【正文】 外文翻譯原文及譯文 學 院 計算機學院 專 業(yè) 計算機科學與技術 班 級 84010101 學 號 2022040101023 姓 名 王冉 指導教師 高利軍 負責教師 高利軍 沈陽航空 航天大學 2022年 6月 沈陽航空航天大學畢業(yè)設計（論文）外文翻譯 —— 原文 1 Detecting ARP Spoofing: An Active Technique Vivek Ramachandran and Sukumar Nandi Cisco Systems, Inc., Bangalore India Indian Institute of Technology, Guwahati, Assam, India Abstract. The Address Resolution Protocol (ARP) due to its statelessness and lack of an authentication mechanism for verifying the identity of the sender has a long history of being prone to spoofing attacks. ARP spoofing is sometimes the starting point for more sophisticated LAN attacks like denial of service, man in the middle and session hijacking. The current methods of detection use a passive approach, monitoring the ARP traffic and looking for inconsistencies in the Ether to IP address mapping. The main drawback of the passive approach is the time lag between learning and detecting spoofing. This sometimes leads to the attack being discovered long after it has been orchestrated. In this paper, we present an active technique to detect ARP spoofing. We inject ARP request and TCP SYN packets into the work to probe for inconsistencies. This technique is faster, intelligent, scalable and more reliable in detecting attacks than the passive methods. It can also additionally detect the real mapping of MAC to IP addresses to a fair degree of accuracy in the event of an actual attack. 1. Introduction The ARP protocol is one of the most basic but essential protocols for LAN munication. The ARP protocol is used to resolve the MAC address of a host given its IP address. This is done by sending an ARP request packet (broadcasted) on the work. The concerned host now replies back with its MAC address in an ARP reply packet (unicast). In some situations a host might broadcast its own MAC address in a special Gratuitous ARP packet. All hosts maintain an ARP cache where all address mappings 沈陽航空航天大學畢業(yè)設計（論文）外文翻譯 —— 原文 2 learnt from the work (dynamic entries) or configured by the administrator (static entries) are kept. The dynamic entries age out after a fixed interval of time, which varies across operating systems. After the entry ages out it is deleted from the cache and if the host wants to municate with the same peer, another ARP request is made. The static entries never age out. The ARP protocol is stateless. Hosts will cache all ARP replies sent to them even if they had not sent an explicit ARP request for it. Even if a previous unexpired dynamic ARP entry is there in the ARP cache it will be overwritten by a newer ARP reply packet on most operating systems. All hosts blindly cache the ARP replies they receive, as they have no mechanism to authenticate their peer. This is the root problem, which leads to ARP spoofing. ARP spoofing is the process of fing ARP packets to be able to impersonate another host on the work. In the most general form of ARP spoofing the attacker sends spoofed ARP responses to the victim periodically. The period between the spoofed responses is much lesser than the ARP cache entry timeout period for the operating system running on the victim host. This will ensure that the victim host would never make an ARP request for the host whose address the attacker is impersonating. Following subsection briefly discuss the current detection and mitigation techniques. Current Mitigation and Detection Techniques Existing ARP spoofing detection techniques are discussed next sequentially. Secure ARP Protocol (SARP) This has been proposed as a replacement for the ARP protocol in SARP: a Secure Address Resolution Protocol. The SARP protocol is definitely a permanent solution to ARP spoofing but the biggest drawback is that we will have to make changes to the work stack of all the hosts. This is not very scalable as going for a stack upgrade across all available operating systems is something both vendors and customers will not be happy about. As SARP uses Digital Signature Algorithm (DSA) we have the additional overhead of cryptographic calculations though the authors of the paper have claimed that this overhead is not significant. Static MAC Entries 沈陽航空航天大學畢業(yè)設計（論文）外文翻譯 —— 原文 3 Adding static MAC addresses on every host for all other hosts will not allow spoofing but is not a scalable solution at all and managing all these entries is a full time job by itself. This can fail miserably if mobile hosts such as laptops are periodically introduced into the work. Also some operating systems are known to overwrite static ARP entries if they receive Gratuitous ARP packets (GARP). Kernel Based Patches Kernel based patches such as Anticap and Antidote have made an attempt to protect from ARP spoofing at a individual host level. Anticap does not allow updating of the host ARP cache by an ARP reply that carries a different MAC address then the one already in the cache. This unfortunately makes it drop legal gratuitous ARP replies as well, which is a violation to the ARP protocol specification. Antidote on receiving an ARP rep