
An Enhanced Secure ARP Protocol and LAN Switch for Preventing ARP based Attacks

Senda HAMMOUDA
MEDIATRON SUP’COM, Cité El Ghazela 2088 Tunisia
[email protected]

Zouheir TRABELSI
UAE University, CIT Al Ain, 17555, UAE
[email protected]

ABSTRACT

After the ARP protocol was drafted, a subtle weakness in the protocol was discovered. In fact, ARP provides no means to establish the authenticity of the source of incoming ARP packets. That’s why any host of a LAN can forge an ARP message containing malicious information to poison the ARP caches of target hosts. This lack of authentication mechanisms has made ARP vulnerable to a raft of IP-based impersonation, Man-in-the-Middle (MiM) and DoS attacks. In this paper we discuss a security solution to solve the ARP vulnerabilities and authenticity issues. For that purpose, a novel secure extended ARP protocol is proposed. In addition, the LAN switch has been enhanced to assume the role of “Trusted Authority” and to assure host authentication while exchanging ARP messages.

Categories and Subject Descriptors

C.2.1 [Network Architecture and Design]: Network communications.

General Terms

Security.

Keywords

ARP protocol, ARP cache poisoning attack, Man-in-the-Middle attack.

1. INTRODUCTION

The Address Resolution Protocol (ARP) [10] is a protocol used by the Internet Protocol (IP), specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. That’s why ARP is essential to the proper functioning of the network. Unfortunately, ARP suffers from many serious vulnerabilities [11, 12]. In fact, a malicious user can poison ARP caches to impersonate hosts and perform MiM or DoS attacks. Some countermeasures were proposed to prevent or detect these types of malicious activities.

In this paper, we present a novel secure extended ARP protocol to solve the ARP vulnerabilities and authenticity issues. The proposed protocol is based on the generation of a random number by every host once it connects to the LAN. The random number is considered as the host’s fingerprint and is used to authenticate the host’s ARP traffic. The proposed extended secure ARP protocol uses some fields of the standard ARP header to embed the extra information that it requires. However, the standard ARP has not been discarded: if a host of a LAN doesn’t support the proposed secure extended version of the ARP protocol, it is still able to communicate. In addition, the LAN switch functionalities have been enhanced so that the switch can play the role of a “Trusted Authority” and assure host authentication while exchanging ARP messages.

The remainder of this paper is organized as follows. In section 2, we present an overview of the ARP protocol and ARP based attacks. Section 3 discusses related works. Section 4 discusses the architecture of the proposed extended secure ARP protocol and its operation within LAN networks. Finally, section 5 concludes the paper.

2. BACKGROUND: OVERVIEW OF ARP PROTOCOL AND ARP BASED ATTACK

2.1 ARP protocol

To map a particular IP address to a given hardware address (MAC address) so that packets can be transmitted across a local network, systems use the Address Resolution Protocol (ARP) [10]. Figure 1 shows the fields of the ARP header.

We should mention too that each host in a network segment has a table, called the ARP cache, which maps IP addresses to their corresponding MAC addresses. New entries in the ARP cache can be created, or already existing entries updated, by ARP request or reply messages.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. IWCMC’09, June 21–24, 2009, Leipzig, Germany. Copyright © 2009 ACM 978-1-60558-5697/09/06...$5.00


Figure 1. The ARP header (fields in transmission order):
  Hardware type (2 bytes) | Protocol Type (2 bytes)
  LGR-MAT (1 byte) | LGR-PROT (1 byte) | Operation code (2 bytes; 1 for request, 2 for reply)
  Source MAC Address (bytes 0-3)
  Source MAC Address (bytes 4,5) | Source IP Address (bytes 0,1)
  Source IP Address (bytes 2,3) | Destination MAC Address (bytes 0,1)
  Destination MAC Address (bytes 2-5)
  Destination IP address (bytes 0-3)

2.2 ARP cache poisoning attack

ARP cache poisoning attack is the malicious act, by a host in a LAN, of introducing a spurious IP address to MAC address mapping in another host’s ARP cache. In principle, to corrupt the entries in the ARP cache of a target host, a malicious host generates ARP request or reply messages including fake IP and MAC addresses.

2.3 The MiM attack

The MiM attack allows a malicious user to sniff a switched network. The attack consists in rerouting (redirecting) the network traffic between two target hosts to a malicious host. Then, the malicious host forwards the received packets to the original destination, so that the communication between the two target hosts is not interrupted and the two hosts’ users do not notice that their traffic is sniffed by a malicious host. Using the ARP cache poisoning attack, the malicious user corrupts the ARP caches of the two target hosts in order to force them to forward all their packets to his host.

3. RELATED WORKS

Several attempts have been made to overcome the vulnerabilities and insecurities of the ARP protocol. Some of the proposed solutions aim to detect these attacks while others try to prevent them by making ARP more secure.

3.1 Mitigation techniques

Some solutions were proposed as a way to limit exposure to ARP attacks. In [7], the authors suggest dividing the network into a large number of subnets with a small number of hosts in each subnet. The drawback of this approach is the extra administrative cost involved. MAC address cloning is an ARP attack used to impersonate a host in the network. These attacks can be prevented using a feature available on many modern switches called port security [8]. This solution is very efficient, but does nothing to prevent other types of ARP attacks.

Tripunitara et al. [9] proposed a middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning attacks. The proposed solution is to block unsolicited ARP replies and to raise alarms when a reply is inconsistent with the currently cached ARP entry. The main drawback of this scheme is that, since it depends on duplicates to detect attacks, it does not prevent or detect attacks in which the host being spoofed is down or being DoSed.

3.2 Detection techniques

These are passive techniques that sniff ARP requests and responses on the network and try to detect misbehaviour. The most popular tools are Arpwatch [1] and Snort [2].

The main drawback of the passive methods is the time lag between learning and subsequent attack detection. Besides, they do not have any intelligence and blindly look for a mismatch between the ARP traffic and their learnt database tables.

In [13], a combination of four different ARP traffic criteria is used to determine network anomaly. Four parameters were considered: Rate, Burstiness, Dark space and Sequential scan.

3.3 Prevention techniques

Instead of waiting for an ARP cache poisoning attack to happen and then detecting it, some techniques propose to prevent this attack before it happens. The most trivial one is to add static MAC address entries on every host in the network. This is not practical at all, since adding these entries manually is a full time job and fails if mobile hosts like laptops are periodically introduced into the network.

Another alternative is to propose a new version of the ARP protocol that handles authentication. For example, S-ARP [3] uses asymmetric cryptography with digitally signed ARP replies. At the receiving end, an entry is updated if and only if the signatures are correctly verified. S-ARP is considerably slow, as can be deduced from the results presented in [3].

In another approach, Gouda and Huang [4] propose the Secure Address Resolution Protocol. In this protocol, a secure server shares secret keys with each host on a subnet. The server maintains a database of IP-address-to-MAC-address mappings. All ARP requests and replies occur between a host and the server, and replies are authenticated using the shared keys. The main drawback of this technique is congestion at the server, which constitutes a single point of failure in the network.

Another approach was presented in [5], where the authors proposed a cryptographic technique. It is based on the combination of digital signatures and one time passwords based on hash chains. Moreover, in [6], the ARPSec protocol was proposed as an ARP security extension. ARPSec provides anti-replay protection and authentication using a secret key shared only by the source and the destination of the packet. Unfortunately, no real-time implementation or performance evaluation on actual network systems was performed to quantify their efficiency.

4. AN ENHANCED SECURE ARP PROTOCOL

Since no authentication scheme is embedded in ARP, we have chosen to enhance ARP by including in it an authentication mechanism. The switch in our proposed protocol has a fundamental role. In fact, it represents the “Trusted Authority” for the hosts, whose authentication it assures.

For that purpose, we need to modify the use of the ordinary ARP header fields. In fact, the “Operation code” field will not have only 1, 2, 3 and 4 as values; we add the values 5, 6, 7, 8, 9 and 10 (Table 1). To code these ten possible values we need only 4 bits of the “Operation code” field, and the rest of the bits (12 bits) will have a special use in our proposed protocol.

Table 1. The new values of the “Operation code” field
  Operation code | Use
  5  | Registration request
  6  | Registration reply
  7  | New ARP request
  8  | New ARP reply
  9  | Verification request
  10 | Verification reply

In addition to the “Operation code” field, we also modify the “Hardware type” field, whose length is 2 bytes. This field takes values from 1 to 33, which can be coded in 1 byte. The second byte will be used by our proposed protocol. That’s why the modified ARP header is as shown in Figure 2. The “Switch reply” field is interpreted only in a registration reply packet (Operation code=6) or in a verification reply (Operation code=10). The “Next sequence number” is interpreted only in verification requests. It is used to indicate to the switch the next sequence number that will be used in the next ARP request or reply. The use of the modified fields will be detailed further.

Figure 2. The modified ARP header:
  Hardware type (1 byte) | Fingerprint sequence or fingerprint hash (1 byte) | Protocol Type (2 bytes)
  LGR-MAT | LGR-PROT | Switch reply (4 bits) | Next sequence number (4 bits) | Sequence number (4 bits) | Operation code (4 bits)
  Source MAC Address (bytes 0-3)
  Source MAC Address (bytes 4,5) | Source IP Address (bytes 0,1)
  Source IP Address (bytes 2,3) | Destination MAC Address (bytes 0,1)
  Destination MAC Address (bytes 2-5)
  Destination IP address (bytes 0-3)

4.1 Step 1: Registration

The registration of the hosts is carried out within the switch. Every host entering the network generates a random number that will be considered as its fingerprint in the network, since it is hard for two different hosts of a LAN to generate the same random number. After that, the host sends a registration request containing its fingerprint to the switch, which is considered as a “Trusted Authority”. The fingerprint sequence is inserted in the “Destination MAC” field and the “Destination IP” field, since they are not used in the “Registration request”.

The registration request (RR) is encrypted with the switch public key. In the following, E(Fing_A) represents the encryption of Fing_A. The Registration Request fields are shown in Figure 3.

Figure 3. The registration request packet fields:
  Hardware type=Ethernet | Fingerprint sequence=0 | Protocol Type=IP
  LGR-MAT=6 | LGR-PROT=4 | Switch reply=0000 | Next sequence number=0 | Sequence number=0 | Operation code=5
  S-MAC Address (bytes 0-3)=MAC_A (bytes 0-3)
  S-MAC Address (bytes 4,5)=MAC_A (bytes 4,5) | S-IP Address (bytes 0,1)=IP_A (bytes 0,1)
  S-IP Address (bytes 2,3)=IP_A (bytes 2,3) | Dest-MAC Address (bytes 0,1)=E(Fing_A (bytes 0,1))
  Dest-MAC Address (bytes 2-5)=E(Fing_A (bytes 2-5))
  Dest-IP address (bytes 0-3)=E(Fing_A (bytes 6-9))

If the registration succeeds, the switch sends a registration acceptance (Operation code=6 and Switch reply=0000). Otherwise, it sends a registration reject (Operation code=6 and Switch reply=1111). This registration acceptance (RA) includes the hash of the host’s fingerprint in order to overcome a probable duplication attack. Only the switch is able to decrypt the fingerprint and hash it. The Registration Acceptance fields are shown in Figure 4.

Figure 4. The registration acceptance packet fields:
  Hardware type=Ethernet | Hash of fingerprint sequence=H(Fing_A) | Protocol Type=IP
  LGR-MAT=6 | LGR-PROT=4 | Switch reply=0 | Next sequence number=0 | Sequence number=0 | Operation code=6
  Source MAC Address (bytes 0-3)=MAC_switch (bytes 0-3)
  S-MAC Address (bytes 4,5)=MAC_switch (bytes 4,5) | S-IP Address (bytes 0,1)=IP_switch (bytes 0,1)
  Source IP Address (bytes 2,3)=IP_switch (bytes 2,3) | Dest-MAC Address (bytes 0,1)=MAC_A (bytes 0,1)
  Dest-MAC Address (bytes 2-5)=MAC_A (bytes 2-5)
  Dest-IP address (bytes 0-3)=IP_A

Thus, the switch maintains a database (Table 2) in which it maps every host to its fingerprint.

Table 2. The fingerprint database
  MAC Address | IP Address | Fingerprint
  MAC_A | IP_A | Fing_A (10x8 bits)
  MAC_B | IP_B | Fing_B (10x8 bits)
  MAC_C | IP_C | Fing_C (10x8 bits)
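As an added example (not code from the paper), the following Python packs and parses the modified header of Figure 2 and the registration request and acceptance of Figures 3 and 4, and tells extended packets apart from ordinary ARP by the op-code field as section 4.5 prescribes. Assumed here because the paper does not state them: Ethernet hardware type 1 and protocol type 0x0800, an 8-bit fingerprint hash taken as the first byte of SHA-256, and a caller-supplied 10-byte E(Fing_A), since the paper does not say how a public-key encryption of the fingerprint is fitted into exactly 10 bytes.

```python
import hashlib
import struct

# Operation codes of Table 1; ordinary ARP keeps 1-4 and is left untouched.
OP_REG_REQ, OP_REG_REPLY, OP_NEW_REQ, OP_NEW_REPLY, OP_VER_REQ, OP_VER_REPLY = range(5, 11)
REPLY_ACCEPT, REPLY_REJECT = 0b0000, 0b1111   # "Switch reply" nibble (section 4.1)
HW_ETHERNET, PROTO_IP = 1, 0x0800             # assumed: standard ARP type values

def fingerprint_hash(fingerprint: bytes) -> int:
    """8-bit H(Fing) carried in byte 1 of "Hardware type" (assumed: SHA-256[0])."""
    return hashlib.sha256(fingerprint).digest()[0]

def pack_header(op, seq=0, next_seq=0, switch_reply=0, fp_byte=0,
                src_mac=bytes(6), src_ip=bytes(4), dst_mac=bytes(6), dst_ip=bytes(4)):
    """Figure 2: the 16-bit "Operation code" field is split into four nibbles
    (switch reply | next sequence number | sequence number | operation code);
    byte 1 of "Hardware type" carries a fingerprint sequence or hash."""
    if any(not 0 <= v <= 0xF for v in (op, seq, next_seq, switch_reply)):
        raise ValueError("nibble out of range")
    if (len(src_mac), len(src_ip), len(dst_mac), len(dst_ip)) != (6, 4, 6, 4):
        raise ValueError("bad address length")
    opfield = (switch_reply << 12) | (next_seq << 8) | (seq << 4) | op
    if op <= 4 and not (seq or next_seq or switch_reply or fp_byte):
        head = struct.pack("!HHBBH", HW_ETHERNET, PROTO_IP, 6, 4, opfield)  # ordinary ARP
    else:  # the paper keeps the hardware type in byte 0 and uses byte 1 itself
        head = struct.pack("!BBHBBH", HW_ETHERNET, fp_byte, PROTO_IP, 6, 4, opfield)
    return head + src_mac + src_ip + dst_mac + dst_ip

def unpack_header(pkt: bytes) -> dict:
    """Parse a packet. 'standard' is True when the whole op-code field is 1..4
    (section 4.5); an ordinary packet encodes hardware type 1 big-endian as
    0x00 0x01, so byte 1 is read as a fingerprint field only for extended packets."""
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    hw_hi, hw_lo, proto, hlen, plen, opfield = struct.unpack("!BBHBBH", pkt[:8])
    standard = 1 <= opfield <= 4
    hwtype, fp_byte = ((hw_hi << 8) | hw_lo, 0) if standard else (hw_hi, hw_lo)
    if (hwtype, proto, hlen, plen) != (HW_ETHERNET, PROTO_IP, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"standard": standard, "op": opfield & 0xF,
            "seq": (opfield >> 4) & 0xF, "next_seq": (opfield >> 8) & 0xF,
            "switch_reply": opfield >> 12, "fp_byte": fp_byte,
            "src_mac": pkt[8:14], "src_ip": pkt[14:18],
            "dst_mac": pkt[18:24], "dst_ip": pkt[24:28]}

def build_registration_request(mac_a, ip_a, enc_fingerprint):
    """Figure 3 (op 5): the 10 bytes of E(Fing_A) fill the otherwise unused
    destination MAC (E bytes 0-5) and destination IP (E bytes 6-9)."""
    if len(enc_fingerprint) != 10:
        raise ValueError("E(Fing) must be exactly 10 bytes (10 x 8 bits)")
    return pack_header(OP_REG_REQ, src_mac=mac_a, src_ip=ip_a,
                       dst_mac=enc_fingerprint[0:6], dst_ip=enc_fingerprint[6:10])

def extract_registration_fingerprint(pkt):
    """Switch side: reassemble E(Fing_A) from a registration request."""
    h = unpack_header(pkt)
    if h["standard"] or h["op"] != OP_REG_REQ:
        raise ValueError("not a registration request")
    return h["dst_mac"] + h["dst_ip"]

def build_registration_reply(mac_sw, ip_sw, mac_a, ip_a, fingerprint, accept=True):
    """Figure 4 (op 6): acceptance = Switch reply 0000 plus H(Fing_A), which a third
    party without the decrypted fingerprint cannot produce; reject = 1111."""
    return pack_header(OP_REG_REPLY,
                       switch_reply=REPLY_ACCEPT if accept else REPLY_REJECT,
                       fp_byte=fingerprint_hash(fingerprint) if accept else 0,
                       src_mac=mac_sw, src_ip=ip_sw, dst_mac=mac_a, dst_ip=ip_a)
```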

The registration doesn’t succeed in two cases. The first one is when host B has generated the same fingerprint as A and is already registered with it. In this case, the switch informs host A that the registration has failed. Host A will then generate another random number and try to register again. The second case is when a registration line with the same IP address already exists. In this case, two hosts try to register with the same IP address. We can conclude that the second one is very probably a malicious user, and its request will be discarded.

4.2 Step 2: ARP Request A → B

Host A needs to resolve the IP address of host B into its corresponding hardware address. Host A sends a broadcast ARP request: Request(IP_B, 1, Fing1_A) (Figure 5).

Figure 5. The ARP request packet fields:
  Hardware type=Ethernet | Fingerprint sequence=Fing1_A | Protocol Type=IP
  LGR-MAT=6 | LGR-PROT=4 | Switch reply=0000 | Next sequence number=0 | Sequence number=1 | Operation code=7
  Source MAC Address (bytes 0-3)=MAC_A (bytes 0-3)
  S-MAC Address (bytes 4,5)=MAC_A (bytes 4,5) | S-IP Address (bytes 0,1)=IP_A (bytes 0,1)
  Source IP Address (bytes 2,3)=IP_A (bytes 2,3) | Dest-MAC Address (bytes 0,1)=broadcast
  Dest-MAC Address (bytes 2-5)=broadcast
  Dest-IP address (bytes 0-3)=IP_B

In fact, each host fragments its fingerprint into sequences of 8 bits. The first sequence corresponds to the first 8 bits of the fingerprint, and so on. Thus, Fing_A is fragmented into Fing1_A, Fing2_A, etc.

The “Sequence number” identifies the order of the fingerprint sequence embedded in the ARP packet. Since the ARP request is sent in broadcast, the switch will receive a copy of the request and will maintain Table 3.

Table 3. The ARP traffic database
  ARP request or reply | Source host | Destination host | Sequence number
  Request | IP_A | IP_B | 1

4.3 Step 3: Verification of host A identity

Host B receives the request, extracts the “Fingerprint sequence” and the “Sequence number” and sends a verification request to the switch. The request contains the following information: the sequence number of the request, the fingerprint sequence and the sequence number of the potential reply of host B (Figure 6).

Figure 6. Verification request packet fields for host A:
  Hardware type=Ethernet | Fingerprint sequence=Fing’1_A | Protocol Type=IP
  LGR-MAT=6 | LGR-PROT=4 | Switch reply=0000 | Next sequence number=1 | Sequence number=1 | Operation code=9
  Source MAC Address (bytes 0-3)=MAC_B (bytes 0-3)
  S-MAC Address (bytes 4,5)=MAC_B (bytes 4,5) | S-IP Address (bytes 0,1)=IP_B (bytes 0,1)
  Source IP Address (bytes 2,3)=IP_B (bytes 2,3) | Dest-MAC Address (bytes 0,1)=MAC-switch (bytes 0,1)
  Dest-MAC Address (bytes 2-5)=MAC-switch (bytes 2-5)
  Dest-IP address (bytes 0-3)=IP_switch

The switch will verify the information sent by host B. If the ARP traffic database doesn’t contain an entry corresponding to the information sent by host B, or if Fing1_A is not equal to Fing’1_A, a notification will be sent to host B telling it that the received request is fake and must be ignored.

Otherwise, if Fing1_A is equal to Fing’1_A, the switch will delete the corresponding entry in its database, send an OK to host B and add a new entry in Table 2 indicating that host B will send a reply to host A with a sequence number=1.

Based on the “Potential reply sequence number”, which is 1 in this case, the OK message will include a hash of Fing1_B. This is done in order to avoid a duplication attack and to prove to host B that the switch has sent the packet, since only it has the fingerprint (Figure 7).

Figure 7. The verification response packet fields for host B:
  Hardware type=Ethernet | Hash of fingerprint sequence=H(Fing’1_B) | Protocol Type=IP
  LGR-MAT=6 | LGR-PROT=4 | Switch reply=0000 | Next sequence number=1 | Sequence number=1 | Operation code=10
  Source MAC Address (bytes 0-3)=MAC-switch (bytes 0-3)
  S-MAC Address (bytes 4,5)=MAC-switch (bytes 4,5) | S-IP Address (bytes 0,1)=IP_switch (bytes 0,1)
  Source IP Address (bytes 2,3)=IP_switch (bytes 2,3) | Dest-MAC Address (bytes 0,1)=MAC_B (bytes 0,1)
  Dest-MAC Address (bytes 2-5)=MAC_B (bytes 2-5)
  Dest-IP address (bytes 0-3)=IP_B

Thus, even if an adversary sniffs this reply and tries to impersonate the switch, he will not be able to do so, since only the switch knows Fing1_B and H(Fing1_B).
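The following added example (not the paper’s code) simulates the switch-side state of steps 2 to 5 (sections 4.2 to 4.5): the fingerprint database of Table 2, the ARP traffic database of Tables 3 and 4, the two registration failure cases, and the verification check that answers OK or fake and returns the hash of the verifier’s next fingerprint sequence. Fingerprints are constructed as 10 random bytes, the 8-bit hash is assumed to be the first byte of SHA-256, and E()/decryption is not modelled.

```python
import hashlib
import secrets

FP_LEN = 10  # the fingerprint is 10 x 8 bits (Table 2)

def seq_hash(fp_byte: int) -> int:
    """8-bit H(FingN) returned in a verification reply (assumed: SHA-256[0])."""
    return hashlib.sha256(bytes([fp_byte])).digest()[0]

def fragment(fingerprint: bytes, n: int) -> int:
    """FingN: the n-th 8-bit sequence of the fingerprint, n = 1..10 (section 4.2)."""
    if not 1 <= n <= len(fingerprint):
        raise ValueError("sequence number out of range")
    return fingerprint[n - 1]

class Switch:
    """The switch in its "Trusted Authority" role."""
    def __init__(self):
        self.fingerprints = {}   # Table 2: ip -> (mac, fingerprint)
        self.traffic = set()     # Tables 3/4: (kind, src_ip, dst_ip, seq)

    def register(self, mac: str, ip: str, fingerprint: bytes) -> bool:
        """Step 1 failure cases: the fingerprint is already taken, or a line with
        the same IP already exists (the second registrant is treated as malicious)."""
        if ip in self.fingerprints or len(fingerprint) != FP_LEN:
            return False
        if any(fp == fingerprint for _, fp in self.fingerprints.values()):
            return False
        self.fingerprints[ip] = (mac, fingerprint)
        return True

    def observe(self, kind: str, src_ip: str, dst_ip: str, seq: int) -> None:
        """The switch records a copy of each request/reply it sees (Table 3)."""
        self.traffic.add((kind, src_ip, dst_ip, seq))

    def verify(self, kind, verifier_ip, claimed_src_ip, seq, fp_seq, next_seq):
        """Steps 3 and 5: compare the forwarded sequence with the registered
        fingerprint. On success the entry is consumed, the verifier's announced
        reply is pre-registered (Table 4) and OK carries H(verifier's next sequence)."""
        entry = (kind, claimed_src_ip, verifier_ip, seq)
        if (entry not in self.traffic or claimed_src_ip not in self.fingerprints
                or verifier_ip not in self.fingerprints
                or not (1 <= seq <= FP_LEN and 1 <= next_seq <= FP_LEN)):
            return ("FAKE", None)
        if fragment(self.fingerprints[claimed_src_ip][1], seq) != fp_seq:
            return ("FAKE", None)          # notification: ignore the received packet
        self.traffic.discard(entry)
        if kind == "request":
            self.traffic.add(("reply", verifier_ip, claimed_src_ip, next_seq))
        return ("OK", seq_hash(fragment(self.fingerprints[verifier_ip][1], next_seq)))

def run_exchange() -> dict:
    """Constructed scenario: A resolves B (steps 2-5), then a third host M forges
    a request claiming IP_A with a fingerprint byte it cannot know."""
    sw = Switch()
    fing = {ip: secrets.token_bytes(FP_LEN) for ip in ("IP_A", "IP_B", "IP_M")}
    for mac, ip in (("MAC_A", "IP_A"), ("MAC_B", "IP_B"), ("MAC_M", "IP_M")):
        if not sw.register(mac, ip, fing[ip]):
            raise RuntimeError("registration failed")
    sw.observe("request", "IP_A", "IP_B", 1)   # step 2: Request(IP_B, 1, Fing1_A)
    v1, h1 = sw.verify("request", "IP_B", "IP_A", 1, fragment(fing["IP_A"], 1), 1)  # step 3
    # step 4: B replies with Fing1_B; step 5: A verifies it and announces its next sequence, 2
    v2, h2 = sw.verify("reply", "IP_A", "IP_B", 1, fragment(fing["IP_B"], 1), 2)
    wrong = (fragment(fing["IP_A"], 2) + 1) & 0xFF   # M's guess, forced to be wrong
    sw.observe("request", "IP_A", "IP_B", 2)
    v3, _ = sw.verify("request", "IP_B", "IP_A", 2, wrong, 1)
    return {"request_ok": v1 == "OK", "reply_ok": v2 == "OK",
            "b_trusts_switch": h1 == seq_hash(fragment(fing["IP_B"], 1)),
            "a_trusts_switch": h2 == seq_hash(fragment(fing["IP_A"], 2)),
            "forged_detected": v3 == "FAKE", "pending_entries": len(sw.traffic)}
```

Because a fingerprint sequence is only 8 bits, a forger who guesses it blindly is right once in 256 attempts; the scenario forces a wrong byte so that the detection path is the one exercised.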


Table 3 will then become as follows (Table 4):

Table 4. The updated ARP traffic database
  ARP request or reply | Source host | Destination host | Sequence number
  Reply | IP_B | IP_A | 1

4.4 Step 4: ARP reply B → A

When host B receives the response from the switch, it checks whether H(Fing’1_B) = H(Fing1_B) to be sure that it is really the switch that sent the packet. Besides, host B is now sure that host A sent the request, and will reply, embedding in its reply the first sequence of its fingerprint, as it indicated to the switch (Figure 8).

Figure 8. The ARP reply from host B:
  Hardware type=Ethernet | Fingerprint sequence=Fing1_B | Protocol Type=IP
  LGR-MAT=6 | LGR-PROT=4 | Switch reply=0000 | Next sequence number=1 | Sequence number=1 | Operation code=8
  Source MAC Address (bytes 0-3)=MAC-B (bytes 0-3)
  S-MAC Address (bytes 4,5)=MAC-B (bytes 4,5) | S-IP Address (bytes 0,1)=IP_B (bytes 0,1)
  Source IP Address (bytes 2,3)=IP_B (bytes 2,3) | Dest-MAC Address (bytes 0,1)=MAC_A (bytes 0,1)
  Dest-MAC Address (bytes 2-5)=MAC-A (bytes 2-5)
  Dest-IP address (bytes 0-3)=IP_A

4.5 Step 5: Verification of host B identity

As host B did to verify host A’s identity, host A sends a verification request to the switch in order to verify host B’s identity.

In this case, and as the switch did in step 3, if everything is OK, the switch sends a response packet to A. Host A checks whether H(Fing’2_A) embedded in the switch response is equal to H(Fing2_A). Then, host A adds the MAC address of host B to its ARP cache.

We should mention that our proposed enhanced ARP protocol maintains compatibility with ordinary ARP. In fact, if the “Operation code” field contains a value from 1 to 4, it is concluded that the ARP packet is an ordinary one.

5. CONCLUSION

The paper presents a security solution to the problem of ARP poisoning attacks. The cause of ARP poisoning is the lack of an authentication mechanism within the ARP protocol. Any malicious host in the LAN is able to spoof messages pretending to be someone else. We proposed an authentication scheme for ARP messages by enhancing the ARP protocol and the functionalities of the LAN switches. The switch assumes the role of a trusted authority that certifies the identity of the hosts while exchanging ARP messages.

Future work includes implementing the proposed enhanced secure ARP protocol and evaluating its performance and that of the switches using a variety of malicious ARP traffic.

6. REFERENCES

[1] LBNL's Network Research Group, “Arpwatch: Ethernet Monitor Program”, http://wwwnrg.ee.lbl.gov.pht.com/antisniff/.

[2] Snort: http://www.snort.org/.

[3] D. Bruschi, A. Ornaghi, E. Rosti, “S-ARP: a secure address resolution protocol”, Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC 2003), pages 66–74, 8-12 December 2003, Las Vegas, NV, USA.

[4] M. G. Gouda and C.-T. Huang, “A Secure Address Resolution Protocol”, Computer Networks: The International Journal of Computer and Telecommunications Networking, Elsevier, Volume 41, Issue 1, pages 57–71, January 2003.

[5] K. Seo, C. Lynn, and S. Kent. Public-Key Infrastructure for the Secure Border Gateway Protocol (S-BGP). In Proceedings of DARPA Information Survivability Conference and Exposition II. IEEE, June 2001.

[6] D. Song. dsniff: a collection of tools for network auditing and penetration testing. http://www.monkey.org/ dugsong/dsniff, accessed May 2005.

[7] T. Demuth and A. Leitner. ARP spoofing and poisoning: Traffic tricks. Linux Magazine, 56:26–31, July 2005.

[8] C. Schluting. Configure your Catalyst for a more secure layer 2, Jan. 2005. (Last accessed April 17, 2006).

[9] M. Tripunitara and P. Dutta. A middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning. In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC ’99), Dec. 1999.

[10] D. C. Plummer. An Ethernet address resolution protocol or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware. RFC 826, November 1982.

[11] S. M. Bellovin. Security problems in the tcp/ip protocol suite. Computer Communications Review, 2(19):32–48, April 1989.

[12] S. M. Bellovin. A look back at “Security problems in the tcp/ip protocol suite”. In 20th Annual Computer Security Applications Conference (ACSAC), pages 229–249, December 2004.

[13] M. Farahmand, A. Azarfar, A. Jafari, V. Zargari: A Multivariate Adaptive Method for Detecting ARP Anomaly in Local Area Networks. ICSNC 2006: 53.