Genuine ARP (GARP): a broadcast based stateful authentication protocol

  • Authors:
  • Subash Dangol; S. Selvakumar; M. Brindha

  • Affiliations:
  • National Institute of Technology, Tiruchirappalli - Tamil Nadu, India; National Institute of Technology, Tiruchirappalli - Tamil Nadu, India; National Institute of Technology, Tiruchirappalli - Tamil Nadu, India

  • Venue:
  • ACM SIGSOFT Software Engineering Notes
  • Year:
  • 2011

Quantified Score

Hi-index 0.00

Abstract

The Address Resolution Protocol (ARP) maps a network address (IP address) to a physical address (MAC address). Because ARP is stateless and its messages lack a proper authentication mechanism, it is vulnerable to cache poisoning attacks. An attacker can perform a Man-In-The-Middle (MITM) attack or a Denial of Service (DoS) attack and can access sensitive information, modify the contents, or deny the host access to services. Different techniques for the detection and prevention of ARP cache poisoning attacks have been proposed. Detection techniques (such as ARPWatch and Intrusion Detection techniques) generate false positives. Some prevention techniques make changes in the switch itself and some use cryptographic techniques. Secure-ARP and Ticket-based ARP (TARP) are cryptographic techniques but suffer from a single point of failure and ticket flooding attacks, respectively. ARP is a stateless protocol and ARP messages lack an address authentication mechanism. Because an ARP reply is unicast, the host systems in the LAN are not all aware of an attacker present in the LAN. In this paper, we propose a protocol known as "Genuine Address Resolution Protocol (GARP)". Two novel concepts, viz., a broadcast-based reply and the Certifier for proof of IP address ownership, are proposed in GARP. As a reply is broadcast, the host whose IP the attacker is using for the attack is aware of the attacker and subsequently makes other hosts in the LAN aware of the attacker as well. Thus, the protocol prevents possible attacks from the same attacker in the future. Statefulness is achieved by two tables, viz., the pending table and the blacklist table. The pending table holds the reply until its genuineness is proved, and the blacklist table holds the MAC of the attacker. Furthermore, the Certificate Authority is responsible for monitoring ARP activities and intervenes with appropriate messages at appropriate instances. The Dynamic Host Configuration Protocol (DHCP) server could be loaded with the additional service of monitoring ARP activities. The protocol has been implemented on the Linux operating system. GARP was tested for various possible cases of ARP cache poisoning attack. From the results, it could be inferred that GARP provides security against ARP cache poisoning attacks.