ARP anti-spoofing Policy

Article submitted: backspray (nimaozhi_at_163.com)

Recently, ARP-related malware has become rampant, and many victims have been involved. Major anti-virus manufacturers in China have also launched the arpfirewall. However, most firewalls have their own tables. The reason is as follows. This article is not a popular science, but mainly about ideas. Let the world be quiet. In addition, I learned to get familiar with the ARP protocol and write the test code for ARP spoofing and anti-spoofing at the end of the day. It would be a little more than a week before and after. I am sorry for the limited experience and omissions.
ARP protocol and ARP spoofing are not introduced here. There are many articles on the Internet.
To facilitate understanding, the following terms are constructed:
Assume that there is a gateway in the LAN, the host that initiates spoofing (hereinafter referred to as spoofing host), and the host that is cheated
Two-way spoofing: The Gateway considers the host to be deceived and the host to be deceived as the gateway;
One-way spoofing Gateway: only the gateway considers the host to be cheated;
One-way spoofing target host: only the deceived host deems it a gateway;
In addition to sniffer, ARP is now a popular method to use ARP for HTTP Trojan mounting. Therefore, the following impacts are measured from this perspective.
Due to different environments, the next step is continued. An IDC is spoofed by ARP. Generally, the IDC is dominated by servers, and the data sent externally is dominated by HTTP response packets, in this case, one-way spoofing of the target host is very harmful. In a LAN environment such as an ordinary company, home, or Internet cafe, the data sent to external parties is mainly HTTP requests, and the data received is mostly HTTP response packets, in this case, the one-way spoofing gateway is very harmful.
There is also a relationship with the gateway. There are two simple gateways:
1. Support binding IP addresses and MAC addresses;
2. Binding IP addresses and MAC addresses is not supported.
The gateway that supports binding IP addresses and MAC addresses is easy to handle, so we will not discuss this situation here. We will mainly discuss the situation that does not support binding IP addresses and MAC addresses:
The following example shows the existence of ARP two-way spoofing. After arp fw is installed, FW will handle the situation.
The first case-in LAN environments such as ordinary companies, families, and Internet cafes, the gateway does not support binding IP addresses and MAC addresses:
First, let's talk about the spoofing strategy. Here, we have to mention arpspoof (hereinafter referred to as). Recently, this tool has become popular and has been well written, open-source, and well-analyzed. The source code of Version 3.1 I have obtained. If you do not modify the as code, you only need to change the configuration file slightly when the configuration file is under two-way spoofing in the current situation, you can use ARP to mount Trojans. However, if the cheated host is bound to a MAC address of the correct gateway, it will not work. However, if someone modifies the as code so that it supports gzip decoding, and sends the packet that should have been sent to the affected host, restructured and decoded, and then sends it to the affected host. Then you can cheat again.
Then, let's take a look at arp fw in China. Weak. When FW goes in, the correct gateway Mac cannot be detected. You need to manually enter this field. The correct gateway Mac can be automatically detected. The general steps are as follows:
1. Obtain the MAC address of the current Gateway (for example, using the sendarp function );
2. Use the IP address of the gateway to send a broadcast packet to obtain the MAC address of the gateway;
3. Compare packet capture. If the MAC of the gateway obtained in step 1 is the same as that obtained in step 2, the gateway Mac is not forged. If two ARP reply packets are obtained in step 2, the two packets are compared with the Mac in step 1. The same description is forged. If only one ARP reply is obtained in step 2, the Mac obtained in step 2 prevails.
After detecting the correct gateway Mac, you can statically bind the gateway IP address and MAC address to prevent others from forging the gateway.
Basically, this idea is flawed. Yes, it can defend against the current. Because as sends ARP spoofing packets at an interval of 3 s, if you do not change the source code. At this time interval, these three steps are capable of obtaining the correct gateway, but if the interval is set to be short, there is no interval to issue ARP spoofing packets. Now all ARP firewalls in the Chinese market are down. I tested two models. Here I will explain the test results:
1. Jinshan arp fw fell down. (As can implement two-way spoofing if there is no interval ).
2. 360 arp fw, fell down, and fell in love. When it goes down, if you click to get the correct gateway again, it will wait a few seconds and report an ARP attack. When I read the malicious Mac in the attack report, the malicious Mac is sent by the correct gateway. (Two-way spoofing can be performed without any interval ).
I did not test Rui. Because I didn't get its registration code. To a potential buddy. As a result, he was despised by the buddy. His original saying was "I don't need garbage rising." (the chat record was directly Ctrl + V, and I didn't even change the wrong word ). Now, if we comment on which software kill has the most processes in the world, we should be able to rank first. Pai_^
Although it was not tested, the result should not be able to run. Because the ARP protocol is there.
First, let's explain why the correct gateway Mac can be detected at an interval of 3 seconds. During the second step, an ARP reply must be sent to the gateway before the broadcast packet is sent to notify the gateway of its correct Mac, then the gateway can send its MAC to the deceived host. This process must be completed within 3 seconds. Therefore, if the as spoof does not have an interval. Then the gateway receives your IP address and MAC address. The host that initiates the spoofing will immediately go to the gateway and change it back. In this way, although the deceived host sends a broadcast packet, the gateway sends its MAC address to the spoofed host instead of to the deceived host based on the MAC address. In this way, the deceived host still cannot obtain the MAC address of the correct gateway. In addition, even if the deceived host gets the correct gateway Mac, it can only ensure that it is not deceived to send packets externally, but the packets received will still be cheated. Of course, FW can play with the as saw, both of which are scrambling to go to the edge of the gateway to brush their mac. However, packet loss is easy.
In fact, there is still a relative solution to this situation. Is to completely change the face. Change the IP address and MAC address at the same time, no matter what the FW uses to add the NDIS virtual Nic, or replace the current IP address and MAC address directly through code. Only the correct gateway Mac can be obtained. Otherwise, the correct gateway Mac cannot be obtained. Nothing else (as for what to manually fill in the gateway Mac and so on. I will not discuss it first. There are not as many users as you think about what a gateway is ).
This is a relative solution, provided that there are surplus IP Resources in the LAN. In addition, it has some drawbacks. If some machines are shut down, and the victim replaces the IP address of the machine, conflicts will occur in the future. Of course there are solutions. There are many, so we will not discuss it here.
Therefore, you must first determine which IP addresses are not used. You can broadcast the MAC address of each IP address in the ARP request lan. If someone replies, this IP address is used and no one responds, is the surplus IP address.
Just change your IP address and MAC address.
After the change, refresh the gateway quickly. After obtaining the MAC address of the correct gateway, you can ask whether the user has changed it back and changed it back, because packet loss cannot be avoided. The network speed is also easily affected.
The second case is about ARP spoofing in the data center. For more information, see the above. Note that the Internet IP address and Intranet IP address are mapped in the IDC. Changing the IP address and MAC address will lead to network disconnection, Which is risky. In addition, after obtaining the MAC address of the correct gateway, the IP address and MAC address must be changed back. In other words, packet loss is inevitable in the case of data centers.
If you have any opinion on this article, welcome to e me, backspray008@gmail.com

From: http://www.xfocus.net/articles/200711/960.html

Wiki address: http://wiki.mygogou.com/doc-view-734.html