Abstract
The article discusses various types of attacks on the ARP protocol and the tools used to
implement and detect them. The principal network vulnerabilities related to the lack of
authentication and encryption were identified through modeling, and methods to prevent
or reduce the risk were proposed. A network design was created in the GNS3
environment, which is as close to the real environment as possible. Specialized tools such
as Nping, Arpspoof, and Ettercap were used to carry out the ARP-Flooding, ARP-Spoofing,
and ARP-Poisoning attacks, and XArp software was used for detection.
Keywords
ARP, GNS3, attack emulation, ARP-flooding, ARP-spoofing, ARP-poisoning.
CPITS-2024: Cybersecurity Providing in Information and Telecommunication Systems, February 28, 2024, Kyiv, Ukraine
EMAIL: [email protected] (T. Vakaliuk); [email protected] (Y. Trokoz); [email protected] (O. Pokotylo);
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

Due to the wide spread of cyber threats and their constant evolution in the modern information environment, network security is a highly relevant issue. As technologies develop, it is essential to ensure appropriate detection of and protection against various types of attacks. One of the most common threats to network security is attacks on ARP, aimed at the unauthorized interception and acquisition of confidential information. The risk of their impact is growing with the expansion of the Internet of Things (IoT), due to the constant increase in the number of connected devices [1–3]. Therefore, to avoid vulnerabilities in new environments and manage network infrastructure effectively, it is essential to understand how attacks on this protocol work, consider methods of detecting them, and develop and implement means of protection against them [4, 5].

An analysis of research on this topic shows that there are many ways to detect and conduct various specialized attacks on network protocols, particularly on ARP, and thereby to increase the resilience of network systems.

In particular, the article by Swati Jadhav, Arjun Thakur, Shravani Nalbalwar, Shubham Shah, and Sankalp Chordia [6] proposes various methods for detecting an ARP poisoning attack at both the user and organizational levels. After the attack on the client device, the traffic was intercepted and analyzed using a Python program and other software products. The result of the work highlights the options for protecting a computer in the event of potential attacks.

The study by Zhaozhan Chen [7] includes an analysis of the principles of operation and attack modes based on the ARP protocol, IP,
and MAC addresses. The author examines the format of the ARP packet, the process of data exchange during its operation, and the structure of attacks such as counterfeit gateway, spoofing gateway, spoofing user, and man-in-the-middle. The paper proposes a method for improving network security by implementing appropriate security measures based on practical experience.

In the work of Xiaohan Zhang, Lu Cao, Zuojun Meng, and Xiaohui Yao [8], a solution for SDN (Software Defined Network) was proposed that allows accurate detection of ARP attacks by checking the veracity of the IP-to-MAC address mapping and of the MAC address itself while the controller processes ARP packets. The authors conducted experiments in a simulated SDN network, which confirmed that attacks can be detected without affecting the performance of the network as a whole and that the time of ARP interaction between hosts is reduced.

In a study by Akinul Islam Jony and Arjun Kumar Bose Arnob [9], Long Short-Term Memory (LSTM) networks are used for intrusion detection as a new strategy to enhance IoT security. The proposed LSTM-based model detects both known and novel cyberattack patterns with an accuracy of 98.75% and an F1 score of 98.59% in extensive experimental evaluations on the large CIC-IoT2023 dataset, which represents a diverse set of IoT network traffic scenarios. This research contributes to IoT security by addressing the need for adaptive intrusion detection systems that keep up with evolving cyber threats.

Cristina L. Abad and Rafael I. Bonilla [10] examined several schemes that have been proposed to mitigate, detect, and prevent attacks on the ARP protocol, each of which has its drawbacks. Their paper analyzes these schemes, identifies their strengths and weaknesses, and offers recommendations for developing an alternative and (possibly) better solution to the ARP cache poisoning problem.

Anjana Kawshan [11] found that the ARP protocol is vulnerable to an ARP-spoofing attack because it lacks authentication. As a result, it can lead to man-in-the-middle attacks, denial of service, and others. The author describes the sequence of actions in the case of MITM and shows how to detect ARP-spoofing attacks with his own code.

The article by Huixing Xi [12] systematizes the current state of research and the critical technologies related to the ARP protocol. The author analyses the mechanisms by which ARP vulnerabilities arise and considers possible attack techniques. Commonly used protection methods are generalized and their advantages and disadvantages are presented. Experiments and tests are conducted for each advanced security algorithm.

The study by Mehdi Nobakht, Hadi Mahmoudi, and Omid Rahimzadeh [13] proposes a distributed security mechanism for detecting and counteracting the ARP cache poisoning attack. It can detect a more advanced variant of the attack, in which the attacker leaves a minimum of traces. A prototype of the proposed mechanism is implemented in Python, and its viability and effectiveness are demonstrated through extensive experiments in a local network with 15 hosts. The evaluation results indicate instant detection with millisecond accuracy and minimal impact on network traffic.

The analysis of publications on this topic showed that they pay little attention to the process of modeling threats to the ARP protocol, which is essential for understanding both the specific vulnerability and the attacker's sequence of actions, and which makes it possible to study the network's response to specific actions of attackers. In addition to analyzing the ARP-Flooding, ARP-Spoofing, and ARP-Poisoning attacks, this article discusses their sequential execution in the modeled network, gives an overview of the reactions of network devices and end nodes, and explores the possibility of detecting the attacks using the XArp tool. This makes it possible to identify network vulnerabilities and choose effective methods and means to eliminate them.

1.2. Methods

To achieve this goal, the study used analysis and simulation methods. The analysis allowed us to identify vulnerabilities of the ARP protocol, potential attacks on it, and their possible consequences. The simulation was used to model attacks using the Nping,
Arpspoof, and Ettercap tools in the GNS3 environment. This made it possible to study a network similar to a real one in practice and to identify its vulnerabilities in order to choose an effective method of protection in the future.

The object of research is the ARP protocol and its vulnerabilities, and the subject is methods and tools for modeling attacks on the ARP protocol in the GNS3 environment and their detection using XArp.

The purpose of the article is to study various vulnerabilities of the ARP protocol, to simulate ARP-Flooding, ARP-Spoofing, and ARP-Poisoning attacks on the nodes of a network created in the GNS3 environment using the specialized tools Nping, Arpspoof, and Ettercap, and to detect them using XArp.

2. Results

ARP (Address Resolution Protocol) establishes the correspondence between the logical IP address and the physical MAC address of a device on a local network. It is what makes correct communication and addressing on the network possible, since frames on a segment are delivered by MAC address while applications name hosts by IP address. When one device needs to communicate with another and knows its IP address, ARP makes it possible to determine the corresponding MAC address. If the latter is already in the device's ARP cache, data can be sent immediately; if it is unknown, a broadcast ARP request is sent, the owner of the IP address answers with a unicast ARP reply, and the requester caches the answer.

ARP is an integral part of the network infrastructure, so the growth of threats in the field of network security requires a detailed study of attacks on this protocol and the development of effective methods for detecting and protecting against them. The study of attacks on the ARP protocol is essential for ensuring the privacy of network communications and improving the overall security of computer systems.

The principal vulnerabilities of ARP are the following: the lack of authentication and encryption, which makes it vulnerable to interception and cache poisoning attacks; the ability to send fake ARP messages, since there is no authenticity check for requests, for replies, or for the ARP tables themselves; and the ease of cache poisoning, since a host typically updates an existing cache entry from any ARP packet that carries that IP address, whether or not it ever sent a request, which violates the correctness of network interaction.

The peculiarities of this algorithm and the above shortcomings give rise to the following attacks:
1. ARP-Flooding is an attack carried out by creating a broadcast storm, i.e., sending a large number of ARP requests into the network to overflow ARP caches. As a result, network performance decreases, devices fail, incorrect ARP tables are built, which leads to address conflicts and incorrect forwarding, and there is a possibility of traffic interception.
2. ARP-Spoofing is an attack that involves sending fake ARP replies into the network. The attacker impersonates a legitimate device by placing its own MAC address in replies for that device's IP address, so that network traffic is redirected through the attacker. As a result, confidential information is intercepted without authorization and can subsequently be viewed and modified.
3. ARP-Poisoning is a variant of ARP-Spoofing aimed at a specific device or group of devices. The logic of its operation is the same: the attacker sends fake ARP replies to poison the ARP caches of the nodes, resulting in incorrect correspondences between IP and MAC addresses and the possibility of redirecting traffic to illegitimate users [14].

These attacks are rarely used in the pure form described above; usually their capabilities are combined and different implementations are used. These potential threats are critical for corporate networks, where reliable and uninterrupted operation is vital. Understanding all the stages of such attacks becomes essential for assessing their possible impact on the network and for determining the measures needed to protect the network infrastructure.

Various programs and utilities are used to implement attacks on the ARP protocol, including Ettercap, Cain&Abel, BetterCAP, Scapy, Gobbler, Nping, Arpspoof, Arpoison, ARPBuilder, and others. Each has its own functionality and features, and the choice of a particular tool depends on the user's needs and on the goal to be achieved by the attack [15].

In this study, the Nping tool was chosen for the ARP-Flooding attack, Arpspoof for ARP-Spoofing, and Ettercap for ARP-Poisoning, as their functionality is sufficient to achieve the goal.
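To make the wire format behind these attacks concrete, the following Python example (added here; it is neither code from the paper nor the output of any of the tools named above) builds and decodes Ethernet/ARP frames with only the standard library and assembles the kind of unsolicited reply an ARP-Spoofing tool sends to a victim: the gateway's IP address paired with the attacker's MAC address. The addresses are constructed for the example, and `build_arp`, `parse_arp`, `spoofed_gateway_reply` and the other names are this example's own. The point to notice is that nothing in the 28-byte ARP body identifies who is allowed to answer for an IP address; the receiver simply copies the sender fields into its cache.

```python
"""Ethernet/ARP frame construction and decoding with the standard library only."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Return a 42-byte Ethernet II + ARP frame (HTYPE=1 Ethernet, PTYPE=0x0800 IPv4).

    A request is broadcast; a reply is unicast to target_mac unless dst_mac overrides it.
    """
    if dst_mac is None:
        dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth_header = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp_body = (mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
                + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth_header + arp_header + arp_body


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame; raise ValueError for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


# Constructed addresses for the example (not the paper's lab values).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.2", "00:11:22:33:44:02"
ATTACKER_MAC = "00:11:22:33:44:04"


def victim_request_for_gateway() -> bytes:
    """What the victim legitimately broadcasts: 'who has GATEWAY_IP? tell VICTIM_IP'."""
    return build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, GATEWAY_IP)


def spoofed_gateway_reply() -> bytes:
    """What an ARP-spoofing tool sends to the victim, whether or not it asked:
    'GATEWAY_IP is at ATTACKER_MAC'. The sender fields are chosen freely by the
    attacker; no field in the frame lets the victim verify who owns GATEWAY_IP."""
    return build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)


if __name__ == "__main__":
    for frame in (victim_request_for_gateway(), spoofed_gateway_reply()):
        print(frame.hex())
        print(parse_arp(frame))
```

Running the file prints both frames as hex and decoded. Actually transmitting such a frame needs a raw AF_PACKET socket and root privileges on Linux; that step is deliberately left out so the block runs offline, and the decoder is the part worth keeping, since it is what a detector has to do first.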
Detecting the fact of an attack is a necessary element of ensuring information security, so it is essential to monitor the network constantly for its characteristic signs. In the case of the ARP protocol, it is crucial to watch whether a device's response time to various network operations increases, whether the ARP activity on the interfaces is abnormally high, whether entries with the same MAC address for different IP addresses appear in the ARP tables, whether the MAC address bound to an IP address (especially the gateway's) changes, etc. Specialized software applications can be used for this purpose.

Table 1 compares ArpWatch, XArp, WinARPWatch, ArpStar, ARPScan, NetCut Defender, and Colasoft Capsa by their primary functions and support for different operating systems.

Considering this comparison, the XArp tool was chosen to detect the ARP attacks that were planned to be carried out.

The GNS3 (Graphical Network Simulator-3) tool was chosen as the modeling environment, as it allows networks to be emulated and tested interactively using authentic operating system images. An essential factor in favor of GNS3 is the ability to perform attacks in an isolated environment without affecting the performance of a real network.

Table 1
Main characteristics of tools for detecting attacks on the ARP protocol

Program | Main functions | Support for Windows OS | Support for Unix/Linux OS
ArpWatch | Tracking ARP tables; notification of changes | - | +
XArp | ARP attack detection; notification of attacks | + | -
WinARPWatch | Monitoring of ARP tables; anomaly detection | + | -
ArpStar | Protection against ARP attacks; anomaly detection | - | +
ARPScan | Network scan to detect abnormal ARP requests | + | +
NetCut Defender | Protection against ARP-spoofing; access control | + | -

To emulate attacks on the ARP protocol, we develop a realistic network topology in the GNS3 environment. We add network devices and configure them to reproduce the attack scenarios, using Nping, Arpspoof, and Ettercap to launch the ARP-Flooding, ARP-Spoofing, and ARP-Poisoning attacks. The next step is to observe the impact of these attacks on the network, detect them with XArp, and develop an effective defense strategy.

To illustrate, it is enough to create a compact network that includes a Cisco router, on which a DHCP server is configured to assign IP addressing parameters to the endpoints dynamically, a switch, and four workstations. Three of them are legitimate Windows workstations (Win10-Admin, Win7-User1, WinXP-User2), and the fourth is malicious (KaliLinux-Hacker); the attacks are carried out from it using the tools named above (Fig. 1).

Figure 1: Design of the built network

The successful configuration of the DHCP server is confirmed by the end nodes receiving their IP addressing parameters (Fig. 2). Communication between the legitimate devices works, and the ARP tables of the network devices and workstations before the attacks are shown in Fig. 3.

The Win10-Admin workstation has the XArp application installed to detect attacks on the ARP protocol. The KaliLinux-Hacker host received the address 192.168.1.4/24.

Let us start the ARP-Flooding attack using the Nping utility. To do this, the corresponding command is executed on the attacker's workstation; it generates a large number of ARP messages and sends them into the same network segment as the sending device (Fig. 4a). During the attack, the XArp application installed on the Win10-Admin workstation signals the presence of an attack in real time (Fig. 4b).

During the attack, the switch displays the relevant system messages, and the connection between endpoints is either absent or unstable with long delays (Fig. 5).

Figure 4: ARP-Flooding: (a) attack execution, (b) attack detection
Figure 5: Network device response to an ARP-Flooding attack

The next attack to be modeled is ARP-Spoofing using the Arpspoof utility. We use the corresponding command, specifying as its parameters the IP addresses of one of the legitimate workstations (for example, Win10-Admin) and one of the network devices (for example, the router) (Fig. 6a). The attack is successfully detected by the installed XArp application (Fig. 6b).
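The figures show XArp's verdicts but not the checks behind them. The following added example (not the paper's code and not XArp's) implements the three warning signs listed at the start of this section over a constructed sequence of decoded ARP events: an abnormal rate of ARP frames from one source (the Nping flood above), an IP address whose MAC binding changes (the Arpspoof reply above), and one MAC address claiming several IP addresses. The timestamps, addresses, the `ArpMonitor` name and the threshold of 50 frames per second are assumptions of the example; the input is taken as already decoded (timestamp, operation, sender MAC, sender IP), which is exactly what a decoder of ARP frames yields.

```python
"""Host-side ARP anomaly detection over decoded ARP events."""
from collections import defaultdict, deque

ARP_REQUEST, ARP_REPLY = 1, 2


class ArpMonitor:
    """Keeps the IP->MAC bindings it has seen and raises the three alarms the text names.

    rate_limit/window: more than rate_limit ARP frames from one MAC inside `window`
    seconds is reported as flooding (both values are assumptions of this example).
    """

    def __init__(self, rate_limit=50, window=1.0):
        self.rate_limit = rate_limit
        self.window = window
        self.bindings = {}                   # sender_ip -> last sender_mac seen
        self.ips_by_mac = defaultdict(set)   # sender_mac -> every IP it has claimed
        self.recent = defaultdict(deque)     # sender_mac -> timestamps inside window
        self.flood_reported = set()

    def observe(self, ts, op, sender_mac, sender_ip):
        """Feed one decoded ARP request or reply; return the alerts it triggered."""
        alerts = []

        # Sign 1: abnormal ARP activity from a single source (ARP-Flooding).
        stamps = self.recent[sender_mac]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.rate_limit and sender_mac not in self.flood_reported:
            self.flood_reported.add(sender_mac)
            alerts.append(f"FLOOD {sender_mac}: {len(stamps)} ARP frames within {self.window}s")

        # Sign 2: an IP address whose MAC binding changes (ARP-Spoofing/Poisoning).
        previous = self.bindings.get(sender_ip)
        if previous is not None and previous != sender_mac:
            alerts.append(f"CHANGE {sender_ip}: {previous} -> {sender_mac}")
        self.bindings[sender_ip] = sender_mac

        # Sign 3: one MAC address answering for several IP addresses
        # (the attacker's real address plus the victim's or the gateway's).
        claimed = self.ips_by_mac[sender_mac]
        if sender_ip not in claimed:
            claimed.add(sender_ip)
            if len(claimed) > 1:
                alerts.append(f"DUPMAC {sender_mac}: {sorted(claimed)}")
        return alerts


def sample_events():
    """Constructed event trace (not a capture from the paper's lab):
    normal traffic, an 80-frame burst from the attacker, then a forged reply
    that claims the gateway's IP with the attacker's MAC."""
    gw, victim, attacker = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:04"
    events = [
        (0.0, ARP_REQUEST, victim, "192.168.1.2"),
        (0.1, ARP_REPLY, gw, "192.168.1.1"),
    ]
    events += [(1.0 + i * 0.005, ARP_REQUEST, attacker, "192.168.1.4") for i in range(80)]
    events.append((5.0, ARP_REPLY, attacker, "192.168.1.1"))
    return events


def run(events, rate_limit=50, window=1.0):
    """Replay events through a fresh monitor and collect all alerts in order."""
    monitor = ArpMonitor(rate_limit=rate_limit, window=window)
    alerts = []
    for event in events:
        alerts.extend(monitor.observe(*event))
    return alerts


if __name__ == "__main__":
    for line in run(sample_events()):
        print(line)
```

Two caveats a deployment has to handle: a host whose DHCP lease changes, or a failover address that legitimately moves between two NICs, also triggers CHANGE and DUPMAC, so the gateway's binding is the one to alert on loudly while other changes are better correlated with DHCP logs; and the flood threshold must be tuned per segment, since a large subnet produces far more legitimate ARP traffic than the four-host network modeled here.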
Figure 6: ARP-Spoofing: (a) carrying out the attack, (b) detecting the attack

Let us display the router's ARP table (Fig. 7). As can be seen, the MAC address listed for the interface of the legitimate Win10-Admin workstation and the one listed for the KaliLinux-Hacker workstation are the same (different IP addresses map to the same MAC address). The ARP-Spoofing attack was successful: the MAC address of the legitimate workstation's network interface has been replaced in the router's table by the MAC address of the attacker's network interface, which means that the attacker is able to intercept the network traffic of the legitimate workstation. For the interception to go unnoticed, the attacker's host must also forward the redirected packets on to their real destination; otherwise the victim's connectivity simply breaks, which amounts to a denial of service.

Figure 8: The process of (a) scanning and (b) the result of scanning hosts in Ettercap

From this list, the hosts to be attacked need to be selected. Since the application for detecting ARP attacks is installed on Win10-Admin, select the IP address corresponding to this workstation and add it using Add to Target 1. As the second target address, select, for example, the IP address of the switch interface and add it using Add to Target 2 (Fig. 9).
Figure 10: Performing an ARP-Poisoning attack

The attack is successfully detected by the XArp application (Fig. 11a). Let us display the ARP table of the switch (Fig. 11b). We can see that the MAC address of the interface of the legitimate Win10-Admin workstation and that of the KaliLinux-Hacker workstation are the same. The ARP-Poisoning attack was successful and the MAC address was spoofed; the attacker was able to intercept the traffic of a legitimate workstation.

Figure 11: (a) ARP-Poisoning detection, (b) ARP table of the switch

After emulating attacks on the ARP protocol, it was determined that they can decrease network performance, corrupt the ARP tables of devices, open up the possibility of intercepting network traffic, and lead to device failures and other negative consequences.

Having identified the weaknesses of the network, it is worth developing a strategy to protect it from this type of attack, which includes the following steps:
1. Use static ARP entries for critical hosts (e.g., the default gateway) to reduce the risk of unauthorized table changes.
2. Deploy ARP traffic monitoring and filtering systems to detect suspicious activity prompt­ly.
3. Use encryption at the link layer (e.g., IEEE 802.1AE MACsec) or at higher layers (IPsec, TLS) so that traffic redirected through an attacker cannot be read or silently modified.
4. Configure the switch security mechanisms that protect against these attacks: DHCP Snooping, Dynamic ARP Inspection (which validates ARP packets on untrusted ports against the DHCP Snooping binding table and rate-limits them), and IP Source Guard.
5. Use VLANs to limit the propagation of ARP traffic: ARP is confined to a broadcast domain, so segmentation limits which hosts an attacker can poison.
6. Use personal firewalls on endpoints to block unauthorized ARP packets and changes to ARP tables.
Implementing this strategy reduces the risk of successful ARP attacks and increases the security of the network infrastructure.

3. Conclusion

As a result of step-by-step modeling of attacks on the ARP protocol using the Nping, Arpspoof, and Ettercap utilities, it was found that the built network has specific weaknesses related to insufficient control and security of the internal network infrastructure. The resulting possibility of unauthorized access can cause device malfunctions, MAC address spoofing, and network traffic interception. Following the proposed security strategy, it is essential to consider these risks when designing and configuring the network in order to prevent unauthorized access. Further research may include analyzing the vulnerabilities of other protocols and developing effective security methods with practical demonstrations of their operation.
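Step 4 of the protection strategy in Section 2 relies on Dynamic ARP Inspection (DAI) built on the DHCP Snooping binding table. The following added example (not the paper's code and not any switch vendor's) emulates in Python the decision a switch with DAI makes for each ARP frame: frames on trusted ports pass uninspected, frames on untrusted ports must match a binding learned from DHCP for that port and must carry an Ethernet source equal to the ARP sender MAC, and untrusted ports that exceed a rate limit are put into the err-disabled state. The port names Gi0/1, Gi0/2 and Gi0/4, the addresses, the `DaiSwitch` name and the limit of 15 frames per second (the usual default for untrusted ports) are assumptions of the example; the scenario replays the three attacks modeled above against this policy.

```python
"""Dynamic ARP Inspection (DAI) decision logic emulated for one switch."""
from collections import defaultdict, deque

ARP_REQUEST, ARP_REPLY = 1, 2


class DaiSwitch:
    """Per-frame ARP policy of a switch with DHCP Snooping and DAI enabled.

    - trusted ports (uplink towards router/DHCP server) are never inspected;
    - on untrusted ports the (sender IP, sender MAC, port) triple must match a
      binding learned by DHCP Snooping, and the Ethernet source must equal the
      ARP sender MAC (the 'validate src-mac' option);
    - untrusted ports are rate-limited; exceeding the limit err-disables the port.
    rate_limit=15 frames per second and the port names used below are assumptions
    of this example.
    """

    def __init__(self, trusted_ports, rate_limit=15, window=1.0):
        self.trusted = set(trusted_ports)
        self.rate_limit, self.window = rate_limit, window
        self.bindings = {}                 # (ip, mac) -> port, from DHCP Snooping
        self.recent = defaultdict(deque)   # port -> timestamps inside window
        self.err_disabled = set()
        self.log = []

    def dhcp_snooping_bind(self, ip, mac, port):
        """Record the lease that DHCP Snooping saw being granted to `mac` on `port`."""
        self.bindings[(ip, mac)] = port

    def inspect(self, ts, port, eth_src, op, sender_mac, sender_ip):
        """Return 'forward' or 'drop' for one ARP frame received on `port`."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            return "forward"

        stamps = self.recent[port]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:
            stamps.popleft()
        if len(stamps) > self.rate_limit:
            self.err_disabled.add(port)
            self.log.append(f"{port}: {len(stamps)} ARP frames/s exceeds limit {self.rate_limit}, err-disabled")
            return "drop"

        if eth_src != sender_mac:
            self.log.append(f"{port}: Ethernet source {eth_src} != ARP sender {sender_mac}, dropped")
            return "drop"

        if self.bindings.get((sender_ip, sender_mac)) != port:
            self.log.append(f"{port}: no DHCP Snooping binding for {sender_ip}/{sender_mac}, dropped")
            return "drop"
        return "forward"


def scenario():
    """Constructed scenario (addresses, ports and leases are example values, not the paper's lab).

    Gi0/1 is the uplink to the router that also runs DHCP; Gi0/2 and Gi0/4 are the
    access ports of the legitimate workstation and of the attacker.
    """
    gw, victim, attacker = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:04"
    sw = DaiSwitch(trusted_ports={"Gi0/1"})
    sw.dhcp_snooping_bind("192.168.1.2", victim, "Gi0/2")
    sw.dhcp_snooping_bind("192.168.1.4", attacker, "Gi0/4")

    results = {
        # router answering for its own address on the trusted uplink
        "router_reply": sw.inspect(0.0, "Gi0/1", gw, ARP_REPLY, gw, "192.168.1.1"),
        # workstation asking for the gateway with its leased address
        "victim_request": sw.inspect(0.1, "Gi0/2", victim, ARP_REQUEST, victim, "192.168.1.2"),
        # the attacker's traffic for its own leased address is legitimate
        "attacker_own": sw.inspect(0.2, "Gi0/4", attacker, ARP_REQUEST, attacker, "192.168.1.4"),
        # forged reply 'gateway is at attacker MAC': no binding for that pair
        "spoof_gateway": sw.inspect(0.3, "Gi0/4", attacker, ARP_REPLY, attacker, "192.168.1.1"),
        # forged reply carrying the victim's MAC inside the ARP body
        "spoof_victim": sw.inspect(0.4, "Gi0/4", attacker, ARP_REPLY, victim, "192.168.1.2"),
    }
    # flood: 20 otherwise valid requests in 0.2 s from the attacker's port
    flood = [sw.inspect(5.0 + i * 0.01, "Gi0/4", attacker, ARP_REQUEST, attacker, "192.168.1.4")
             for i in range(20)]
    results["flood_forwarded"] = flood.count("forward")
    results["attacker_port_disabled"] = "Gi0/4" in sw.err_disabled
    return results, sw.log


if __name__ == "__main__":
    verdicts, log = scenario()
    print(verdicts)
    print("\n".join(log))
```

Two consequences of this design matter when configuring real equipment: the uplink carrying the router's and DHCP server's replies must be trusted, otherwise legitimate gateway ARP is dropped, and hosts with static addresses have no DHCP binding, so they need an explicit ARP ACL or a static binding entry before DAI is enabled on their ports. IP Source Guard applies the same binding table to IP packets, so a host that could not poison ARP also cannot send traffic from an address it was not leased.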
References

[1] V. Sokolov, et al., Method for Increasing the Various Sources Data Consistency for IoT Sensors, in: IEEE 9th International Conference on Problems of Infocommunications, Science and Technology (PICST) (2023) 522–526. doi: 10.1109/PICST57299.2022.10238518.
[2] I. Kuzminykh, et al., Investigation of the IoT Device Lifetime with Secure Data Transmission, in: Internet of Things, Smart Spaces, and Next Generation Networks and Systems, vol. 11660 (2019) 16–27. doi: 10.1007/978-3-030-30859-9_2.
[3] Z. Hu, et al., Bandwidth Research of Wireless IoT Switches, in: IEEE 15th International Conference on Advanced Trends in Radioelectronics, Telecommunications and Computer Engineering (2020). doi: 10.1109/tcset49122.2020.2354922.
[4] O. Shevchenko, et al., Methods of the Objects Identification and Recognition Research in the Networks with the IoT Concept Support, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 2923 (2021) 277–282.
[5] B. Zhurakovskyi, et al., Secured Remote Update Protocol in IoT Data Exchange System, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 67–76.
[6] S. Jadhav, et al., Detection and Mitigation of ARP Spoofing Attack, in: International Conference on Innovative Computing and Communications, LNNS (2023) 395–405. doi: 10.1007/978-981-99-3010-4_33.
[7] Z. Chen, Research on ARP Attack Principle and Defense Measures in LAN, in: International Conference on Computer Network Security and Software Engineering (CNSSE 2023), vol. 12714 (2023). doi: 10.1117/12.2683288.
[8] X. Zhang, et al., A Solution for ARP Attacks in Software Defined Network, in: The Second International Conference on Artificial Intelligence, Information Processing and Cloud Computing (2021) 1–9. doi: 10.1109/AIIPCC53292.2021.9474466.
[9] A. Jony, A. Arnob, A Long Short-Term Memory Based Approach for Detecting Cyber Attacks in IoT Using CIC-IoT2023 Dataset, J. Edge Comput. (2024). doi: 10.55056/jec.648.
[10] C. Abad, R. Bonilla, An Analysis on the Schemes for Detecting and Preventing ARP Cache Poisoning Attacks, in: 27th International Conference on Distributed Computing Systems Workshops (ICDCSW'07) (2007) 60. doi: 10.1109/ICDCSW.2007.19.
[11] A. Kawshan, Create ARP Spoofing Attack Using Scapy (2022). doi: 10.13140/RG.2.2.19490.09923.
[12] H. Xi, Research and Application of ARP Protocol Vulnerability Attack and Defense Technology Based on Trusted Network, AIP Conference Proceedings 1820(1) (2017) 090019. doi: 10.1063/1.4977403.
[13] M. Nobakht, H. Mahmoudi, O. Rahimzadeh, A Distributed Security Approach against ARP Cache Poisoning Attack, ACM Transactions on Internet Technology (TOIT) 22(1) (2022) 1–21. doi: 10.1145/3494108.3522765.
[14] I. Anfalovas, What Is Address Resolution Protocol? A Beginner's Guide to ARP (2024). URL: https://www.ipxo.com/blog/address-resolution-protocol/
[15] T. Vakaliuk, et al., Modeling Attacks on the DHCP Protocol in the GNS3 Environment and Determining Methods of Security Against Them, in: Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3350 (2023) 209–216.