Page 15 - 2023-Vol19-Issue2
P. 15
11 | Nasser & Hussain
a host with the IP address ’0.0.0.2’. Host(2) with IP address cache-forcing attack will spoof the source IP address in the
’0.0.0.2’ transmits an ARP response message to the host (1) ARP packet with the victim’s IP address and the source MAC
to inform it of its MAC address information. After that, using address with the attacker’s MAC address. If the victim re-
the ARP cache table, hosts (1) and (2) perform a typical ceives an IP address via an ARP request or response, the IP
communication process, and Fig.2 shows the communication address assigned to the victim’s machine’s MAC address will
flow after an ARP spoofing attack occurs.Fig.1 shows an ARP be in the ARP table. When the addresses in the ARP table
request message to find the Host’s MAC address. At this time, do not match the addresses in the spoofed ARP packet, one
the attacker deceives host (1) that the MAC address of host (2) model is called to detect the attack and another to prevent and
is ’CC.CC’ and host (2) that the MAC address of the host (1) is respond. Algorithm1and Fig.3 show the suggested approach.
’CC.CC’. As a result, hosts (1) and (2) appear to communicate
generally with each other, but in fact, they communicate with Algorithm 1: proposal algorithm
the attacker, resulting in information leakage to the attacker.
Begin:
Fig. 1. Pre-ARP Spoofing Communication Input: ARP request packet
Output: ARP reply packet.
1: Before sending ARP Reply Frame, the dest. host will
2: check the MAC address and HDD No.of the source
host in blackList.
3: If: (MacSource and HDDserial in a blacklist), then
4: Display the alert message ”this device is blocked” and
drop a packet
5: Else:
6: If: ( the packet is an ARP packet ), then
If: ARP reply (op=2) or ARP request (op=1), then
7: get the original mac of the sender from ARPtable and
response mac from the ARP Reply packet
8: If: (NOT match), then
9: detection(responseip,originalmac)
response(blackList,responsemac, HDDserial)
10: Else:
11: ARP Reply/Request Frame will be sent to the source
host.
12: End if
13: End if
14: End if
15: End if
16: (pause 1 second)ARP new entry
End:
Fig. 2. ARP Spoofing communication B. Detection model
This model gets the IP-MAC, the target address: If the
IV. PROPOSAL APPROACH
firewall has not blocked the attacker’s previously, then we
A. Defense Scenario and the algorithm may reassign its actual addresses to the target device (as well
This algorithm protects all devices in the network from as the gateway), send an alert to the victim, put a stop to
the assault, and return the network to its normal functioning
ARP cache poisoning. An attacker trying to perform an ARP state. This is done by blocking the attacker from the firewall
and then transmitting the original information (the actual IP
and MAC of the ”host IP”) to the ”target IP.” the detection
Algorithm 2 And Fig.4 Show how the model works.
Algorithm 2: detection algorithm
Begin:
Input: response ip, originalmac.
