System and method for ARP anti-spoofing security

US 8,006,304 B2
Filed: 06/04/2009
Issued: 08/23/2011
Est. Priority Date: 05/21/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A network device comprising:

a plurality of ports for transmitting and receiving packets,wherein the network device is configured to;

determine whether Address Resolution Protocol (ARP) spoof protection is activated for a port in the plurality of ports that an ARP reply packet is received on;

if ARP spoof protection is activated for the port, determining whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and

if an ARP collector is defined, transmitting data included in the ARP reply packet to the ARP collector.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.

Citations

22 Claims

1. A network device comprising:
- a plurality of ports for transmitting and receiving packets,wherein the network device is configured to;
  
  determine whether Address Resolution Protocol (ARP) spoof protection is activated for a port in the plurality of ports that an ARP reply packet is received on;
  
  if ARP spoof protection is activated for the port, determining whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and
  
  if an ARP collector is defined, transmitting data included in the ARP reply packet to the ARP collector.
- View Dependent Claims (2, 3, 4, 5, 6, 13, 14, 15, 16, 17)
- - 2. The network device of claim 1 wherein transmitting data included in the ARP reply packet to the ARP collector comprises:
    - generating a data packet based on the data included in the ARP reply packet;
      
      encrypting the data packet; and
      
      transmitting the data packet to the ARP collector.
  - 3. The network device of claim 2 wherein transmitting data included in the ARP reply packet to the ARP collector further comprises formatting the data packet using a protocol specific to the ARP collector.
  - 4. The network device of claim 3 wherein the protocol is ARP Tunnel Protocol (ATP).
  - 5. The network device of claim 1 wherein ARP spoof protection is activated for a first port in the plurality of ports and is deactivated for a second port in the plurality of ports.
  - 6. The network device of claim 1 wherein the ARP reply packet is received from a network host device.
  - 13. The network device of claim 1 wherein the network device is a Layer 2 or Layer 2/Layer 3 device.
  - 14. The network device of claim 1 wherein the network device is further configured to:
    - if ARP spoof protection is activated for the port, determine whether one or more additional ARP collectors are defined; and
      
      if one or more additional ARP collectors are defined, transmit data included in the ARP reply packet to the one or more additional ARP collectors.
  - 15. The network device of claim 1 wherein the network device is further configured to transmit to the ARP collector, in addition to the data included in the ARP reply packet, an indication of the port on which the ARP reply packet was received.
  - 16. The network device of claim 1 wherein the network device is further configured to:
    - retrieve MAC information included in the ARP reply packet; and
      
      determine a port in the plurality of ports that the ARP reply packet should be transmitted through.
  - 17. The network device of claim 1 wherein the network device is further configured to receive a command from the ARP collector instructing the network device to disable the port on which the ARP reply packet was received for a predefined amount of time.

7. A method comprising:
- determining, by a network device, whether Address Resolution Protocol (ARP) spoof protection is activated for a port of the network device that an ARP reply packet is received on;
  
  if ARP spoof protection is activated for the port, determining, by the network device, whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and
  
  if an ARP collector is defined, transmitting, by the network device, data included in the ARP reply packet to the ARP collector.
- View Dependent Claims (8, 9, 10, 11, 12, 18, 19, 20, 21)
- - 8. The method of claim 7 wherein transmitting data included in the ARP reply packet to the ARP collector comprises:
    - generating a data packet based on the data included in the ARP reply packet, the data packet being formatted using a protocol unique to the ARP collector; and
      
      transmitting the data packet to the ARP collector.
  - 9. The method of claim 8 wherein transmitting data included in the ARP reply packet to the ARP collector further comprises encrypting the data packet.
  - 10. The method of claim 9 wherein the protocol is ARP Tunnel Protocol (ATP).
  - 11. The method of claim 7 wherein ARP spoof protection is activated for a first port in the plurality of ports and is deactivated for a second port in the plurality of ports.
  - 12. The method of claim 7 wherein the ARP reply packet is received from a network host device.
  - 18. The method of claim 7 further comprising:
    - if ARP spoof protection is activated for the port, determining whether one or more additional ARP collectors are defined; and
      
      if one or more additional ARP collectors are defined, transmitting data included in the ARP reply packet to the one or more additional ARP collectors.
  - 19. The method of claim 7 further comprising transmitting to the ARP collector, in addition to the data included in the ARP reply packet, an indication of the port on which the ARP reply packet was received.
  - 20. The method of claim 7 further comprising:
    - retrieving MAC information included in the ARP reply packet; and
      
      determining a port in the plurality of ports that the ARP reply packet should be transmitted through.
  - 21. The method of claim 7 further comprising receiving a command from the ARP collector instructing the network device to disable the port on which the ARP reply packet was received for a predefined amount of time.

22. A network device comprising:
- a plurality of ports for transmitting and receiving packets;
  
  means for determining whether Address Resolution Protocol (ARP) spoof protection is activated for a port in the plurality of ports that an ARP reply packet is received on;
  
  if ARP spoof protection is activated for the port, means for determining whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and
  
  if an ARP collector is defined, means for transmitting data included in the ARP reply packet to the ARP collector.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks LLC (Broadcom, Inc.)
Inventors
Kwan, Philip
Primary Examiner(s)
Dada; Beemnet W

Application Number

US12/478,216
Publication Number

US 20090307773A1
Time in Patent Office

810 Days
Field of Search

726 23- 26, 713/151, 713/154, 713/164, 713/188, 709/223, 709/238
US Class Current

726/23
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

System and method for ARP anti-spoofing security

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for ARP anti-spoofing security

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links