An Active Host-Based Detection Mechanism for ARP-Related Attacks

Barbhuiya, Ferdous Ahmed; Roopa, S.; Ratti, Ritesh; Hubballi, Neminath; Biswas, Santosh; Sur, Arijit; Nandi, Sukumar; Ramachandran, Vivek

doi:10.1007/978-3-642-17878-8_44

Cited by 12 publications

(2 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The ARP inspection module automatically binds the correct gateway IP -MAC address in static mode. Likewise, Barbhuiya et al [20] used a hostbased intrusion detection system to detect ARP attacks. Their approach checked the integrity and authenticity of ARP replies using a combination of digital signatures and one time passwords based on hash chains.…”

Section: Host-based Approachesmentioning

confidence: 99%

ASA: agent-based secure ARP cache management

Kim

Hong

et al. 2012

IET Commun.

View full text Add to dashboard Cite

Address resolution protocol (ARP) is widely used to maintain mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, current implementation is well-known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of ARP protocols, and past proposals to address the weaknesses of the 'original' ARP design have been unsatisfactory. Suggestions that ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. Agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.

show abstract

Section: Host-based Approachesmentioning

confidence: 99%

ASA: agent-based secure ARP cache management

Kim

Hong

et al. 2012

IET Commun.

View full text Add to dashboard Cite

show abstract

“…These attacks come in two forms as bandwidth depletion attacks and application layer attacks. First category of attacks target system reneminath@iiti.ac.in Indian Institute of Technology Indore, India sources and affect all applications/services running on the system [3], [15]. Application layer DoS attacks exploit the behavior of applications to target them.…”

Section: Introductionmentioning

confidence: 99%

SlowTrack: Detecting Slow Rate Denial of Service Attacks againstHTTP with Behavioral Parameters

Sood

Hubballi

2022

Preprint

View full text Add to dashboard Cite

Denial of Service (DoS) attacks have evolved from volumetric attacks to target specific applications and can cripple different services with very limited effort. Hypertext Transfer Protocol (HTTP) is vulnerable to a slow rate DoS attack generated through prolonged connections which deliberately send incomplete requests to server. Simple detection methods which use $x$ number of such connections in $y$ time can be easily evaded. In this paper, we present SlowTrack which can detect slow rate DoS attacks against HTTP using a set of behavioral parameters. SlowTrack uses eight behavioral parameters which are validated to be useful in identifying the attack. We correlate these parameters to understand how their values change when attack is launched and subsequently use these observations to propose detection methods. \texttt{SlowTrack} is composed of three detection algorithms which make use of these observations for detecting attacks. We evaluate the detection performance of \texttt{SlowTarck} using experiments done in a testbed and also in a live network to show that these algorithms can detect the slow rate attacks effectively.

show abstract