ly whose MAC address differs from the previously cached one tries to check whether the previously learnt MAC is still alive. If the previously learnt MAC is still alive then the update is rejected and the offending MAC address is added to a list of banned addresses. Both of the above techniques rely on the ARP entry already in the cache being the legitimate one. This creates a race between the attacker and the victim: if the attacker gets his spoofed ARP entry into the host's cache before the real host can, then the real MAC address is banned, and this can only be undone by administrative intervention. Thus we can conclude that wrong learning may cause these tools to fail in detecting ARP spoofing.

Passive Detection

In passive detection we sniff the ARP requests/responses on the network and construct a MAC address to IP address mapping database. If we notice a change in any of these mappings in future ARP traffic then we raise an alarm and conclude that an ARP spoofing attack is underway. The most popular tool in this category is ARPWATCH. The main drawback of the passive method is the time lag between learning the address mappings and subsequent attack detection. In a situation where the ARP spoofing began before the detection tool was started for the first time, the tool will learn the fed replies into its IP to MAC address mapping database. Only after the victim starts communicating with some other host will the inconsistency be detected and an alarm raised. The attacker may have made his getaway because of this delay. Also, a spoofed entry learnt as in the above scenario would have to be manually undone by the network administrator.

Shenyang Aerospace University graduation project (thesis), foreign-language translation, original text, page 4

The only solution to this problem is to manually feed the correct address mappings into the database before starting the tool, or to create attack-free learning traffic. Both of these are unreasonable because of scalability and mobility issues; an ideal example would be mobile hosts, e.g. laptops brought in by customers or visitors to a company. This slow learning curve makes it impossible to install passive tools on a large network (1000+ hosts) and expect them to identify attacks instantaneously. The passive techniques have no intelligence and blindly look for a mismatch between the ARP traffic and their learnt database tables. If ARP spoofing is detected, there is no way of ascertaining whether the newly seen address mapping is the result of a spoofing attempt or whether the previously learnt one was actually the spoofed one. Our technique will determine the real MAC to IP mapping during an actual attack to a fair degree of accuracy. The passive learning technique is also very unreliable. A new address mapping is learnt whenever ARP traffic is seen from a host. Thus a switch ARP cache table overflow attempt, generating random ARP reply packets every second with arbitrary MAC and IP addresses, will simply result in new stations being discovered instead of being reported as attack traffic.

To overcome the problems of the earlier techniques, we present a new ARP spoofing detection technique. Our technique uses an active approach to detect ARP spoofing: we send out ARP request and TCP SYN packets to probe the authenticity of the ARP traffic we see on the network. The approach is faster, more intelligent, more scalable and more reliable in detecting attacks than the passive methods. In the event of an actual attack it can additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy. A detailed description of the technique is given in the following sections.

2 The Proposed Active Detection Technique for ARP Spoofing

The proposed technique actively interacts with the network to gauge the presence of ARP spoofing attacks. We will henceforth assume the following about the network we desire to protect.

Assumptions

1. The attacker's computer has a normal network stack. This assumption will hold for most attacks, as "ready to use" ARP spoofing tools have always been the attacker's most popular choice. If the attacker does use a customized stack then our technique will still detect ARP spoofing but will no longer be able to predict the correct address mappings. We will discuss performance in the presence of a customized stack in section .

2. The individual hosts we desire to protect on the network may use a personal firewall, but at least one TCP port should be allowed through the firewall. This is to allow our probe packets (TCP SYN packets) to go through. This is a reasonable assumption, as even when a firewall is installed some LAN-based services such as NETBIOS are normally allowed through it for LAN communication.

3. We assume that all devices which we protect have a TCP/IP network stack up and running.

Terminology

We now introduce the terminology used in the rest of this paper.

1. Threshold interval: ARP replies to an ARP request must be received within a specified time interval. After this time has elapsed we will consider the ARP request to have "expired". We will call this interval the "Threshold Interval". It will be administratively configurable on any tool using our technique.
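The following is an added example, not code from the paper or from ARPWATCH. It models two things described above over constructed ARP packets: an ARPWATCH-style passive monitor, which shows why a spoofed reply learnt before the tool started cannot be told apart from the genuine one and why a flood of replies with arbitrary addresses is merely "discovered" rather than alarmed on; and the Threshold Interval bookkeeping an active detector needs for its own ARP request probes, where replies arriving after the interval are treated as expired. The class names, the packet fields and every MAC/IP value are assumptions chosen for the illustration.

```python
"""Added illustration (not the paper's or ARPWATCH's code): passive ARP
learning versus threshold-interval bookkeeping for active ARP probes."""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """Minimal constructed ARP packet: only the fields the monitor looks at."""
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    ts: float        # capture time in seconds


class PassiveArpMonitor:
    """ARPWATCH-style learner: blindly records the first mapping it sees for an
    IP and raises an alarm when a later packet claims a different MAC."""

    def __init__(self):
        self.table = {}    # ip -> mac as first learnt
        self.alarms = []   # (ip, previously learnt mac, new mac, ts)

    def observe(self, pkt):
        known = self.table.get(pkt.sender_ip)
        if known is None:
            self.table[pkt.sender_ip] = pkt.sender_mac   # new station, no check at all
            return "learnt"
        if known != pkt.sender_mac:
            self.alarms.append((pkt.sender_ip, known, pkt.sender_mac, pkt.ts))
            return "alarm"
        return "ok"


class ProbeTracker:
    """Tracks ARP requests sent by an active detector. Replies to a request are
    only accepted within the Threshold Interval; later ones are 'expired'."""

    def __init__(self, threshold):
        self.threshold = threshold     # the administratively configured interval
        self.pending = {}              # ip -> time the request was sent
        self.replies = defaultdict(list)

    def send_request(self, ip, ts):
        self.pending[ip] = ts

    def on_reply(self, pkt):
        sent = self.pending.get(pkt.sender_ip)
        if sent is None:
            return "unsolicited"       # nobody asked: not an answer to our probe
        if pkt.ts - sent > self.threshold:
            return "expired"           # request has already expired
        self.replies[pkt.sender_ip].append(pkt.sender_mac)
        return "valid"


def scenario_attack_before_tool():
    """Attack already running when the monitor starts: the spoofed reply is
    learnt as genuine and the alarm names the real host as the newcomer."""
    mon = PassiveArpMonitor()
    spoofed = ArpPacket("reply", "aa:aa:aa:aa:aa:aa", "10.0.0.1", 1.0)   # constructed attacker reply
    genuine = ArpPacket("reply", "00:11:22:33:44:55", "10.0.0.1", 9.0)   # constructed real gateway
    first = mon.observe(spoofed)    # "learnt": spoofed entry becomes the baseline
    second = mon.observe(genuine)   # "alarm" only now, with the wrong entry as 'old'
    return first, second, mon.alarms


def scenario_cache_flood(count, seed=7):
    """Replies with random MACs for many distinct IPs: every one is 'learnt'
    as a new station and no alarm is ever raised."""
    rng = random.Random(seed)
    mon = PassiveArpMonitor()
    results = []
    for i in range(count):
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        ip = f"10.0.{i // 254}.{i % 254 + 1}"     # distinct constructed IPs
        results.append(mon.observe(ArpPacket("reply", mac, ip, 0.0)))
    return results.count("learnt"), len(mon.alarms)


def scenario_probe_threshold():
    """Threshold Interval of 0.5 s: a reply at +0.2 s is valid, one at +1.0 s
    has expired, and a reply for an IP never probed is unsolicited."""
    tracker = ProbeTracker(threshold=0.5)
    tracker.send_request("10.0.0.1", ts=10.0)
    in_time = tracker.on_reply(ArpPacket("reply", "00:11:22:33:44:55", "10.0.0.1", 10.2))
    late = tracker.on_reply(ArpPacket("reply", "aa:aa:aa:aa:aa:aa", "10.0.0.1", 11.0))
    stray = tracker.on_reply(ArpPacket("reply", "aa:aa:aa:aa:aa:aa", "10.0.0.9", 10.1))
    return in_time, late, stray


if __name__ == "__main__":
    print(scenario_attack_before_tool())
    print(scenario_cache_flood(300))
    print(scenario_probe_threshold())
```

Running the block prints the three scenarios: in the first, the only alarm lists the attacker's MAC as the "previously learnt" address, so a passive tool cannot say which mapping is real; in the second, 300 arbitrary replies produce 300 new stations and zero alarms; in the third, only the reply inside the Threshold Interval is counted as an answer to the probe.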