Learning LAN and ARP Spoofing Attack in a Game

A study by Verizon’s Data Breach Investigations Report states that local area network (LAN) access is the top vector for insider threats and misuses. LAN protocols have many vulnerabilities and most of them are very easy to exploit. In Ethernet, the common vulnerabilities come from Address Resolution Protocol (ARP) and the weakness of switches that computers are connected to. It is critical for students to learn these vulnerabilities and know the common countermeasures, which include static ARP cache entries, improved ARP module in operating systems, encryption, access control, intrusion detection, and data backup. To be able to understand how these attacks and counter measures work students should have a firm understanding of how Ethernet and ARP work.We have previously developed several tools for teaching different aspects of the topic. The first tool we developed was a simulation tool for visualizing how attacks on LAN work. Users can select several Man-In-The-Middle attacks including ARP spoofing, Switch Port Stealing, and Switch Port Flooding attacks and see how these attacks work with animation. Visualization and simulation can help students learn security concepts by letting them see the dynamics of changes in data structures that exist inside computers and networks. However, it lacks realness and therefore is less convincing, resulting in a lack of enthusiasm from students. Later, we developed a hands-on lab that carries out real-world ARP spoofing attacks with virtual machines. Students will manually create real Ethernet frames that poison the ARP caches of the victim and the router. Then, students use Wireshark to see all the Internet traffic of the victim captured. Students can feel the excitement of successful real-world attacks. Due to the lack of visualization components, students may not clearly understand the internal dynamics of such attacks. To enhance learning further, we developed a tool that combines real-world attacks with visualization that intuitively shows the effects of the real ARP spoofing attack in real-time. It runs on virtual machines installed with Kali Linux. This tool animates attack packets, normal packets, and the status of ARP cache in real-time. If students have successfully carried out the ARP spoofing attack, they can see the normal packets being routed to the attacker machine and the victim’s ARP cache being poisoned. All findings on these tools have all been published in reviewed conference proceedings.Although the tools mentioned above have shown to be effective in teaching ARP spoofing according to the assessments carried out in the classrooms, they have a few problems. The first one is the difficulty in dissemination for wider adoption. Because the tools contain virtual machines that are several gigabytes in size, it will take some time to download and large hard drive space is needed. It is also technically challenging to successfully install and configure virtual machines. In addition, they only work on computers that can install VirtualBox or VMware. The second problem is that they are quite difficult to finish for students with little background knowledge in LAN. The tools lack guided learning components that can lead students to the solution gradually. The last problem is the lack of fun in these tools which may not engage students especially for younger ones in high schools.Games have been successfully used in many areas of education to engage students in learning. Research has shown multiple benefits of cyber security games. Games can provide educational and immersive experiences, which will inspire students to explore more in the security field and help students test their knowledge in authentic settings. Google’s Interland and PBS’s Cybersecurity lab are examples of such games that teach comprehensive cyber security concepts to younger audiences. However, to our knowledge, there is no game developed to teach LAN and ARP spoofing concepts.In this paper, we present an educational game we created to address the issues presented above. The game is developed with the Unity game engine and deployed on the world wide web. Therefore, the game is accessible anywhere on the Internet with a web browser. The game has several levels of difficulty that guide learning from the basics of LAN to the countermeasures. This game’s primary learning objectives are 1) Learn how switches and hubs work, and how ARP protocol works; 2) Learn how ARP spoofing works; 3) Learn the counter measures against LAN attacks.We used the Unity game engine and C# programming language to develop the game. The Unity game engine is the leading global game development software. Unity makes it easy to deploy games to different platforms such as desktop, mobile, the Web, etc. The prototype would be hosted on the Web and students would be allowed to play online using the web link and provide feedback.The game is presented in the form of a 3-level building. Each level has multiple rooms where each room holds the content to learn on a different concept. The Home screen of levels 1, 2, and 3 where each level comprises of one Learning objective: level 1 covers the LAN, IP, ARP; level 2 covers ARP spoofing and cache poisoning; Level 3 covers the Counter Measures. The player must go through each concept and answer the quiz questions before the player can move to the next room. At the end of each level, the player will get additional challenges to complete to move to the next level. At the beginning of each level, the student will be given a set of instructions to play the Game, how to navigate and what objective they will be learning in the level.The game events which describe the player’s interaction with the game will be logged and submitted for further analysis through the GameSparks. Once the player completes all the levels, the player will enter the post-assessment stage, where they will complete a post-test and survey. The post-assessment results will be automatically collected and submitted for quantitative analysis. The game will be made available on the project website. Assessment will be carried out when the new semester begins.