. In fact, the “Operation code” field will no longer have only 1, 2, 3 and 4 as values: we add the values 5, 6, 7, 8, 9 and 10 (Table 1). To code these ten possible values we need only 4 bits of the “Operation code” field, and the rest of the bits (12 bits) have a special use in our proposed protocol.

Table 1. The new values of the “Operation code” field
Operation code   Use
5                Registration request
6                Registration reply
7                New ARP request
8                New ARP reply
9                Verification request
10               Verification reply

In addition to the “Operation code” field, we also modify the “Hardware type” field, whose length is 2 bytes. This field takes values from 1 to 33, which can be coded in 1 byte. The second byte is used by our proposed protocol. That is why the modified ARP header is as shown in Figure 2. The “Switch reply” field is interpreted only in a registration reply packet (Operation code = 6) or in a verification reply (Operation code = 10). The “Next sequence number” is interpreted only in verification requests. It is used to indicate to the switch the next sequence number that will be used in the next ARP request or reply. The use of the modified fields is detailed further below.

Figure 2. The modified ARP header. (Fields, in order: Hardware type (1 byte) and Fingerprint sequence or fingerprint hash (8 bits); Protocol type (2 bytes); LGR-MAT (1 byte); LGR-PROT (1 byte); Switch reply (4 bits), Next sequence number (4 bits), Sequence number (4 bits) and Operation code (4 bits); Source MAC address (6 bytes); Source IP address (4 bytes); Destination MAC address (6 bytes); Destination IP address (4 bytes).)

4.1 Step 1: Registration
The registration of the hosts is carried out within the switch. Every host entering the network generates a random number that is considered as its fingerprint in the network, since it is unlikely that two different hosts in a LAN generate the same random number. After that, the host sends a registration request containing its fingerprint to the switch, which is considered as a “Trusted Authority”. The fingerprint sequence is inserted in the “Destination MAC” field and the “Destination IP” field, since they are not used in the “Registration request”.

The registration request (RR) is encrypted with the switch public key. In the following, E(Fing_A) represents the encryption of Fing_A. The Registration Request fields are shown in Figure 3.

Figure 3. The registration request packet fields. (Hardware type = Ethernet; Fingerprint sequence = 0; Protocol type = IP; LGR-MAT = 6; LGR-PROT = 4; Switch reply = 0000; Next sequence number = 0; Sequence number = 0; Operation code = 5; Source MAC address (bytes 0-5) = MAC_A; Source IP address (bytes 0-3) = IP_A; Destination MAC address (bytes 0-5) = E(Fing_A (bytes 0-5)); Destination IP address (bytes 0-3) = E(Fing_A (bytes 6-9)).)

If the registration succeeds, the switch sends a registration acceptance (Operation code = 6 and Switch reply = 0000). Otherwise, it sends a registration reject (Operation code = 6 and Switch reply = 1111). This registration acceptance (RA) includes the hash of the host’s fingerprint in order to overcome a probable duplication attack. Only the switch is able to decrypt the fingerprint and hash it. The Registration Acceptance fields are shown in Figure 4.

Figure 4. The registration acceptance packet fields. (Hardware type = Ethernet; Hash of fingerprint sequence = H(Fing_A); Protocol type = IP; LGR-MAT = 6; LGR-PROT = 4; Switch reply = 0; Next sequence number = 0; Sequence number = 0; Operation code = 6; Source MAC address (bytes 0-5) = MAC_switch; Source IP address (bytes 0-3) = IP_switch; Destination MAC address (bytes 0-5) = MAC_A; Destination IP address (bytes 0-3) = IP_A.)

Thus, the switch maintains a database (Table 2) in which it maps every host to its fingerprint.

Table 2. The fingerprint database
MAC Address   IP Address   Fingerprint
MAC_A         IP_A         Fing_A (10x8 bits)
MAC_B         IP_B         Fing_B (10x8 bits)
MAC_C         IP_C         Fing_C (10x8 bits)
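The following codec is an added example, not code from the paper: it packs and parses the modified header of Figure 2 and builds the registration request of Figure 3, dispatching on the compatibility rule (Operation code 1 to 4 means an ordinary packet). The left-to-right field order is taken from Figure 2, but the exact bit packing (hardware type in the first byte and fingerprint sequence in the second; the old 16-bit “Operation code” field split into four nibbles with the opcode in the low one) is an assumption, as is the caller-supplied 10-byte E(Fing_A).

```python
import struct
from dataclasses import dataclass

ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_LEN = struct.calcsize(ARP_FMT)   # 28 bytes for an Ethernet/IPv4 ARP header
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2                    # ordinary ARP (codes 1-4 are left untouched)
OP_REG_REQ, OP_REG_REPLY = 5, 6                # Table 1: registration request / reply
OP_NEW_REQ, OP_NEW_REPLY = 7, 8                # Table 1: new ARP request / reply
OP_VERIFY_REQ, OP_VERIFY_REPLY = 9, 10         # Table 1: verification request / reply
SWITCH_ACCEPT, SWITCH_REJECT = 0b0000, 0b1111  # "Switch reply" nibble (accept / reject)


@dataclass
class ArpPacket:
    opcode: int
    seq: int = 0            # "Sequence number" (4 bits)
    next_seq: int = 0       # "Next sequence number" (4 bits)
    switch_reply: int = 0   # "Switch reply" (4 bits)
    fp_seq: int = 0         # "Fingerprint sequence" or its hash (8 bits)
    sha: bytes = bytes(6)   # source MAC
    spa: bytes = bytes(4)   # source IP
    tha: bytes = bytes(6)   # destination MAC
    tpa: bytes = bytes(4)   # destination IP

    @property
    def is_ordinary(self) -> bool:
        return 1 <= self.opcode <= 4      # compatibility rule of Section 4.5


def pack(p: ArpPacket) -> bytes:
    for name in ("opcode", "seq", "next_seq", "switch_reply"):
        if not 0 <= getattr(p, name) <= 0xF:
            raise ValueError(f"{name} must fit in 4 bits")
    if p.is_ordinary:                     # plain 16-bit fields, nothing borrowed
        htype, oper = HTYPE_ETHERNET, p.opcode
    else:                                 # assumed packing, left-to-right order of Figure 2
        htype = (HTYPE_ETHERNET << 8) | (p.fp_seq & 0xFF)
        oper = (p.switch_reply << 12) | (p.next_seq << 8) | (p.seq << 4) | p.opcode
    return struct.pack(ARP_FMT, htype, PTYPE_IPV4, 6, 4, oper, p.sha, p.spa, p.tha, p.tpa)


def unpack(raw: bytes) -> ArpPacket:
    if len(raw) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, raw[:ARP_LEN])
    if ptype != PTYPE_IPV4 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    if 1 <= oper <= 4:                    # ordinary ARP: the whole 16-bit fields are meaningful
        if htype != HTYPE_ETHERNET:
            raise ValueError("unexpected hardware type")
        return ArpPacket(oper, sha=sha, spa=spa, tha=tha, tpa=tpa)
    opcode = oper & 0xF
    if not 5 <= opcode <= 10 or (htype >> 8) != HTYPE_ETHERNET:
        raise ValueError("unknown extended ARP packet")
    return ArpPacket(opcode, seq=(oper >> 4) & 0xF, next_seq=(oper >> 8) & 0xF,
                     switch_reply=oper >> 12, fp_seq=htype & 0xFF,
                     sha=sha, spa=spa, tha=tha, tpa=tpa)


def registration_request(mac_a: bytes, ip_a: bytes, enc_fingerprint: bytes) -> bytes:
    """Figure 3: the 10 bytes of E(Fing_A) ride in the otherwise unused destination MAC (6)
    and destination IP (4) fields. Encrypting with the switch public key is the caller's job."""
    if len(enc_fingerprint) != 10:
        raise ValueError("E(Fing_A) must be 10 bytes (10 x 8 bits)")
    return pack(ArpPacket(OP_REG_REQ, sha=mac_a, spa=ip_a,
                          tha=enc_fingerprint[:6], tpa=enc_fingerprint[6:]))


def carried_fingerprint(p: ArpPacket) -> bytes:
    """Switch side: recover E(Fing_A) from a parsed registration request."""
    if p.opcode != OP_REG_REQ:
        raise ValueError("not a registration request")
    return p.tha + p.tpa
```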
The registration does not succeed in two cases. The first one is when host B has generated the same fingerprint as A and is already registered with it. In this case, the switch informs host A that the registration has failed. Host A then generates another random number and tries to get registered with it. The second case is when a registration line with the same IP address already exists. In this case, two hosts try to get registered with the same IP address. We can conclude that, with strong probability, the second one is a malicious user, and its request is discarded.

4.2 Step 2: ARP Request A → B
Host A needs to resolve the IP address of host B into its corresponding hardware address. Host A sends a broadcast ARP request: Request(IP_B, 1, Fing1_A) (Figure 5).

Figure 5. The ARP request packet fields. (Hardware type = Ethernet; Fingerprint sequence = Fing1_A; Protocol type = IP; LGR-MAT = 6; LGR-PROT = 4; Switch reply = 0000; Next sequence number = 0; Sequence number = 1; Operation code = 7; Source MAC address (bytes 0-5) = MAC_A; Source IP address (bytes 0-3) = IP_A; Destination MAC address (bytes 0-5) = broadcast; Destination IP address (bytes 0-3) = IP_B.)

In fact, each host fragments its fingerprint into sequences of 8 bits. The first sequence corresponds to the first 8 bits of the fingerprint, and so on. Thus, Fing_A is fragmented into Fing1_A, Fing2_A, etc.

The “Sequence number” identifies the order of the fingerprint sequence embedded in the ARP packet. Since the ARP request is sent in broadcast, the switch receives a copy of the request and maintains Table 3.

Table 3. The ARP traffic database
ARP request or reply   Source host   Destination host   Sequence number
Request                IP_A          IP_B               1

4.3 Step 3: Verification of host A identity
Host B receives the request, extracts the “Fingerprint sequence” and the “Sequence number”, and sends a verification request to the switch. The request contains the following information: the sequence number of the request, the fingerprint sequence and the sequence number of the potential reply of host B (Figure 6).

Figure 6. Verification request packet fields for host A. (Hardware type = Ethernet; Fingerprint sequence = Fing’1_A; Protocol type = IP; LGR-MAT = 6; LGR-PROT = 4; Switch reply = 0000; Next sequence number = 1; Sequence number = 1; Operation code = 9; Source MAC address (bytes 0-5) = MAC_B; Source IP address (bytes 0-3) = IP_B; Destination MAC address (bytes 0-5) = MAC_switch; Destination IP address (bytes 0-3) = IP_switch.)

The switch verifies the information sent by host B. If the ARP traffic database does not contain an entry corresponding to the information sent by host B, or if Fing1_A is not equal to Fing’1_A, a notification is sent to host B telling it that the received request is fake and that it must ignore it.

Otherwise, if Fing1_A is equal to Fing’1_A, the switch deletes the corresponding entry in its database, sends an OK to host B and adds a new entry in Table 2 indicating that host B will send a reply to host A with a sequence number = 1. Table 3 then becomes as follows (Table 4):

Table 4. The updated ARP traffic database
ARP request or reply   Source host   Destination host   Sequence number
Reply                  IP_B          IP_A               1

Based on the “Potential reply sequence number”, which is 1 in this case, the OK message includes a hash of Fing1_B. This is done in order to avoid a duplication attack and to prove to host B that the switch has sent the packet, since only the switch has the fingerprint (Figure 7).

Figure 7. The verification response packet fields for host B. (Hardware type = Ethernet; Hash of fingerprint sequence = H(Fing’1_B); Protocol type = IP; LGR-MAT = 6; LGR-PROT = 4; Switch reply = 0000; Next sequence number = 1; Sequence number = 1; Operation code = 10; Source MAC address (bytes 0-5) = MAC_switch; Source IP address (bytes 0-3) = IP_switch; Destination MAC address (bytes 0-5) = MAC_B; Destination IP address (bytes 0-3) = IP_B.)

Thus, even if an adversary sniffs this reply and tries to impersonate the switch, he is not able to do so, since only the switch knows Fing1_B and H(Fing1_B).

4.4 Step 4: ARP reply B → A
When host B receives the response from the switch, it checks whether H(Fing’1_B) = H(Fing1_B) to be sure that it is really the switch that sent the packet. Besides, host B is now sure that host A sent the request, and it replies, embedding in its reply the first sequence of its fingerprint, as it indicated to the switch (Figure 8).

Figure 8. The ARP reply from host B. (Hardware type = Ethernet; Fingerprint sequence = Fing1_B; Protocol type = IP; LGR-MAT = 6; LGR-PROT = 4; Switch reply = 0000; Next sequence number = 1; Sequence number = 1; Operation code = 8; Source MAC address (bytes 0-5) = MAC_B; Source IP address (bytes 0-3) = IP_B; Destination MAC address (bytes 0-5) = MAC_A; Destination IP address (bytes 0-3) = IP_A.)

4.5 Step 5: Verification of host B identity
As host B did to verify the identity of host A, host A sends a verification request to the switch in order to verify the identity of host B.

In this case, and as the switch did in step 3, if everything is OK, the switch sends a response packet to A. Host A checks whether the H(Fing’2_A) embedded in the switch response is equal to H(Fing2_A). Then, host A adds the MAC address of host B to its ARP cache.

We should mention that our proposed enhanced ARP protocol maintains compatibility with ordinary ARP. In fact, if the “Operation code” field contains a value from 1 to 4, it is concluded that the ARP packet is an ordinary one.

5. CONCLUSION
The paper presents a security solution to the problem of ARP poisoning attacks. The cause of ARP poisoning is the lack of an authentication mechanism within the ARP protocol. Any malicious host in the LAN is able to spoof messages pretending to be someone else. We proposed an authentication scheme for ARP messages by enhancing the ARP protocol and the functionalities of the LAN switches. The switch assumes the role of a trusted authority that certifies the identity of the hosts while they exchange ARP messages.

Future work includes implementing the proposed enhanced secure ARP protocol and evaluating its performance, and that of the switches, using a variety of malicious ARP traffic.

6. REFERENCES
[1] LBNL's Network Research Group, “Arpwatch: Ethernet Monitor Program”, http://wwwnrg.ee.lbl.gov.pht.com/antisniff/.
[2] Snort: http://www.snort.org/.
[3] D. Bruschi, A. Ornaghi, E. Rosti, “S-ARP: a secure address resolution protocol”, Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003), pages 66–74, 8–12 December 2003, Las Vegas, NV, USA.
[4] Mohamed G. Gouda and Chin-Tser Huang, “A Secure Address Resolution Protocol”, Computer Networks (The International Journal of Computer and Telecommunications Networking), Elsevier, Volume 41, Issue 1, pages 57–71, January 2003.
[5] K. Seo, C. Lynn, and S. Kent. Public-Key Infrastructure for the Secure Border Gateway Protocol (S-BGP). In Proceedings of DARPA Information Survivability Conference and Exposition II. IEEE, June 2001.
[6] D. Song. dsniff: a collection of tools for network auditing and penetration testing. http://www.monkey.org/ dugsong/dsniff, accessed May 2005.
[7] T. Demuth and A. Leitner. ARP spoofing and poisoning: Traffic tricks. Linux Magazine, 56:26–31, July 2005.
[8] C. Schluting. Configure your Catalyst for a more secure layer 2, Jan. 2005. (Last accessed April 17, 2006).
[9] M. Tripunitara and P. Dutta. A middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning. In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC ’99), Dec. 1999.
[10] D. C. Plummer. An Ethernet address resolution protocol or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware. RFC 826, November 1982.
[11] S. M. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communications Review, 2(19):32–48, April 1989.
[12] S. M. Bellovin. A look back at “Security problems in the TCP/IP protocol suite”. In 20th Annual Computer Security Applications Conference (ACSAC), pages 229–249, December 2004.
[13] M. Farahmand, A. Azarfar, A. Jafari, V. Zargari: A Multivariate Adaptive Method for Detecting ARP Anomaly in Local Area Networks. ICSNC 2006: 53.
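The switch-mediated exchange of steps 2 to 5 (Sections 4.2 to 4.5), together with the two registration failure cases of step 1, as an added simulation that is not code from the paper. It works at the level of the header fields rather than bytes and models the switch's fingerprint database (Table 2) and ARP traffic database (Tables 3 and 4), including the rejection of a request whose fingerprint sequence does not match. Assumptions: H() is the first byte of SHA-256 (the paper does not define H), a fingerprint is 10 random bytes with Fing<i>_X being byte i, and the Switch and run_exchange names are mine.

```python
import hashlib
import secrets

ACCEPT, REJECT = 0b0000, 0b1111     # the "Switch reply" nibble of Figure 2


def new_fingerprint() -> bytes:
    """Step 1: a host's random 10 x 8-bit fingerprint."""
    return secrets.token_bytes(10)


def fragment(fingerprint: bytes, seq: int) -> int:
    """Fing<seq>_X: the seq-th 8-bit sequence of the fingerprint (seq = 1..10)."""
    if not 1 <= seq <= len(fingerprint):
        raise ValueError("sequence number out of range")
    return fingerprint[seq - 1]


def h8(value: int) -> int:
    """H(): assumed to be the first byte of SHA-256 so that it fits the 8-bit
    'Hash of fingerprint sequence' field; the paper does not define H."""
    return hashlib.sha256(bytes([value])).digest()[0]


class Switch:
    """Trusted authority holding Table 2 (fingerprints) and Table 3/4 (pending ARP traffic)."""

    def __init__(self) -> None:
        self.fingerprints = {}   # IP -> (MAC, fingerprint), filled by step 1
        self.traffic = {}        # (kind, source IP, destination IP) -> sequence number

    def register(self, mac: bytes, ip: str, fingerprint: bytes) -> int:
        # Step 1 failure cases: fingerprint already registered, or IP already registered
        if ip in self.fingerprints or any(f == fingerprint for _, f in self.fingerprints.values()):
            return REJECT
        self.fingerprints[ip] = (mac, fingerprint)
        return ACCEPT

    def observe(self, kind: str, src_ip: str, dst_ip: str, seq: int) -> None:
        # The switch receives a copy of every request/reply and records it (Table 3)
        self.traffic[(kind, src_ip, dst_ip)] = seq

    def verify(self, from_ip, kind, claimed_src, seq, received_fragment, next_seq):
        """Verification request (opcode 9) from `from_ip`, which received `received_fragment`
        in a `kind` packet claiming to come from `claimed_src` with sequence number `seq`
        and announces `next_seq` for its own reply. Returns (switch reply, H(own next fragment))."""
        if from_ip not in self.fingerprints or claimed_src not in self.fingerprints:
            return REJECT, None
        key = (kind, claimed_src, from_ip)
        if self.traffic.get(key) != seq:
            return REJECT, None                  # no matching Table 3 entry: ignore the packet
        if fragment(self.fingerprints[claimed_src][1], seq) != received_fragment:
            return REJECT, None                  # Fing'<seq> differs from Fing<seq>: fake packet
        del self.traffic[key]
        self.traffic[("reply", from_ip, claimed_src)] = next_seq          # Table 4 row
        return ACCEPT, h8(fragment(self.fingerprints[from_ip][1], next_seq))


def run_exchange(sw: Switch, ip_a: str, ip_b: str, spoofed_fragment=None) -> bool:
    """Steps 2-5 for A resolving B. `spoofed_fragment` simulates a request that claims
    to come from A but carries a wrong fingerprint sequence. Returns True when A may
    add MAC_B to its ARP cache."""
    fp_a, fp_b = sw.fingerprints[ip_a][1], sw.fingerprints[ip_b][1]
    sent = fragment(fp_a, 1) if spoofed_fragment is None else spoofed_fragment
    sw.observe("request", ip_a, ip_b, 1)                      # step 2: Request(IP_B, 1, Fing1_A)
    reply, h = sw.verify(ip_b, "request", ip_a, 1, sent, 1)   # step 3: B's reply will use seq 1
    if reply != ACCEPT or h != h8(fragment(fp_b, 1)):
        return False                                          # B ignores the request
    # step 4: B replies with Fing1_B; step 5: A verifies it, announcing its next sequence 2
    reply, h = sw.verify(ip_a, "reply", ip_b, 1, fragment(fp_b, 1), 2)
    return reply == ACCEPT and h == h8(fragment(fp_a, 2))    # H(Fing'2_A) == H(Fing2_A)
```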