
Automatic Attack Detection and Correction System Development

Teerapat Sanguankotchakorn (Senior Member, IEEE) and Thanatorn Dechasawatwong
Telecommunications Field of Study, School of Engineering and Technology, Asian Institute of Technology, Thailand
teerapat@ait.ac.th, d_tanatorn@hotmail.com

Abstract— Recently, there are increasingly numerous hacking techniques which are used to compromise computer systems. One popular hacking technique is called the Man-in-the-Middle attack [1]. This technique uses a weakness of the ARP protocol [5], namely "ARP spoofing", to damage users on both confidentiality and privacy issues. It does not only steal sensitive information, but also leads to the collapse of network communications. The current methods to secure users are mainly only passive detections; for example, monitoring invalid MAC to IP address mappings and giving alerts to the administrators. The main disadvantage of this method is the time lag between learning and detecting spoofing. Moreover, it neither corrects spoofing automatically, nor does it resolve the root of the problem (the attacker's host).

In this work, we propose the algorithm called "SmartARP" to detect and correct the ARP spoofing attack. The algorithm works as follows: constructed ARP-Request and TCP SYN packets are sent to the network to verify the inconsistencies. When the algorithm detects ARP spoofing, it sends the correct ARP packets to the victim's hosts to correct their ARP caches automatically. In addition, invalid ARP-Reply packets are sent to update the attacker's host to deny it. We measure the performance of our proposed techniques using various evaluation metrics such as Response time, Correction time, the Successful Correction ratio, CPU Usage and Network Utilization. It can be shown that our proposed techniques are fast, intelligent, scalable and reliable in detecting and correcting attacks.

Keywords- TCP/IP; ARP protocol; ARP spoofing; ARP spoofing attack

I. INTRODUCTION

A. Background

The Internet, a network made up of millions of computers connected together, is growing rapidly every day. All the information on the Internet is distributed on millions of computers around the world. People can share their ideas and points of view across the world, thus providing wider commercial opportunity.

However, the entire Internet is at risk from hackers who take advantage of Internet flaws. For instance, the hackers may imitate the webpages of businesses such as banks or credit card companies to trick people into disclosing account numbers, passwords and other sensitive information. Moreover, the hackers may attempt to make a computer resource unavailable to its intended users using the method called the Denial-of-Service attack [1]. They are able to attack computer networks and capture information or other secret data and redirect it to the systems under their control. In addition, hackers take advantage of programs such as Nmap, Nessus, John the Ripper and SuperScan to attack and enumerate computer systems. Occasionally, common software such as ActiveX or JavaScript is used by hackers as a hacking tool as well. Even Google, which is one of the popular search engines, is one of the best hacking tools, since simply searching in Google and other search engines can dig out sensitive/dangerous information about any sites, servers and companies. This is often called Google hacking.

Currently, one of the most critical problems is the Man-in-the-Middle attack [1][6]. It is a form of active eavesdropping in which the attacker makes independent connections with the victims, and relays messages between them. The attacker makes the victims believe that they are talking directly to each other over a private connection, while in fact the entire conversation is controlled by the attacker. The attacker is able to intercept all messages going between the two victims and inject new ones. It has been shown [1] that Man-in-the-Middle attacks can significantly affect the security of an organization, and might cause other kinds of attacks such as Denial-of-Service or DNS spoofing [2].

Due to these problems, it is very important to explore methods to protect against those attacks, and there should be self-assessment standards for administrators to be able to determine the risks in the organization. There are many existing research works on techniques to detect and protect against the ARP spoofing attack [3-4,7-11].

In this paper, we propose the technique called SmartARP to detect, correct and reply to the ARP spoofing attack. We developed a program to verify our proposed algorithm. We measure the performance of our proposed algorithm using criteria such as Response time, Correction time, the Successful Correction ratio, CPU usage and Network Utilization.

This paper is structured as follows: Section 2 details the System Development and Measurement Tools. Section 3 describes the Simulation Network Model while Section 4 illustrates the Results and Discussion. Finally, the conclusion is made in Section 5.

B. Related Works

Secure ARP protocol (S-ARP) [4] is a backward compatible extension to ARP that relies on public-key cryptography to authenticate ARP replies. It was proposed as a replacement for the ARP protocol in order to deal with ARP spoofing. In order to be implemented in a LAN, every secured host has to be modified to use S-ARP instead of ARP. The drawbacks of this method are scalability, due to the network stack of all hosts in the network, and the overhead of cryptographic calculations due to the Digital Signature Algorithm (DSA).

Gouda et al. [7] proposed an architecture for resolving IP addresses into hardware addresses over an Ethernet. This solution is not practical as it requires changing the ARP protocol implementation of every host to this new address resolution protocol. In addition, the secured server represents a single point of failure in the network, and becomes an obvious target for DoS attacks.

Some high-end Cisco switches have a new feature called Dynamic ARP Inspection which allows the switch to drop ARP packets with invalid (IP, MAC) address bindings. The primary disadvantage of this solution is the high cost of the switches. Moreover, it might not be possible to validate some ARP packets on all switches in the VLAN [8] [9].

Ebtables is a Linux utility used to create programmable bridging/switching devices to perform Ethernet frame filtering, among other things. It has been suggested that Ebtables can be used to implement ARP attack prevention mechanisms [11], but the efficiency of such a method has not been studied. The main drawback of this approach is that this solution would only filter malicious ARP messages attempting to pass through the Linux box, while other areas of the network remain unprotected. In addition, Ebtables rules to prevent ARP attacks are not widely available, and the administrator can easily make mistakes when programming the bridge/switch [10].

Passive Detection is one of the ARP spoofing detection methods. It sniffs the ARP-Requests and Replies on the network and constructs a MAC address to IP address mapping database [3]. If it observes any conflicts between new ARP traffic and the (MAC-IP) mapping database, it concludes that an ARP spoofing attack is occurring. The drawbacks of this method are a time lag between learning the address mappings and detection, and unreliability.

Active Detection is also one of the ARP spoofing detection methods [3]. It sniffs the ARP packets and constructs a MAC address to IP address mapping database. Before inputting a MAC-IP address mapping into the learnt database, it verifies the ARP packets by sending TCP SYN packets to the source machines. This technique is faster, intelligent, scalable and more reliable in detecting attacks than the passive methods.

II. PROPOSED SYSTEM DESCRIPTION, ARCHITECTURE AND OPERATION

A. ARP Protocol and Behavior of ARP Spoofing Attack due to Sniffing Packets

The ARP protocol is stateless. A host's ARP cache is updated automatically every time an ARP-Reply arrives, even though the host has not sent any ARP-Request. The ARP cache will be overwritten by a newer ARP-Reply. Hosts do not have a mechanism to authenticate their peers. This is the main problem which causes the ARP spoofing attack. The typical behaviors of an ARP spoofing attack are illustrated as follows:
1. An attacker broadcasts ARP-Requests into the entire network to collect the hosts' information such as MAC and IP address mappings.
2. The attacker selects a pair of hosts in order to intercept some information from them.
3. The attacker sends ARP-Requests to the pair of victims telling them a lie. After that the attacker sends periodic ARP-Replies to update the ARP cache of the victims.
4. Due to the behaviors of ARP-Requests and ARP-Replies, the attacker can intercept packets of the pair of victims successfully.

B. Software Application (SmartARP) and Requirements

In this work, we develop network applications with .NET, using the C# programming language, because .NET is a capable platform on which to develop almost any solution, and it offers substantial support for network programming. In fact, .NET has more intrinsic support for networking than any other platform developed by Microsoft.

Here, to deal with ARP attacks on switched LANs, the following requirements can be listed:
• Require no change to be made to every host on the network (e.g., installing special software on each host), as this may increase the administrative costs.
• The use of cryptographic techniques should be minimized or avoided since it slows down ARP performance.
• Prevention/blocking is preferred to detection, since the latter depends on how well the administrator is able to handle the alarms in an effective and timely manner.
• Be widely available and easy to implement.
• Costly hardware should be minimized as much as possible.
• The solution should be backward compatible with ARP.
• ARP-Requests/Replies should not be slowed down significantly.
• All types of ARP attacks should be blocked.

C. ARP Spoof Detection and Correction Architecture (SmartARP)

[Figure 1. ARP Spoofing Detection and Prevention Architecture (SmartARP) (modified from [3])]
Based on the architecture shown in Fig. 1, the SmartARP can be classified into two phases:
• ARP Spoof Detection Phase
• ARP Spoof Prevention Phase

ARP Spoof Detection Phase
• ARP Sniffer module: used to capture all ARP traffic in the broadcast network.
• Invalid MAC Detection module: used to classify the ARP traffic into valid and invalid MAC addresses. It detects an invalid MAC address by verifying the MAC addresses in the Ethernet frame and in the ARP header. If the source and/or destination MAC addresses are not identical, it can be assured that ARP spoofed packets are occurring. The valid MAC address packets are sent to the Host Database Detection module.
• Host Database Detection module: used to filter the valid ARP traffic by comparing the IP-MAC address pairings of the valid ARP traffic with the IP-MAC address pairings of the learnt Database. If there are any conflicts, it can be guaranteed that there are ARP spoofed packets. All new IP-MAC address pairings, which are not in the learnt Database, are sent to the ARP Spoof Detection module.
• ARP Spoof Detection module: This is the final verification module. The valid ARP header packets are input into it. These packets are classified into three categories: Full ARP Cycle, Request Half Cycle and Reply Half Cycle packets. After applying the ARP Spoof Detection module, it sends the ARP entry to the Database module if the ARP entry is correct, or to the Spoof Alarm module if it is incorrect. The Database module adds these verified MAC and IP address mappings into the database. The detailed ARP Spoof Detection Algorithm is described in Section D.
• Database module: the verified ARP packets are added into the database.
• Spoof Alarm module: This module is used to alert the administrators on detection of an ARP spoofing attack.

ARP Spoof Prevention Phase
• ARP Cache Repair module: used to correct the ARP cache of the victim's hosts by sending ARP-Requests/Replies to overwrite ARP entries. When the SmartARP detects the forged ARP packets from the attacker, it creates and sends ARP-Replies to the victim's hosts to correct the ARP cache entries.
• Reverse Attack module: an optional module. When an administrator desires to eliminate the malicious hosts from the network, it sends forged ARP-Replies to the attacker's hosts to update their ARP cache. The hosts which have wrong MAC addresses in their ARP cache will not be able to communicate with the outside network (Denial-of-Service Attack).

D. ARP Spoof Detection Algorithm

As mentioned previously, the three different ARP Cycle packets (Full ARP Cycle, Request Half Cycle and Reply Half Cycle packets) are detected in different ways by the ARP Spoof Detection module, which works based on the following rules:

Rule 1: Firstly, the network interface of a host accepts packets sent to its MAC address. If they are IP packet encapsulations, it passes these packets to the IP layer. The IP layer accepts IP packets addressed to its IP address. If the accepted packet is a TCP packet, it is passed on to the TCP layer. If the TCP layer receives a TCP SYN packet, it replies either with a TCP SYN/ACK packet if the destination port is open or with a TCP RST packet if the port is closed.

Rule 2: The attacker can spoof ARP packets to update the victim's cache, but he/she cannot stop the real host from replying to ARP-Requests sent to it, which means that the real host is still alive on the network.

Based on both rules, we can verify whether the source ARP packets are real or forged. We generate TCP SYN packets and send them on the network using the source MAC and IP addresses in the ARP-Requests/Replies sent by the host. For example, the destination MAC and IP addresses in the created TCP SYN packet are the source MAC and IP addresses advertised in the ARP-Request/Reply. The source MAC and IP addresses in the created TCP SYN packet are those of the host running the ARP spoof detection (see Fig. 2).

[Figure 2. ARP Spoofing Packet and TCP Verifying Packet]

From Fig. 2, the ARP-Reply is sent from a malicious host, and the SmartARP verifies the packet by sending a TCP SYN packet to the source of the ARP-Reply. When the attacker's host receives the verifying TCP SYN packet, its network stack silently discards the TCP SYN packet in accordance with Rule 1. Thus, the ARP Spoof Detection host does not receive any TCP response within a specific time. As a result, the host sending the ARP-Reply is considered an attacker.

E. Smart ARP Application

In this section, we detail the input of the 3 cycles of the ARP Spoof Detection Module.

1. Full ARP Cycle

Full ARP Cycle packets are sent by the spoof detection's host in order to collect the legitimate IP and MAC addresses of the other hosts in the entire network. It broadcasts ARP-Requests into the network and may receive one or more Replies from living hosts. If ARP spoofing is on, both the attacker and the real host will reply back to the original ARP-Request. Then the SmartARP sends a constructed TCP SYN packet, using the MAC and IP address information in the ARP-Reply packet(s), to each source address of both ARP-Replies.
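The Invalid MAC Detection and Host Database Detection steps of the architecture above, as an added worked example in Python (not the paper's C# SmartARP code): it parses an Ethernet/ARP frame, checks that the Ethernet header and the ARP header carry the same MAC addresses, and then compares the sender's IP-MAC pairing against a learnt database, routing the frame to "invalid-mac", "conflict", "valid" or "needs-verification" (the last being what the ARP Spoof Detection module receives). The gateway and attacker MAC addresses are the ones from the paper's simulation; the victim MAC 00:50:56:aa:bb:cc and all frames are constructed sample input.

```python
import struct
from typing import Dict, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def build_arp_frame(eth_src: str, eth_dst: str, op: int, sender_mac: str,
                    sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructed sample input: Ethernet II header + ARP body (IPv4 over Ethernet)."""
    eth = _mac_bytes(eth_dst) + _mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
    arp += _mac_bytes(target_mac) + _ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """ARP Sniffer step: keep only well-formed ARP frames, exposing both MAC pairs."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None

    def mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    def ip(b: bytes) -> str:
        return ".".join(str(x) for x in b)

    return {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]), "op": op,
            "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


def invalid_mac(arp: dict) -> bool:
    """Invalid MAC Detection: Ethernet and ARP header MAC addresses must agree."""
    if arp["eth_src"] != arp["sender_mac"]:
        return True
    # A unicast reply goes to the requester, so its frame destination must equal the ARP target.
    if arp["op"] == ARP_REPLY and arp["eth_dst"] != BROADCAST and arp["eth_dst"] != arp["target_mac"]:
        return True
    return False


class HostDatabase:
    """Learnt database of verified IP -> MAC pairings (the Database module)."""

    def __init__(self) -> None:
        self.learnt: Dict[str, str] = {}

    def add_verified(self, ip: str, mac: str) -> None:
        self.learnt[ip] = mac

    def check(self, ip: str, mac: str) -> str:
        known = self.learnt.get(ip)
        if known is None:
            return "unknown"
        return "valid" if known == mac else "conflict"


def classify_frame(frame: bytes, db: HostDatabase) -> str:
    """Route one captured frame through the detection phase modules in order."""
    arp = parse_arp_frame(frame)
    if arp is None:
        return "not-arp"
    if invalid_mac(arp):
        return "invalid-mac"
    status = db.check(arp["sender_ip"], arp["sender_mac"])
    if status in ("conflict", "valid"):
        return status
    return "needs-verification"   # new pairing: hand to the ARP Spoof Detection module


# Addresses from the paper's scenario (gateway 203.159.97.1, attacker MAC 00:14:24:88:0a:3c);
# the victim MAC is a constructed value.
GW_IP, GW_MAC = "203.159.97.1", "00:09:43:ca:0f:ff"
ATK_MAC = "00:14:24:88:0a:3c"
VIC_IP, VIC_MAC = "203.159.97.25", "00:50:56:aa:bb:cc"

if __name__ == "__main__":
    db = HostDatabase()
    db.add_verified(GW_IP, GW_MAC)
    legit = build_arp_frame(GW_MAC, VIC_MAC, ARP_REPLY, GW_MAC, GW_IP, VIC_MAC, VIC_IP)
    forged = build_arp_frame(ATK_MAC, VIC_MAC, ARP_REPLY, ATK_MAC, GW_IP, VIC_MAC, VIC_IP)
    print(classify_frame(legit, db), classify_frame(forged, db))
```

The frame with consistent headers but the gateway's IP bound to the attacker's MAC is what the Host Database Detection module catches; a frame whose Ethernet source disagrees with its ARP sender field never reaches the database at all.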
The SmartARP may receive two TCP packets as a response since the attacker redirects the packet along with the real host. This situation can be identified as an occurrence of packet spoofing. On the other hand, after the SmartARP broadcasts ARP-Requests to the network, if there is only one ARP-Reply from the real host, the SmartARP will send a TCP SYN packet to the source of the ARP-Reply for confirmation. If the target is the real host, it will respond with either a TCP SYN/ACK or a TCP RST packet to the SmartARP based on Rule 1. The program will add this entry into the database as a legitimate MAC to IP address mapping. If the target does not respond within a specific time, it can be concluded that the host is sending ARP spoofed packets. An administrator can react to the attacker with the Reverse attack technique.

2. Request Half Cycle

Request Half Cycle packets are sent by hosts in a network. They can be separated into two parts as follows:

(a) ARP sends Request to the SmartARP: These are the ARP-Requests that were sent by the other hosts in a network to the SmartARP. They may come from attackers or legitimate users. The SmartARP verifies these packets by broadcasting ARP-Requests to the network and waiting for the responses. If ARP spoofing is being performed, the SmartARP will receive two ARP-Replies. The first and second packets come from a legitimate user and an attacker, respectively. Therefore, the SmartARP can verify these ARP-Replies by sending a TCP SYN packet to each source address of the ARP-Replies. This process is the same as the aforementioned Full ARP Cycle.

(b) ARP sends Request to the other hosts: These are the ARP-Requests that were sent by a computer host to the other hosts in a network. The request packets may come from a malicious or a legitimate user. The SmartARP verifies these packets by sending a constructed TCP SYN packet to the source MAC and IP addresses of the ARP-Request. If the source addresses are the real host's addresses, the authentic host will respond with either a TCP SYN/ACK or a TCP RST to the SmartARP. This response can be used to identify whether the packet is real or an imitation. If there is no response within the appropriate time, the program alerts an administrator, and performs the ARP Cache Repair technique automatically. The administrator can counteract the attacker with the Reverse attack as well.

3. Reply Half Cycle

An ARP-Reply Half Cycle would occur in two possible scenarios as follows:
1. A malicious attacker sends spoofed ARP packets to the victims. This is one of the most common techniques of the ARP spoofing attack: sending periodic spoofed ARP-Replies to the victims so that the spoofed address entry in the victim's ARP cache never expires.
2. The detector (SmartARP) has missed the ARP-Request. This may occur if the SmartARP application is opened after the ARP-Request was sent. Therefore, it could only sniff the ARP-Reply.

The Reply Half Cycle can be divided into two situations as follows:

(a) ARP sends Response to the SmartARP: These are the ARP-Replies that were sent by hosts in a network to the SmartARP. They may come from attackers or legitimate users. The detector verifies these packets by broadcasting ARP-Requests to the network and waiting for the responses. If ARP spoofing is being performed, the SmartARP will receive two ARP-Replies. The first and second packets come from a legitimate user and an attacker, respectively. Therefore, the SmartARP verifies these ARP-Replies by sending a TCP SYN packet to each source address of the ARP-Replies. If there is more than one TCP response packet, the SmartARP is able to identify that there is a spoofed packet.

(b) ARP sends Response to the other hosts: These are the ARP-Replies that were sent by a computer host to the other hosts in a network. The reply packets may come from a malicious or a legitimate user. The SmartARP verifies these packets by sending a constructed TCP SYN packet to the source MAC and IP addresses of the ARP-Reply. If the source addresses are manipulated by a malicious user, the attacker's machine will silently discard this packet because the IP address is invalid, and does not correspond to any of the host's addresses. When the SmartARP does not obtain any response within the specific interval, it alerts an administrator, and performs the ARP Cache Repair technique automatically. The administrator can respond to the attacker with the Reverse attack manually.

III. SOFTWARE USED AND SIMULATION NETWORK MODEL

A. ARP Spoofing Attack Simulation Softwares

The software applications for testing are listed here:
• VMware Workstation Ver. 6.02.
• Microsoft Windows XP installed on VMware.
• Ubuntu version 8.04 installed on VMware.
• CAIN application Ver. 4.9.8: to simulate the ARP spoofing attack.
• Colasoft Packet Builder Ver. 1.0: to simulate sending ARP and TCP/IP packets.
• Wireshark Network Protocol Analyzer Ver. 0.99.6a: to capture and analyze packet traffic.
• SolarWinds Engineer's Edition Ver. 8.0: to measure the system performance.

[Figure 3. Proposed Network Simulation Structure]
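The Rule 1 / Rule 2 verification and the Full and Half ARP cycles it drives, as an added Python simulation (not the authors' implementation): simulated hosts answer ARP-Requests for every IP they claim, but each host's IP stack only accepts a TCP SYN addressed to the one address it really owns, so a spoofer stays silent while the real host returns SYN/ACK (port open) or RST (port closed). `verify_full_cycle` is the broadcast-then-probe path of the Full ARP Cycle and of situation (a) of both half cycles; `verify_half_cycle` is the direct probe of situation (b). The gateway and victim addresses are from the paper's scenario; the attacker's own IP 203.159.97.66, the victim MAC, and the probed port 80 are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

SYN_ACK, RST = "SYN/ACK", "RST"


@dataclass
class SimHost:
    """Simulated LAN host. `claims` are extra IPs it answers ARP for (a spoofer);
    `ip` is the only address its IP layer actually owns."""
    ip: str
    mac: str
    open_ports: Set[int] = field(default_factory=set)
    claims: Set[str] = field(default_factory=set)

    def answer_arp_request(self, target_ip: str) -> Optional[Tuple[str, str]]:
        # Rule 2: the real host always answers for its own IP; a spoofer also answers for claimed IPs.
        if target_ip == self.ip or target_ip in self.claims:
            return (target_ip, self.mac)
        return None

    def receive_tcp_syn(self, dst_ip: str, dst_port: int) -> Optional[str]:
        # Rule 1: the IP layer accepts only packets to its own address; anything else is silently dropped.
        if dst_ip != self.ip:
            return None
        return SYN_ACK if dst_port in self.open_ports else RST


class Lan:
    """Switched LAN: unicast frames are delivered by MAC, ARP-Requests are broadcast."""

    def __init__(self, hosts: List[SimHost]) -> None:
        self.by_mac = {h.mac: h for h in hosts}

    def broadcast_arp_request(self, target_ip: str) -> List[Tuple[str, str]]:
        replies = []
        for h in self.by_mac.values():
            r = h.answer_arp_request(target_ip)
            if r is not None:
                replies.append(r)
        return replies

    def send_tcp_syn(self, dst_mac: str, dst_ip: str, port: int) -> Optional[str]:
        h = self.by_mac.get(dst_mac)
        return None if h is None else h.receive_tcp_syn(dst_ip, port)


def verify_full_cycle(lan: Lan, target_ip: str, port: int) -> dict:
    """Full ARP Cycle: broadcast a request for target_ip, then probe every replier with a TCP SYN
    addressed to the (IP, MAC) pair it advertised. Silence within the timeout marks a suspect."""
    replies = lan.broadcast_arp_request(target_ip)
    legit, suspect = [], []
    for ip, mac in replies:
        if lan.send_tcp_syn(mac, ip, port) is None:
            suspect.append(mac)
        else:
            legit.append(mac)
    if not replies:
        verdict = "no-reply"
    elif len(replies) > 1 or suspect:
        verdict = "spoofed"      # two repliers for one IP, or a replier whose stack does not own it
    else:
        verdict = "legitimate"   # exactly one replier and it answered SYN/ACK or RST
    return {"verdict": verdict, "legitimate": legit, "suspect": suspect}


def verify_half_cycle(lan: Lan, claimed_ip: str, claimed_mac: str, port: int) -> str:
    """Request/Reply Half Cycle, situation (b): probe the advertised pair directly."""
    answered = lan.send_tcp_syn(claimed_mac, claimed_ip, port) is not None
    return "legitimate" if answered else "spoofed"


# Constructed scenario: gateway and victim from the paper, attacker claiming both of their IPs.
GATEWAY = SimHost("203.159.97.1", "00:09:43:ca:0f:ff", open_ports={80})
VICTIM = SimHost("203.159.97.25", "00:50:56:aa:bb:cc")
ATTACKER = SimHost("203.159.97.66", "00:14:24:88:0a:3c",
                   claims={"203.159.97.1", "203.159.97.25"})
LAN = Lan([GATEWAY, VICTIM, ATTACKER])

if __name__ == "__main__":
    print(verify_full_cycle(LAN, GATEWAY.ip, 80))
    print(verify_half_cycle(LAN, GATEWAY.ip, ATTACKER.mac, 80))
```

Note that the victim, which has no port 80 open, still answers the probe with RST; the algorithm only needs some TCP response, not an open port, which is why a closed port on the real host does not produce a false alarm.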
Fig. 3 illustrates the proposed network structure to simulate the event of an ARP spoofing attack. The attacker's machine is running the CAIN application, which captures the sensitive information between the legitimate user (203.159.97.25) and the gateway router (203.159.97.1). When the attacker is capturing the data, the SmartARP alerts an administrator, and sends repaired ARP packets to both victims automatically. Based on this action, we can prevent the attack completely. Moreover, the administrator can deny the attacker's host via the Reverse attack. The SmartARP may send a forged ARP packet, carrying a random MAC address, to the attacker's machine. All these events can be illustrated step by step as follows:
1. The attacker is sniffing the sensitive information of both victims that communicate with each other (203.159.97.25 and 203.159.97.1) by sending forged ARP-Replies.
2. After the attacker sends forged ARP-Replies to the victims, the ARP cache of the victims' hosts will be changed (00:09:43:CA:0F:FF => 00:14:24:88:0A:3C).
3. Now, the attacker can steal usernames and passwords of the victims successfully.

B. ARP Cache Repairing Simulation

Colasoft software is used to create and send repaired ARP packets to the victims' hosts to protect against the Man-in-the-Middle attack. After sending the repaired ARP packets, the ARP cache of the victims' hosts is changed again to the real MAC address (00:09:43:CA:0F:FF).

C. Reverse Attack Simulation

The administrator can deny the hosts identified as malicious by creating a forged ARP-Reply with a random MAC address, and sending it to the attacker's host periodically. Then, the ARP cache of the malicious host is updated with the forged MAC address. Based on this technique, the attacker will not be able to communicate with the outside world until he/she restarts the computer. The Colasoft application is used to simulate the Reverse attack technique. The ARP cache of the attacker's host is updated with the forged MAC address (34-56-25-F5-9C-F8) sent by the SmartARP.

D. Network Topology and Simulation Descriptions

[Figure 4. Proposed Network Topology (observe all VLANs)]

From Fig. 4, we assume that the ARP spoofing attack occurs in VLAN 10 while the SmartARP computer is connected to the mirror port of the switching device in order to observe the packet traffic of each VLAN. We use the software called "CAIN" to simulate ARP spoofing, which attacks the SmartARP and the other hosts in the network. The SmartARP is used to detect and correct the attack. We install the VMWare application on 2 machines where each machine runs 31 virtual victims; therefore, the total number of victims is 62 stations. The CAIN application is used to attack the many victims running on the virtual machines. The number of victims is increased by two hosts at a time to measure the performance.

E. Devices Specifications

The devices' specifications used for performance evaluation are listed in Table 1 as follows:

Table 1. Devices' Specification

| Device | Processor | RAM | Software | Network Interface Cards |
| SmartARP | Intel Pentium 4 CPU 2.4 GHz | 512 MB | MS-Windows XP Professional (5.1, 2600) | Two: one card for the mirror port, 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX); the other, a SiS 900-Base PCI Fast Ethernet Adapter, for the VLAN port, IP 192.168.10.100 |
| CAIN | Intel Pentium 4 CPU 1.6 GHz | 512 MB | MS-Windows XP Professional (5.1, 2600) | 10/100 Fast Ethernet |
| Victims* | Intel Pentium 4 CPU 3.0 GHz | 2 GB | MS-Windows XP Professional (5.1, 2600) | Realtek RTL8139 Family PCI Fast Ethernet NIC; runs VMWare Workstation v.6.5.1, which enables many hosts (MS-Windows XP) |
| Bandwidth Gauges | Intel Core 2 Duo CPU T7300 @ 2.0 GHz | 3 GB | MS-Windows XP Professional (5.1, 2600) | Marvell Yukon 88E8055 PCI-E Gigabit Ethernet |

Note: * = 2 machines are used. We use an HP J4121A ProCurve Switch 4000M, revision C.09.G2, ROM C.06.01 /sw/code/build/vgro(msanchez_v09)), Fast Ethernet, 64 ports. It is configured to enable the mirror port and SNMP services.

F. System Performance Evaluation

We use the SolarWinds software application to evaluate the following performance metrics:
• Response Time: the time at which the victim receives the first correct ARP packet from the SmartARP minus the time at which the victim obtains the whole fake ARP packets from the attacker.


• Correction Time: the total time that the SmartARP takes to send ARP packets to correct every victim's ARP cache.
• Successful Correction Ratio:

Successful Correction (%) = (Amount of Successful Correction / Total Number of Attacks) x 100

• CPU Usage: indicates how much of the CPU's capacity is in use.
• Network Utilization: the ratio between the used bandwidth and the available bandwidth.

IV. RESULTS AND DISCUSSIONS

In all cases, CAIN generates ARP-Replies to update the ARP cache of the victims every default time interval (30 seconds), while the SmartARP detects and sends ARP-Replies to correct the ARP cache of the victims as well.

A. The Software Implementation (Proof of Concept Code: SmartARP.cs)

The following application is developed in order to demonstrate the feasibility of the ARP spoofing detection and prevention. It detects forged ARP packets and sends correct ARP packets to update the ARP cache of the victims.
• The SmartARP configuration page: When we need to run the SmartARP, we select a monitoring interface to detect the ARP spoofing attack, and pick a VLAN interface to correct the attack on that VLAN. Then, we can adjust the time interval for updating the SmartARP's database and set the waiting time for response packets. Moreover, we can select a TCP port of the computers that we need to observe.
• The SmartARP monitoring page: Firstly, the Real Host List illustrates the actual computers that the SmartARP collects from the local network. Secondly, the Victim List displays the computers which are attacked. It presents IP address, MAC address, Status, and Repaired Status. Finally, the Attacker List presents the attacker's computer by detecting the ARP packets that hackers send into the network.
• The Logs of the application: It shows the real-time working process of the SmartARP for every packet that the SmartARP sends or receives.

B. The SmartARP Evaluation with the Proposed Network Topology

In Fig. 4, we assume that the SmartARP detects and corrects the attack for only VLAN10. The CAIN application, installed on VLAN10, starts sending forged ARP-Replies every 30 seconds to update the ARP cache of the victims. The SmartARP machine, which has two interface cards, detects the fake ARP packets passing through the mirror port, and sends repaired ARP packets on the VLAN interface automatically. We simulate the victim hosts by installing the VMWare application on the victim1 and victim2 hosts, which together run 62 virtual victims. In addition, we use the Bandwidth Gauges application, installed on the other machine, to measure the bandwidth of the system using the SNMP protocol. The simulation results are illustrated as follows:

(1) Response Time

[Figure 5. Response Time (Response Time (s) versus Number of Victims (hosts), 2 to 62)]

From Fig. 5, the Response Time increases significantly until the number of victims reaches 14 hosts. After that the response time changes gradually, with a mean value of 1.3 seconds.

(2) Correction Time

[Figure 6. Correction Time (Correct Time (s) versus Number of Victims (hosts), 2 to 62)]

From Fig. 6, the Correction Time always rises when we increase the number of victims from 2 to 62. The correction time is lower than 5 seconds when the number of machines is between 2 and 20, which is practical in general situations.

(3) Successful Correction Ratio

We simulate a total of 10 attacks for every number of victims.

[Figure 7. The percentage of successful correction (Correct successful (%) versus Number of victims (hosts), 2 to 62)]

From Fig. 7, the percentage of Successful Correction is 100% when the number of victims is less than 38 stations, whereas the SmartARP spends less than 10 seconds of correction time. The Successful Correction Ratio decreases slightly when the number of victims exceeds 40. The lowest Successful Correction Ratio is about 50% when the number of victims is 60 stations, whereas the Correction Time is lower than 20 seconds.
(4) CPU Usage

[Figure 8. CPU Usage (CPU Usage (%) versus Number of victims (hosts), 2 to 62)]

We capture the CPU Usage while the SmartARP is detecting and correcting the attack. From Fig. 8, the CPU Usage of the SmartARP fluctuates around 80% for all numbers of victims. It can be concluded that the CPU usage does not depend on the number of victims.

(5) Network Utilization

The SmartARP, CAIN, and victims' Network Utilizations are measured by the Bandwidth Gauges application using the SNMP protocol. The maximum traffic of each port is 200 Mbps (including both sending and receiving). The medium used for testing is UTP CAT5 100BASE-TX Ethernet. In order to simulate 62 machines in the victim1 and victim2 scenarios, two VMWare applications are installed, since one VMWare application can accommodate up to only 31 virtual machines. We assume that each of victim1 and victim2 has 31 virtual machines.

[Figure 9. SmartARP's Network Utilization (Network utilization (%) versus Number of victims (hosts), 2 to 62)]

[Figure 10. CAIN's Network Utilization (Network utilization (%) versus Number of victims (hosts), 2 to 62)]

[Figure 11. Victim-1's Network Utilization (Network utilization (%) versus Number of victims (hosts), 2 to 62)]

[Figure 12. Victim-2's Network Utilization (Network utilization (%) versus Number of victims (hosts), 2 to 62)]

From Fig. 9-12, it is obvious that the Network Utilizations of all applications are very low. Therefore, implementing all the proposed components does not affect the network system. The fluctuations at some points are due to the instability of the traffic.

V. CONCLUSIONS

In this research, we study the various hacking techniques. One of the most critical problems is the Man-in-the-Middle attack via the ARP spoofing technique in a LAN (local area network), because the attackers can intercept and manipulate all messages communicated between two victims.

We propose the technique called SmartARP to detect and correct the ARP spoofing attack. The proposed SmartARP application works in promiscuous mode, and filters only the ARP packet traffic. It verifies whether the Ethernet frame and the ARP header have the same MAC addresses or not. If they are the same, the ARP packet is re-checked against the learnt database. However, if the learnt database does not have the IP-MAC address pairing, the new ARP packet is sent to the ARP Spoof Detection module in order to be re-verified.

We develop various software applications to simulate our proposed techniques and evaluate the performance of the application by simulation using the criteria Response Time, Correction Time, Successful Correction Ratio, CPU Usage and Network Utilization. Based on the simulation results, it can be concluded that our proposed techniques are fast, intelligent, scalable and reliable in detecting and correcting attacks. It can, for example, detect the ARP spoofing attack and correct 100% of the ARP caches of the victims within 10 seconds at 38 machines. Typically, when attackers want to steal sensitive information, they concentrate on a few targets, since they desire to get only specific information. In addition, since more data is redirected to the attacker's machine, which can cause their computers to slow down, it is obvious that the performance of the proposed SmartARP is acceptable in realistic conditions. Moreover, the Network Utilization of all components is very low; therefore, it does not affect the network system under normal conditions.

REFERENCES

[1] Matthew Strebe: Network Security Foundations, SYBEX Inc, 2004.
[2] Doug Sax: DNS Spoofing (Malicious Cache Poisoning), 22 Oct 2008, <http://www.giac.org/certified_professionals/practicals/gsec/0189.php>.
[3] Vivek Ramachandran: Information System Security, Detecting ARP Spoofing: An Active Technique, ICISS 2005, Volume 3803/2005, ISBN: 978-3-540-30706-8, pp. 239-250, Springer Berlin / Heidelberg, 2005.
[4] Danilo Bruschi, Alberto Ornaghi, Emilia Rosti: "S-ARP: a Secure Address Resolution Protocol", 19th Annual Computer Security Applications Conference, 2003, www.acsac.org/2003/papers/111.pdf.
[5] David C. Plummer: An Ethernet Address Resolution Protocol, RFC-826, USC Information Science Institute, California, November 1982.
[6] S. Whalen: An Introduction to ARP Spoofing, http://packetstormsecurity.org/papers/protocols/intro_to_arp_spoofing.pdf
[7] M. Gouda and C.-T. Huang: A secure address resolution protocol, Computer Networks, January 2003.
[8] Cisco Systems: Configuring Dynamic ARP Inspection, chapter 39, pages 1–22, Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SX, 2006.
[9] C. Schluting: Configure your Catalyst for a more secure layer 2, <http://www.enterprisenetworkingplanet.com/netsecur/article.php/3462211>. (Last accessed November, 2008).
[10] B. D. Schuymer: ebtables: Ethernet bridge tables, http://ebtables.sourceforge.net, March 2006.
[11] M. Carnut and J. Gondim: ARP spoofing detection on switched Ethernet networks: A feasibility study, In Proceedings of the 5th Symposium on Security in Informatics, Nov. 2003.
