Page 15 - 2023-Vol19-Issue2

11 |                                                             Nasser & Hussain

a host with the IP address '0.0.0.2'. Host (2) with IP address '0.0.0.2' transmits an ARP response message to host (1) to inform it of its MAC address information. After that, using the ARP cache table, hosts (1) and (2) perform a typical communication process, and Fig. 2 shows the communication flow after an ARP spoofing attack occurs. Fig. 1 shows an ARP request message to find the host's MAC address. At this time, the attacker deceives host (1) that the MAC address of host (2) is 'CC.CC' and host (2) that the MAC address of host (1) is 'CC.CC'. As a result, hosts (1) and (2) appear to communicate normally with each other, but in fact they communicate with the attacker, resulting in information leakage to the attacker.

Fig. 1. Pre-ARP Spoofing Communication

Fig. 2. ARP Spoofing communication

IV. PROPOSAL APPROACH

A. Defense Scenario and the algorithm

This algorithm protects all devices in the network from ARP cache poisoning. An attacker trying to perform an ARP cache-forcing attack will spoof the source IP address in the ARP packet with the victim's IP address and the source MAC address with the attacker's MAC address. If the victim receives an IP address via an ARP request or response, the IP address assigned to the victim's machine's MAC address will be in the ARP table. When the addresses in the ARP table do not match the addresses in the spoofed ARP packet, one model is called to detect the attack and another to prevent and respond. Algorithm 1 and Fig. 3 show the suggested approach.

Algorithm 1: proposal algorithm

Begin:
Input: ARP request packet
Output: ARP reply packet.
Before sending the ARP Reply frame, the destination host checks the MAC address and HDD No. of the source host in the blackList.
If (MacSource and HDDserial in blackList) then
    Display the alert message "this device is blocked" and drop the packet
Else
    If (the packet is an ARP packet) then
        If ARP reply (op=2) or ARP request (op=1) then
            Get the original MAC of the sender from ARPtable and the response MAC from the ARP Reply packet
            If (NOT match) then
                detection(responseip, originalmac)
                response(blackList, responsemac, HDDserial)
            Else
                ARP Reply/Request frame will be sent to the source host.
            End if
        End if
    End if
End if
(pause 1 second) ARP new entry
End:

B. Detection model

This model gets the IP-MAC and the target address. If the firewall has not previously blocked the attacker, then we may reassign its actual addresses to the target device (as well as the gateway), send an alert to the victim, put a stop to the attack, and return the network to its normal functioning state. This is done by blocking the attacker at the firewall and then transmitting the original information (the actual IP and MAC of the "host IP") to the "target IP". Algorithm 2 and Fig. 4 show how the detection model works.
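
An added example (not the authors' code) of Algorithm 1's blacklist check and IP-MAC mismatch check, run over constructed ARP frames for host (1), host (2) and an attacker. The full MAC addresses, the `hdd_serial_of` mapping and all function names are assumptions; the page does not say how the HDD serial of a sender is obtained.

```python
import struct

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(frame[22:28]), ".".join(map(str, frame[28:32]))

def handle(frame, arp_table, blacklist, hdd_serial_of):
    """Algorithm 1 as a function: returns 'drop', 'spoof' or 'forward'."""
    src = mac_str(frame[6:12])                  # Ethernet source MAC
    if (src, hdd_serial_of.get(src)) in blacklist:
        return "drop"                           # "this device is blocked"
    parsed = parse_arp(frame)
    if parsed is None or parsed[0] not in (1, 2):
        return "forward"                        # not an ARP request/reply
    _, response_mac, response_ip = parsed
    original_mac = arp_table.get(response_ip)
    if original_mac is not None and original_mac != response_mac:
        # detection step: the original binding is kept; response step: sender blacklisted
        blacklist.add((response_mac, hdd_serial_of.get(response_mac)))
        return "spoof"
    arp_table[response_ip] = response_mac       # new or unchanged entry
    return "forward"

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed 42-byte ARP frame for the demo."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(map(int, s.split(".")))
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return m(tha) + m(sha) + b"\x08\x06" + hdr + m(sha) + i(spa) + m(tha) + i(tpa)

def demo():
    """Host (1) receives a genuine reply for 0.0.0.2, then a forged one, twice."""
    h1, h2, atk = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
    table, blacklist = {"0.0.0.2": h2}, set()
    serials = {atk: "SERIAL-PLACEHOLDER"}       # assumption: serial known per MAC
    genuine = build_arp(2, h2, "0.0.0.2", h1, "0.0.0.1")
    forged = build_arp(2, atk, "0.0.0.2", h1, "0.0.0.1")
    verdicts = [handle(f, table, blacklist, serials) for f in (genuine, forged, forged)]
    return verdicts, table, blacklist

if __name__ == "__main__":
    print(demo())
```

The second forged frame is dropped at the blacklist check before the ARP table is consulted, which is the ordering Algorithm 1 prescribes.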

Algorithm 2: detection algorithm

Begin:
Input: response ip, originalmac.