The number of internet users is growing too fast in many fields such as industry, education, marketing, social networking, and online shopping. The use of the Internet increased with the growth of using online communications in organizations by using wired and wireless networks and the widespread use of smartphones in social media. Nearly 4.66 billion people were active internet users in January 2021 [1]. Although The number of websites and applications increases rapidly, they expose to attacks. Man-in-the-Middle (MITM) is one of the most dangerous cyberattacks and is considered the main serious concern for many network security [2]. In 2017, American multinational consumer credit reporting agency (Equifax) withdrew its mobile applications after concerns that MITM identified and exploited their vulnerabilities [3].

A MITM can secretly convince two hosts to believe that they are directly communicating with each other. But in fact, they share their transferred data and messages with the attacker as illustrated in figure 1 [4]. MITM firstly targets data confidentiality which eavesdrops on the transferred data between two hosts. Then, it breaks data integrity by intercepting communication and modifying the transferred data between two hosts. Finally, it controls data availability by forcing one of the two hosts to stop communicating with another by modifying or destroying the transferred data [5], [6].

FIGURE 1.

Man in the middle.

Show All

Spoofing-based MITM is one of the most common MITM attacks in which the attacker is a third party that involves intercepting the legitimate path between two hosts. These victim hosts are convinced that communicating with each other, not with an intruder. Many network protocols are vulnerable to spoofing based on MITM, such as Address Resolution Protocol (ARP), Dynamic Host Configuration Protocol (DHCP), Internet Protocol (IP), and Domain Name System (DNS). This work focuses on ARP spoofing based MITM due to the importance of ARP protocol since each frame must contain the destination Media Access Control (MAC) address to be transmitted [7]. Moreover, ARP spoofing attacks can be used to perform many other critical attacks such as Denial-of-Service (DDoS) and Session hijacking attacks.

ARP is one of the most essential protocols for LAN communication which exists in the data link layer. It resolves the network layer address (IP address) assigned by the Network layer to a data link layer address (MAC address). Also, ARP is crucial because any frame transmitted within a network must contain the destination MAC address. Each host has an ARP cache table that consists of <IP, MAC> pairs to communicate with another host to reduce the number of broadcast messages. This table contains two types of entries (i.e., static and dynamic). Static entries are permanent and reside in the ARP cache table, even if the system reboots. The dynamic entires only reside in the ARP cache table for a specific time (usually a few minutes). This time is determined according to the type of operating system. ARP is a stateless protocol, so it has a lacked caching system security. Therefore, it can easily spoof by a MITM attack. ARP spoofing-based MITM attack exploits the weakness of ARP protocol in which an unauthorized third party secretly accesses the communication between two hosts in the same network to read/modify the transferred data between them [8]–​[11].

Three defense mechanisms against ARP spoofing are detection, prevention, and mitigation. Since ARP Spoofing aims to damage the <IP, MAC> correlation in the ARP cache table, the intruder is considered a third party in the communication. Defense mechanisms try to solve the vulnerabilities of sending and receiving ARP packets. To guarantee that the transmitted data reached a legitimate destination, not to the intruder. We detect the spoofing before the source communicates with an illegitimate destination to protect the data and prevent attacks.

This paper introduces a detection and defence scheme for ARP spoofing called D-ARP, which is compatible with the original ARP protocol. D-ARP is a new scheme to detect and prevent ARP spoofing-based MITM by sending an ARP packet signed with a key in parallel with the original ARP packets to associate a correlation between requests and replies. Each host records all types of signing ARP packets (i.e., in a log file). Based on this correlation, D-ARP matches the injected key to detect ARP spoofing if there is a duplicate or conflict in the MAC address.

The D-ARP scheme guarantees the following:

• There is no false positive or false negative probability.

• Fully automated process and there is no headache for Admin.

• No delay in sending or receiving packets.

• No additional overhead.

• No single point of failure.

