ARP Storm Detection and Prevention Measures

The Address Resolution Protocol (ARP) is used by computers to map network addresses (IP) to physical addresses (MAC). The protocol has proved to work well under regular circumstances, but it was not designed to cope with malicious hosts. By performing ARP storming attacks, an intruder can create Denial of Service (DoS) in another host and prevent it’s functioning or just cause network slowdowns. Several methods to mitigate, detect and prevent these attacks do exist at the router level and through certain customized software tools. In this paper we propose an algorithm to detect the ARP storm at the local sub network level within the ARP boundary in real-time and in offline mode. In real-time, the software detects dynamically, the IPs from which the ARP storm emanates. The inexpensive and portable software developed can be implemented in SOHOs in each machine in the local network. The attempt was successful and also effective in terms of cost, portability and ease of use. The offline packet analysis software, detects all the possible malicious IPs that are responsible for the ARP storm from among the packets captured in real-time using Wireshark. The proposed method also suggests the means of preventing the ARP storm.