Preventing ARP Attacks using a Fuzzy-Based Stateful ARP Cache
Zouheir Trabelsi
College of Information Technology
UAE University
United Arab Emirates
Email: trabelsi@uaeu.ac.ae
Wassim El-Hajj
College of Information Technology
UAE University
United Arab Emirates
Email: welhajj@uaeu.ac.ae
Abstract— ARP cache poisoning is considered one of the easiest and most dangerous attacks in local area networks. This paper proposes a solution to the ARP poisoning problem by extending the current ARP protocol implementation. Instead of the traditional stateless ARP cache, we use a stateful ARP cache in order to manage and secure the ARP cache. We also use a novel Fuzzy Logic approach to differentiate between normal and malicious ARP replies. The Fuzzy Logic controller uses a dynamically populated database that adapts to network changes. The limits of the current approaches are discussed and analyzed.
Keywords: ARP cache poisoning, Man-in-the-Middle (MiM) attack, Denial of Service (DoS) attack, Cloning attack, stateful ARP cache, Fuzzy Logic.
I. INTRODUCTION
Local Area Networks (LANs) use ARP, the Address Resolution Protocol, to resolve IP addresses into hardware, or MAC (Medium Access Controllers), addresses [1]. The LAN’s hosts keep caches of resolved addresses, called ARP caches. ARP resolution is invoked when a new IP address has to be resolved or when an entry in the ARP cache expires. ARP has proved to work well under regular circumstances, but it was not designed to cope with malicious hosts performing ARP cache poisoning or spoofing attacks. ARP poisoning attacks are often used as part of other serious attacks: the Man-in-the-Middle (MiM) attack and the Denial of Service (DoS) attack. With a MiM attack, traffic between two hosts is redirected to a third host, which is usually the attacker’s host. This attack allows the attacker to sniff the traffic exchanged between the two victim hosts. With a DoS attack, a target host is prevented from communicating with other hosts. This paper proposes a solution to the ARP poisoning problem by extending the existing ARP protocol. The new extension includes (1) a stateful ARP cache, (2) a Fuzzy Logic controller, (3) a cross-layer design, and (4) adaptive database manipulation. The limits of current approaches are discussed.
The rest of the paper is organized as follows: Section II provides some background about ARP attacks. Section III provides an overview of the related work done in this area. Section IV discusses the proposed approaches. Section V concludes the paper and presents future research directions.
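The stateful ARP cache idea introduced above can be illustrated with the following simplified model, written as an added example for this page; it is not the authors' implementation. Its acceptance rules (a reply is trusted only when it answers a request this host sent within a timeout, and a request never overwrites an existing binding but is logged and re-verified when it conflicts) are assumptions of the example, not a description of the paper's design, and the traffic in demo() is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class StatefulArpCache:
    """Simplified stateful ARP cache (added example, not the paper's code).

    Assumed rules: a reply updates the cache only if it answers a request this
    host sent within request_timeout seconds; a request never overwrites an
    existing binding, and a conflicting one is logged and re-verified.
    """
    request_timeout: float = 2.0
    cache: dict = field(default_factory=dict)    # ip -> mac
    pending: dict = field(default_factory=dict)  # ip -> time our request went out
    alerts: list = field(default_factory=list)   # suspicious packets seen

    def send_request(self, ip, now):
        # This is the state a stateless ARP cache never keeps: which IPs we asked about.
        self.pending[ip] = now

    def receive(self, op, sender_ip, sender_mac, now):
        """Process one ARP packet; returns True only if the cache was updated."""
        if op == "reply":
            sent = self.pending.pop(sender_ip, None)
            if sent is None or now - sent > self.request_timeout:
                self.alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}")
                return False
            self.cache[sender_ip] = sender_mac
            return True
        # ARP request. A stateless cache learns the sender binding from any
        # request it sees, which is why requests can poison any cache. Here the
        # claimed binding is only compared with the current entry and re-verified.
        known = self.cache.get(sender_ip)
        if known is not None and known != sender_mac:
            self.alerts.append(f"conflicting request: {sender_ip} is-at {sender_mac}, "
                               f"cache has {known}")
            self.send_request(sender_ip, now)
        return False


def demo():
    """Constructed traffic: one legitimate exchange, then two poisoning attempts."""
    arp = StatefulArpCache()
    arp.send_request("10.0.0.1", now=0.0)
    arp.receive("reply", "10.0.0.1", "aa:bb:cc:00:00:01", now=0.1)    # answers our request
    arp.receive("reply", "10.0.0.1", "de:ad:be:ef:00:01", now=5.0)    # unsolicited: dropped
    arp.receive("request", "10.0.0.1", "de:ad:be:ef:00:01", now=6.0)  # conflicting: flagged
    return arp
```

After demo() the cache still holds only the binding learned from the solicited reply, and alerts records the unsolicited reply and the conflicting request.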
II. BACKGROUND: ARP CACHE POISONING AND ARP SPOOFING
When a host adds an incorrect <IP, MAC> mapping to its ARP cache, this is known as ARP cache poisoning or ARP spoofing. The latter term refers to the fact that an attacker uses fake or “spoofed” ARP packets to poison an ARP cache. In an ARP cache poisoning attack, the attacker sends ARP replies or requests with fake <IP, MAC> mappings, in an attempt to poison the ARP caches of other hosts on the LAN. Based on the results of our experiments in [2], skilled attackers mostly use ARP requests to poison their target ARP caches, since ARP requests can always corrupt any ARP cache even if the sender’s IP address is not in the target ARP cache. ARP poisoning attacks are often used as part of other serious attacks:
• DoS attacks: An attacker can poison the ARP cache of a host with a fake <IP, MAC> pairing so that every packet that host sends goes to a fake host, or to the attacker’s host instead of its real destination. In the latter case, the attacker blocks the communication from the host being attacked.
• Host impersonation: Instead of just dropping the packets received from the host being attacked, the attacker can respond, impersonating any host in the network.
• MiM attacks: By spoofing two hosts in the network at the same time, an attacker can silently sit between the hosts so that they think they are communicating with each other. The attacker is then able to listen to the traffic sent in both directions. With a MiM attack, the attacker can gain access to sensitive information (e.g. passwords, email contents) or can even modify the data being sent, compromising its integrity.
• Cloning attack (MAC spoofing attack): In this attack, the malicious host changes its IP and MAC to become identical to those of the victim host. Once this change is done, there will be two hosts in the network with the same IP and MAC addresses. For the victim host, this situation will cause some network disconnection troubles
1-4244-0353-7/07/$25.00 ©2007 IEEE
This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the ICC 2007 proceedings.