This paper is organized as follows: Section II reviews the literature related to this work. Section III provides an overview of ARP spoofing. Section IV describes our proposed scheme in details. Experimental results are presented in section V. And finally, section VI concludes this paper and introduces the future directions.

It is very important to detect malicious nodes in the network [12], [13]. To detect ARP spoofing, sometimes some networks use software tools such as Arpwatch and Wireshark. Arpwatch [14] is used to detect ARP spoofing, but it depends on the administrator to determine the malicious pairs, and this leads to high false positives probability. Also, a Wireshark tool is used to detect spoofing by detecting the duplicate use of IP addresses, but it does not detect all forms of cache spoofing, and it isn’t able to prevent ARP spoofing.

Therefore, there are many defense approaches for ARP spoofing attacks are proposed. These schemes can be classified into cryptographic solutions, server-based solutions, static entries solutions, voting-based solutions, and host-based solutions. Cryptographic solutions, which the most common solution to prevent attacks, such as [15]–​[17] which based on authentication hash functions to generate keys (i.e., public and private keys), but these solutions almost need to update the ARP protocol itself.

A server-based solution such as [18] depends on passing packets via a trusted server to be analyzed. The main limitation of these schemes is that the server itself is considered as a single point of failure. Static entries methods are the simplest way to prevent ARP spoofing depending on assigning IP addresses manually, such as [19], the disadvantage of these methods is that they are not suitable for a dynamic environment and large scale networks. Also, voting-based techniques such as [20]–​[23] provided an enhancement in ARP protocol which depend on other hosts to determine the fake <IP, MAC> mappings, but these have an additional overhead and must follow the new ARP protocol. The proportion of host-based solutions depends on a duplicate of replies or machine learning features. The main drawback of these approaches is that they are not practical, and difficult to decide the level of trustiness and importance of each host.

S-ARP [15] is one of the most common cryptography-based approaches. This approach is considered backward compatible with ARP protocol which provides authentication of ARP replies through public-key cryptography. During the initial contact, all hosts generate public and private key pairs and transmit them to the Authoritative Key Distributor (AKD) with signed certificates. Then the server has been distributes these keys to hosts. By using these keys, any host could identify the legal users. However, S-ARP is the common scheme to prevent ARP spoofing based on authentication.

This scheme has a lot of drawbacks. Firstly, it depends on the Authoritative Key Distributor to authenticate replies, which is considered as a single point of failure in the network. Also, hosts need to communicate with AKD every time they receive an ARP reply in order to request the Public Keys of ARP request senders. If this distributor is down, ARP packets that are sent by a previously unknown host, cannot be verified by the host (i.e., the sender’s public key is not in the destination’s key ring). Secondly, even if the possibility that the AKD is working legitimately, an attacker can impersonate a host that goes down by cloning the hardware address of the host (but only until the cache entry of the host being impersonated, in the host being attacked, expires). Thirdly this scheme is that it does not support the dynamic assignment of IP addresses. Although S-ARP requires dealing with its ARP protocol, it also requires upgrading of the DHCP server called S-DHCP and incremental deployment is not easy, and a host may not accept ARP replies from non-S-ARP hosts. This means that S-ARP requires updates in two protocols. Fourth, one of the most crucial problems with this approach is the processing time to encrypt, decrypt, and send extra packets to get the public key or get the host verified, all this extra time processing is considered a performance overhead compared to the current ARP protocol. Finally, S-ARP will check the ARP replies only while the victims may be deceived by sending an ARP request [24]–​[27].

Authors in [18] proposed a solution to overcome the authentication shortage and solve the voting method issue. The main idea of this solution is using a centralized server. This server has all <IP, MAC> pairs of each host inside this LAN. All Hosts have a table that contains a trusted <IP, MAC> pair, so the host can detect the attack easily and send everything about it to the centralized server.

