SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY

US 20090265785A1
Filed: 06/04/2009
Published: 10/22/2009
Est. Priority Date: 05/21/2003
Status: Active Grant

First Claim

Patent Images

1-8. -8. (canceled)

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.

68 Citations

View as Search Results

33 Claims

1-8. -8. (canceled)

9. In an ARP collector a method for detecting ARP spoofing, the method comprising:
- receiving ATP packets from a first subnet of a computer network;
  
  receiving ATP packets from a second subnet of the computer network;
  
  storing information from the ATP packets from the first subnet in a database of the ARP collector;
  
  storing information from the ATP packets from the second subnet in the database of the ARP collector; and
  
  analyzing received ATP packets and information in ARP collector database to determine when a spoofed ARP reply has been received on a port of the computer network.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprising:
    - blocking a port of the computer network which received a spoofed ARP reply.
  - 11. The method of claim 9, further comprising:
    - identifying a MAC address as a source for a spoofed ARP reply; and
      
      filtering the identified MAC address at a port of the computer network which received the spoofed ARP reply.
  - 12. The method of claim 9, wherein the ATP packets from the first subnet, and the ATP packets from the second subnet include ARP reply information received on ports of network devices in the respective subnets.
  - 13. The method of claim 9, wherein the ATP packets from the first subnet, and the ATP packets from the second subnet include ARP reply information received on ports of network devices in the respective subnets, and information in the ATP packets includes information identifying a port on which a particular ARP reply was received.
  - 14. The method of claim 9, wherein the storing information from the ATP packets from the first subnet, and the storing information from the ATP packets from the second subnet, includes:
    - storing ARP reply information indicating a MAC address which is identified as a source of an ARP reply,storing ARP reply information indicating an IP address which is identified as a source of an ARP reply; and
      
      storing information indicating a port on which an ARP reply was received.

15-19. -19. (canceled)

20. A method comprising:
- receiving, at a network device, a first data packet from a first subnet of a computer network;
  
  receiving, at the network device, a second data packet from a second subnet of the computer network;
  
  comparing, by the network device, information included the first and second data packets with information stored in a database accessible to the network device to determine whether ARP spoofing has occurred.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20 wherein the first data packet includes a first MAC address and first IP address identifying a source of a first ARP reply, and wherein the second data packet includes a second MAC address and second IP address identifying a source of a second ARP reply.
  - 22. The method of claim 21 wherein the first data packet further includes a port of a network device on the first subnet on which the first ARP reply was received, and wherein the second data packet further includes a port of a network device on the second subnet on which the second ARP reply was received.
  - 23. The method of claim 22 wherein if it is determined that ARP spoofing has occurred, causing the port of the network device on the first subnet or the port of the network device on the second subnet to be blocked.
  - 24. The method of claim 21 wherein comparing information included the first and second data packets with information stored in the database comprises comparing the first MAC address and first IP address with MAC address and IP address pairs stored in the database, and comparing the second MAC address and second IP address with MAC address and IP address pairs stored in the database.
  - 25. The method of claim 20 further comprising storing the information included the first and second data packets in the database.
  - 26. The method of claim 20 wherein the first and second data packets are ARP Tunnel Protocol (ATP) packets.

27. A system comprising:
- a database;
  
  one or more ports; and
  
  a processing component configured to;
  
  receive a first data packet from a first subnet of a computer network;
  
  receive a second data packet from a second subnet of the computer network; and
  
  compare information included the first and second data packets with information stored in the database to determine whether ARP spoofing has occurred.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The system of claim 27 wherein the first data packet includes a first MAC address and first IP address identifying a source of a first ARP reply, and wherein the second data packet includes a second MAC address and second IP address identifying a source of a second ARP reply.
  - 29. The system of claim 28 wherein the first data packet further includes a port of a network device on the first subnet on which the first ARP reply was received, and wherein the second data packet further includes a port of a network device on the second subnet on which the second ARP reply was received.
  - 30. The system of claim 29 wherein if it is determined that ARP spoofing has occurred, the processing component causes the port of the network device on the first subnet or the port of the network device on the second subnet to be blocked.
  - 31. The system of claim 28 wherein comparing information included the first and second data packets with information stored in the database comprises comparing the first MAC address and first IP address with MAC address and IP address pairs stored in the database, and comparing the second MAC address and second IP address with MAC address and IP address pairs stored in the database.
  - 32. The system of claim 27 wherein the processing component is further configured to store the information included the first and second data packets in the database.
  - 33. The system of claim 27 wherein the first and second data packets are ARP Tunnel Protocol (ATP) packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks Incorporated (Broadcom, Inc.)
Inventors
Kwan, Philip

Granted Patent

US 8,245,300 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links