ARP principles and protection

Source: Internet
Author: User

I. Basic principles of ARP:
Address Resolution Protocol (ARP) is a TCP/IP protocol used to obtain a physical (MAC) address from an IP address. When a host needs to send to an IP address on its local network, it broadcasts an ARP request containing the target IP address to all hosts on the segment and uses the reply to learn the target's physical address. The IP-to-MAC mapping from the reply is stored in the local ARP cache for a limited time, so later sends to the same address are served from the cache instead of repeating the exchange. ARP is built on mutual trust between the hosts on a network: any host can send an ARP reply on its own initiative, and a host that receives a reply does not check its authenticity before writing the mapping into its ARP cache. An attacker can therefore send a forged ARP reply to a host so that the victim's frames never reach the intended host, or reach the wrong one; this is ARP spoofing. The arp command queries the IP-to-MAC correspondences held in the local ARP cache and adds or deletes static mappings. Related protocols are RARP and proxy ARP. In IPv6, ARP is replaced by the Neighbor Discovery Protocol (NDP).

II. ARP functions:
ARP is defined by the Internet Engineering Task Force (IETF) in RFC 826. It is an indispensable part of IPv4, the widely deployed version of the Internet Protocol (at the time of writing, IPv6 was still in the early stages of deployment).
The OSI model divides network functions into seven layers. IP addresses belong to Layer 3, while MAC addresses belong to Layer 2. When an IP datagram is sent over Ethernet it carries both a Layer 3 header (32-bit IP addresses) and a Layer 2 header (48-bit MAC addresses). At the moment of sending only the target IP address is known, so if the matching MAC address is not already known, ARP must be used. ARP resolves the target hardware (MAC) address from the destination IP address in the network-layer header, which is what makes delivery on the local link possible.
III. Working process
The IP address of host A is 192.168.1.1 and its MAC address is 0a-11-22-33-44-01;
The IP address of host B is 192.168.1.2 and its MAC address is 0a-11-22-33-44-02;
When host A needs to communicate with host B, ARP resolves the IP address of host B (192.168.1.2) to the MAC address of host B. The workflow is as follows:

Step 1: Using its routing table, host A determines that the forwarding (next-hop) IP address for reaching host B is 192.168.1.2 itself, because B is on the same subnet. Host A then checks its local ARP cache for a MAC address matching host B.

Step 2: If host A finds no mapping in its ARP cache, it broadcasts an ARP request frame to all hosts on the local network asking for the hardware address of 192.168.1.2. The request carries the IP address and MAC address of the source host A. Every host on the local network receives the ARP request and compares the requested IP address with its own; a host whose IP address does not match discards the request.

Step 3: Host B determines that the IP address in the ARP request matches its own. It adds the IP-to-MAC mapping of host A to its local ARP cache.

Step 4: Host B sends an ARP reply containing its MAC address directly (unicast) back to host A.

Step 5: When host A receives the ARP reply from host B, it updates its ARP cache with the IP-to-MAC mapping of host B. Cache entries have a lifetime; once it expires, the process above is repeated. Once host A knows the MAC address of host B, it can send IP traffic to host B.
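The five steps above, as an added example that is not part of the original article: it packs and parses the 28-byte Ethernet/IPv4 ARP packet defined in RFC 826, and drives the request/reply exchange between host A and host B through a hypothetical Host class with a TTL-bounded cache. The Host class and its method names are assumptions for illustration; a real operating-system stack behaves similarly but is not this code. Note that the reply handler deliberately performs no authenticity check, which is the behaviour ARP spoofing relies on.

```python
import struct

# RFC 826 packet layout for Ethernet/IPv4: hardware type (2), protocol type (2),
# hardware address length (1), protocol address length (1), opcode (2),
# sender MAC (6), sender IP (4), target MAC (6), target IP (4) = 28 bytes.
ARP_FMT = "!HHBBH6s4s6s4s"
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST = 1
OP_REPLY = 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    # Accept both "0a-11-22-33-44-01" and "0a:11:22:33:44:01".
    return bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, opcode,
                       mac_to_bytes(sender_mac), ip_to_bytes(sender_ip),
                       mac_to_bytes(target_mac), ip_to_bytes(target_ip))


def parse_arp(raw: bytes) -> dict:
    size = struct.calcsize(ARP_FMT)
    if len(raw) < size:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, raw[:size])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": bytes_to_mac(smac), "sender_ip": bytes_to_ip(sip),
            "target_mac": bytes_to_mac(tmac), "target_ip": bytes_to_ip(tip)}


class Host:
    """Hypothetical host model: an IP, a MAC and an ARP cache with per-entry expiry."""

    def __init__(self, ip, mac, cache_ttl=60.0):
        self.ip, self.mac, self.cache_ttl = ip, mac, cache_ttl
        self.cache = {}  # ip -> (mac, expires_at)

    def lookup(self, ip, now):
        entry = self.cache.get(ip)
        if entry is not None and entry[1] > now:
            return entry[0]
        self.cache.pop(ip, None)  # expired (step 5: lifetime ended) or absent
        return None

    def learn(self, ip, mac, now):
        self.cache[ip] = (mac, now + self.cache_ttl)

    def request_for(self, target_ip):
        # Step 2: broadcast request; the target MAC field is zero because it is unknown.
        return build_arp(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def handle(self, raw, now):
        pkt = parse_arp(raw)
        if pkt["op"] == OP_REQUEST:
            if pkt["target_ip"] != self.ip:
                return None  # step 2: not addressed to us, discard
            # Step 3: cache the requester; step 4: unicast a reply with our MAC.
            self.learn(pkt["sender_ip"], pkt["sender_mac"], now)
            return build_arp(OP_REPLY, self.mac, self.ip, pkt["sender_mac"], pkt["sender_ip"])
        if pkt["op"] == OP_REPLY and pkt["target_ip"] == self.ip:
            # Step 5: record the mapping. No check that the sender really owns sender_ip.
            self.learn(pkt["sender_ip"], pkt["sender_mac"], now)
        return None


def resolve(host_a, host_b, now=0.0):
    """Run the exchange; returns the MAC host A ends up holding for host B."""
    cached = host_a.lookup(host_b.ip, now)  # step 1: consult the cache first
    if cached is not None:
        return cached
    reply = host_b.handle(host_a.request_for(host_b.ip), now)
    if reply is None:
        return None
    host_a.handle(reply, now)
    return host_a.lookup(host_b.ip, now)


if __name__ == "__main__":
    a = Host("192.168.1.1", "0a-11-22-33-44-01")
    b = Host("192.168.1.2", "0a-11-22-33-44-02")
    print("A resolves B to", resolve(a, b))
    print("B cached A as", b.lookup("192.168.1.1", 0.0))
```

Running the block with the article's two hosts prints 0a:11:22:33:44:02 for host B and shows that host B has also cached host A from the request, exactly as step 3 describes.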

IV. ARP spoofing:

ARP is built on mutual trust between the hosts in a network. That trust makes the network efficient, but it also has a weakness:
The ARP address translation table is held in the host's cache and updated dynamically. The cache is bounded by its update cycle and keeps only the mappings of recently used addresses, which gives an attacker the chance to modify the translation table before the cache refreshes an entry and so carry out an attack. ARP requests are broadcast, any host on the network can send an ARP reply on its own initiative, and a host receiving a reply does not check its authenticity before recording it in its local MAC address table. An attacker can therefore send forged ARP replies to a target host to tamper with that table. ARP spoofing can prevent the target from communicating with the gateway, and it can also redirect the target's traffic: all of its data then passes through the attacker's machine (a man-in-the-middle position), which is a serious security risk.

V. Basic defense measures
1. Do not base network security trust relationships on an IP address alone or a MAC address alone (RARP has the same spoofing problem); the trust relationship should be based on IP + MAC together.
2. Set a static MAC-to-IP table on the host and do not allow the host to refresh the configured entries.
3. Stop using dynamic ARP where it is not needed, and save the required ARP entries as permanent entries in the table.
4. Use an ARP server. The server answers ARP broadcasts from other machines out of its own ARP translation table. Make sure the ARP server itself cannot be compromised.
5. Use a proxy to relay IP traffic.
6. Use hardware to isolate hosts. Configure routing so that each IP address is reached over a known valid path (static routes and static ARP entries). Note that switches, hubs and bridges do not block ARP spoofing.
7. The administrator periodically checks the authenticity of ARP replies, for example by issuing an RARP request for the MAC address found in a reply and comparing the IP address that comes back.
8. The administrator regularly polls and checks the ARP cache on each host.
9. Use a firewall to monitor the network continuously. Note that when SNMP is used, ARP spoofing may cause trap packets to be lost.
10. If a host is infected by an ARP virus (malware that sends forged ARP replies), clear the ARP cache, set the correct ARP mappings manually, add the needed route information, and run anti-virus software.
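Measures 2, 8 and 9 above, as an added example that is not part of the original article. It audits a host's ARP cache against a static IP-to-MAC table (measure 8), emits the iproute2 commands that pin those mappings as permanent entries (measure 2), and implements an arpwatch-style monitor over the sender IP/MAC claims seen in ARP replies (measure 9), alerting on a claim that contradicts the static table, on an IP whose MAC changes, and on one MAC claiming more IP addresses than allowed. The cache listing, the authorized table and the sequence of replies are constructed sample data in the format of `ip neigh show` on Linux; the ArpWatch class and function names are assumptions for illustration.

```python
import re

# Constructed sample in the format of `ip neigh show`, captured after a forged reply
# for the gateway (192.168.1.254) has been accepted. Entries with no MAC
# (FAILED/INCOMPLETE) carry no "lladdr" field and are skipped by the parser.
SAMPLE_NEIGH_OUTPUT = """\
192.168.1.254 dev eth0 lladdr 0a:11:22:33:44:ee REACHABLE
192.168.1.2 dev eth0 lladdr 0a:11:22:33:44:02 STALE
192.168.1.50 dev eth0  FAILED
"""

# Hypothetical static IP->MAC table (measure 2): the gateway and host B.
AUTHORIZED = {
    "192.168.1.254": "0a:11:22:33:44:fe",
    "192.168.1.2": "0a:11:22:33:44:02",
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) lladdr "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<state>\S+)$"
)


def parse_ip_neigh(text):
    """Parse `ip neigh show` lines into (ip, mac, dev, state) tuples."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["dev"], m["state"]))
    return entries


def audit_cache(entries, authorized):
    """Measure 8: report cache entries that disagree with the static table."""
    findings = []
    for ip, mac, dev, state in entries:
        expected = authorized.get(ip)
        if expected is not None and expected.lower() != mac:
            findings.append(f"{ip} on {dev}: cache holds {mac}, authorized {expected} ({state})")
    return findings


def pin_commands(authorized, dev):
    """Measure 2: iproute2 commands that make the authorized mappings permanent."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in authorized.items()]


class ArpWatch:
    """Measure 9: track sender IP->MAC claims from ARP replies seen on the wire."""

    def __init__(self, authorized, max_ips_per_mac=1):
        self.authorized = {ip: mac.lower() for ip, mac in authorized.items()}
        # A router doing proxy ARP legitimately answers for many IPs; raise this for it.
        self.max_ips_per_mac = max_ips_per_mac
        self.seen = {}            # ip -> last MAC that claimed it
        self.flagged_macs = set()  # MACs already reported for claiming too many IPs
        self.alerts = []          # (kind, subject, detail)

    def observe(self, sender_ip, sender_mac):
        mac = sender_mac.lower().replace("-", ":")
        expected = self.authorized.get(sender_ip)
        if expected is not None and mac != expected:
            self.alerts.append(("static-mismatch", sender_ip, f"{mac} != {expected}"))
        previous = self.seen.get(sender_ip)
        if previous is not None and previous != mac:
            self.alerts.append(("flip-flop", sender_ip, f"{previous} -> {mac}"))
        self.seen[sender_ip] = mac
        claimed = sorted(ip for ip, m in self.seen.items() if m == mac)
        if len(claimed) > self.max_ips_per_mac and mac not in self.flagged_macs:
            self.flagged_macs.add(mac)
            self.alerts.append(("many-ips", mac, ",".join(claimed)))
        return self.alerts


# Constructed (sender IP, sender MAC) pairs from ARP replies: two genuine replies,
# then an attacker at 0a:11:22:33:44:ee claiming the gateway and then host B.
SAMPLE_REPLIES = [
    ("192.168.1.254", "0a:11:22:33:44:fe"),
    ("192.168.1.2", "0a:11:22:33:44:02"),
    ("192.168.1.254", "0a:11:22:33:44:ee"),
    ("192.168.1.2", "0a:11:22:33:44:ee"),
]


def run_watch(replies=SAMPLE_REPLIES, authorized=AUTHORIZED):
    watch = ArpWatch(authorized)
    for ip, mac in replies:
        watch.observe(ip, mac)
    return watch.alerts


if __name__ == "__main__":
    for finding in audit_cache(parse_ip_neigh(SAMPLE_NEIGH_OUTPUT), AUTHORIZED):
        print("AUDIT:", finding)
    for kind, subject, detail in run_watch():
        print(f"ALERT {kind}: {subject} {detail}")
    for cmd in pin_commands(AUTHORIZED, "eth0"):
        print(cmd)
```

On the sample data the audit flags the gateway entry, the monitor raises a static-mismatch and a flip-flop alert for each of the two forged replies plus a many-ips alert once the attacker's MAC is claiming both addresses, and the printed `ip neigh replace ... nud permanent` commands are what an administrator would run (as root) to pin the correct mappings per measure 2. The monitor only sees what is on the wire; it complements, not replaces, the static entries.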