Rupal et. al. [28] introduced a detection and prevention algorithm for ARP spoofing depending on hosts’ authentication. This algorithm sends ICMP packets to construct a table that involves a combination of IP address and its corresponding MAC address for all hosts in the network, this table is called secondary cache. The main idea of this scheme is the duplication of MAC Address in ARP reply in the secondary cache, which is responsible for checking IP-MAC addresses respective the system in the network.

B. Prabadevi [29] presented a system based on analyzing packets to mitigate ARP spoofing using timestamps. It analyzed the contents of all ARP packets (request and replies) to check whether the Ethernet header is consistent with the ARP header or not. Then, a broadcast alert message is generated for ARP packets with a timestamp for these valid messages, and every 20 minutes the system clears the ARP cache.

Hijazi et al. [19] proposed a client/server solution. It does not need to install any special software since the server is responsible for detecting the attack. The solution depends on collecting all <IP, MAC> pairs automatically from ARP cache tables. After validations of <IP, MAC> Pairs, it constructed a table containing these pairs and then registered them in a proxy server which detected the attacker when it connected with the server with the same registered IP address.

A defense method presented in [30] depends on semi-static ARP entries to prevent ARP spoofing. Their main idea is to validate and manage the static entries of ARP and remove manual adding entries into the cache table. It does not need any modification of ARP protocol and devices. Also, it can not work in dynamically addressing environments and is not suitable for large-scale networks.

Xia et al. [31] proposed a defense solution for ARP spoofing oriented to the OpenFlow platform. This mechanism is implemented as a module of the POX controller, which exploits the SDN advantages to make OpenFlow defense against ARP spoofing. Active ARP inspection (AAI) is a centralized unit implemented on OpenFlow to manage its features. All ARP packets on the local subnet are forwarded to the controller to be processed by AAI subsequently. This mechanism is not flexible enough to integrate.

Singh et al. [32] presented a mechanism to validate the new association. Each host maintains a secondary table file to store the <IP, MAC> binding. When the host has received a new binding, it is validated by sending two ICMP probe packets one to the previous binding, and the other to the new one. For new entry of host without a previous entry in ARP cache, is validated by using ARP packets to find all the claiming hosts to that IP, used together with ICMP packet to provide a two-phase validation.

Authors in [33] presented a scheme in the SDN environment to detect and prevent spoofed ARP packets by extending the SDN controller to check every packet within networks. The mechanism depends on using the POX controller with the L2 learning module, an OvS switch, and a DHCP server which determines DHCP offer packets. On the connected switches, flow rules are established to forward all ARP and DHCP packets to the controller. POX also maintains a primary table containing IP to MAC address pairs for each device on the network, which is generated from received DHCP offer packets. POX tells switches to ignore received ARP packets with MAC addresses that aren’t in the primary table, also a flow rule is then installed for the originating OvS port. The drawback of this solution appears when the network expands and the traffic increase.

The algorithm in [34] is used to detect Man-in-the-middle and its location which depends on studying the nature of ARP Spoofing itself. The algorithm is considered a switch-based detection approach. First, it used data structure to save data from ARP Packets. Then, the switch can determine the spoofing place.

A host-side solution based on ARP analysis to detect attacks is proposed in [35]. This solution conjugates machine learning and signal processing to detect MITM attacks which presents a “statefulness” into the ARP protocol by adding a padding layer to the frame and encoding a binary value and a sequence number to match a corresponding ARP request to its reply. The detection mechanism depends on the time taken for an ARP request to be sent directly from one host to another, which varies from the instance where an attacker intercepts the traffic.

Girdler et al. [36] proposed a solution to ARP Spoofing and Blacklist MAC address. This solution is a Software-Defined Networking (SDN)-based Intrusion Detection and Prevention System (IDPS). This is accomplished by dynamically adjusting SDN’s operating parameters to detect malicious network traffic. For each incoming packet, after it is accepted by PacketIn events, it is processed by one of four functions (i.e., ARP Request Spoofing, ARP Reply Spoofing, ARP Reply Destination Spoofing, and Blacklisted MAC Addresses) to detect the type of spoofing. Also, the IDPS can identify devices whose MAC address has previously been blacklisted by the IDPS configuration tool.

