Despite its convenience, ubiquitous computing is exposed to many threats and security risks, and security considerations in the ubiquitous network are required to create enriched and more secure ubiquitous environments. The Address Resolution Protocol (ARP) maps an IP address to the physical (MAC) address of the associated network interface. ARP works without problems in benign environments; however, because its design includes no security measures against malicious attacks, an attacker can impersonate another host through ARP spoofing or gain access to important information. In this paper, we propose a new detection scheme for ARP spoofing attacks that uses a routing trace and can be used to protect the internal network: tracing the route reveals changes in the path that network traffic takes. The proposed scheme provides high consistency and compatibility because it does not alter the ARP protocol, and it is simple and stable because it neither uses a complex algorithm nor imposes extra load on the computer system.
Ubiquitous computing has recently been perceived as the new paradigm for a comfortable life, and the use of smart applications in particular has greatly increased. At the same time, a growing number of security concerns have emerged in this environment. Ubiquitous environments always need connected networks, so network security is one of their important considerations: only a secure network can sustain rich ubiquitous environments. Security considerations in ubiquitous networks are therefore required.
An ARP spoofing attack is an attack in which the attacker's media access control (MAC) address is passed off as that of another computer, so that traffic addressed to that computer's IP address is delivered to the attacker. Although various studies have addressed ARP spoofing detection and proposed countermeasures, there are numerous fundamental difficulties in finding an optimized solution. Countermeasures such as static management of the cache table, S-ARP, T-ARP, and the ARP table server synchronization method have been presented. Nevertheless, for various reasons, such as compatibility with existing network configurations and protocols and administrative overhead, applying these schemes is difficult. In this paper, we present a new detection scheme for ARP spoofing attacks that uses local network information and a routing trace to protect the internal network. Detection is composed of periodic surveillance of the ARP cache table and a routing trace. The proposed scheme requires no additional network configuration or protocol change, and it adds little system or network overhead.
The remainder of this paper is organized as follows. Section
ARP is used to map the MAC physical address and the IP network address, as presented in Figure
ARP request/reply protocol: ARP request (broadcast), ARP reply (unicast).
This
As ARP updates a host's ARP cache table without any authentication or mutual agreement procedure while exchanging request/reply messages, it has a few fundamental security problems. ARP spoofing attacks are described as follows [
- Block host: using ARP spoofing, an attacker can alter a host's ARP cache table. Packets sent by that host no longer reach the real destination but arrive at the attacker, so the attacker can cut the host off from the network.
- Host impersonation: an attacker can impersonate a host and, by doing so, discard the host's packets and cancel the host's requests.
- Man-in-the-middle (MITM) attack: an attacker can alter the ARP cache tables of two hosts so that their traffic is relayed through the attacker, who can then monitor the communication between them.
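To make the attacks above concrete, the following added example (written for this page, not code from the paper) encodes and decodes Ethernet/ARP frames with Python's standard library and constructs both a legitimate reply from the gateway and a spoofed reply that re-binds the gateway's IP address to the attacker's MAC. All MAC and IP addresses are constructed for illustration, and the `audit_reply` checks are simple receiver-side sanity checks of my own, not part of the proposed scheme.

```python
"""Ethernet/ARP frame encoder/decoder with a spoofed-reply example (added illustration)."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str
    eth_src: str
    oper: int   # 1 = request, 2 = reply
    sha: str    # sender hardware (MAC) address
    spa: str    # sender protocol (IPv4) address
    tha: str    # target hardware address (zeros in a request)
    tpa: str    # target protocol address

    def to_bytes(self) -> bytes:
        eth = mac_to_bytes(self.eth_dst) + mac_to_bytes(self.eth_src) + struct.pack("!H", ETHERTYPE_ARP)
        # HTYPE=1 (Ethernet), PTYPE=0x0800 (IPv4), HLEN=6, PLEN=4, then the operation code
        arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, self.oper)
        arp += mac_to_bytes(self.sha) + socket.inet_aton(self.spa)
        arp += mac_to_bytes(self.tha) + socket.inet_aton(self.tpa)
        return eth + arp  # 14-byte Ethernet header + 28-byte ARP body = 42 bytes

    @classmethod
    def from_bytes(cls, frame: bytes) -> "ArpFrame":
        if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            raise ValueError("not an Ethernet/ARP frame")
        htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            raise ValueError("unsupported ARP encoding")
        return cls(bytes_to_mac(frame[0:6]), bytes_to_mac(frame[6:12]), oper,
                   bytes_to_mac(frame[22:28]), socket.inet_ntoa(frame[28:32]),
                   bytes_to_mac(frame[32:38]), socket.inet_ntoa(frame[38:42]))


def arp_request(src_mac: str, src_ip: str, target_ip: str) -> ArpFrame:
    """'Who has target_ip?' Broadcast at layer 2; the target MAC is still unknown."""
    return ArpFrame(BROADCAST_MAC, src_mac, ARP_REQUEST, src_mac, src_ip, ZERO_MAC, target_ip)


def arp_reply(src_mac: str, src_ip: str, dst_mac: str, dst_ip: str) -> ArpFrame:
    """'src_ip is at src_mac.' Unicast back to the host that asked."""
    return ArpFrame(dst_mac, src_mac, ARP_REPLY, src_mac, src_ip, dst_mac, dst_ip)


def audit_reply(frame: ArpFrame, pending: Set[str]) -> List[str]:
    """Receiver-side sanity checks (my own, illustrative). `pending` holds the IPs
    this host currently has outstanding ARP requests for."""
    findings: List[str] = []
    if frame.oper != ARP_REPLY:
        return findings
    if frame.spa not in pending:
        findings.append("unsolicited reply")
    if frame.eth_src != frame.sha:
        findings.append("Ethernet source MAC differs from ARP sender MAC")
    if frame.eth_dst == BROADCAST_MAC:
        findings.append("reply sent as broadcast")
    return findings


# Constructed addresses for the scenario.
VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:20", "192.168.0.20"
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:01", "192.168.0.1"
ATTACKER_MAC = "00:11:22:33:44:77"

LEGIT_REPLY = arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
# Same sender IP as the gateway, but the attacker's MAC: the victim's cache now
# maps the gateway to the attacker, which is the basis of all three attacks above.
SPOOFED_REPLY = arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
```

Note that the spoofed frame is internally consistent (its Ethernet source equals its ARP sender address), so of the checks above only "unsolicited reply" fires, and gratuitous ARP is legitimate in some deployments. Many stacks also refresh an existing entry from an ARP request, not only from replies. In-band inspection of single frames is therefore weak evidence on its own, which is why the scheme in this paper looks at the resulting cache change together with an out-of-band routing trace.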
The following security requirements can be considered for any response scheme against ARP spoofing attacks [
- Host management costs should be controlled.
- Cryptographic processing, which lowers ARP performance, should be minimized.
- Attacks should be detected and blocked promptly, with timely warnings that alert the administrator to the attack situation.
- The solution has to be universal and easily applicable.
- Hardware costs should be minimized.
- The solution has to be compatible with ARP.
- It should not slow down the ARP request/reply exchange.
- If possible, it should cover all known ARP attacks.
- The additional network traffic should be contained.
Gouda and Huang [
In this section, the proposed detection scheme for ARP spoofing attacks using a routing trace, namely the detection scheme for ARP spoofing (DS-ARP), is discussed in detail.
The architecture of the proposed scheme can be divided into the agent and server side. Detection and protection are the key technologies involved, as shown in Figure
Overall architecture of the DS-ARP scheme.
Detection periodically keeps the updated state of the ARP cache table under surveillance. When the ARP cache table is updated, the DS-ARP performs a routing trace to identify the corresponding
Description of Acronym.
Acronym | Description |
---|---|
ACTMM | ARP cache table monitor manager |
PSM | Packet send manager |
TRV | Trace routing validation |
ACTM | ARP cache table manager |
ACTR | ARP cache table repository |
Database | Database |
The detection module periodically keeps the ARP cache table under surveillance and checks changed items. Once a change in the ARP cache table is identified, the DS-ARP determines whether an ARP spoofing attack has taken place through a routing trace.
The protection module converts the
Protocol for the detection stages.
Protocol for the protection stages.
In this section, we analyze the existing schemes and the proposed DS-ARP based on the security requirements described in Section
Comparisons of current schemes versus the proposed scheme.
Classification | T-ARP [ | Xing [ | P-ARP [ | ASA [ | DS-ARP |
---|---|---|---|---|---|
Host cost minimization | △ | △ | △ | ○ | ○ |
Cryptographic technique minimization | △ | | △ | ○ | |
Warning/detection effectiveness | △ | | △ | △ | |
Universality, easy applicability | △ | ○ | ○ | ○ | |
Hardware costs minimization | ○ | | | | |
ARP compatibility | | | | △ | |
ARP speed | ○ | ○ | | △ | |
Network loading | | | | | |
Security | | ○ | | | |
The scheme by Xing et al., which uses the WinPcap library, has the disadvantage of continuously monitoring ARP packets and repeatedly comparing them with local information. The scheme proposed by Ramachandran and Nandi causes excessive traffic in the network. Although S-ARP and T-ARP, which rely on authorized key pairs, are the most robust schemes for preventing ARP spoofing, their disadvantage is that they require a change to the ARP protocol. Port security cannot be a complete solution either, as it remains vulnerable to MITM attacks.
DAI has the drawback that the network configuration and the switches need to be changed. Limmaneewichid and Lilakiatsakun proposed an effective scheme that ensures the integrity of ARP packets; however, it slows the network down to an unacceptable level. Abad and Bonilla defined the requirements to be fulfilled by ARP spoofing solutions. Based on these requirements, the existing schemes and the scheme proposed in this study are compared in Table
The proposed DS-ARP overcomes the problems of the existing schemes and offers a simple, high-performance solution. The detection and protection scenario of the proposed scheme is discussed in the following two steps.
ARP spoofing detection.
The routing trace uses the ICMP Time Exceeded message. Each router that forwards an IP packet decrements the TTL field in the packet's IP header, and a router that decrements the TTL to zero discards the packet and returns an ICMP Time Exceeded message to the sender. In other words, if a packet is sent with its TTL set to one, the first router on the path returns the Time Exceeded message. The network path can then be traced hop by hop by increasing the TTL value.
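The periodic surveillance of the ARP cache table described for the detection module and the TTL-based routing trace described above can be combined as follows. This is an added example written for this page, not the DS-ARP implementation: the /proc/net/arp snapshots, hop lists and addresses are constructed, and the assumption that the attacker forwards the victim's traffic at the IP layer (so that the TTL=1 probe expires at the attacker) is mine. `probe_hop` and `trace_route` show how a live hop list would be gathered (they need raw-socket privileges and a network and are not exercised here); the checks run on the constructed data.

```python
"""DS-ARP-style check: ARP cache surveillance plus route-trace comparison.
Added illustration for this page, not the paper's implementation."""
import socket
from typing import Dict, List, Optional, Tuple

# Constructed /proc/net/arp snapshots (Linux format). In ARP_AFTER the gateway
# 192.168.0.1 has been re-bound to the MAC of 192.168.0.77, the hypothetical attacker.
ARP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:01     *        eth0
192.168.0.20     0x1         0x2         00:11:22:33:44:20     *        eth0
192.168.0.77     0x1         0x2         00:11:22:33:44:77     *        eth0
"""
ARP_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:11:22:33:44:77     *        eth0
192.168.0.20     0x1         0x2         00:11:22:33:44:20     *        eth0
192.168.0.77     0x1         0x2         00:11:22:33:44:77     *        eth0
"""
# Constructed hop lists (one responder per TTL value) for a trace to an outside host.
# Baseline: the first Time Exceeded comes from the real gateway. After poisoning, the
# attacker forwards the victim's packets (assumption), so one extra hop appears first.
TRACE_BEFORE = ["192.168.0.1", "10.0.0.1", "8.8.8.8"]
TRACE_AFTER = ["192.168.0.77", "192.168.0.1", "10.0.0.1", "8.8.8.8"]

ATF_COM = 0x02  # /proc/net/arp flag: entry is complete (MAC resolved)


def parse_proc_net_arp(text: str) -> Dict[str, str]:
    """Return {ip: mac} for the complete entries of a /proc/net/arp dump."""
    table: Dict[str, str] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) >= 6 and int(parts[2], 16) & ATF_COM:
            table[parts[0]] = parts[3].lower()
    return table


def changed_bindings(old: Dict[str, str], new: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """IPs whose MAC differs between two snapshots, as (ip, old_mac, new_mac)."""
    return [(ip, old[ip], new[ip]) for ip in sorted(old) if ip in new and old[ip] != new[ip]]


def shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs bound to several IPs: after poisoning, the attacker's MAC claims both
    its own IP and the IP it impersonates."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def route_anomalies(baseline: List[str], current: List[str]) -> List[str]:
    """Describe how a fresh trace differs from the recorded baseline path."""
    notes: List[str] = []
    if baseline and current and current[0] != baseline[0]:
        notes.append(f"first hop changed: {baseline[0]} -> {current[0]}")
    if len(current) > len(baseline):
        inserted = [hop for hop in current if hop not in baseline]
        notes.append(f"{len(current) - len(baseline)} extra hop(s): {inserted}")
    return notes


def ds_arp_check(before: str, after: str, baseline: List[str], current: List[str]) -> List[str]:
    """One surveillance cycle: the route trace is consulted only once a cache entry
    has changed, so the steady-state cost is just a table diff."""
    old, new = parse_proc_net_arp(before), parse_proc_net_arp(after)
    alerts = [f"{ip}: {a} -> {b}" for ip, a, b in changed_bindings(old, new)]
    if not alerts:
        return []
    alerts += [f"{mac} claims {ips}" for mac, ips in shared_macs(new).items()]
    alerts += route_anomalies(baseline, current)
    return alerts


def probe_hop(dst_ip: str, ttl: int, timeout: float = 1.0) -> Optional[str]:
    """Send one UDP probe with the given TTL; return the address that answered with
    ICMP Time Exceeded (type 11) or Destination Unreachable (type 3, the final hop).
    Needs CAP_NET_RAW and a live network, so it is not exercised offline."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        recv.settimeout(timeout)
        send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        send.sendto(b"", (dst_ip, 33434 + ttl))  # classic traceroute port range
        data, (addr, _) = recv.recvfrom(512)
        ihl = (data[0] & 0x0F) * 4               # skip the outer IP header
        return addr if data[ihl] in (3, 11) else None
    except socket.timeout:
        return None
    finally:
        recv.close()
        send.close()


def trace_route(dst_ip: str, max_hops: int = 30) -> List[str]:
    """Increase the TTL one step at a time; '*' marks a hop that did not answer."""
    hops: List[str] = []
    for ttl in range(1, max_hops + 1):
        hop = probe_hop(dst_ip, ttl) or "*"
        hops.append(hop)
        if hop == dst_ip:
            break
    return hops
```

Two caveats a practitioner would want: the trace exposes the attacker only if it relays at the IP layer and honours TTL; a bridge-style relay, or an attacker that suppresses ICMP, produces no extra hop, and many routers rate-limit Time Exceeded messages, so a silent hop ("*") is not an alarm on its own. Conversely, a MAC change can be legitimate (a replaced NIC, a DHCP lease handed to another host), which is why the cache change is treated here as a trigger for the trace rather than as a verdict.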
ARP spoofing protection.
In this paper, we discussed a new detection scheme for ARP spoofing attacks in ubiquitous environments based on a routing trace. The scheme detects ARP attacks through real-time monitoring of the ARP cache table combined with a routing trace, and it protects hosts from attackers through ARP Link Type Control, which changes the affected entries from dynamic to static. It addresses host impersonation, man-in-the-middle attacks, and host blocking. Moreover, the proposed scheme requires neither an ARP protocol change nor a complex encryption algorithm, and it does not cause a high system load.
Despite the various solutions presented in this paper, new attack techniques can still cause new security problems, since the ARP protocol has a few basic weaknesses. Therefore, further studies on resolving the fundamental security vulnerabilities of the ARP protocol are required.
The authors declare that there is no conflict of interests regarding the publication of this paper.
This research was supported by the MSIP (Ministry of Science, ICT, and Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2014-H0301-14-1021), supervised by the NIPA (National IT Industry Promotion Agency).