System and method for ARP anti-spoofing security
Abstract
A system and method that provides for copying ARP replies and generating data packets which include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector, which stores the ARP reply and port information. The ARP collector then uses this stored information, analyzing future data packets relative to it to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
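As an added illustration in Python (not code from the patent) of the mechanism the abstract and claim 1 describe: the device forwards reply data only for a port with spoof protection enabled and a defined collector, and the collector stores each sender IP's first-seen MAC and ingress port and flags later replies that disagree. The field names, the per-port protection set and the sample replies are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed record of what the device forwards to the collector: the reply's
# sender binding plus the ingress port (field names are assumed, not the patent's).
@dataclass(frozen=True)
class ArpReply:
    port: int
    sender_ip: str
    sender_mac: str

class ArpCollector:
    """Stores first-seen IP -> (MAC, port) bindings; flags replies that conflict."""
    def __init__(self):
        self.bindings = {}   # sender_ip -> (sender_mac, port)
        self.alerts = []     # one dict per detected conflict

    def analyze(self, reply: ArpReply) -> Optional[dict]:
        known = self.bindings.get(reply.sender_ip)
        if known is None:                 # first reply for this IP: learn it
            self.bindings[reply.sender_ip] = (reply.sender_mac, reply.port)
            return None
        mac, port = known
        if mac == reply.sender_mac and port == reply.port:
            return None                   # consistent with the stored binding
        alert = {"ip": reply.sender_ip, "expected": (mac, port),
                 "seen": (reply.sender_mac, reply.port)}
        self.alerts.append(alert)         # security action here: just record it
        return alert

def handle_arp_reply(reply: ArpReply, protected_ports: set,
                     collector: Optional[ArpCollector]) -> bool:
    """Device side of claim 1: forward only if the ingress port has spoof
    protection on and a collector is defined. Returns True when forwarded."""
    if reply.port not in protected_ports or collector is None:
        return False
    collector.analyze(reply)
    return True

def run_demo() -> ArpCollector:
    collector, protected = ArpCollector(), {1, 2, 5}
    replies = [   # constructed traffic
        ArpReply(1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
        ArpReply(1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),   # repeat, consistent
        ArpReply(5, "10.0.0.1", "bb:bb:bb:bb:bb:99"),   # same IP, new MAC/port
        ArpReply(7, "10.0.0.3", "cc:cc:cc:cc:cc:03"),   # unprotected port: dropped
    ]
    for r in replies:
        handle_arp_reply(r, protected, collector)
    return collector
```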
22 Claims
1. A network device comprising:
a plurality of ports for transmitting and receiving packets, wherein the network device is configured to: determine whether Address Resolution Protocol (ARP) spoof protection is activated for a port in the plurality of ports that an ARP reply packet is received on; if ARP spoof protection is activated for the port, determine whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and if an ARP collector is defined, transmit data included in the ARP reply packet to the ARP collector. (Dependent claims: 2, 3, 4, 5, 6, 13, 14, 15, 16, 17)
7. A method comprising:
determining, by a network device, whether Address Resolution Protocol (ARP) spoof protection is activated for a port of the network device that an ARP reply packet is received on; if ARP spoof protection is activated for the port, determining, by the network device, whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and if an ARP collector is defined, transmitting, by the network device, data included in the ARP reply packet to the ARP collector. (Dependent claims: 8, 9, 10, 11, 12, 18, 19, 20, 21)
22. A network device comprising:
a plurality of ports for transmitting and receiving packets; means for determining whether Address Resolution Protocol (ARP) spoof protection is activated for a port in the plurality of ports that an ARP reply packet is received on; if ARP spoof protection is activated for the port, means for determining whether an ARP collector is defined, the ARP collector representing an entity configured to analyze ARP reply information to determine whether ARP spoofing has occurred; and if an ARP collector is defined, means for transmitting data included in the ARP reply packet to the ARP collector.