ArpON

Last updated
ArpON – ARP handler inspection
Original author(s) Andrea Di Pasquale
Initial releaseJuly 8, 2008;16 years ago (2008-07-08)
Stable release
3.0-ng / January 29, 2016;8 years ago (2016-01-29)
Written in C
Operating system Linux
Platform Unix-like, POSIX
Available in English
Type Network security, Computer security
License BSD license
Website arpon.sourceforge.io

ArpON (ARP handler inspection) [1] is a computer software project to improve network security. [2] It has attracted interest among network managers [3] [4] [5] [6] [7] and academic researchers [8] [9] [10] [11] [12] [13] and is frequently cited as a means of protecting against ARP-based attacks. [14] [15] [16]

Contents

Motivation

The Address Resolution Protocol (ARP) has many security issues. These include the Man In The Middle (MITM) attack through the ARP spoofing, [17] ARP cache poisoning, [18] [19] [20] Denial of Service [21] and ARP poison routing attacks. [22] [23] [24]

Solution

ArpON is a host-based solution that makes the ARP secure and avoids the man-in-the-middle attack through ARP spoofing, ARP cache poisoning or ARP poison routing. This is possible using three kinds of anti-ARP-spoofing techniques:

The goal of ArpON is therefore to provide a secure and efficient network daemon that provides the SARPI, DARPI and HARPI anti-ARP-spoofing technique, thus making the ARP standardized protocol secure from any foreign intrusion.[ citation needed ]

See also

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security is the protection of computer software, systems and networks from threats that may result in unauthorized information disclosure, theft of hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. ARP was defined in 1982 by RFC 826, which is Internet Standard STD 37.

An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically either reported to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

In cryptography and computer security, a man-in-the-middle (MITM) attack, or on-path attack, is a cyberattack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other, as the attacker has inserted themselves between the two user parties.

<span class="mw-page-title-main">ARP spoofing</span> Cyberattack which associates the attackers MAC address with the IP address of another host

In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.

In the context of information security, and especially network security, a spoofing attack is a situation in which a person or program successfully identifies as another by falsifying data, to gain an illegitimate advantage.

In computer security, a side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorithm itself or minor, but potentially devastating, mistakes or oversights in the implementation. Timing information, power consumption, electromagnetic leaks, and sound are examples of extra information which could be exploited to facilitate side-channel attacks.

<span class="mw-page-title-main">Content delivery network</span> Layer in the internet ecosystem addressing bottlenecks

A content delivery network or content distribution network (CDN) is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance ("speed") by distributing the service spatially relative to end users. CDNs came into existence in the late 1990s as a means for alleviating the performance bottlenecks of the Internet as the Internet was starting to become a mission-critical medium for people and enterprises. Since then, CDNs have grown to serve a large portion of the Internet content today, including web objects, downloadable objects, applications, live streaming media, on-demand streaming media, and social media sites.

End-to-end encryption (E2EE) is a private communication system in which only communicating users can participate. As such, no one else, including the communication system provider, telecom providers, Internet providers or malicious actors, can access the cryptographic keys needed to converse. End-to-end encryption is intended to prevent data being read or secretly modified, other than by the true sender and recipient(s). The messages are encrypted by the sender but the third party does not have a means to decrypt them, and stores them encrypted. The recipients retrieve the encrypted data and decrypt it themselves. Because no third parties can decipher the data being communicated or stored, for example, companies that provide end-to-end encryption are unable to hand over texts of their customers' messages to the authorities.

DNS spoofing, also referred to as DNS cache poisoning, is a form of computer security hacking in which corrupt Domain Name System data is introduced into the DNS resolver's cache, causing the name server to return an incorrect result record, e.g. an IP address. This results in traffic being diverted to any computer that the attacker chooses.

