The present invention relates generally to methods of providing network security. More particularly, the invention provides methods and systems for protecting a network from spoofing and denial of service attacks. It will be recognized, however, that the invention has a much broader range of applicability.
An Address Resolution Protocol (ARP) packet is a layer 2 packet used in IP communications networks to map a network layer protocol address to a data link layer hardware address. For example, ARP is used to map a device's IP address (Layer 3) to the device's MAC address (Layer 2). An ARP packet is not an IP packet, but its payload contains IP information, namely, the sender's IP address and the target IP address.
In an Ethernet network, a source host communicates with a destination host using the Ethernet address (MAC address) of the destination host. Given a destination IP address, a host may use ARP to determine the corresponding destination MAC address. As an example, when a first host or station (station A) wants to communicate with a second host or station (station B), station A will send an ARP broadcast packet that includes, among other fields, the destination (station B's) IP address. Each host in the local network receives this packet. Preferably, the host or station with the specified destination IP address (in this example, station B) responds with a unicast ARP reply packet back to station A that contains station B's MAC address. Once station B's ARP reply is received, station A is able to send packets directly to station B using the MAC address sent by station B in the ARP reply.
In a spoofing attack, a third station or host, for example, station C, responds to the ARP broadcast packet, or sends a “gratuitous ARP reply,” spoofing station B's MAC address. In this scenario, station C responds with an ARP reply packet that contains station B's IP address, but station C's MAC address. Accordingly, station A sends network traffic intended for station B to station C. As a result of station C spoofing station B's MAC address, station C is able to steal network traffic intended for station B. In an alternative scenario, several reply packets are received, from both stations B and C. For example, station B may also send an ARP reply packet, either before or after station C. Station C may subsequently send an additional ARP reply packet, overriding the information sent by station B. One of ordinary skill in the art will appreciate that a number of spoofing scenarios are possible. In the alternative scenario, as well as other scenarios, station B is denied some or all of its traffic.
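The following is an added illustration, not part of the patent text and not any product's implementation, of the ARP exchange described above and of the simplest detection a monitoring host could perform on it. It parses Ethernet/ARP frames with the standard field layout, learns the sender IP to sender MAC binding from each ARP reply, and records an alert when a later reply for the same IP carries a different MAC (the "alternative scenario"), when a reply is gratuitous (sender IP equals target IP), or when the ARP sender MAC disagrees with the Ethernet source MAC. The station names, MAC and IP addresses, and the `ArpBindingMonitor` class are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Standard Ethernet header (dst MAC, src MAC, EtherType) and ARP header for
# Ethernet/IPv4 (htype, ptype, hlen, plen, oper, sha, spa, tha, tpa).
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


@dataclass
class ArpPacket:
    src_mac: str      # Ethernet source address of the frame
    oper: int         # 1 = request, 2 = reply
    sender_mac: str   # sha: hardware address the sender claims
    sender_ip: str    # spa: protocol address the sender claims
    target_mac: str   # tha
    target_ip: str    # tpa


def parse_arp_frame(frame: bytes):
    """Parse an Ethernet frame; return an ArpPacket, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return ArpPacket(mac_str(src), oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def build_arp_frame(dst_mac, src_mac, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a minimal Ethernet/ARP frame (constructed test data only)."""
    return ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


class ArpBindingMonitor:
    """Hypothetical passive monitor: learns IP->MAC from ARP replies and flags conflicts."""

    def __init__(self):
        self.bindings = {}   # sender IP -> first MAC seen claiming it
        self.alerts = []     # tuples describing suspicious replies

    def observe(self, frame: bytes):
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt.oper != ARP_REPLY:
            return pkt                      # requests are not learned from
        if pkt.sender_mac != pkt.src_mac:   # ARP sender field disagrees with the frame's source
            self.alerts.append(("header_mismatch", pkt.sender_ip, pkt.src_mac, pkt.sender_mac))
        if pkt.sender_ip == pkt.target_ip:  # unsolicited ("gratuitous") reply
            self.alerts.append(("gratuitous_reply", pkt.sender_ip, pkt.sender_mac))
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = pkt.sender_mac
        elif known != pkt.sender_mac:       # a second MAC now claims the same IP
            self.alerts.append(("conflict", pkt.sender_ip, known, pkt.sender_mac))
        return pkt


def run_demo() -> ArpBindingMonitor:
    """Replay the A/B/C exchange from the text using constructed addresses."""
    A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
    ip_a, ip_b = "10.0.0.1", "10.0.0.2"
    frames = [
        # A broadcasts a request for B's address
        build_arp_frame("ff:ff:ff:ff:ff:ff", A, ARP_REQUEST, A, ip_a, "00:00:00:00:00:00", ip_b),
        # B answers with its own MAC (legitimate binding learned here)
        build_arp_frame(A, B, ARP_REPLY, B, ip_b, A, ip_a),
        # C answers later, claiming B's IP with C's MAC (the overriding reply)
        build_arp_frame(A, C, ARP_REPLY, C, ip_b, A, ip_a),
    ]
    mon = ArpBindingMonitor()
    for f in frames:
        mon.observe(f)
    return mon


if __name__ == "__main__":
    m = run_demo()
    print("bindings:", m.bindings)
    print("alerts:", m.alerts)
```

The monitor trusts whichever reply arrives first, which is exactly the weakness the text points out: if station C answers before station B, the wrong binding is learned and B's genuine reply is the one reported as a conflict. That is why the text calls for a reliable, independently established correspondence between a host's IP and MAC addresses rather than one inferred from reply ordering.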
Thus, there is a need in the art for methods and systems to ensure a reliable correspondence between a host's Layer 2 MAC address and the host's Layer 3 IP address.