System and method for ARP anti-spoofing security
First Claim
1. A method comprising:
storing, by a device in a database, information from ARP Tunnel Protocol (ATP) packets received from a first subnet of a computer network;
storing, by the device in the database, information from ATP packets received from a second subnet of the computer network;
determining, by the device, whether a spoofed ARP reply has been received on a port of the first subnet or a port of the second subnet based on an analysis of the received ATP packets and the information stored in the database;
wherein the ATP packets from the first subnet and the ATP packets from the second subnet include ARP reply information received on ports of network devices in the respective subnets, and wherein information in the ATP packets includes information identifying a port on which a particular ARP reply was received.
Abstract
A system and method that provide for copying ARP replies and generating data packets that include the ARP reply along with other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector, which stores the ARP reply and port information. The ARP collector then analyzes future data packets relative to this stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
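The collector behaviour described in the abstract, sketched as an added example that is not taken from the patent or from any product. The record fields, the per-subnet database key and the comparison rule (first-seen binding is the baseline) are assumptions, since the page gives neither the ATP wire format nor the analysis itself.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AtpRecord:
    # Assumed fields; the page does not give the ATP wire format.
    subnet: str      # subnet of the reporting network device
    device: str      # network device that copied the ARP reply
    port: str        # port on which the ARP reply was received
    sender_ip: str   # sender IP address from the ARP reply
    sender_mac: str  # sender MAC address from the ARP reply

class ArpCollector:
    def __init__(self):
        # (subnet, IP) -> first record seen. Keying by subnet keeps identical
        # addresses on two subnets from being compared with each other.
        self.db = {}

    def ingest(self, rec):
        """Store a new binding, or return an alert if rec conflicts with it."""
        known = self.db.setdefault((rec.subnet, rec.sender_ip), rec)
        if rec.sender_mac.lower() != known.sender_mac.lower():
            return ("MAC_CHANGE", rec.subnet, rec.sender_ip, rec.device, rec.port)
        # Same MAC on another port may be a legitimate move; flag it for review.
        if (rec.device, rec.port) != (known.device, known.port):
            return ("PORT_CHANGE", rec.subnet, rec.sender_ip, rec.device, rec.port)
        return None

# Constructed sample input (documentation addresses, made-up MACs and ports).
SAMPLE = [
    AtpRecord("subnet-A", "sw1", "1/3", "192.0.2.1", "00:00:5E:00:53:01"),
    AtpRecord("subnet-B", "sw2", "2/7", "192.0.2.1", "00:00:5E:00:53:02"),
    AtpRecord("subnet-A", "sw1", "1/3", "192.0.2.1", "00:00:5e:00:53:01"),
    AtpRecord("subnet-A", "sw1", "1/9", "192.0.2.1", "00:00:5E:00:53:66"),
    AtpRecord("subnet-B", "sw2", "2/8", "192.0.2.1", "00:00:5E:00:53:02"),
]

def run_sample():
    """Feed the constructed records to a fresh collector and collect alerts."""
    collector = ArpCollector()
    return [a for a in map(collector.ingest, SAMPLE) if a is not None]

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The alert tuple carries the reporting device and port, which is what lets an operator act on the specific ingress port rather than only on the address pair.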
15 Claims
6. A method comprising:
receiving, at a network device, a first data packet from a first subnet of a computer network;
receiving, at the network device, a second data packet from a second subnet of the computer network;
determining, by the network device, whether ARP spoofing has occurred on the first subnet or the second subnet by comparing information included in the first and second data packets with information stored in a database accessible to the network device;
wherein the first data packet further includes a port of a network device on the first subnet on which the first ARP reply was received, wherein the second data packet further includes a port of a network device on the second subnet on which the second ARP reply was received; and
wherein the first and second data packets are ARP Tunnel Protocol (ATP) packets.
11. A system comprising:
one or more ports; and
a processing component configured to:
receive a first data packet from a first subnet of a computer network;
receive a second data packet from a second subnet of the computer network;
determine whether ARP spoofing has occurred on the first subnet or the second subnet by comparing information included in the first and second data packets with information stored in a database;
wherein the first data packet further includes a port of a network device on the first subnet on which the first ARP reply was received, wherein the second data packet further includes a port of a network device on the second subnet on which the second ARP reply was received; and
wherein the first and second data packets are ARP Tunnel Protocol (ATP) packets.
Specification