System and method for ARP anti-spoofing security

US 8,245,300 B2
Filed: 06/04/2009
Issued: 08/14/2012
Est. Priority Date: 05/21/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

storing, by a device in a database, information from ARP Tunnel Protocol (ATP) packets received from a first subnet of a computer network;

storing, by the device in the database, information from ATP packets received from a second subnet of the computer network;

determining, by the device, whether a spoofed ARP reply has been received on a port of the first subnet or a port of the second subnet based on an analysis of the received ATP packets and the information stored in the database;

wherein the ATP packets from the first subnet and the ATP packets from the second subnet include ARP reply information received on ports of network devices in the respective subnets, and wherein information in the ATP packets include information identifying a port on which a particular ARP reply was received.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.

Citations

15 Claims

1. A method comprising:
- storing, by a device in a database, information from ARP Tunnel Protocol (ATP) packets received from a first subnet of a computer network;
  
  storing, by the device in the database, information from ATP packets received from a second subnet of the computer network;
  
  determining, by the device, whether a spoofed ARP reply has been received on a port of the first subnet or a port of the second subnet based on an analysis of the received ATP packets and the information stored in the database;
  
  wherein the ATP packets from the first subnet and the ATP packets from the second subnet include ARP reply information received on ports of network devices in the respective subnets, and wherein information in the ATP packets include information identifying a port on which a particular ARP reply was received.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - blocking a port of the first subnet or a port of the second subnet which received a spoofed ARP reply.
  - 3. The method of claim 1, further comprising:
    - identifying a MAC address as a source for a spoofed ARP reply; and
      
      filtering the identified MAC address at a port of the first subnet or a port of the second subnet which received the spoofed ARP reply.
  - 4. The method of claim 1, wherein the ATP packets from the first subnet and the ATP packets from the second subnet include ARP reply information received on ports of network devices in the respective subnets.
  - 5. The method of claim 1, wherein storing the information from the ATP packets from the first subnet and storing the information from the ATP packets from the second subnet-comprises:
    - storing ARP reply information indicating a MAC address which is identified as a source of an ARP reply,storing ARP reply information indicating an IP address which is identified as a source of an ARP reply; and
      
      storing information indicating a port on which an ARP reply was received.

6. A method comprising:
- receiving, at a network device, a first data packet from a first subnet of a computer network;
  
  receiving, at the network device, a second data packet from a second subnet of the computer network;
  
  determining, by the network device, whether ARP spoofing has occurred on the first subnet or the second subnet by comparing information included the first and second data packets with information stored in a database accessible to the network device;
  
  wherein the first data packet further includes a port of a network device on the first subnet on which the first ARP reply was received, wherein the second data packet further includes a port of a network device on the second subnet on which the second ARP reply was received; and
  
  wherein the first and second data packets are ARP Tunnel Protocol (ATP) packets.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The method of claim 6 wherein the first data packet includes a first MAC address and first IP address identifying a source of a first ARP reply, and wherein the second data packet includes a second MAC address and second IP address identifying a source of a second ARP reply.
  - 8. The method of claim 7 wherein if it is determined that ARP spoofing has occurred, causing the port of the network device on the first subnet or the port of the network device on the second subnet to be blocked.
  - 9. The method of claim 7 wherein comparing information included the first and second data packets with information stored in the database comprises comparing the first MAC address and first IP address with MAC address and IP address pairs stored in the database, and comparing the second MAC address and second IP address with MAC address and IP address pairs stored in the database.
  - 10. The method of claim 6 further comprising storing the information included the first and second data packets in the database.

11. A system comprising:
- one or more ports; and
  
  a processing component configured to;
  
  receive a first data packet from a first subnet of a computer network;
  
  receive a second data packet from a second subnet of the computer network;
  
  determine whether ARP spoofing has occurred on the first subnet or the second subnet by comparing information included the first and second data packets with information stored in a database;
  
  wherein the first data packet further includes a port of a network device on the first subnet on which the first ARP reply was received, wherein the second data packet further includes a port of a network device on the second subnet on which the second ARP reply was received; and
  
  wherein the first and second data packets are ARP Tunnel Protocol (ATP) packets.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The system of claim 11 wherein the first data packet includes a first MAC address and first IP address identifying a source of a first ARP reply, and wherein the second data packet includes a second MAC address and second IP address identifying a source of a second ARP reply.
  - 13. The system of claim 11 wherein if it is determined that ARP spoofing has occurred, the processing component causes the port of the network device on the first subnet or the port of the network device on the second subnet to be blocked.
  - 14. The system of claim 12 wherein comparing information included the first and second data packets with information stored in the database comprises comparing the first MAC address and first IP address with MAC address and IP address pairs stored in the database, and comparing the second MAC address and second IP address with MAC address and IP address pairs stored in the database.
  - 15. The system of claim 11 wherein the processing component is further configured to store the information included the first and second data packets in the database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks LLC (Broadcom, Inc.)
Inventors
Kwan, Philip
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US12/478,229
Publication Number

US 20090265785A1
Time in Patent Office

1,167 Days
Field of Search

726 22- 25, 713/151, 713/154, 713/164, 713/188, 709/223, 709/238
US Class Current

726/23
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

System and method for ARP anti-spoofing security

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for ARP anti-spoofing security

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links