Authors in [37] presented an algorithm that depends on sniffing and analyzing all incoming ARP packets. The basic step is to compare between the real MAC Address and the response MAC Address of the ARP Packet sniffed to detect conflicts. After capturing the ARP packet, it is analyzed to obtain the source MAC address of the sniffed ARP packet and the real physical address of the sender. If there is a conflict between the real MAC Address and the response MAC address, then there is an ARP attack. Also, this paper relies on static entries to prevent ARP spoofing.

A client/server-based intrusion detection system (CSIDS) was proposed in [38]. This protocol depends on a client/server model for exchanging and controlling the resolution messages between system members. CSIDS requires sending a control message to the server for every suspicious packet to check whether a host is in its cache table or not. If it is not in its cache table, CSIDS uses the voting technique for each host in the LAN, and upon receiving the answers, the server then replies to the requested client with a positive or negative packet. Although the system is effective, the voting process takes time, and this leads to an increase in the delay time between sending the query packet to the server and waiting for the response from the server.

This section proposes the overall architecture of D-ARP scheme for detection and prevention of ARP spoofing, then introduces the three modules of D-ARP in detail (i.e., host, admin, and DHCP modules).

B. Host Module

D-ARP is a host-based solution, so it manages all ARP packets to detect and prevent ARP spoofing. Figure 5 illustrates the host GUI which is divided into two parts (i.e., left and right). The left part contains:

• IP and MAC addresses of the host itself.

• Interface used to pass a packet.

• The IP address of the destination host which used in sending a broadcast packet.

• Send ARP request button.

The right part contains all received requests and replies information. Here, there are two types of replies:

1. Original reply without key.

2. D-ARP reply with a key.

FIGURE 5.

Host interface.

Show All

1) Key Generation

Key generation is an essential step in the scheme implementation. Many cryptographic hash functions are used to generate digital signatures for preventing attacks, such as the Secure Hash Algorithm (SHA)-3 and Rivest Shamir Adleman (RSA) algorithm [48], [49].

The main purpose for using the key is to bind a request with its reply and to distinguish (i.e., differentiate) between different requests, so this key should be very lightweight, as described before. To achieve this target we use a simple function for light calculations and make the host itself immune to other attacks. Also, simple calculations lead to saving time and avoiding delays in sending requests [50], [51].

Each host generates a different key for each broadcast request using a simple function. The key generates from a collection of random characters consisting of letters, numbers, and symbols, then the output of this function is encrypted by the Cipher algorithm [52], which is a simple cryptographic hash function that doesn’t need either complex calculations or time. The complexity of the key generator is constant. The key consists of eight characters such as f#QK 2bM, f6Zdv@cl, 9ZWn$\$$ q6, and !@NTeK@O. The default size of all ARP packets (i.e., requests or replies) is 28 bytes, while the size of D-ARP packets after adding a key field is 36 bytes as shown in figure 6. Therefore the length of each key is 8 bytes since it is available to extend the ARP packet size to 60 bytes [35] for experimental purposes.

FIGURE 6.

D-ARP packet header.

Show All

Since D-ARP uses a maximum of 8 bytes generated keys, and this limits the key space to (26 alphabets +10 numbers + 8 symbols = 44, then $44^{8} = 1.4048224e+13$ ) possible unique keys. Therefore, each host in the proposed scheme may generate a $1.4048224e+13$ key to increase the variety of generations and reduce the chance of repeating the key. The verification of D-ARP requests depends on the sender’s IP address, key, and MAC address together from the Log file.

Another more secure way is to apply a cryptography technique to generate a digital signature for each request’s key. We use the RSA cryptosystem combined with the Secure Hash Algorithm (SHA-256) in the proposed scheme [53]. We use (SHA-256) hash function to generate a random key for each request packet then the RSA algorithm is used to encrypt it.

