ABSTRACT
The field of academic security education today is dominated by defensive techniques. Recently, however, offensive techniques, which were originally developed by hackers, have been gaining widespread approval. Many information security educators believe that teaching offensive methods yields better security professionals than teaching defensive techniques alone. In addition, every course in IT security should be accompanied by a basic discussion of legal implications and ethics.
In this paper, we describe a case study of the implementation of comprehensive hands-on lab exercises that are essential to security education. The lab exercises cover how to perform Denial of Service (DoS) and Man-in-the-Middle (MiM) attacks using ARP (Address Resolution Protocol) cache poisoning. The available defense techniques for detecting and preventing malicious ARP cache poisoning activities are also presented. As a consequence of offering offensive lab exercises, the students' overall performance improved, but a major ethical concern has been identified: the number of malicious ARP packets injected into the university network from the students' laptops increases considerably each time the students experiment with the attacks in an isolated network laboratory environment.
Index Terms
- Hands-on lab exercises implementation of DoS and MiM attacks using ARP cache poisoning