Research and application of ARP protocol vulnerability attack and defense technology based on trusted network
Cite as: AIP Conference Proceedings 1820, 090019 (2017); https://doi.org/10.1063/1.4977403
Published Online: 13 March 2017
Huixing Xi
© 2017 Author(s).
Huixing Xi a)
Anshan Normal University, Anshan, 114005, China.
a) Corresponding author: 471748389@qq.com
Abstract. With the continuous development of network technology and the rapid spread of the Internet, computer networks have reached every corner of the world. However, network attacks occur frequently. The ARP protocol vulnerability is one of the most common vulnerabilities in the TCP/IP four-layer architecture. Network protocol vulnerabilities can lead to intrusion into and attacks on information systems, and can disable the normal defense functions of the system [1]. At present, ARP spoofing Trojans spread widely in LANs and pose a huge hidden danger to network operation; they are the primary threat to LAN security. In this paper, the author summarizes the research status and the key technologies involved in the ARP protocol, analyzes the mechanism by which the ARP protocol vulnerability arises, and analyzes the feasibility of the attack technique. Based on a summary of the common defensive methods, the advantages and disadvantages of each defense method are given. The current defense method is then improved, and the advantages of the improved defense algorithm are stated. At the end of this paper, an appropriate test method is selected, the test environment is set up, and experiments and tests are carried out for each proposed improved defense algorithm.
Key words: ARP protocol; ARP vulnerability; network security.
INTRODUCTION TO ARP
ARP (Address Resolution Protocol) is a protocol that translates IP addresses into physical addresses. There are two methods of mapping an IP address to a physical address: tabular and non-tabular. Specifically, ARP resolves the network layer IP address (the network layer in the OSI model) into the MAC address of the network interface layer (the data link layer in the OSI model). The ARP packet format is shown in Table 1.
TABLE 1. Format of ARP packet

    Attribute              Size
    destination address    6byte
    source address         2byte
    ARP request/replay     2byte
    type                   28byte
    fill                   18byte

C language style definition of the ARP protocol header structure:

    struct arp_head
    {
        unsigned short hardware_type;   /* hardware type, 1 for Ethernet */
        unsigned short protocol_type;   /* protocol type, 0x0800 for IP */
        unsigned char  add_len;         /* hardware address length */
        unsigned char  pro_len;         /* protocol address length */
        unsigned short option;          /* operation code: request or reply */
        unsigned char  sour_addr[6];    /* sender MAC address */
        unsigned long  sour_ip;         /* sender IP address */
        unsigned char  dest_addr[6];    /* target MAC address */
        unsigned long  dest_ip;         /* target IP address */
        unsigned char  padding[18];     /* fill up to the minimum frame size */
    };

Advances in Materials, Machinery, Electronics I
AIP Conf. Proc. 1820, 090019-1–090019-7; doi: 10.1063/1.4977403
Published by AIP Publishing. 978-0-7354-1488-4/$30.00
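To make the layout above concrete, the following is an added example of a parser for Ethernet-encapsulated ARP packets, written for this page rather than taken from the paper. It deliberately does not overlay the arp_head structure on the received buffer: unsigned long is 8 bytes on LP64 systems, the compiler may pad the structure, and the 16-bit fields arrive in network byte order, so each field is read at its explicit offset. The request and reply frames at the bottom are constructed for the example (host 192.168.1.10 asking for 192.168.1.1, and the answer), not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the paper's code: parse an Ethernet frame carrying ARP
 * into explicit fields.  The paper's arp_head cannot simply be overlaid on the
 * received buffer: "unsigned long" is 8 bytes on LP64 systems, the compiler
 * may pad the struct, and the 16-bit fields are big-endian on the wire. */

#define ETH_HDR_LEN    14
#define ARP_PKT_LEN    28
#define ETHERTYPE_ARP  0x0806
#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2

struct arp_fields {
    uint8_t  dst_mac[6], src_mac[6];   /* Ethernet header */
    uint16_t hardware_type;            /* 1 = Ethernet */
    uint16_t protocol_type;            /* 0x0800 = IPv4 */
    uint8_t  add_len, pro_len;         /* 6 and 4 */
    uint16_t option;                   /* opcode: 1 request, 2 reply */
    uint8_t  sour_addr[6];             /* sender MAC */
    uint32_t sour_ip;                  /* sender IPv4, host byte order */
    uint8_t  dest_addr[6];             /* target MAC */
    uint32_t dest_ip;                  /* target IPv4, host byte order */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out for a well-formed IPv4-over-Ethernet ARP frame,
 * -1 for anything too short or with unexpected header values. */
int parse_arp_frame(const uint8_t *buf, size_t len, struct arp_fields *out)
{
    if (len < ETH_HDR_LEN + ARP_PKT_LEN || rd16(buf + 12) != ETHERTYPE_ARP) return -1;
    const uint8_t *a = buf + ETH_HDR_LEN;          /* start of the 28-byte ARP packet */
    memcpy(out->dst_mac, buf, 6);
    memcpy(out->src_mac, buf + 6, 6);
    out->hardware_type = rd16(a);
    out->protocol_type = rd16(a + 2);
    out->add_len = a[4];
    out->pro_len = a[5];
    out->option  = rd16(a + 6);
    if (out->hardware_type != 1 || out->protocol_type != 0x0800 ||
        out->add_len != 6 || out->pro_len != 4 ||
        (out->option != ARP_OP_REQUEST && out->option != ARP_OP_REPLY)) return -1;
    memcpy(out->sour_addr, a + 8, 6);
    out->sour_ip = rd32(a + 14);
    memcpy(out->dest_addr, a + 18, 6);
    out->dest_ip = rd32(a + 24);
    return 0;
}

/* Constructed sample exchange, not captured traffic: 192.168.1.10
 * (02:00:00:00:00:0a) broadcasts "who has 192.168.1.1?" and 192.168.1.1
 * (02:00:00:00:00:01) replies.  Bytes past offset 42 are the zero padding
 * that brings each frame up to the 60-byte Ethernet minimum. */
static const uint8_t sample_request[60] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x0a, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x0a, 0xc0,0xa8,0x01,0x0a,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xc0,0xa8,0x01,0x01 };
static const uint8_t sample_reply[60] = {
    0x02,0x00,0x00,0x00,0x00,0x0a, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0x02,0x00,0x00,0x00,0x00,0x01, 0xc0,0xa8,0x01,0x01,
    0x02,0x00,0x00,0x00,0x00,0x0a, 0xc0,0xa8,0x01,0x0a };

/* Small accessors so the parse result can be checked without printing. */
int frame_opcode(const uint8_t *buf, size_t len)           /* opcode, or -1 */
{
    struct arp_fields f;
    return parse_arp_frame(buf, len, &f) == 0 ? (int)f.option : -1;
}
uint32_t frame_sender_ip(const uint8_t *buf, size_t len)   /* 0 if unparsable */
{
    struct arp_fields f;
    return parse_arp_frame(buf, len, &f) == 0 ? f.sour_ip : 0;
}
```

The header checks (hardware type 1, protocol type 0x0800, address lengths 6 and 4, opcode 1 or 2) are what a monitoring thread should apply before trusting any field, since a truncated or malformed frame would otherwise be read past its end.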
ARP works as follows. First, the source host broadcasts an Ethernet packet carrying the destination IP address; the destination host then answers with a packet that contains both its IP address and its MAC address. The source host thus obtains the destination host's IP/MAC mapping and stores this correspondence in its own ARP cache. The next time the two sides need to communicate, the correspondence can be taken directly from the ARP cache, omitting unnecessary ARP requests and responses. This is shown in Figure 1.
FIGURE 1. Working process of ARP
Formula (1) describes the aging mechanism of the ARP cache table, where T represents the ARP cache table, item represents an entry in the table, age represents the aging time of the entry, Timeout represents the maximum aging time specified by the system, and Remove deletes the corresponding entry. If a row in the table is not used again during the aging time, it is deleted. This design greatly reduces the system overhead of the ARP cache table while speeding up lookups.

$$(item \in T) \land (item.age \geq Timeout) \Rightarrow T \leftarrow \mathrm{Remove}(item) \qquad (1)$$
On Windows systems, the "arp -d" command can be executed to manually delete a specified entry. To empty the ARP cache table, the "arp -a" command can be used. This command can be expressed as formula (2), where recv is the command received by the ARP cache table and arpA is the arp -a command.

$$(recv = arpA) \Rightarrow T \leftarrow \emptyset \qquad (2)$$
As shown in Figure 1, suppose there are three hosts and two gateways in two network segments. Assume host A wants to communicate with host B. If host B is in the same segment as host A, host A first checks whether its ARP cache holds host B's IP/MAC mapping; if the mapping is not there, host A broadcasts an ARP request to all hosts, asking for the MAC address corresponding to host B. In theory only host B responds to this ARP request, answering with an ARP response packet that contains host B's MAC address. Through this exchange host A obtains host B's MAC address and saves host B's IP/MAC mapping in its own ARP cache table. When host A and host B communicate again, they can find the IP/MAC correspondence in their ARP cache tables. The entry is removed from the ARP cache table only after both parties have stopped communicating for an aging time.
ARP Protocol Vulnerability
Under normal circumstances, the ARP cache table effectively ensures that data packets are transmitted to the correct host. However, the design of the ARP protocol has an obvious loophole: when a host receives an ARP request or response packet, it does not verify the authenticity of the packet, but directly writes the IP/MAC correspondence from the ARP packet into its ARP cache table, replacing the original entry. This process can be expressed as formula (3), where fakeArp represents the received forged ARP packet, the property srcIp represents the source IP address of the ARP packet, and the Replace operation replaces the old entry with the new entry.

$$(item \in T) \land (fakeArp.srcIp = item.srcIp) \land (fakeArp.age < item.age) \Rightarrow T \leftarrow \mathrm{Replace}(item, newItem) \qquad (3)$$
This vulnerability can easily be exploited by attackers, as shown in Figure 2. Communication between host A and host C may be intercepted by a third party, for example host B. First, host B sends an ARP reply packet to host A, declaring that gateway 1 has the MAC address 03-03-03-03-03-03. Host A, after receiving the ARP reply, does not verify whether it came from host C, but directly refreshes its own ARP cache table. At the same time, host B sends an ARP reply to gateway 1 stating that host A's MAC address is 03-03-03-03-03-03. Likewise, gateway 1 does not verify the authenticity of this ARP response and directly refreshes its ARP cache table.
FIGURE 2. Example of ARP spoof
After that, when host A wants to communicate with host C again, it sends the packets that should go to gateway 1 directly to host B. Host B, after receiving these packets, can make certain changes and then forward them to the real gateway 1. When gateway 1 receives the packets returned from host C, it sends the packets that should go to host A to host B instead. Host B, after receiving them, can make some modifications and then forward them to the real host A. This completes a full data exchange, and the ARP spoofing attack has been carried out successfully.
ARP Spoofing Implementation
This section implements ARP spoofing attacks. In this experiment, ARP packets are sent to all hosts in the LAN after the user enters the number of ARP packets and the IP address of the gateway. The attacker is disguised as the gateway so that the victim cannot connect to the Internet. The main functions are described as follows: GetSelfMac is shown in Table 2, BuildArpPacket in Table 3, and arp_spoof_api in Table 4.
TABLE 2. Description of GetSelfMac function

    Attribute              Explanation
    Function prototype     unsigned char* GetSelfMac (char* pDevName)
    Function introduction  Get the MAC address of the specified network card
    Main parameter         main parameter
    Return value           Pointer to the MAC address string

TABLE 3. Description of BuildArpPacket function

    Attribute              Explanation
    Function prototype     unsigned char* BuildArpPacket (unsigned char* source_mac, unsigned long
    Function introduction  Constructing an ARP data packet
    Main parameter         source_mac; srcIP; destIP;
    Return value           Pointer to an ARP data packet

TABLE 4. Description of arp_spoof_api function

    Attribute              Explanation
    Function prototype     int arp_spoof_api (int arp_counts, char gatewayIP[])
    Function introduction  ARP cheat thread entry function, responsible for calling the other
                           functions and for communication with the graphical interface
    Main parameter         arp_counts for the number of ARP packets; GatewayIP for the gateway IP address
    Return value           0 on behalf of a normal end, -1 on behalf of an abnormal exit
The specific process of this thread is as follows:
STEP1: The ARP spoofing thread calls the pcap_open function to open the network card;
STEP2: After the network card is opened successfully, a valid IP address ip is obtained from the IP and mask values of the network card, and the machine's own address is excluded from the scope of the attack;
STEP3: The GetSelfMAC function is called to obtain the local MAC address mac;
STEP4: The BuildArpPacket function is called to construct an ARP packet, placing the local MAC address into the ARP packet;
STEP5: The pcap_sendpacket function is called to send the forged ARP packets out, completing the ARP spoofing.
Attack display: (1) The ARP cache of the victim before ARP spoofing, as shown in Figure 3.
FIGURE 3. ARP cache of victim before spoofing
(2) The attacker starts ARP spoofing, as shown in Figure 4.
FIGURE 4. Attacker start ARP spoofing
(3) After the ARP spoofing succeeds, the ARP cache of the victim, as shown in Figure 5.
FIGURE 5. ARP cache of victim after spoofing
After the victim is attacked, the entry for the gateway IP in its ARP cache has been changed to the attacker's MAC address, achieving the expected attack effect; the ARP spoofing succeeds.
ARP SPOOFING DEFENSE TECHNOLOGY
This section focuses on approaches to defending against ARP spoofing. First, the common ARP spoofing defense methods are studied and their common principles, advantages and disadvantages are summarized. Then, an improved defense algorithm is proposed to remedy the shortcomings of the current defense methods. Finally, the advantages of the improved defense method are analyzed.
ARP Spoofing Defense Method Research
Many anti-virus experts and scholars have carried out research on improvements to the ARP address resolution protocol and its related algorithms; the main work is summarized as follows:
(1) BMSchiW proposed the S-ARP algorithm, which adds digital signature technology on the sender side of the ARP probe: when the source host sends an ARP probe it signs a digest, and when the ARP datagram reaches the destination the signature is verified, thereby preventing forged ARP probe attacks [2].
(2) Lin Honggang proposed an algorithm for active detection and prevention of ARP attacks. In this algorithm, the ARP packet headers sent and received by the host are checked for consistency, and ARP packets with inconsistent header information are discarded; a specific packet is constructed from the received ARP packet information and the active detection method is used to authenticate the sender, with unauthenticated packets rejected; ARP replies are accepted according to the rule that the corresponding request must have been sent first, and unsolicited responses are rejected [3].
(3) Wenbin Zheng proposed a new algorithm to prevent ARP spoofing, which first adds an ARP request to the ARP protocol and only then accepts the ARP response, thereby avoiding the ARP spoofing attack. This algorithm is suitable for LANs with higher security requirements [4].
(4) QingGui Hu proposed a new scheme for the ARP protocol and designed a security algorithm; the ARP cache table is updated only if its conditions are met [5].
ARP Spoofing Defense Method Improvements
According to the ARP protocol vulnerabilities described in section 1.2, ARP attacks include denial-of-service attacks, clone attacks, and man-in-the-middle attacks. In a man-in-the-middle attack, the attacker intervenes between two target hosts by inserting their own host into the communication path between them. In order not to interrupt the communication, the attacker sets up their own host to forward the packets of the two target hosts. By the way they are carried out, ARP attacks can be divided into two categories:
(1) Sending an ARP reply without a request. The ARP protocol works on the premise of mutual trust between hosts, so the victim updates its ARP cache table immediately after receiving an ARP response.
(2) Sending a forged ARP request. Similarly, the victim updates its ARP cache table with the IP/MAC correspondence contained in the attacker's forged ARP request.
In this paper, we propose an improved defense algorithm based on the ARP protocol for these two types of ARP attack. The defense algorithm uses probe ARP requests to determine the authenticity of the source host. When an ARP packet sent by another host is received, its IP/MAC correspondence is compared with the ARP cache table. If it is the same, the ARP packet is ignored by default; if not, two probe ARP requests are constructed, one containing the newly received IP/MAC correspondence and the other containing the old IP/MAC correspondence from the ARP cache table, and both are sent out at the same time. Using arpPkt1 and arpPkt2 for the two probe ARP requests, we have formula (4):

$$arpPkt1 \leftarrow \mathrm{Build}(item.ip, item.mac, vctm.ip, vctm.mac, ethr.hdr)$$
$$arpPkt2 \leftarrow \mathrm{Build}(newItem.ip, newItem.mac, vctm.ip, vctm.mac, ethr.hdr) \qquad (4)$$
Let ret1 and ret2 be the ARP responses to the two probe ARP requests respectively, and ret the final decision. Four situations can be distinguished:
(1) No response is received, that is ret1 = ∅, ret2 = ∅. This means that at least the new correspondence is forged and should be discarded:
$$ret \leftarrow \mathrm{Drop}(arpPkt1, arpPkt2)$$
(2) Only the response to the new correspondence is received, namely ret1 = ∅, ret2 ≠ ∅. This shows that the correspondence of the source host has changed, and the machine's ARP cache table should be updated:
$$ret \leftarrow \mathrm{Drop}(arpPkt1),\quad T \leftarrow \mathrm{Replace}(item, arpPkt2)$$
(3) Only the response to the old correspondence is received, that is ret2 = ∅, ret1 ≠ ∅. This means that the new correspondence is forged and should be discarded:
$$ret \leftarrow \mathrm{Drop}(arpPkt2),\quad T \leftarrow \mathrm{Update}(item.age)$$
(4) Both responses are received at the same time, that is ret1 ≠ ∅, ret2 ≠ ∅. This indicates an IP conflict in the LAN, and the ARP packet is ignored by default:
$$ret \leftarrow \mathrm{Drop}(arpPkt1, arpPkt2)$$
The advantage of this algorithm is that its system overhead is small: it only needs to construct two probe ARP requests and send them out after receiving an ARP packet, without consuming too many system resources. The disadvantage is that it has to wait a short time for the ARP replies, but because the delay of ARP responses in a LAN is small under normal circumstances, this algorithm has little effect on normal communication.
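The following added example, written for this page and not taken from the paper's implementation, models the ARP cache table T and puts the unverified update of formula (3) side by side with the probe-based decision of formula (4) and its four cases. Probe replies are simulated by a callback over a constructed list of genuine hosts, so nothing is sent on the network. The 120-second Timeout, the handling of an IP address that is not yet in the cache, the verdict names and the host addresses are all assumptions of the example; the forged "gateway 1 is at 03-03-03-03-03-03" reply follows the paper's Figure 2.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the paper's code: ARP cache table T with the aging rule
 * of formula (1), the unverified update of formula (3) and the probe-based
 * decision of formula (4).  Probes are simulated; no packets are sent. */

#define CACHE_SIZE 8
#define TIMEOUT_S  120   /* assumed aging limit; real stacks have their own default */

struct arp_corr  { uint32_t ip; uint8_t mac[6]; };              /* one IP/MAC correspondence */
struct arp_item  { bool used; struct arp_corr c; unsigned age; };
struct arp_cache { struct arp_item item[CACHE_SIZE]; };

/* Formula (1): advance every entry's age and Remove() those past Timeout. */
void cache_age(struct arp_cache *T, unsigned elapsed)
{
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (!T->item[i].used) continue;
        T->item[i].age += elapsed;
        if (T->item[i].age >= TIMEOUT_S) T->item[i].used = false;
    }
}

struct arp_item *cache_find(struct arp_cache *T, uint32_t ip)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (T->item[i].used && T->item[i].c.ip == ip) return &T->item[i];
    return NULL;
}

/* Insert or overwrite the entry for c->ip; its age restarts at 0. */
static void cache_put(struct arp_cache *T, const struct arp_corr *c)
{
    struct arp_item *it = cache_find(T, c->ip);
    for (int i = 0; it == NULL && i < CACHE_SIZE; i++)
        if (!T->item[i].used) it = &T->item[i];
    if (it == NULL) return;                    /* table full: entry not inserted */
    it->used = true; it->c = *c; it->age = 0;
}

/* Formula (3), the vulnerable behaviour: whatever the packet claims replaces
 * the cached entry for that IP without any check. */
void cache_update_naive(struct arp_cache *T, const struct arp_corr *pkt) { cache_put(T, pkt); }

enum verdict { V_IGNORED, V_DROP_NO_REPLY, V_REPLACED, V_DROP_FORGED, V_DROP_CONFLICT };

/* Stands in for sending arpPkt1 / arpPkt2 and waiting for ret1 / ret2:
 * returns true if a host answered for exactly this IP/MAC correspondence. */
typedef bool (*probe_fn)(const struct arp_corr *c);

/* Formula (4) and the four cases of the improved defense. */
enum verdict cache_update_verified(struct arp_cache *T, const struct arp_corr *pkt, probe_fn probe)
{
    struct arp_item *it = cache_find(T, pkt->ip);
    if (it == NULL) {                          /* IP not cached yet: not covered by the paper; */
        if (!probe(pkt)) return V_DROP_NO_REPLY;   /* assumed: probe only the new pair */
        cache_put(T, pkt);
        return V_REPLACED;
    }
    if (memcmp(it->c.mac, pkt->mac, 6) == 0) return V_IGNORED;   /* same as cached: ignore */
    bool ret1 = probe(&it->c);                 /* arpPkt1 carries the old correspondence */
    bool ret2 = probe(pkt);                    /* arpPkt2 carries the new correspondence */
    if (!ret1 && !ret2) return V_DROP_NO_REPLY;                           /* case (1) */
    if (!ret1 &&  ret2) { it->c = *pkt; it->age = 0; return V_REPLACED; } /* case (2) Replace */
    if ( ret1 && !ret2) { it->age = 0; return V_DROP_FORGED; }            /* case (3) Update(age), alarm */
    return V_DROP_CONFLICT;                                               /* case (4) IP conflict */
}

/* Constructed LAN for the simulation: the hosts that would really answer. */
static const struct arp_corr real_hosts[] = {
    { 0xc0a80101u, {0x02,0x00,0x00,0x00,0x00,0x01} },   /* gateway 192.168.1.1 */
    { 0xc0a8010au, {0x02,0x00,0x00,0x00,0x00,0x0a} },   /* host A  192.168.1.10 */
};
static bool simulated_probe(const struct arp_corr *c)
{
    for (size_t i = 0; i < sizeof real_hosts / sizeof real_hosts[0]; i++)
        if (real_hosts[i].ip == c->ip && memcmp(real_hosts[i].mac, c->mac, 6) == 0) return true;
    return false;
}

/* Forged reply as in Figure 2: "gateway 1 is at 03-03-03-03-03-03". */
static const struct arp_corr forged = { 0xc0a80101u, {0x03,0x03,0x03,0x03,0x03,0x03} };

/* Seed the cache with the genuine gateway entry, feed the forged reply through
 * one update path, and report the first byte of the MAC now cached for the
 * gateway: 0x02 means still genuine, 0x03 means poisoned, -1 means gone. */
static int gateway_mac_after(bool verified, enum verdict *v)
{
    struct arp_cache T; memset(&T, 0, sizeof T);
    cache_put(&T, &real_hosts[0]);
    if (verified) *v = cache_update_verified(&T, &forged, simulated_probe);
    else cache_update_naive(&T, &forged);
    struct arp_item *it = cache_find(&T, forged.ip);
    return it ? it->c.mac[0] : -1;
}
int gateway_mac_after_naive(void)    { enum verdict v = V_IGNORED; return gateway_mac_after(false, &v); }
int gateway_mac_after_verified(void) { enum verdict v = V_IGNORED; return gateway_mac_after(true, &v); }
int verified_verdict(void)           { enum verdict v = V_IGNORED; gateway_mac_after(true, &v); return (int)v; }

/* Formula (1): 1 if the gateway entry survives aging by `elapsed` seconds. */
int gateway_entry_survives(unsigned elapsed)
{
    struct arp_cache T; memset(&T, 0, sizeof T);
    cache_put(&T, &real_hosts[0]);
    cache_age(&T, elapsed);
    return cache_find(&T, real_hosts[0].ip) != NULL;
}
```

Against the forged reply, the naive path ends with 03-03-03-03-03-03 cached for the gateway, while the verified path lands in case (3): the genuine gateway still answers for the old correspondence, nobody answers for the new one, the packet is dropped with the V_DROP_FORGED verdict that a monitoring thread would turn into an alarm, and the cache is untouched. Had the gateway genuinely changed its NIC, only the new correspondence would answer and case (2) would replace the entry.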
APPLICATION AND TESTING OF VULNERABILITY DEFENSE TECHNOLOGY
Test Program
Program testing is divided into two test methods, black-box testing and white-box testing. Black-box testing focuses mainly on the external functions of the program, testing the software interface and functions regardless of the internal structure; this paper uses the black-box test method (Table 5).
Test environment

TABLE 5. Test environment

    Attribute          Configuration parameter
    CPU                Intel Core 2 Duo P7370 @2.00GHz
    Operating system   Windows 7
    Virtual machine    VMWare Workstation 8 (Windows XP, Windows 7)
Test cases and test results
This section tests the effectiveness of the improved ARP defense method. The defense method is deployed in monitoring mode, capturing ARP spoofing attacks and raising alarms. The ARP defense thread first calls the pcap_open function to open the network card and listens for the ARP packets sent to the machine. When an ARP packet is captured, the ARP defense algorithm is run to determine the authenticity of the ARP packet. When the received ARP packet is judged to be forged, it is concluded that an attacker has initiated ARP spoofing, and an alarm is issued immediately.
Defensive effect display:
(1) The defense thread received only the response to the old correspondence, indicating that the new relationship is counterfeit. Therefore, an alarm is generated and it is recommended to discard the ARP packet, as shown in Figure 6.
FIGURE 6. Judgment result by defense algorithm
(2) After the ARP packet has been judged, the defense algorithm is turned off and the ARP packets sent to the host continue to be monitored. After the victim is attacked, the ARP defense thread detects the attack and generates an alarm. The ARP defense algorithm runs normally and achieves the expected defense effect.
CONCLUSION
The improved ARP defense algorithm proposed in this paper has high performance and low system overhead. It only needs to send two probe ARP requests and wait a short time after receiving an ARP packet, which has little effect on normal communication. Of course, because the ARP defense algorithm has to wait for the ARP responses, it adds a certain delay to the communication burden of the LAN, so some problems remain. It can be further improved by dynamically adjusting the waiting timeout according to the network load.
ACKNOWLEDGMENTS
Anshan Normal University, experimentalist. Master's graduate student, research direction software engineering. Born in May 1981 in Jinzhou, Liaoning; Manchu.
REFERENCES
1. Xiangning Hou, Zhiping Jiang, Xinli Tian. The detection and prevention for ARP spoofing based on Snort. Computer Application and System Modeling (ICCASM), 2010 International Conference on, vol. 5, pp. V5-137–V5-139, 22-24 Oct. 2010.
2. Lootah W, Enck W, McDaniel P. TARP: ticket-based address resolution protocol. Computer Security Applications Conference, ACSAC 2005, 21st Annual, Tucson, Arizona, 2005.
3. Honggang Lin, Yanwei Lin. Research on an algorithm for active detection and prevention of ARP attack. Journal of Sichuan University, 2008, 40, pp. 143-149.
4. Wenbin Zheng, Chengzhong Li. ARP spoofing principle and a guard algorithm. Journal of Jiang Nan University, 2003, pp. 574-577.
5. QingGui Hu. A new improved scheme of ARP protocol. Shanxi University of Science and Technology, 2011, pp. 81-86.