RSA is a secure asymmetric cryptography algorithm for the reliability of data transmission, which uses a public key for encryption and requires another key (i.e., private) known only to the intended destination to be kept secret for decryption [54]. RSA can be used either for encryption purposes (i.e., ensuring that the attacker cannot read packets that sends to the intended destination from a specific source) or for signing requests to guarantee that they are transmitted from a legitimate host. Thus, we ensure that spoofing can’t be accomplished by sending a request or gratuitous request.

The proposed scheme aims to protect ARP cache entries from attacks by generating a signature for signing each request. Also, the proposed scheme requires generating public and private keys and encrypting them using RSA for each host. Keys are generated and distributed by the administrator via secure channels. On the sender side, the sender encrypts the signature with its private key because it doesn’t know the destination and then sends the broadcast request with a signature. On the destination side, the host decrypts the signature with the sender’s public key to send a unicast reply. Therefore, the intended host only can send a unicast encrypted reply and the attack can be easily detected.

2) Request/Reply Scenario

By using the “Send ARP request” button, we can send a D-ARP broadcast packet to all hosts in this LAN. The details of the request will appear at the bottom of the left-hand side. At the same time, other hosts’ cache tables will be updated with <IP, MAC> pairs after validation from the DHCP-Nmap list to be compatible with the original ARP protocol. The pseudocode of the proposed sending a request in the sender-side is given in the algorithm 1.

Algorithm 1 Sending a Request Algorithm (Sender Side)

Input

Destination IP address

Output

key, ARP broadcast request

1:

boolean isExist=checkARPCacheTable(destIP)

2:

if $!$ isExist then

3:

key=generatekey()

4:

appendInLogFile(sndrIP,sndrMac, destIP, destMac, key)

5:

ARPpkt=structARPRequestpkt(sndrIP, sndrMac, destIP, destMac, key)

6:

sendARPpkt(ARPpkt)

7:

updateGUI(ARPpkt)

8:

else

9:

ARPpkt=getInformationFromARPCacheTable()

10:

sendARPpkt(ARPpkt)

11:

appendInLogFile(ARPpkt)

12:

updateGUI(ARPpkt)

13:

end if

Figures 7 and 8 illustrated a normal case of sending and receiving packets using cipher algorithm and RSA algorithm respectively.

FIGURE 7.

Normal case using cipher algorithm.

Show All

FIGURE 8.

Normal case using RSA algorithm.

Show All

When the destination host receives request packets, it checks the validation of <IP, MAC> pair before update the cache table. Each host has a small file called a log file that contains specific information in the D-ARP header packet such as key, type of packet request or reply, sender IP, sender MAC, destination IP, and destination MAC. After checking the validity of the request, it sends a D-ARP reply and updates the log file with request details. In case of any mismatch, it drops these packets, which means it is a detection of forged requests. The pseudocode of the proposed destination side algorithm when the host receives a request and detects spoofing from forged requests is given in Algorithm 2.

Algorithm 2 Receiving Requests and Detecting Spoofing (Destination Side)

Input

receiving request packet, host IP address

Output

update GUI and cache table, send ARP reply

1:

ARP pkt = recievedARPpkt()

2:

update$GUI$ (pkt)

3:

if $!$ !pkt.getKey().isEmpty() then If pkt.isRequest()

4:

if pkt.getDestIP() == getMyIP() then

5:

if isValidated(pkt.getsndrIP(),pkt.getSndrMAC() then

6:

appendInLogFile(pkt)

7:

ARPpkt = structAndSendARPReppkt(pkt)

8:

else

9:

Alert:Spoof detected Forged Request

10:

removeFromCacheTableandLogfile(spoofedpkt)

11:

informAdmin(spoofedpkt)

12:

isSpoofed = true

13:

end if

14:

end if

15:

else

16:

if isValidated(pkt.getsndrIP(),pkt.getSndrMAC()) then

17:

appendInLogFile(pkt)

18:

else

19:

Alert:Spoof detected Forged Request

20:

removeFromCacheTableandLog file(pkt)

21:

informAdmin(pkt)

22:

isSpoofed = true

23:

end if

24:

end if

After recording signed packets in a log file, D-ARP will check <IP, MAC> pair and keys for all received replies. If there is any conflict in MAC addresses, the host notifies that there is an attacker. Also, an alert message appears containing attacker information, and the host removes these packets from a log file. Then the spoofing data is sent to the admin, and the attacker is blocked automatically.

