Sniffing Attacks Prevention and Detection Techniques
Info: 5415 words (22 pages) Dissertation
Published: 12th Dec 2019
Security in Wired/Wireless Networks: Sniffing Attacks Prevention and Detection Techniques in Wired and Wireless Local Area Networks (LAN)
During the past decades, information technology has revolutionized research and development, and the Internet has become an essential backbone for all sciences. Accordingly, security threats and attacks on data stores have become a widespread phenomenon, and protecting such critical information is in high demand. A review of the latest studies in this area gives strong signs that attacking information warehouses is the hot topic nowadays.
Moreover, preventing attacks on TCP/IP networks, and identifying the most efficient techniques to protect them, is a major research area for security experts. For instance, the Man-in-the-Middle attack [MiM] and Denial of Service [DoS] are just two ways of attacking TCP/IP networks using tools freely available on the Internet, either by sniffing the data traffic or by denying service.
In our research, we evaluated the best-known security solutions and classified them according to their efficiency in detecting or preventing the various types of Address Resolution Protocol [ARP] spoofing attacks. Based on the surprising experimental results obtained in the security lab, we propose an optimal algorithm to enhance their ability.
Sniffing Attacks, ARP cache poisoning, Man-in-the-Middle [MiM], Intrusion Prevention & Detection technique [IPS/IDS], Denial of Service [DoS]
As mentioned in the abstract, this research focuses on internal attacks within the local area network [LAN], which, according to recent studies in the information security domain, form the major and most critical class of attacks to which network resources are exposed. We demonstrate two major attacks affecting Internet users and the local network: the MiM attack (Man-in-the-Middle) and DoS (Denial-of-Service). Many tools and software packages are widely and freely available that can carry out attacks over the network and violate users' privacy. Sniffers, for example, monitor data travelling over a network, whether for authorized or unauthorized purposes. The sniffer started out as a network analyzer to help administrators perform health checks and maintain network activity; today, however, it is also used to redirect traffic and access confidential files.
Traditionally, research in information and communication security has focused on helping system developers prevent security vulnerabilities in the systems they produce, before those systems are released to customers, and the majority of studies on network security consider only external attacks. Both internal and external threats are of the utmost importance to information security, but they need to be complemented by deeper research into detection and prevention mechanisms and into internal threats in particular.
The research plan we followed in the work presented here is as follows:
a. Address Resolution Protocol [ARP]
b. ARP Spoofing attack [Poisoning]
c. ARP Spoofing based MiM & DoS attacks
e. Optimal ARP Spoofing detection algorithm
f. Results & analysis
1.1.1 What is ARP:
The Address Resolution Protocol (ARP) is used by computers to map network (IP) addresses to physical addresses, usually referred to as Media Access Control (MAC) addresses.
It translates IP addresses to Ethernet MAC addresses and is classified as a networking protocol used to find a host's hardware address given its IP address. Some network experts consider it a Data Link layer protocol because it operates only on the local area network or point-to-point link to which a host is connected. ARP is documented in RFC 826 and was later adopted by other media, such as FDDI. For more details about the Internet Protocol Suite, see appendix
1.1.2 How it works: The ARP Process & RARP
As stated above, from an architecture perspective ARP is a layer 3 (Network) function; from a programming perspective, however, ARP is treated as layer 2 (Data Link) because it is invoked from the LAN data-link layer code. RARP stands for Reverse Address Resolution Protocol, a network protocol used to resolve a MAC address to the corresponding network layer address; i.e. RARP maps a MAC address to an IP address, exactly the reverse of the ARP request/reply function. (RARP is documented in RFC 903 and has long since been superseded by BOOTP and DHCP.)
1.1.3 Types of ARP/RARP protocol messages:
There are four types of messages sent by the ARP/RARP protocols:
a. ARP request
b. ARP reply
c. RARP request
d. RARP reply
As stated in the definition, ARP maps a network address (IP) to a physical address (MAC): when a host needs to communicate with another host it must know that host's MAC address. ARP does this by broadcasting a packet (ARP request) to all hosts connected to the Ethernet network. The ARP packet contains the IP and MAC addresses of the sender and the IP address of the target it wants to communicate with. See (1.2) and (1.3):
The target host, recognizing that the IP address in the ARP request belongs to itself, returns a unicast answer (ARP reply), and the host that initiated the ARP request caches the [IP, MAC] pair in its ARP cache. Keeping the reply in the cache minimizes ARP traffic on the LAN. See (1.4):
So, simply put, when the ARP request is broadcast to all PCs on the network it asks the following question:
– Is x.x.x.x your IP address? If yes, send back your MAC address.
Every PC then checks whether its IP address matches the one in the ARP request, and the one that matches sends an ARP reply with its MAC address.
But repeated ARP requests, broadcast every time a MAC address is required, create heavy traffic on the network; hence operating systems keep a copy of the ARP replies in the host's cache memory and update it frequently with any new
Incidentally, the ARP spoofing technique discussed in the next chapter occurs when forged ARP replies
The Reverse Address Resolution Protocol [RARP] broadcasts a RARP request packet containing the target MAC address, which is received by all hosts on the Ethernet network. The host whose MAC address matches the one in the RARP request answers with its IP address in a RARP reply packet sent to the host that initiated the request.
Thus ARP maps a 32-bit IPv4 address to a 48-bit Ethernet address (and RARP the reverse), with the ARP/RARP packet encapsulated in an Ethernet frame. This is the common practice of the Address Resolution Protocol (ARP), documented in RFC 826.
ARP defines the exchanges between network interfaces connected to an Ethernet segment in order to map an IP address to a link layer address on demand. Link layer addresses are the hardware addresses of Ethernet cards (although they are not immutable), whereas IP addresses are logical addresses assigned to the machines attached to the Ethernet. A Data Link layer address is therefore known by several names: Ethernet address, Media Access Control (MAC) address, and even hardware address. The correct term from the kernel's perspective, however, is "link layer address", because this address can be changed with command line tools.
1.1.4 ARP and RARP message formats:
The ARP packet consists of an Ethernet header and a data packet; the Ethernet header is divided into:
– 6 bytes for the destination address
– 6 bytes for the source address
– 2 bytes for the frame type in hexadecimal (e.g. 0806 for ARP and 8035 for RARP)
The data packet structure of the ARP packet is encapsulated as shown in the following table, which also gives the information that every field holds (28 bytes in total for Ethernet/IPv4):
Table 1.1: ARP and RARP packet structure
Bits 0 – 7             | Bits 8 – 15            | Bits 16 – 31
-----------------------+------------------------+---------------------------------------------
Hardware type (HTYPE)                           | Protocol type (PTYPE)
Hardware length (HLEN) | Protocol length (PLEN) | Operation (OPER)
Sender (source) hardware address [MAC] (SHA) (first 32 bits)
SHA (last 16 bits)                              | Sender protocol address (SPA) (first 16 bits)
SPA (last 16 bits)                              | Target (destination) hardware address (THA) (first 16 bits)
THA (last 32 bits)
Target (destination) protocol address (TPA) (32 bits)
– Hardware address type (2 bytes): 1 = Ethernet
– Protocol address type (2 bytes): 0800H (hexadecimal) = IP address
– Hardware address length (1 byte): 6 for Ethernet; protocol address length (1 byte): 4 for IPv4
– Operation type (2 bytes): 1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply
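As an added example (not code from this dissertation), the following Python builds and parses Ethernet frames with exactly the layout of Table 1.1, using only the standard library. The IP addresses are the ones used in the MiM scenario later in this chapter; the MAC addresses are made up. The parser also records whether the sender hardware address inside the ARP payload matches the Ethernet source address, a cheap consistency check a sensor can apply, since the two fields are set independently in a crafted frame.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

ETHERTYPE_ARP = 0x0806        # frame type 0806 (Ethernet header)
ETHERTYPE_RARP = 0x8035       # frame type 8035
HTYPE_ETHERNET = 1            # hardware address type 1 = Ethernet
PTYPE_IPV4 = 0x0800           # protocol address type 0800H = IP
OP_NAMES = {1: "ARP request", 2: "ARP reply", 3: "RARP request", 4: "RARP reply"}
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_frame(op: int, sha: str, spa: str, tha: str, tpa: str,
                    eth_src: Optional[str] = None, eth_dst: Optional[str] = None) -> bytes:
    """Ethernet header (14 bytes) + ARP/RARP payload (28 bytes) as in Table 1.1."""
    ethertype = ETHERTYPE_RARP if op in (3, 4) else ETHERTYPE_ARP
    if eth_dst is None:                       # requests are broadcast, replies unicast
        eth_dst = BROADCAST if op in (1, 3) else tha
    if eth_src is None:                       # normally the same as the payload SHA
        eth_src = sha
    header = mac_to_bytes(eth_dst) + mac_to_bytes(eth_src) + struct.pack("!H", ethertype)
    # HTYPE, PTYPE, HLEN, PLEN, OPER, then SHA/SPA/THA/TPA, all big-endian
    payload = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    payload += mac_to_bytes(sha) + IPv4Address(spa).packed
    payload += mac_to_bytes(tha) + IPv4Address(tpa).packed
    return header + payload


def parse_arp_frame(frame: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP or RARP frame into its fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet header + ARP payload")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_ARP, ETHERTYPE_RARP):
        raise ValueError(f"not an ARP/RARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:42]
    pkt = {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "ethertype": ethertype,
        "op": op,
        "op_name": OP_NAMES.get(op, "unknown"),
        "sha": bytes_to_mac(body[0:6]),
        "spa": str(IPv4Address(body[6:10])),
        "tha": bytes_to_mac(body[10:16]),
        "tpa": str(IPv4Address(body[16:20])),
    }
    # The payload SHA and the Ethernet source MAC are set independently by the
    # sender; a mismatch is a simple sign of a crafted frame.
    pkt["sha_matches_eth_src"] = pkt["sha"] == pkt["eth_src"]
    return pkt


if __name__ == "__main__":
    # Constructed sample: the host at 10.10.1.20 asks who has 10.10.1.254.
    request = build_arp_frame(1, "00:11:22:33:44:20", "10.10.1.20",
                              "00:00:00:00:00:00", "10.10.1.254")
    print(request.hex())
    print(parse_arp_frame(request))
```

The operation code decides both the frame type (0806 or 8035) and whether the Ethernet destination defaults to the broadcast address (requests) or to the target's MAC (replies), which is why the packet sizes in the table are the same for all four message types.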
1.1.5 TCP Standard Ports/Services
The table below lists a few well-known services and the ports they use over TCP:
Table 1.2: TCP Ports and Services
Port | Service
-----+--------------------------------------------
20   | File Transfer [Default Data] (FTP data)
21   | File Transfer [Control] (FTP control)
23   | Telnet [Telecommunication network]
25   | Simple Mail Transfer (SMTP)
42   | Host Name Server
53   | Domain Name Server (DNS)
110  | Post Office Protocol – Version 3 (POP3)
111  | SUN Remote Procedure Call (sunrpc)
2.1.1 ARP Spoofing as the basis of MiM and DoS attacks
ARP spoofing is also called ARP poison routing (APR), ARP cache poisoning or ARP cache corrupting. It is a method of attacking an Ethernet local area network by updating the target's ARP cache with forged ARP request and reply packets. The aim is to replace the MAC address stored for a target IP with one the attacker controls. Updating an ARP cache with a fake entry is what is called "ARP poisoning".
What is a sniffer (or network analyzer)? It is software or hardware that logs the traffic on a network and captures the data packets, then decodes the packets and analyzes their content. Note that in this research the terms spoofing, poisoning and cache corrupting refer to the same thing.
Furthermore, since ARP is a trusted protocol within the network and was not designed to deal with malicious activity, attackers have found ways to illegitimately penetrate the network, causing harmful costs.
These harms or costs can be much worse when the attacker impersonates another user, performs Man-in-the-Middle attacks (MiM), or causes a Denial of Service (DoS) on a server or even the whole network.
P.S. Spoof means hoax or imitation. The word "spoof" was introduced in the 19th century by the British comedian Arthur Roberts (1852-1933), as the name of a game he invented that incorporated tricks and nonsense.
Why is it so difficult to detect sniffers?
• The attack is essentially passive: it is hidden and works in the background, so an ordinary user will not notice it. Sniffing is also hard to detect because this kind of attack does not generate unusual traffic on the network.
• Sniffers are, moreover, normally linked to active intrusion attacks. As for requirements and resources, sniffing only needs a standard machine connected to the network with a normal hardware configuration; there is no need for special or high-performance equipment.
• The threat is always seen as external, yet much research shows that most attacks come from internal sources. According to the global security surveys of 2009, another study shows that internal threats have increased dramatically, to more than 80% of security breaches, while external attacks accounted for about 15% with internal help and only 5% from pure outsiders.
2.1.2 How are ARP caches updated?
Let us recall how communication happens on an Ethernet LAN. As stated earlier, all communication at layer 2 is based on MAC addresses, so any PC that wants to talk to a target on the network has to address its frames to the target's MAC address.
If a source computer tries to communicate with another computer on a TCP/IP network it has to translate the target's IP address into the corresponding physical (MAC) address, and this is where ARP is used. The translation happens through the ARP request/reply broadcast process. When the ARP requester receives the reply, it caches the
2.1.3 ARP Cache Poisoning (Spoofing) Attack
It is the process of corrupting an ARP cache with fake IP/MAC entries. It is also used to perform other attacks, for instance:
§ Man-in-the-Middle (MiM) attack, also known as MITM
§ Denial of Service (DoS) attack (refer to section 3.2)
As discussed earlier, if an entry already exists in the ARP cache, it can be updated or corrupted using either an ARP reply or an ARP request.
But what if the entry does NOT exist in the ARP cache? The answer is that ARP request packets always succeed in poisoning an operating system's ARP cache, whether or not the entry exists. In other words, ARP requests allow attackers to corrupt the target's ARP cache in every case.
A recent study showed experimentally the impact of ARP request updates on different operating systems, revealing which OSs with dynamic entries in the ARP cache were vulnerable to the ARP cache poisoning attack.
Table 2.1 gives an evaluation of the impact of ARP request updates on different operating systems, e.g. Windows XP Professional, Windows 2000, Windows 2003 Server, Linux 2.x and Solaris 5.9:
Table 2.1: ARP request impact on various OS
(Rows: operating system; columns: whether the entry already exists in the ARP cache, and whether an ARP request or an ARP reply message is accepted.)
√ = ARP request or reply message is accepted by the system and allows the update or creation of the MAC/IP entry
X = ARP request or reply message is rejected by the system and does NOT allow update or creation of the MAC/IP entry
The results of the experiment indicated that:
1. If the entry does not exist in the ARP cache, all tested OSs, except Windows 2000, FreeBSD 4.11 and SunOS Solaris 5.9, will not allow the creation of a new entry by an ARP reply message.
2. If the entry does not exist in the ARP cache, all tested OSs allow the creation of a new entry by an ARP request message.
3. However, if the entry already exists in the ARP cache, all tested OSs allow its update by an ARP reply (even in the absence of a prior ARP request) or by an ARP request message.
Therefore, when only ARP reply messages are used, the ARP cache poisoning attack becomes difficult to carry out against most OSs. It remains entirely possible, however, using ARP request messages. In conclusion, most common OSs are still vulnerable to the ARP cache poisoning attack: malicious users first use ARP request messages to create fake IP/MAC entries in the ARP caches of their target hosts, then use fake ARP reply messages to keep those fake entries alive.
2.1.4 Example of ARP Cache Spoofing
As mentioned above, the ARP spoofing process corrupts the ARP cache of a host on the network with a fake IP/MAC pair in order to perform more serious attacks such as Man-in-the-Middle [MiM] or Denial-of-Service [DoS]. The following demonstration shows the situation before and after the ARP cache poisoning takes place, in (2.1) and (2.2).
Figure 2.1: ARP Cache Spoofing (before ARP corruption)
In (2.1) it is clear that the ARP cache tables of all hosts connected to the network through the switch are legitimate: every IP address is mapped to the valid, corresponding MAC address of that host. For instance, in the ARP cache table of host "A" the IP address of host "B" is mapped to the MAC address of host "B", and the same applies to host "C".
Likewise, in the ARP cache table of host "B" the IP address of host "A" is mapped to the MAC address of host "A", and the same applies to host "C".
– Let us see what changes occur after the cache poisoning:
Figure 2.2: ARP Cache Spoofing (after corruption)
In (2.2), host "C" is the malicious host in this scenario. It has corrupted the ARP cache tables of both hosts "A" and "B". The ARP cache table of host "A" is now illegitimate: the IP addresses are mapped to the wrong MAC addresses. For instance, in the ARP cache table of host "A" the IP address of host "B" is now mapped to the MAC address of host "C", and the same applies to host "B".
In this case, whenever host "A" wants to communicate with host "B", the TCP/IP traffic is guided through the malicious host "C" instead of going to "B".
Attackers generate such abnormal ARP request packets to corrupt the ARP caches of chosen hosts and then perform different attacks over the network (e.g. MiM or DoS).
2.1.5 Gratuitous ARP:
A gratuitous ARP is an ARP request (or reply) that a host sends for its own IP address, i.e. with its own IP as both sender and target address. It normally occurs when the host reboots or when it changes its Ethernet address or its IP address, and it is the mechanism behind the IP address duplication attack.
Gratuitous ARP performs the following tasks:
i. Finding IP address conflicts on the network by verifying whether another host has the same IP address, in which case a message such as the following is displayed:
« duplicate IP address sent from Ethernet address: a:b:c:d:e:f »
ii. If a host changes its MAC or IP address, sending a gratuitous ARP request forces the other hosts on the network to update their ARP caches with the new MAC/IP mapping.
P.S. Gratuitous ARP abuse mainly affects old operating systems, such as Windows XP SP1 or older.
2.1.6 MiM attack:
The man-in-the-middle attack (abbreviated MiM, or sometimes MITM) grows out of packet sniffing. A MiM does not listen to all packets travelling on the network as a sniffer does; instead it interposes itself between one or more hosts on the network and starts snooping between them. The hosts listened to by a MiM are commonly called victims. A victim can be an ordinary host (e.g. a PC or notebook), a gateway or even a router.
An attacker who spies between two or more victims establishes independent connections with the victims and relays messages between them as if they were directly connected; hence the name Man-in-the-Middle.
So far the MiM only listens to the traffic passing between two victims. Although this intrusion is already illegitimate and can reach sensitive information such as passwords, e-mail messages and encryption keys, it becomes far worse when the attacker goes further and injects false or forged packets into the traffic relayed between the deceived victims.
According to , the MiM attack is classified as an active attack, because the attacker manages the traffic between the source and the destination.
MiM is a very popular approach among attackers today and uses the ARP protocol to attack the ARP cache tables and thus control the targets. Poisoning the ARP tables of all hosts on the network, for example, instructs the hosts to route their traffic to the attacker's host instead of the gateway, where the attacker can interpose between any two or more victims.
One more thing needs to be mentioned: the attacker has to forward all intercepted packets to their original destination, so that the connection stays synchronized and does not time out.
In the illustration above, ARP spoofing occurs when a forged ARP reply is sent to the target: if the attacker has IP [10.10.1.10] and wants to sniff the traffic between the victim at [10.10.1.20] and the gateway at [10.10.1.254], it simply sends fake ARP replies that associate its own MAC address with the gateway IP [10.10.1.254]. The victim is then trapped and starts sending all packets intended for the gateway to the attacker's address, as shown above.
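The three findings of section 2.1.3 and the attacker sequence just described, as an added Python model that is not part of this dissertation. The IP addresses are the ones from the scenario above; the MAC addresses are made up. The model assumes that a host honours a request only when the request is addressed to its own IP (true for the attacker's request, which is aimed at the victim), and the create_on_reply flag stands in for the lenient behaviour the page reports for Windows 2000, FreeBSD 4.11 and Solaris 5.9; both are simplifications of the per-OS results in Table 2.1. It also shows why the attacker needs the follow-up replies: a legitimate reply from the real gateway restores the correct entry, so the fake one has to be re-asserted.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

# Constructed addresses following the scenario of section 2.1.6 (MACs are made up).
ATTACKER_IP, ATTACKER_MAC = "10.10.1.10", "00:0a:0a:0a:0a:10"
VICTIM_IP, VICTIM_MAC = "10.10.1.20", "00:0a:0a:0a:0a:20"
GATEWAY_IP, GATEWAY_MAC = "10.10.1.254", "00:0a:0a:0a:0a:fe"


@dataclass
class ArpCache:
    """Model of one host's dynamic ARP cache and its update policy."""
    my_ip: str
    create_on_reply: bool = False          # assumption: lenient OSs create on a bare reply
    table: Dict[str, str] = field(default_factory=dict)   # ip -> mac
    log: List[Tuple] = field(default_factory=list)

    def handle(self, op: int, sha: str, spa: str, tha: str, tpa: str) -> bool:
        """Apply the sender mapping (spa -> sha) according to the policy; return True if accepted."""
        exists = spa in self.table
        if op == OP_REQUEST:
            # Finding 2: a request for our own IP creates or refreshes the sender entry everywhere.
            accepted = tpa == self.my_ip
        elif op == OP_REPLY:
            # Finding 3: a reply updates an existing entry even without a prior request.
            # Finding 1: a reply creates a *new* entry only on the lenient systems.
            accepted = exists or self.create_on_reply
        else:
            accepted = False
        if accepted:
            self.table[spa] = sha
        self.log.append((op, spa, sha, "update" if exists else "create", accepted))
        return accepted

    def lookup(self, ip: str) -> Optional[str]:
        """The MAC this host would put in the Ethernet header when sending to ip."""
        return self.table.get(ip)


def run_poisoning(create_on_reply: bool) -> dict:
    """Attacker sequence against the victim: request to create, reply to maintain."""
    victim = ArpCache(VICTIM_IP, create_on_reply)
    out = {}
    # 1. Reply-only attempt against an empty cache: rejected on strict systems.
    out["reply_only_created"] = victim.handle(OP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    victim.table.clear()
    # 2. Request addressed to the victim that claims the gateway's IP: creates the entry on all tested OSs.
    out["request_created"] = victim.handle(OP_REQUEST, ATTACKER_MAC, GATEWAY_IP, ZERO_MAC, VICTIM_IP)
    out["next_hop_after_request"] = victim.lookup(GATEWAY_IP)
    # 3. The real gateway answers a genuine request from the victim and overwrites the fake entry.
    victim.handle(OP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    out["next_hop_after_legit_reply"] = victim.lookup(GATEWAY_IP)
    # 4. The attacker re-asserts with a reply; the entry exists, so every tested OS updates it.
    out["reply_maintained"] = victim.handle(OP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    out["next_hop_after_maintain"] = victim.lookup(GATEWAY_IP)
    out["log"] = list(victim.log)
    return out


if __name__ == "__main__":
    for lenient in (False, True):
        result = run_poisoning(create_on_reply=lenient)
        print("lenient" if lenient else "strict", {k: v for k, v in result.items() if k != "log"})
```

Once next_hop_after_maintain equals the attacker's MAC, every frame the victim addresses to the gateway IP is delivered to the attacker, which is the MiM position of section 2.1.6; the attacker must then forward those frames to the real gateway MAC or the victim's connections time out.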
2.1.7 Denial of Service [DoS]:
DoS attacks occur when a suspicious host on the network performs ARP cache poisoning so that packets destined for the original target are delivered to the suspicious host instead, breaking the connection between the host and the target under attack (if the poisoned entry points to a MAC address that does not exist on the segment, the traffic is simply lost). More details on Denial of Service [DoS] are given in section (3.2) of chapter 3.
2.2 Evaluation Of Common Intrusion Detection Systems And Intrusion Prevention Systems
2.2.1 ARP cache poisoning and MiM attacks:
The ARP cache spoofing attack and the Man-in-the-Middle attack are usually driven and controlled by humans. Many solutions have been proposed to address this type of security threat, based on different mechanisms or protocols at different OSI layers: the Application layer, the Network layer and the Data Link layer.
2.2.2 Detection of ARP cache poisoning attack:
Arpwatch and Snort are tools that can detect the ARP cache poisoning attack by inspecting the content of each packet. To do so, they monitor Ethernet activity and keep a database of Ethernet MAC/IP address pairs. If an analyzed packet carries a MAC/IP pair that does not appear in the database, the system administrator is alerted. Arpwatch and Snort are sensors that need access to a monitoring port on the switch (usually known as a SPAN or mirror port) or must be placed where they can see all the network traffic. It would therefore be more interesting and efficient to detect ARP anomalies without requiring any access privilege or special port on the switch, particularly since port mirroring can have a substantial performance impact. This makes ARP spoofing detection based on sniffing not quite viable on switched LANs.
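An added example of the database approach described above, run over a constructed trace of ARP messages; it is not the code of arpwatch or Snort. The monitor is pre-seeded with the legitimate mappings of the scenario in section 2.1.6 (made-up MACs), raises an alert when a sender IP appears with a MAC other than the one on record or when a MAC claims more than one IP, and adds two checks that go beyond the paragraph: it pairs replies with the requests it has seen so that unsolicited replies stand out, and it compares the sender hardware address in the ARP payload with the Ethernet source address of the frame.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

# Constructed addresses following section 2.1.6 (MACs are made up).
ATTACKER_IP, ATTACKER_MAC = "10.10.1.10", "00:0a:0a:0a:0a:10"
VICTIM_IP, VICTIM_MAC = "10.10.1.20", "00:0a:0a:0a:0a:20"
GATEWAY_IP, GATEWAY_MAC = "10.10.1.254", "00:0a:0a:0a:0a:fe"


class ArpMonitor:
    """Passive ARP anomaly detector keeping an IP -> MAC database, arpwatch style."""

    def __init__(self, known: Optional[Dict[str, str]] = None):
        self.db: Dict[str, str] = dict(known or {})            # ip -> mac
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        for ip, mac in self.db.items():
            self.mac_to_ips[mac].add(ip)
        self.pending: Set[Tuple[str, str]] = set()             # (requester ip, target ip)
        self.alerts: List[tuple] = []

    def observe(self, op: int, eth_src: str, sha: str, spa: str, tha: str, tpa: str) -> List[tuple]:
        """Feed one ARP message (frame source MAC plus payload fields); return alerts raised."""
        found: List[tuple] = []
        if sha != eth_src:
            # Payload SHA and frame source are set independently; a mismatch means a crafted frame.
            found.append(("header-mismatch", spa, eth_src, sha))
        if op == OP_REQUEST:
            self.pending.add((spa, tpa))
        elif op == OP_REPLY:
            if (tpa, spa) in self.pending:
                self.pending.discard((tpa, spa))
            else:
                found.append(("unsolicited-reply", spa, sha))
        if spa != "0.0.0.0":                                   # ARP probes carry no sender IP
            old = self.db.get(spa)
            if old is None:
                found.append(("new-station", spa, sha))
            elif old != sha:
                found.append(("changed-ethernet-address", spa, old, sha))
                self.mac_to_ips[old].discard(spa)
            others = self.mac_to_ips[sha] - {spa}
            if others:
                # One interface answering for several IPs is the MiM signature of section 2.1.6.
                found.append(("mac-claims-multiple-ips", sha, tuple(sorted(others | {spa}))))
            self.db[spa] = sha
            self.mac_to_ips[sha].add(spa)
        self.alerts.extend(found)
        return found


def run_sample() -> List[List[tuple]]:
    """Constructed trace: a genuine exchange followed by the attacker poisoning both sides."""
    mon = ArpMonitor(known={VICTIM_IP: VICTIM_MAC, GATEWAY_IP: GATEWAY_MAC, ATTACKER_IP: ATTACKER_MAC})
    trace = [
        # (op, eth_src, sha, spa, tha, tpa)
        (OP_REQUEST, VICTIM_MAC, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP),      # victim asks for gateway
        (OP_REPLY, GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # genuine answer
        (OP_REPLY, ATTACKER_MAC, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # attacker claims gateway IP
        (OP_REPLY, ATTACKER_MAC, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP), # attacker claims victim IP
    ]
    return [mon.observe(*pkt) for pkt in trace]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample()):
        print(i, alerts or "ok")
```

The pre-seeded database is what keeps the first two messages silent; on a real segment the "new-station" alerts that fire while the database is being learned are the noise an administrator has to tune out, which is one reason the paragraph calls sniffing-based detection only partly viable.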
2.2.3 Packets sniffing and MiM attacks:
On shared-medium LANs, such as hubbed and wireless networks, packet sniffing is easily achieved with minimal effort. A switched LAN presents a different problem, with only a few techniques available for sniffing. The first consists of connecting to an administrative (monitoring) port on the switch and configuring it to receive a copy of all traffic. The second is to flood the switch with a large number of frames carrying spoofed source MAC addresses (usually ARP packets) so that its address table overflows and the switch fails open, sending all packets to all ports; a recent study shows, however, that only old switch models are vulnerable to this attack. Another technique, based on the MiM attack, is to tell the target hosts on the LAN to use the attacker's MAC address in order to reach any other host. This technique relies on the generation of malicious ARP traffic: the attacker's host takes a copy of the received traffic and then forwards it to the correct host.
Today, security devices such as intrusion detection systems (IDS) and intrusion prevention systems (IPS) have become a standard component of the security solutions used to protect computing assets from hostile attacks. IDSs can detect many types of attack, such as denial of service (DoS) and IP spoofing attacks, but their ability and reliability in detecting certain attacks, notably the MiM attack, are still questionable. Prevention mechanisms such as S-ARP and O-ARP lack efficient implementations on real systems and have not been evaluated for performance.
2.2.4 Prevention mechanisms based on secure ARP protocols:
A number of cryptographic protocols have targeted ARP security. For example, S-ARP is a well-known secure ARP protocol that uses asymmetric cryptography: ARP replies are digitally signed, and at the receiving end an entry is updated if and only if the signature verifies correctly. S-ARP is considerably slow, as can be deduced from the results presented in . Furthermore, S-ARP cannot prevent cache poisoning attacks.
a. O-ARP technique:
O-ARP is a secure ARP technique similar to S-ARP in its message format and key management; however, it uses cryptography only when necessary and avoids it whenever possible. The authors in claim that O-ARP is much faster than S-ARP on average and can be used as a security measure against cache poisoning attacks. However, the authors did not implement O-ARP in any operating system, so no performance measurements are available.
In , the authors proposed another Secure Address Resolution Protocol. In this protocol a secure server shares a secret key with each host on the subnet. The server maintains a database of MAC/IP address mappings, updated periodically through communication with each host. All ARP requests and replies take place between a host and the server, and replies are authenticated using the shared keys. The main drawback of this technique is congestion at the server, which also constitutes a single point of failure in the network.
b. Ticket-based Address Resolution Protocol
Ticket-based Address Resolution Protocol (TARP) is another secure ARP protocol, built as an extension to ARP. TARP implements security by distributing centrally issued, signed MAC/IP address mapping attestations through existing ARP messages. These attestations, called tickets, are given to clients as they join the network and are subsequently carried in ordinary ARP messages. Unlike other popular ARP-based solutions, the cost per resolution is reduced to one public key validation per request/reply pair in the worst case. Networks implementing TARP are, however, vulnerable to two types of attack: active host impersonation, and DoS through ticket flooding. In addition, TARP does not support dynamic environments in which hosts' IP addresses change.
c. Cryptographic Technique
Another approach was presented in , where the authors proposed a cryptographic technique based on the combination of digital signatures and one-time passwords derived from hash chains.
d. ARPSec protocol
Moreover, in , the ARPSec protocol was proposed as an ARP security extension intended to fix the security weaknesses of ARP. ARPSec provides anti-replay protection and authentication using a secret key shared only by the source and destination of the packet, computed by an authenticated Diffie-Hellman exchange. Unfortunately, no real implementation or performance evaluation on actual network systems was carried out to quantify its efficiency.
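The shared-key schemes of the two paragraphs above (the server-based Secure ARP, where each host holds a key, and ARPSec, where source and destination share a key with anti-replay protection), as an added illustration in Python that is not the code of either protocol. It assumes a pre-shared key per sender IP distributed out of band (in the page's scheme, by the secure server or by the Diffie-Hellman exchange), uses HMAC-SHA256 rather than the signatures of S-ARP, and a per-sender sequence number for replay detection; the addresses are the constructed ones of section 2.1.6. Binding the key to the sender IP is what stops the attacker from claiming the gateway's IP: the receiver verifies the tag under the gateway's key, which the attacker does not hold.

```python
import hashlib
import hmac
from typing import Dict

# Constructed addresses following section 2.1.6 (MACs are made up).
VICTIM_IP, VICTIM_MAC = "10.10.1.20", "00:0a:0a:0a:0a:20"
GATEWAY_IP, GATEWAY_MAC = "10.10.1.254", "00:0a:0a:0a:0a:fe"
ATTACKER_IP, ATTACKER_MAC = "10.10.1.10", "00:0a:0a:0a:0a:10"


def canonical(msg: dict) -> bytes:
    """Bytes covered by the authentication tag: every ARP field plus the sequence number."""
    return "|".join(str(msg[k]) for k in ("op", "sha", "spa", "tha", "tpa", "seq")).encode()


class AuthArpSender:
    """A host answering ARP requests with HMAC-SHA256 authenticated, numbered replies."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0  # monotonically increasing, never reused (the anti-replay counter)

    def reply(self, sha: str, spa: str, tha: str, tpa: str) -> dict:
        self.seq += 1
        msg = {"op": 2, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa, "seq": self.seq}
        msg["tag"] = hmac.new(self.key, canonical(msg), hashlib.sha256).hexdigest()
        return msg


class AuthArpReceiver:
    """ARP cache that accepts a reply only if it authenticates under the sender IP's key and is fresh."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys                      # sender IP -> shared key, distributed out of band
        self.last_seq: Dict[str, int] = {}    # highest sequence number accepted per sender
        self.cache: Dict[str, str] = {}       # ip -> mac

    def accept(self, msg: dict) -> str:
        key = self.keys.get(msg["spa"])
        if key is None:
            return "rejected: no key for sender IP"
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):   # constant-time comparison
            return "rejected: bad tag"
        if msg["seq"] <= self.last_seq.get(msg["spa"], 0):
            return "rejected: replay"
        self.last_seq[msg["spa"]] = msg["seq"]
        self.cache[msg["spa"]] = msg["sha"]
        return "accepted"


def demo() -> dict:
    key = b"gateway-victim-shared-secret"    # constructed; provisioned by the key server in the page's scheme
    gateway = AuthArpSender(key)
    victim = AuthArpReceiver({GATEWAY_IP: key})
    out = {}
    genuine = gateway.reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    out["genuine"] = victim.accept(genuine)
    out["replayed"] = victim.accept(genuine)                       # captured and resent unchanged
    forged = dict(genuine, sha=ATTACKER_MAC, seq=genuine["seq"] + 1)   # MAC swapped, tag no longer matches
    out["forged"] = victim.accept(forged)
    attacker = AuthArpSender(b"attacker-key")                      # has a key, but not the gateway's
    out["wrong_key"] = victim.accept(attacker.reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    out["unknown_sender"] = victim.accept(attacker.reply(ATTACKER_MAC, ATTACKER_IP, VICTIM_MAC, VICTIM_IP))
    out["next_genuine"] = victim.accept(gateway.reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    out["cached_gateway_mac"] = victim.cache[GATEWAY_IP]
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The replay check is what ARPSec adds over plain authentication: without the sequence number, a captured genuine reply could be resent later to push a stale mapping, and the remaining weaknesses of this sketch (key provisioning and the per-sender counter state) are exactly the congestion and single-point-of-failure costs the page attributes to the server-based design.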
At the Network layer, the IPsec protocol can provide confidentiality, integrity and authentication for information communicated over IP. IPsec solves many security issues within the IP protocol, but it does not prevent malicious users from manipulating ARP packets at the Data Link layer or from redirecting a target's IP traffic to other destinations. IPsec guarantees the confidentiality and integrity of the redirected IP traffic, but it cannot prevent malicious users from mounting DoS attacks on target hosts.
2.2.5 Protection mechanisms at the Application layer:
Several security protection mechanisms have recently been proposed at the Application layer. Such mechanisms, however, may not be effective against attacks at the lower layers, mainly the Data Link layer. For example, in , the authors argued that most deployed user authentication mechanisms fail to protect against the MiM attack, even when they run on top of SSL/TLS or similar protocols; they then introduced the notion of SSL/TLS session-aware user authentication and elaborated on ways to implement it. Another example is the Interlock protocol, proposed in , which was later shown to be vulnerable when used for authentication. For enhanced security at the Application layer, in a technique called Delayed Password Disclosure (DPD) was shown to complement a password-based authentication and key exchange protocol in order to protect against a special form of the MiM attack, the doppelganger window attack. In , the authors proposed the notion of a Password Protection Module (PPM) that protects against the MiM attack in certain situations; PPMs are effective only if they take network-related information such as IP addresses and URLs into account, which makes them very difficult to deploy and manage. Additional mechanisms were proposed in to secure tunnelled authentication protocols against the MiM attack. In most cases, prevention mechanisms at the Application layer guarantee the confidentiality and integrity of the traffic exchanged but do not prevent malicious users from redirecting network traffic to their hosts.
2.2.6 External protection mechanisms:
Several attempts have been made to address the above security issues through methods external to the ARP protocol. For example, it has been proposed that hosts be statically configured with fixed ARP entries. This incurs a huge administrative overhead and is largely intractable in dynamic environments. Conversely, the port security features available in recent switches restrict the use of a physical port to configured MAC addresses. Port security, however, checks only the Ethernet source address of the frame: if the attacker keeps its own MAC address in the frame header and places the malicious mapping in the ARP payload, whose sender hardware address field is independent of the frame header, poisoning a victim's ARP cache is still possible. This approach therefore only prevents certain kinds of MAC hijacking and does nothing to prevent the MiM attack; it is only a partial and in many ways limited solution.