Private peer-to-peer (P2P) systems are peer-to-peer (P2P) systems that allow only mutually trusted peers to participate. This can be achieved by using a central server such as a Direct Connect hub to authenticate clients. Alternatively, users can exchange passwords or cryptographic keys with friends to form a decentralized network. Private peer-to-peer systems can be divided into friend-to-friend (F2F) and group-based systems. Friend-to-friend systems only allow connections between users who know one another, but may also provide automatic anonymous forwarding. Group-based systems allow any user to connect to any other, and thus they cannot grow in size without compromising their users' privacy. Some software, such as WASTE, can be configured to create either group-based or F2F networks.

Cache poisoning refers to a computer security vulnerability where invalid entries can be placed into a cache, which are then assumed to be valid when later used. Two common varieties are DNS cache poisoning and ARP cache poisoning. Web cache poisoning involves the poisoning of web caches. Attacks on other, more specific, caches also exist.

<span class="mw-page-title-main">Aircrack-ng</span> Software suite

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless network interface controller whose driver supports raw monitoring mode and can sniff 802.11a, 802.11b and 802.11g traffic. Packages are released for Linux and Windows.

<span class="mw-page-title-main">DHCP snooping</span> Techniques to secure DHCP service

In computer networking, DHCP snooping is a series of techniques applied to improve the security of a DHCP infrastructure.

Virgil Dorin Gligor is a Romanian-American professor of electrical and computer engineering who specializes in the research of network security and applied cryptography.

In computer security, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

<span class="mw-page-title-main">Typhoid adware</span>

Typhoid adware is a type of computer security threat that uses a Man-in-the-middle attack to inject advertising into web pages a user visits when using a public network, like a Wi-Fi hotspot. Researchers from the University of Calgary identified the issue, which does not require the affected computer to have adware installed in order to display advertisements on this computer. The researchers said that the threat was not yet observed, but described its mechanism and potential countermeasures.

Software-defined networking (SDN) is an approach to network management that enables dynamic and programmatically efficient network configuration to improve network performance and monitoring in a manner more akin to cloud computing than to traditional network management. SDN is meant to improve the static architecture of traditional networks and may be employed to centralize network intelligence in one network component by disassociating the forwarding process of network packets from the routing process. The control plane consists of one or more controllers, which are considered the brains of the SDN network, where the whole intelligence is incorporated. However, centralization has certain drawbacks related to security, scalability and elasticity.

The link layer is the lowest layer in the TCP/IP model. It is also referred to as the network interface layer and mostly equivalent to the data link layer plus physical layer in OSI. This particular layer has several unique security vulnerabilities that can be exploited by a determined adversary.

An ARP cache is a collection of Address Resolution Protocol entries, that are created when an IP address is resolved to a MAC address.

