arp欺骗防御手段英文文献.docVIP

A Middleware Approach to Asynchronous and Backward Compatible Detection and Prevention of ARP Cache Poisoning Mahesh V. Tripunitara CERIAS Purdue University West Lafayette, IN, USA tripunit@ Partha Dutta Internet Platforms Organization ATT Labs San Jose, CA ppd@ Abstract This paper discusses the Address Resolution Protocol (ARP) and the problem of ARP cache poisoning. ARP cache poisoning is the malicious act, by a host in a LAN, of introducing a spurious IP address to MAC (Ethernet) address mapping in another host’s ARP cache. We discuss design constraints for a solution: the solution needs to be implemented in middleware, without access or change to any operating system source code, be backward-compatible to the existing protocol, and be asynchronous. We present our solution and implementation aspects of it in a Streams based networking subsystem. Our solution comprises two parts: a ”bump in the stack” Streams module, and a separate Stream with a driver and user-level application. We also present the algorithm that is executed in the module and application to prevent ARP cache poisoning where possible, and detect and raise alarms otherwise. We then discuss some limitations with our approach and present some preliminary performance numbers for our implementation. 1.Introduction The Address Resolution Protocol (ARP)[5,9] is used by hosts on a Local Area Network(LAN) to find a link layer address given a network layer address. In the context of this paper, a network layer address is an IP[6] address, and a link layer address is an Ethernet address. This assumption is not necessary for the issues in this paper to be valid. Hosts on a LAN maintain the IP address to Ethernet address mappings in a local table called an ARP cache. A mapping may be dynamic: the entry corresponding to the mapping is removed after a certain time period unless refreshed. ARP cache poisoning is the act, by a malicious host in the LAN, of introducing a spurious IP to Ethernet address mapping int