Network Security Foreign-Language Translation: Detecting ARP Spoofing, An Active Technique (.docx)
Foreign-Language Translation: Original Text and Translation
College: School of Computer Science
Major: Computer Science and Technology
Class:
Student ID:
Name:
Supervisor:
Responsible Teacher:
June 2011
Detecting ARP Spoofing: An Active Technique
Vivek Ramachandran and Sukumar Nandi
Cisco Systems, Inc., Bangalore, India
Indian Institute of Technology, Guwahati, Assam, India
Abstract. The Address Resolution Protocol (ARP), due to its statelessness and lack of an authentication mechanism for verifying the identity of the sender, has a long history of being prone to spoofing attacks. ARP spoofing is sometimes the starting point for more sophisticated LAN attacks like denial of service, man in the middle and session hijacking. The current methods of detection use a passive approach, monitoring the ARP traffic and looking for inconsistencies in the Ethernet to IP address mapping. The main drawback of the passive approach is the time lag between learning and detecting spoofing. This sometimes leads to the attack being discovered long after it has been orchestrated. In this paper, we present an active technique to detect ARP spoofing. We inject ARP request and TCP SYN packets into the network to probe for inconsistencies. This technique is faster, more intelligent, more scalable and more reliable in detecting attacks than the passive methods. It can also additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy in the event of an actual attack.
1. Introduction
The ARP protocol is one of the most basic but essential protocols for LAN communication. The ARP protocol is used to resolve the MAC address of a host given its IP address. This is done by sending an ARP request packet (broadcast) on the network. The concerned host now replies back with its MAC address in an ARP reply packet (unicast). In some situations a host might broadcast its own MAC address in a special Gratuitous ARP packet. All hosts maintain an ARP cache where all address mappings learnt from the network (dynamic entries) or configured by the administrator (static entries) are kept. The dynamic entries age out after a fixed interval of time, which varies across operating systems. After the entry ages out it is deleted from the cache and, if the host wants to communicate with the same peer, another ARP request is made. The static entries never age out.
The ARP protocol is stateless. Hosts will cache all ARP replies sent to them even if they had not sent an explicit ARP request for them. Even if a previous unexpired dynamic ARP entry is present in the ARP cache, it will be overwritten by a newer ARP reply packet on most operating systems. All hosts blindly cache the ARP replies they receive, as they have no mechanism to authenticate their peer. This is the root problem, which leads to ARP spoofing.
ARP spoofing is the process of forging ARP packets to be able to impersonate another host on the network. In the most general form of ARP spoofing the attacker sends spoofed ARP responses to the victim periodically. The period between the spoofed responses is much less than the ARP cache entry timeout period for the operating system running on the victim host. This ensures that the victim host never makes an ARP request for the host whose address the attacker is impersonating. The following subsections briefly discuss the current detection and mitigation techniques.
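As an added example (not code from the paper), the following Python shows the on-the-wire layout of an ARP request or reply over Ethernet, and a small model of the stateless cache behaviour just described. All MAC and IP addresses are constructed for the demonstration. The function `poison_scenario` shows why the paper stresses that the forging period must be much less than the cache timeout: forged replies sent every 10 s against a 60 s timeout keep the victim from ever sending an ARP request for the impersonated gateway, whereas forging every 100 s lets the entry age out and the victim asks again.

```python
# Added example (not code from the paper): encode/decode Ethernet+ARP frames
# and model the stateless ARP cache the paper describes. MAC and IP
# addresses below are constructed for the demonstration.
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """14-byte Ethernet header followed by a 28-byte ARP body (IPv4 over Ethernet).
    A request is normally broadcast (dst_mac ff:ff:ff:ff:ff:ff), a reply unicast."""
    dst = mac_bytes(dst_mac or target_mac)
    eth = dst + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a detector cares about; reject non-ARP frames."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": fmt_ip(frame[38:42]),
    }


class ArpCache:
    """The victim's cache as the paper describes it: every reply is cached,
    solicited or not, and a newer reply overwrites an unexpired dynamic entry."""

    def __init__(self, timeout: int):
        self.timeout = timeout
        self.entries = {}    # ip -> (mac, time learnt)
        self.requests = []   # (ip, time) for every ARP request the host had to send

    def on_frame(self, frame: bytes, now: int) -> None:
        arp = parse_arp(frame)
        if arp["op"] == ARP_REPLY:
            self.entries[arp["sender_ip"]] = (arp["sender_mac"], now)

    def resolve(self, ip: str, now: int):
        entry = self.entries.get(ip)
        if entry and now - entry[1] < self.timeout:
            return entry[0]
        self.requests.append((ip, now))   # entry aged out: host must ask again
        return None


VICTIM_MAC, VICTIM_IP = "00:11:22:33:44:02", "192.168.1.20"   # constructed
GATEWAY_IP = "192.168.1.1"
REAL_GW_MAC = "00:11:22:33:44:01"
ATTACKER_MAC = "00:11:22:33:44:ff"


def poison_scenario(timeout=60, period=10, duration=300, every=30):
    """The real gateway answers once at t=0; the attacker then sends a forged
    reply every `period` seconds. Returns the MAC the victim resolves every
    `every` seconds and the ARP requests it was forced to send."""
    victim = ArpCache(timeout)
    victim.on_frame(build_arp(ARP_REPLY, REAL_GW_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP), 0)
    resolved = []
    for t in range(1, duration + 1):
        if t % period == 0:
            forged = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
            victim.on_frame(forged, t)
        if t % every == 0:
            resolved.append(victim.resolve(GATEWAY_IP, t))
    return resolved, victim.requests


if __name__ == "__main__":
    seen, asked = poison_scenario()            # period 10 s, far below the 60 s timeout
    print("victim resolves gateway to:", set(seen), "ARP requests sent:", len(asked))
    seen, asked = poison_scenario(period=100)  # period above timeout: victim re-asks
    print("with slow forging:", seen, "ARP requests sent:", len(asked))
```

With the default parameters the victim never sends a single ARP request and resolves the gateway to the attacker's MAC for the whole run; with `period=100` the entry ages out four times in 300 s, each time giving the real gateway a chance to be heard.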
1.1 Current Mitigation and Detection Techniques
Existing ARP spoofing detection techniques are discussed next in turn.
1.1.1 Secure ARP Protocol (S-ARP)
This has been proposed as a replacement for the ARP protocol in S-ARP: a Secure Address Resolution Protocol. The S-ARP protocol is definitely a permanent solution to ARP spoofing, but the biggest drawback is that we will have to make changes to the network stack of all the hosts. This is not very scalable, as going for a stack upgrade across all available operating systems is something both vendors and customers will not be happy about. As S-ARP uses the Digital Signature Algorithm (DSA) we have the additional overhead of cryptographic calculations, though the authors of the paper have claimed that this overhead is not significant.
1.1.2 Static MAC Entries
Adding static MAC addresses on every host for all other hosts will not allow spoofing but is not a scalable solution at all, and managing all these entries is a full time job by itself. This can fail miserably if mobile hosts such as laptops are periodically introduced into the network. Also some operating systems are known to overwrite static ARP entries if they receive Gratuitous ARP packets (GARP).
1.1.3 Kernel Based Patches
Kernel based patches such as Anticap and Antidote have made an attempt to protect from ARP spoofing at an individual host level. Anticap does not allow updating of the host ARP cache by an ARP reply that carries a different MAC address than the one already in the cache. This unfortunately makes it drop legal gratuitous ARP replies as well, which is a violation of the ARP protocol specification. Antidote, on receiving an ARP reply whose MAC address differs from the previously cached one, tries to check if the previously learnt MAC is still alive. If the previously learnt MAC is still alive then the update is rejected and the offending MAC address is added to a list of banned addresses.
Both the above techniques rely on the fact that the ARP entry in the cache is the legitimate one. This creates a race situation between the attacker and the victim. If the attacker gets his spoofed ARP entry into the host's cache before the real host can, then the real MAC address is banned. This can only be undone by administrative intervention. Thus we can conclude that wrong learning may cause these tools to fail in detecting ARP spoofing.
1.1.4 Passive Detection
In Passive Detection we sniff the ARP requests/responses on the network and construct a MAC address to IP address mapping database. If we notice a change in any of these mappings in future ARP traffic then we raise an alarm and conclude that an ARP spoofing attack is underway. The most popular tool in this category is ARPWATCH.
The main drawback of the passive method is a time lag between learning the address mappings and subsequent attack detection. In a situation where the ARP spoofing began before the detection tool was started for the first time, the tool will learn the forged replies into its IP to MAC address mapping database. Now only after the victim starts communicating with some other host will the inconsistency be detected and an alarm raised. The attacker may have made his getaway because of this delay. Also a spoofed entry learned as in the above scenario would have to be manually undone by the network administrator. The only solution to this problem is to manually feed the correct address mappings into the database before starting the tool, or to create attack-free learning traffic. Both of these are unreasonable due to scalability and mobility issues. A typical example would be mobile hosts, e.g. laptops brought in by customers or visitors to a company. This slow learning curve makes it impossible to install passive tools on a large network (1000+ hosts) and expect them to identify attacks instantaneously.
The passive techniques do not have any intelligence and blindly look for a mismatch between the ARP traffic and their learnt database tables. If ARP spoofing is detected then there is no way of ascertaining whether the newly seen address mapping is because of a spoofing attempt or whether the previously learnt one was actually the spoofed one. Our technique will determine the real MAC to IP mapping during an actual attack to a fair degree of accuracy.
The passive learning technique is also very unreliable. A new address mapping is learnt whenever ARP traffic is seen from it. Thus a switch ARP cache table overflow attempt, generating many random ARP reply packets per second with arbitrary MAC and IP addresses, will just result in new stations being discovered instead of being reported as attack traffic. To overcome the problems in earlier techniques, we present a new ARP spoofing detection technique. Our technique uses an active approach to detect ARP spoofing. We send out ARP request and TCP SYN packets to probe the authenticity of the ARP traffic we see in the network. The approach is faster, more intelligent, more scalable and more reliable in detecting attacks than the passive methods. It can also additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy in the event of an actual attack. A description of the technique in detail is reported in the following sections.
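The following is an added example, not the paper's code and not ARPWATCH itself: a minimal passive detector of the kind described in Section 1.1.4, driven by constructed ARP reply events rather than live traffic. It reproduces the two weaknesses discussed above (a forged mapping seen first is learnt as truth, so the alarm later names the real host as the newcomer; a reply flood with arbitrary MAC/IP pairs is learnt as hundreds of new stations with no alarm at all) and the manual pre-seeding of the mapping table that the paper mentions as the only remedy. Addresses are constructed for the demonstration.

```python
# Added example (not the paper's code and not arpwatch): a minimal passive
# MAC/IP-mapping detector of the kind the paper describes, driven by constructed
# ARP reply events so its blind spots can be observed offline.
from dataclasses import dataclass, field


@dataclass
class PassiveDetector:
    """Learn (ip -> mac) from every ARP reply seen; alarm on any change."""
    table: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)

    def observe(self, sender_mac: str, sender_ip: str) -> str:
        known = self.table.get(sender_ip)
        if known is None:
            self.table[sender_ip] = sender_mac     # unknown station: learnt silently
            return "learnt"
        if known != sender_mac:
            # The detector only knows the mapping changed; it cannot tell which
            # of the two MACs is the legitimate owner of sender_ip.
            self.alarms.append((sender_ip, known, sender_mac))
            return "alarm"
        return "ok"


# Constructed addresses for the scenarios below.
GATEWAY_IP = "192.168.1.1"
REAL_GW_MAC = "00:11:22:33:44:01"
ATTACKER_MAC = "00:11:22:33:44:ff"


def late_start_scenario(seed_table=None):
    """Spoofing is already under way when the detector starts. With no seed the
    forged mapping is learnt as truth and the real gateway triggers the alarm;
    with the correct mapping pre-fed, the attacker triggers it instead."""
    det = PassiveDetector(table=dict(seed_table or {}))
    first = det.observe(ATTACKER_MAC, GATEWAY_IP)   # forged replies are seen first
    det.observe(ATTACKER_MAC, GATEWAY_IP)
    later = det.observe(REAL_GW_MAC, GATEWAY_IP)    # the real gateway finally speaks
    return first, later, det.table[GATEWAY_IP], det.alarms


def flood_scenario(n=500):
    """An ARP reply flood with arbitrary MAC/IP pairs: every packet looks like a
    new station to the passive detector, so nothing is reported."""
    det = PassiveDetector()
    for i in range(n):
        mac = f"02:00:00:{(i >> 16) & 255:02x}:{(i >> 8) & 255:02x}:{i & 255:02x}"
        ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        det.observe(mac, ip)
    return len(det.table), len(det.alarms)


if __name__ == "__main__":
    print("late start, unseeded:", late_start_scenario())
    print("late start, seeded  :", late_start_scenario({GATEWAY_IP: REAL_GW_MAC}))
    print("flood of 500 replies -> (stations learnt, alarms):", flood_scenario())
```

In the unseeded run the table ends up holding the attacker's MAC for the gateway and the only alarm reports the genuine gateway as the suspicious newcomer, which is exactly the "wrong learning" the paper describes; seeding the table with the correct mapping beforehand fixes that one host, at the administrative cost the paper calls unscalable.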
2 The Proposed Active Detection Technique for ARP Spoofing
The proposed technique actively interacts with the network to gauge the presence of ARP spoofing attacks. We will henceforth assume the following about the network we desire to protect.
2.1 Assumptions
1. The attacker's computer has a normal network stack. This assumption will hold for most of the attacks, as "ready to use" ARP spoofing tools have always been the attacker's most popular choice. If the attacker does use a customized stack then our technique will still detect ARP spoofing but will not be able to predict the correct address mappings anymore. We will discuss performance in the presence of a customized stack in Section 2.5.
2. The individual hosts we desire to protect on the network may use a personal firewall, but at least one TCP port should be allowed through the firewall. This is to allow our probe packets (TCP SYN packets) to go through. This is a reasonable assumption as, even if a firewall is installed, some LAN based services such as NETBIOS etc. are normally allowed through it for LAN communication.
3. We assume that all devices which we protect have a TCP/IP network stack up and running.
2.2 Terminology
We now introduce the terminology used in the rest of this paper.
1. Threshold interval:
ARP replies to an ARP request must be received within a specified time interval. After this time has elapse