References

  1. "ArpON(8) manual page".
  2. "ArpON – Google books".
  3. Kaspersky lab. "Storage Cloud Infrastructures – Detection and Mitigation of MITM Attacks" (PDF). Archived from the original (PDF) on 2015-12-24. Retrieved 2015-05-28.
  4. Prowell, Stacy; et al. (2010-06-02). Seven Deadliest Network Attacks. Elsevier. p. 135. ISBN   9781597495509.
  5. Gary Bahadur, Jason Inasi; et al. (2011-10-10). Securing the Clicks Network Security in the Age of Social Media. McGraw Hill Professional. p. 96. ISBN   9780071769051.
  6. Wason, Rohan (2014-06-26). A Professional guide to Ethical Hacking: All about Hacking.
  7. Prowse, David L (2014-09-05). CompTIA Security+ SY0-401 Cert Guide, Academic Edition. Pearson IT Certification. ISBN   9780133925869.
  8. Stanford University. "An Introduction to Computer Networks" (PDF).
  9. Martin Zaefferer, Yavuz Selim Inanir; et al. "Intrusion Detection: Case Study" (PDF).
  10. Jaroslaw Paduch, Jamie Levy; et al. "Using a Secure Permutational Covert Channel to Detect Local and Wide Area Interposition Attacks" (PDF). Archived from the original (PDF) on 2015-04-02. Retrieved 2015-03-31.
  11. Xiaohong Yuan, David Matthews; et al. "Laboratory Exercises for Wireless Network Attacks and Defenses" (PDF).
  12. Hofbauer, Stefan. "A privacy conserving approach for the development of Sip security services to prevent certain types of MITM and Toll fraud attacks in VOIP systems" (PDF).
  13. D. M. de Castro, E. Lin; et al. "Typhoid Adware" (PDF).
  14. Jing (Dave) Tian, Kevin R. B. Butler; et al. "Securing ARP From the Ground Up" (PDF). Archived from the original (PDF) on 2015-04-02. Retrieved 2015-03-31.
  15. Palm, Patrik. "ARP Spoofing" (PDF).
  16. T. Mirzoev, J. S. White (2014). "The role of client isolation in protecting Wi-Fi users from ARP Spoofing attacks". I-managers Journal on Information Technology. 1 (2). arXiv: 1404.2172 . Bibcode:2014arXiv1404.2172M.
  17. Trabelsi, Zouheir; El-Hajj, Wassim (2009-09-25). "ARP spoofing: A comparative study for education purposes". 2009 Information Security Curriculum Development Conference. InfoSecCD '09. New York, NY, USA: Association for Computing Machinery. pp. 60–66. doi:10.1145/1940976.1940989. ISBN   978-1-60558-661-8. S2CID   10341159.
  18. Goyal, Vipul; Tripathy, Rohit (2005). "An Efficient Solution to the ARP Cache Poisoning Problem". In Boyd, Colin; González Nieto, Juan Manuel (eds.). Information Security and Privacy. Lecture Notes in Computer Science. Vol. 3574. Berlin, Heidelberg: Springer. pp. 40–51. doi:10.1007/11506157_4. ISBN   978-3-540-31684-8.
  19. Shah, Zawar; Cosgrove, Steve (2019). "Mitigating ARP Cache Poisoning Attack in Software-Defined Networking (SDN): A Survey". Electronics. 8 (10): 1095. doi: 10.3390/electronics8101095 . ISSN   2079-9292.
  20. Meghana, Jitta Sai; Subashri, T.; Vimal, K.R. (2017). "A survey on ARP cache poisoning and techniques for detection and mitigation". 2017 Fourth International Conference on Signal Processing, Communication and Networking (ICSCN). pp. 1–6. doi:10.1109/ICSCN.2017.8085417. ISBN   978-1-5090-4740-6. S2CID   23515882.
  21. Alharbi, Talal; Durando, Dario; Pakzad, Farzaneh; Portmann, Marius (2016). "Securing ARP in Software Defined Networks". 2016 IEEE 41st Conference on Local Computer Networks (LCN). pp. 523–526. doi:10.1109/LCN.2016.83. ISBN   978-1-5090-2054-6. S2CID   15480749.
  22. Nachreiner, Corey. "Anatomy of an ARP Poisoning Attack" (PDF). Retrieved 2023-08-24.
  23. Nam, Seung Yeob; Kim, Dongwon; Kim, Jeongeun (2010). "Enhanced ARP: preventing ARP poisoning-based man-in-the-middle attacks". IEEE Communications Letters. 14 (2): 187–189. doi:10.1109/LCOMM.2010.02.092108. ISSN   1558-2558. S2CID   8353460.
  24. Bicakci, Kemal; Tavli, Bulent (2009-09-01). "Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks". Computer Standards & Interfaces. Specification, Standards and Information Management for Distributed Systems. 31 (5): 931–941. doi:10.1016/j.csi.2008.09.038. ISSN   0920-5489.
  25. 1 2 3 Bruschi, Danilo; Di Pasquale, Andrea; Ghilardi, Silvio; Lanzi, Andrea; Pagani, Elena (2022). "A Formal Verification of ArpON – A Tool for Avoiding Man-in-the-Middle Attacks in Ethernet Networks". IEEE Transactions on Dependable and Secure Computing. 19 (6): 4082–4098. doi: 10.1109/TDSC.2021.3118448 . hdl: 2434/903256 . ISSN   1941-0018. S2CID   242519128.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.