Identification of an intelligent attacker in ARP spoofing

Abstract

ARP spoofing is a most powerful and simplest internal attack that can be done in internal network. There are many techniques have been proposed to secure Address Resolution Protocol (ARP). It includes cryptographic and non-cryptographic techniques. Non-cryptographic techniques are mainly based on probe packets. These techniques have less processing time in compared to cryptographic techniques but we observed that an intelligent attacker can easily bypass the techniques which are based on probe packets.

Ramachandran et. al. [1] suggested a clear separation between weak and strong attacker. We are considering strong attacker as intelligent attacker be-cause a strong attacker can bypass probe packet based ARP defense techniques by generating appropriate response. These two attacking model can be used to analyze any ARP defense technique. It only detects the ARP spoofing attack but doesn't identify the attacker, similarly other techniques have their own limitations.

We enhanced the probe packet based technique to identify an intelligent attacker. Our proposed technique enables test host to imitate as normal host so that an attacker can't differentiate the test host from others. Meanwhile attacker can be caught using the response of probe packets.

We did experiments and concluded that the proposed technique is effective for defense of ARP spoofing.