System and method for ARP anti-spoofing security

US 8,918,875 B2
Filed: 07/18/2011
Issued: 12/23/2014
Est. Priority Date: 05/21/2003
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a database configured to store Address Resolution Protocol (ARP) reply information;

an interface configured to receive packets;

a processor; and

a non-transitory computer readable medium having stored thereon program code that, when executed by the processor, causes the processor to;

determine whether a received packet is formatted according to a tunnel protocol understood by the system; and

if the received packet is formatted according to the tunnel protocol, determine, based on ARP reply information included in the received packet and the ARP reply information stored in the database, whether ARP spoofing has occurred.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for copying ARP replies, and generating data packets which include the ARP reply, and other information such as an identification of the port on the ARP reply was received. These data packets are then transmitted to an ARP collector which stores the ARP reply and port information. The ARP collector then uses this stored information, and analyzes future data packets relative to the stored information to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.

145 Citations

20 Claims

1. A system comprising:
- a database configured to store Address Resolution Protocol (ARP) reply information;
  
  an interface configured to receive packets;
  
  a processor; and
  
  a non-transitory computer readable medium having stored thereon program code that, when executed by the processor, causes the processor to;
  
  determine whether a received packet is formatted according to a tunnel protocol understood by the system; and
  
  if the received packet is formatted according to the tunnel protocol, determine, based on ARP reply information included in the received packet and the ARP reply information stored in the database, whether ARP spoofing has occurred.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18, 19)
- - 2. The system of claim 1 wherein the tunnel protocol is ARP Tunnel Protocol (ATP).
  - 3. The system of claim 1 wherein the program code further causes the processor to decrypt the received packet using a predetermined secret key.
  - 4. The system of claim 1 wherein the ARP reply information stored in the database includes a plurality of entries, each entry comprising a source MAC address, a source IP address, and a timestamp indicating when the entry was learned.
  - 5. The system of claim 1 wherein determining whether ARP spoofing has occurred comprises comparing the ARP reply information included in the received packet with at least two entries stored in the database.
  - 6. The system of claim 5 wherein the comparing takes into account a time associated with the received packet and times associated with the at least two entries stored in the database.
  - 7. The system of claim 5 wherein the ARP reply information included in the received packet comprises a MAC address that is identical to MAC addresses included in the at least two entries.
  - 8. The system of claim 1 wherein the program code further causes the processor to store the ARP reply information included in the received packet in the database.
  - 9. The system of claim 1 when the program code further causes the processor to determine when one or more ARP reply entries stored in the database are stale and should be deleted.
  - 10. The system of claim 1 wherein the system is a network device.
  - 11. The system of claim 1 wherein the system is a computer system configured to perform one or more functions in addition to ARP spoof detection.
  - 18. The system of claim 1 wherein the tunnel protocol encapsulates the ARP reply information.
  - 19. The system of claim 1 wherein the processor determines whether the received packet is formatted according to the tunnel protocol by checking an Ethertype field of the received packet.

12. A method comprising:
- determining, by a device, whether a received packet is formatted according to a tunnel protocol understood by the device; and
  
  if the received packet is formatted according to the tunnel protocol, determining, by the device based on ARP reply information included in the received packet and ARP reply information stored in a database accessible to the device, whether ARP spoofing has occurred.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12 wherein the tunnel protocol is ARP Tunnel Protocol (ATP).
  - 14. The method of claim 12 further comprising decrypting the received packet using a predetermined secret key.

15. A device comprising:
- means for determining whether a received packet is formatted according to a tunnel protocol understood by the device; and
  
  means for determining whether ARP spoofing has occurred if the received packet is formatted according to the tunnel protocol, the determination of whether ARP spoofing has occurred being based on ARP reply information included in the received packet and stored ARP reply information.
- View Dependent Claims (16, 17)
- - 16. The device of claim 15 wherein the tunnel protocol is ARP Tunnel Protocol (ATP).
  - 17. The device of claim 15 further comprising means for decrypting the received packet using a predetermined secret key.

20. A non-transitory computer readable medium having stored thereon program code executable by a processor of a computer system, the program code comprising:
- code that causes the processor to determine whether a received packet is formatted according to a tunnel protocol understood by the computer system; and
  
  if the received packet is formatted according to the tunnel protocol, code that causes the processor to determine, based on ARP reply information included in the received packet and ARP reply information stored in a database, whether ARP spoofing has occurred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks LLC (Broadcom, Inc.)
Inventors
Kwan, Philip
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US13/184,748
Publication Number

US 20120011584A1
Time in Patent Office

1,254 Days
Field of Search

726 23- 26, 713/151, 713/154, 709/223, 709/238
US Class Current

726/23
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1466   Active attacks involving in...

System and method for ARP anti-spoofing security

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

145 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for ARP anti-spoofing security

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

145 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links