We classified the ARP spoofing detection into two cases:

• case1 D-ARP detects the attacker: when the host receives a request or a reply and its IP and MAC pair differ from which exists in the DHCP-Nmap list. After detecting the spoofing, we prevent the attacker by blocking the MAC address.

• case2 D-ARP detects the attacker: When the host receives more than one reply, and it detects a conflict or duplication of MAC addresses for the same IP or duplication of keys. After detecting the spoofing, D-ARP collects all MAC addresses from the replies. Through the DHCP-Nmap list, D-ARP easily determines the forged MAC address and prevents it.

The pseudocode of the proposed algorithm in case of receiving replies is given in algorithm 3. When the spoofing has occurred, hosts are notified and information will send to the admin who decides the attacker.

Algorithm 3 Algorithm of Detection of ARP Spoofing on Host Side

Input

ARP Pckts

Output

Detect the spoofing

1:

ARP pkt = recievedARPPkt()

2:

updateGUI(pkt)

3:

signedpkt=pktcontainskey

4:

appendInLogFile(signedpkt)

5:

ARPreq=getARPReqByIPFromLogFile(pkt.SndrIP())

6:

ARP[]reps=getARPRepByIPFromLogFile(pkt.SndrIP())

7:

numOfreps = 0

8:

boolean isSpoofed = false

9:

if $!$ req.isNull() AND $!$ isSpoofed then

10:

for <ARPrep:reps> do

11:

if req.getSndrIP()==rep.getDestinationIP() AND req.getSndrMAC()$!=$ rep.getDestinationMAC() then

12:

numberOfreps++

13:

end if

14:

end for

15:

if numOfreps>2ANDreq.getSign()==rep.getSign() then

16:

Alert:Spoof detected two reps with same password

17:

removeFromCacheTableandLogfile(Spoofedreq, Spoofedreps)

18:

informAdmin(Spoofedreq, Spoofedreps)

19:

isSpoofed = true

20:

else if numOfreps>2 AND rep.getSign()$!=$ req.getSign() then

21:

Alert:Spoof detected two reps with different keys

22:

removeFromCacheTableandLogfile(Spoofedreq, Spoofedreps)

23:

informAdmin((Spoofedreq, Spoofedreps)

24:

isSpoofed = true

25:

end if

26:

else

27:

Alert:Spoof detected rep without req

28:

removeFromCacheTableandLogfile(Spoofedreq, Spoofedrep)

29:

informAdmin(Spoofedreq, Spoofedrep)

30:

isSpoofed = true

31:

end if

32:

if $!$ isSpoofed then

33:

if isValidated(pkt.getSndrIP(), pkt.getSndrMAC()) then

34:

updateGUIAndARPCacheTable(pkt)

35:

else

36:

Alert:Spoof detected Forged rep

37:

removeFromCacheTableandLogfile(Spoofedreq, Spoofedreps)

38:

informAdmin(Spoofedreq, Spoofedreps)

39:

isSpoofed = false

40:

end if

41:

end if

D. Admin Module

As shown in figure 9 Admin GUI has five tabs.

1. Online hosts: it is discussed in details in subsection IV-C.

2. Trusted hosts: they are added by the network administrator, and it has three fields host name, IP, and MAC addresses. The administrator has privileges to create, add or remove any entry in the trusted list. These entries are inserted into hosts’ cache tables automatically while added to the list and removed when removed from the list.

