Abstract
Network security has become a concern with the rapid growth and expansion of the Internet. While there are several ways to provide security for communications at the application, transport, or network layers, data link layer security has not yet been adequately addressed. Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) are link layer protocols that are essential for network operation. They were designed without any security features. Therefore, they are vulnerable to a number of attacks such as rogue DHCP server, DHCP starvation, host impersonation, man-in-the-middle, and denial-of-service attacks. Vulnerabilities in ARP and DHCP threaten the operation of any network. The existing solutions to secure ARP and DHCP could not mitigate DHCP starvation and host impersonation attacks. This work introduces a new solution to secure ARP and DHCP for preventing and mitigating these LAN attacks. The proposed solution provides integrity and authenticity for ARP and DHCP messages. Security properties and performance of the proposed schemes are investigated and compared to other related schemes.
Cite this article
Younes, O.S. Securing ARP and DHCP for mitigating link layer attacks. Sādhanā 42, 2041–2053 (2017). https://doi.org/10.1007/s12046-017-0749-y
DOI: https://doi.org/10.1007/s12046-017-0749-y