15th Annual Computer Security Applications Conference
December 6-10, 1999
Phoenix, Arizona

A middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning

Mahesh V. Tripunitara, tripunit@cs.purdue.edu
Partha Dutta, ppd@ipo.att.com

We discuss the Address Resolution Protocol (ARP) and the problem of ARP cache poisoning. ARP cache poisoning is the malicious act, of a host in a LAN, of introducing a spurious IP address to Medium Access Control (MAC) address mapping in another host's ARP cache. We discuss design constraints for a solution: the solutions needs to be implemented in middleware, without access or change to any operating system source code, be backward-compatible to the existing protocol, and be asynchronous.

We present our solution and implementation aspects of it in a Streams based networking subsystem. Our solution comprises two parts: a "bump in the stack" Streams module, and a separate Stream with a driver and a user-level application. We also present the algorithm that is executed in the module and the application to prevent ARP cache poisoning where possible and detect and raise alarms otherwise.

We then discuss some limitations with our approach and present some preliminary performance numbers for our implementation.