3. Monitoring: it contains two tabs, one for requests and the other for replies which carry all information of D-ARP requests and replies packets such as sender IP and MAC. The monitoring category in admin modules collects these packets for checking as shown in figure 10 and figure 11

4. DHCP-NMAP list: it has a two-dimensional DHCP and Nmap. Nmap is a Linux feature used to view all up hosts in the LAN with their pairs of <IP, MAC>. The second dimension is the DHCP server, which shows all hosts get their IP addresses from it. As shown in figure 12.

5. ARP Spoofing detection: after detecting the spoofing in the host, this tab displays all details about the spoofing, such as spoofing type, when the spoofing occurs, request details, and reply details.

FIGURE 9.

Trusted list.

Show All

FIGURE 10.

Admin monitoring requests.

Show All

FIGURE 11.

Admin monitoring replies.

Show All

FIGURE 12.

DHCP-Nmap lists.

Show All

D-ARP is implemented via a virtual workstation pro. The virtual workstation consists of six virtual machines: DHCP server, Admin, Host A, Host B, Host C, and an Attacker as illustrated in figure 13. Ubuntu desktop version 20.04.2.0 is the virtual machines operating system. To verify the effectiveness and creditably of the proposed scheme. The pairs of IP and MAC addresses are shown in table 1.

TABLE 1 Network Components

FIGURE 13.

Network topology.

Show All

As shown in table 1, the DHCP server assigns IP addresses to hosts on this LAN from 192.168.1.30 to 192.168.1.150. It is available to increase or decrease this range.

After each host takes its IP address and starts the listener in the D-ARP scheme interface, this will appear on online hosts on the admin interface as shown in figure 14.

FIGURE 14.

Online hosts.

Show All

In order to reduce the number of broadcast requests in the LAN, admin creates a trusted list which is inserted automatically in all hosts cache tables within LAN. We verify it by adding hosts PC1, PC2 with IP addresses 192.168.1.35, 192.168.1.36, 192.168.1.37 and MAC addresses 00:0c:29:aa:aa:aa, 00:0c:29:bb:bb:bb, 00:0c:29:cc:cc:cc respectively. As shown in figure 15, all hosts in the trusted list in figure 9 are inserted in the cache table of host A.

FIGURE 15.

Host A cache table.

Show All

D-ARP displays every ARP packet transmitted within this LAN and takes them into consideration to be compatible with the original ARP.

Then we have the detection scenarios:

A. First Scenario

If the victim host received two replies for the same request with the same key and different MAC addresses, an alarm message will be appeared to inform there is an attacker and its MAC address, as shown in figure 16.

FIGURE 16.

Scenario 1: two replies with same key.

Show All

Then information in the replies packets will be sent automatically to the admin to identify the attacker itself. As shown in figure 17.

FIGURE 17.

Admin: two replies with same key.

Show All

B. Second Scenario

If the victim host received more than one reply for the same request with different keys and different MAC addresses, an alarm will be appeared to inform there is an attacker and its MAC address as shown in figure 18. Also, this information is sent to admin in figure 19.

FIGURE 18.

Scenario 2: two replies with different keys.

Show All

FIGURE 19.

Admin: two replies with different keys.

Show All

In table 2, we compare between our proposed scheme D-ARP and related methods. This table shows clearly that D-ARP proved its efficiency as it outperforms the previous prevention methods S-ARP [15], [29], [55] and [36].

TABLE 2 Comparison Between D-ARP and Related Methods

In this paper, we propose a D-ARP scheme for detecting and preventing ARP spoofing-based MITM which can be installed easily on all hosts. We successfully proved the efficiency and credibility of the D-ARP scheme. It is considered a complete solution to detect all forms of ARP spoofing and identify the attacker without any changes in ARP protocol. D-ARP is effective to reduce network congestion since D-ARP injects a trusted list in hosts cache tables. Finally, D-ARP detects the attacks immediately without any false negative or false positive and prevents them according to the trusted list and DHCP-Nmap list. In future work, we will improve our scheme to detect DDoS and Hijacking attacks and implement it on other platforms.