System and method for ARP anti-spoofing security
Abstract
A system and method that provide for copying ARP replies and generating data packets that include the ARP reply and other information, such as an identification of the port on which the ARP reply was received. These data packets are then transmitted to an ARP collector, which stores the ARP reply and port information. The ARP collector then uses this stored information, analyzing future data packets against it to detect occurrences of ARP spoofing. The ARP collector further provides for generating alerts and taking security actions when ARP reply spoofing is detected.
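The collector logic described in the abstract, as an added example that is not taken from the patent. The tunnel header (a 4-byte `ARPT` marker plus a 2-byte port number) and the mismatch rule (a sender IP reappearing with a different MAC or port) are assumptions made for illustration; the sample packets are constructed.

```python
import socket
import struct

MAGIC = b"ARPT"                        # assumed tunnel marker (hypothetical)
TUNNEL = struct.Struct("!4sH")         # marker, port the switch received the reply on
ARP = struct.Struct("!HHBBH6s4s6s4s")  # Ethernet/IPv4 ARP body, 28 bytes

def arp_reply(sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an ARP reply (opcode 2) from MAC/IP strings."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return ARP.pack(1, 0x0800, 6, 4, 2, mac(sha), socket.inet_aton(spa),
                    mac(tha), socket.inet_aton(tpa))

def encapsulate(port: int, arp: bytes) -> bytes:
    """Switch side: copy the ARP reply and prepend the receiving port."""
    return TUNNEL.pack(MAGIC, port) + arp

class ArpCollector:
    def __init__(self):
        self.db = {}       # sender IP -> (sender MAC, port) from earlier replies
        self.alerts = []

    def handle(self, packet: bytes) -> str:
        # Step 1: is the packet in the tunnel format this collector understands?
        if len(packet) != TUNNEL.size + ARP.size or packet[:4] != MAGIC:
            return "not-tunnel"
        _, port = TUNNEL.unpack_from(packet)
        htype, ptype, hlen, plen, oper, sha, spa, _, _ = ARP.unpack_from(
            packet, TUNNEL.size)
        if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2):
            return "not-arp-reply"
        # Step 2: compare the reply with what the database already holds.
        ip, seen = socket.inet_ntoa(spa), (sha.hex(":"), port)
        known = self.db.setdefault(ip, seen)  # first sighting is trusted (assumption)
        if known == seen:
            return "ok"
        self.alerts.append({"ip": ip, "known": known, "seen": seen})
        return "spoof-suspected"

if __name__ == "__main__":
    c = ArpCollector()
    gw = arp_reply("00:11:22:33:44:55", "192.0.2.1", "66:77:88:99:aa:bb", "192.0.2.10")
    fake = arp_reply("de:ad:be:ef:00:01", "192.0.2.1", "66:77:88:99:aa:bb", "192.0.2.10")
    for pkt in (encapsulate(1, gw), encapsulate(7, fake), gw):  # constructed samples
        print(c.handle(pkt), c.alerts[-1:])
```

Because the first binding seen for an IP is stored as the baseline, a collector built this way should be seeded from trusted data (for example DHCP leases or static inventory) before it is relied on.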
20 Claims
1. A system comprising:
- a database configured to store Address Resolution Protocol (ARP) reply information;
- an interface configured to receive packets;
- a processor; and
- a non-transitory computer readable medium having stored thereon program code that, when executed by the processor, causes the processor to:
  - determine whether a received packet is formatted according to a tunnel protocol understood by the system; and
  - if the received packet is formatted according to the tunnel protocol, determine, based on ARP reply information included in the received packet and the ARP reply information stored in the database, whether ARP spoofing has occurred.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 18, 19
12. A method comprising:
- determining, by a device, whether a received packet is formatted according to a tunnel protocol understood by the device; and
- if the received packet is formatted according to the tunnel protocol, determining, by the device based on ARP reply information included in the received packet and ARP reply information stored in a database accessible to the device, whether ARP spoofing has occurred.

Dependent claims: 13, 14
15. A device comprising:
- means for determining whether a received packet is formatted according to a tunnel protocol understood by the device; and
- means for determining whether ARP spoofing has occurred if the received packet is formatted according to the tunnel protocol, the determination of whether ARP spoofing has occurred being based on ARP reply information included in the received packet and stored ARP reply information.

Dependent claims: 16, 17
20. A non-transitory computer readable medium having stored thereon program code executable by a processor of a computer system, the program code comprising:
- code that causes the processor to determine whether a received packet is formatted according to a tunnel protocol understood by the computer system; and
- if the received packet is formatted according to the tunnel protocol, code that causes the processor to determine, based on ARP reply information included in the received packet and ARP reply information stored in a database, whether ARP spoofing has occurred.
Specification