arp欺骗防御手段英文文献

AMiddlewareApproachtoAsynchronousandBackwardCompatibleDetectionandPreventionofARPCachePoisoningMaheshV.TripunitaraCERIASPurdueUniversityWestLafayette,IN,USAtripunit@cerias.purdue.eduParthaDuttaInternetPlatformsOrganizationAT&TLabsSanJose,CAppd@ipo.att.comAbstractThispaperdiscussestheAddressResolutionProtocol(ARP)andtheproblemofARPcachepoisoning.ARPcachepoisoningisthemaliciousact,byahostinaLAN,ofintroducingaspuriousIPaddresstoMAC(Ethernet)addressmappinginanotherhost’sARPcache.Wediscussdesignconstraintsforasolution:thesolutionneedstobeimplementedinmiddleware,withoutaccessorchangetoanyoperatingsystemsourcecode,bebackward-compatibletotheexistingprotocol,andbeasynchronous.WepresentoursolutionandimplementationaspectsofitinaStreamsbasednetworkingsubsystem.Oursolutioncomprisestwoparts:a”bumpinthestack”Streamsmodule,andaseparateStreamwithadriveranduser-levelapplication.WealsopresentthealgorithmthatisexecutedinthemoduleandapplicationtopreventARPcachepoisoningwherepossible,anddetectandraisealarmsotherwise.Wethendiscusssomelimitationswithourapproachandpresentsomepreliminaryperformancenumbersforourimplementation.1.IntroductionTheAddressResolutionProtocol(ARP)[5,9]isusedbyhostsonaLocalAreaNetwork(LAN)tofindalinklayeraddressgivenanetworklayeraddress.Inthecontextofthispaper,anetworklayeraddressisanIP[6]address,andalinklayeraddressisanEthernetaddress.Thisassumptionisnotnecessaryfortheissuesinthispapertobevalid.HostsonaLANmaintaintheIPaddresstoEthernetaddressmappingsinalocaltablecalledanARPcache.Amappingmaybedynamic:theentrycorrespondingtothemappingisremovedafteracertaintimeperiodunlessrefreshed.ARPcachepoisoningistheact,byamalicioushostintheLAN,ofintroducingaspuriousIPtoEthernetaddressmappingintoanotherhost’sARPcache.SomespecificexamplesofARPcachepoisoningarediscussedin[12].ThispaperdiscussesARPcachepoisoningandspecifiesthecontextanddesignconstraintsforasolution.Itthenpresentsasolutionthatsatisfiesthosedesignconstraintsanddiscussesthesecurityandperformancepropertiesofthesolution.Theremainderofthispaperisorganizedasfollows.ThenextsectiondiscussesARPandtheproblemofARPcachepoisoning.Section3discussesthedesignconstraintsandcontextforasolution.ThecontextforthesolutionisanoperatingsystemthatusestheStreamsparadigmforitsnetworkingsubsystem.Section4presentsthesolution.Section5discussessomedisadvantagesandshortcomingswithourapproach.Section6presentssomeperfunctoryperformancestudies.Weconcludeinsection7.2.ARPandARPCachePoisoningInthissection,webrieflydiscusstheAddressResolutionProtocol(ARP)[5,9]andwhatitmeansforahost’sARPcachetobepoisoned.WealsodiscussvariousattackscenariosandspecialcasesintheuseofARP.2.1.ARPWeadoptthescenarioofhostsinaLANcommunicatingusingtheTCP/IPsuite[6,7]overasharedEthernet.IPpacketsneedtobeencapsulatedinEthernetframesbeforetheycanbetransmitted.HostsareidentifiedattheIPlayerwithanIPaddress,andattheEthernetlayerwithanEthernetaddress.Weassumethatthereisaone-to-onemappingbetweenthesetofIPaddressesandthesetofEthernetaddressesfortheLAN.Thisisnecessaryforhoststobeuniquelyidentified,bothattheIPlayerandattheEthernetlayer.BeforeanIPpacketcanbeencapsulatedinanEthernetframe,thesenderneedstherecipient’sEthernetaddresssotheEthernetframecanbeconstructed.GiventhedestinationIPaddress,ARPisusedtofindtheEthernetaddresscorrespondingtothatIPaddress.ARPisemployedwhenstaticconfigurationoftheIPtoEthernetaddressmappingsineachhostintheLANisnotfeasibleorpreferable.Figure1.TheformatofanARPframewhenusedonanEthernet.Thisfigureisadaptedfrom[9].Figure1showstheformatofanARPframe.ARPisarequest–responseprotocol.AnARPrequestisbroadcasttotheLAN.TherequestcontainsthesourceIPandEthernetaddressesandthetargetIPaddress.EachhostontheLANchecksthetargetIPaddressinarequestagainstitsownIPaddress.IfahostisconfiguredwiththetargetIPaddress,itsendsanARPresponsewithitsEthernetaddress.Theresponseisunicast:itisaddressedonlytothesenderoftherequest.ProxyARPmaybeemployedinsituationsinwhichitisdesirabletohaveanARP(proxy)serverrespondtoallorsomeresolutionrequests.Theserverrespondsonbehalfofthetargethost.ProxyARPisdiscussedin[2].2.2.ARPCachePoisoningARPcachepoisoningistheactofamalicioushostintheLAN,ofintroducingaspuriousIPtoEthernetaddressmappinginanotherhost’sARPcache.TheeffectofARPcachepoisoningisthatIPtrafficintendedforonehostisdivertedtoadifferenthost,ortonohost.Followingarewaysinwhichahost’sARPcachecanbepoisoned.WehavetestedthattheseattacksdoworkagainsttheARPimplementationsofSolaris2.6and2.5.1,Windows95,Windows98,WindowNT4.0serverandworkstationandLinux(variousversionsofthekernel).•UnsolicitedResponse:AresponsethatisnotassociatedwitharequestwillbehonoredbyanARPimplementation.AmalicioushostonlyhastosendaresponseARPpacketontheLANwithaspuriousmappingtopoisontheARPcacheofthevictim.ThisresponsecanbebroadcasttopoisontheARPcacheofeveryhostontheLAN.•Request:ARPimplementationscacheentriesbasedonrequeststheyreceive.Thatis,ifhostAsendsoutabroadcastARPrequestforhostB,hostCmightcachethemappinginformationabouthostAbasedontherequesthostAsendsout.Anattackeronlyhastopretendtobesending