SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY

US 20090307773A1
Filed: 06/04/2009
Published: 12/10/2009
Est. Priority Date: 05/21/2003
Status: Active Grant

First Claim

Patent Images

1-19. -19. (canceled)

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.

121 Citations

View as Search Results

37 Claims

1-19. -19. (canceled)

20. A network device comprising:
- a plurality of ports for transmitting and receiving packets,wherein the network device is configured to;
  
  determine whether Address Resolution Protocol (ARP) spoof protection is activated for a port in the plurality of ports that an ARP reply packet is received on;
  
  if ARP spoof protection is activated for the port, determining whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and
  
  if an ARP collector is defined, transmitting data included in the ARP reply packet to the ARP collector.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. The network device of claim 20 wherein transmitting data included in the ARP reply packet to the ARP collector comprises:
    - generating a data packet based on the data included in the ARP reply packet;
      
      encrypting the data packet; and
      
      transmitting the data packet to the ARP collector.
  - 22. The network device of claim 21 wherein transmitting data included in the ARP reply packet to the ARP collector further comprises formatting the data packet using a protocol specific to the ARP collector.
  - 23. The network device of claim 22 wherein the protocol is ARP Tunnel Protocol (ATP).
  - 24. The network device of claim 20 wherein ARP spoof protection is activated for a first port in the plurality of ports and is deactivated for a second port in the plurality of ports.
  - 25. The network device of claim 20 wherein the ARP reply packet is received from a network host device.

26. A method comprising:
- determining, by a network device, whether Address Resolution Protocol (ARP) spoof protection is activated for a port of the network device that an ARP reply packet is received on;
  
  if ARP spoof protection is activated for the port, determining, by the network device, whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and
  
  if an ARP collector is defined, transmitting, by the network device, data included in the ARP reply packet to the ARP collector.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. The method of claim 26 wherein transmitting data included in the ARP reply packet to the ARP collector comprises:
    - generating a data packet based on the data included in the ARP reply packet, the data packet being formatted using a protocol unique to the ARP collector; and
      
      transmitting the data packet to the ARP collector.
  - 28. The method of claim 27 wherein transmitting data included in the ARP reply packet to the ARP collector further comprises encrypting the data packet.
  - 29. The method of claim 28 wherein the protocol is ARP Tunnel Protocol (ATP).
  - 30. The method of claim 26 wherein ARP spoof protection is activated for a first port in the plurality of ports and is deactivated for a second port in the plurality of ports.
  - 31. The method of claim 26 wherein the ARP reply packet is received from a network host device.

32. A system comprising:
- a database for storing Address Resolution Protocol (ARP) reply information;
  
  an interface for receiving packets; and
  
  a processing component configured to;
  
  determine whether a received packet is authentic;
  
  if the received packet is determined to be not authentic, drop the received packet; and
  
  if the received packet is determined to be authentic, determine, based on ARP reply information included in the received packet and ARP reply information stored in the database, whether ARP spoofing has occurred.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. The system of claim 32 wherein determining whether the received packet is authentic comprises determining whether the received packet is formatted according to a protocol unique to the system.
  - 34. The system of claim 33 wherein the protocol is ARP Tunnel Protocol (ATP).
  - 35. The system of claim 32 wherein determining whether ARP spoofing has occurred comprises comparing the ARP reply information included in the received packet with at least two ARP reply entries stored in the database.
  - 36. The system of claim 35 wherein the comparing takes into account a time associated with the received packet and times associated with the at least two ARP reply entries stored in the database.
  - 37. The system of claim 35 wherein the ARP reply information included in the received packet comprises a MAC address that is identical to MAC addresses included in the at least two ARP reply entries.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks Incorporated (Broadcom, Inc.)
Inventors
Kwan, Philip

Granted Patent

US 8,006,304 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

121 Citations

37 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR ARP ANTI-SPOOFING SECURITY

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

37 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links