ARP spoofing and Solutions

True and false ARP defense Difference Method ARP Ultimate Solution

ARP Analysis and Solution.

If your network suddenly drops, or some machines are occasionally dropped, or a machine is dropped. in addition, several types of dropped connections are automatically restored. congratulations, you have won the prize. the prize is ARP spoofing. don't be happy or excited, because this award is huge and many friends are enjoying it. what is ARP? Let's talk about it here.

* For the sake of a friend "don't worry *" add another paragraph, "don't drop the line, everything looks like normal ARP"

* In the past few days, many of my friends have proposed some network solutions and asked if they can solve the ARP problem completely. Some friends have asked for help.

Let's not say it one by one. Catch it together (the solution is at the end)

ARP spoofing principle:

Therefore, machines in the same net communicate through MAC addresses. The method is as follows: the PC communicates with another device. The PC first looks for the IP address of the other device, and then uses the ARP table (the ARP table contains the MAC address corresponding to the IP address and IP address) call up the corresponding MAC address. Communicate with the other party through the MAC address. That is to say, in the Intranet, the addresses that devices look for and communicate with each other are MAC addresses, rather than IP addresses.

However, too many security issues were not taken into account in the original ARP design. There are many hidden dangers for ARP. ARP spoofing is one example.

Any machine in the network can easily send ARP broadcasts to claim its IP address and MAC address. In this way, the machine will create an ARP entry in its ARP table to record its IP address and MAC address. If this broadcast is incorrect, other machines will accept it. For example, 192. 168. 1. The MAC address of the 11 host is 00: 00: 00: 11: 11: 11, and the IP address of the host that he broadcasts on the Intranet is 192. 168. 1. 254 (in fact, it is the IP address of the router), and the MAC address is 00: 00: 00: 11: 11: 11 (his own real Mac). In this way, you will give 192. 168. 1. 254 information and sent to 00: 00: 00: 11: 11. That is, 192. 168. 1. 11... With this method, the hacker only needs to build a software program and then can lie to anyone on the Intranet. software is everywhere on the Internet and can be used by dwon. more casual, more casual...

Based on the principle, ARP technology is further divided into PC spoofing and route spoofing. Their differences are elaborated in the subsequent ARP solutions.

Causes of ARP spoofing:

After the rise of online games, hackers also went crazy. ARP spoofing is a good way to steal accounts. When using an Internet cafe, the attacker first finds the MAC address of the Intranet gateway, then sends the ARP spoofing message to the attacker, and reports that the machine on the Intranet is the gateway. For example, 192. 168. 1. 55 MAC00-14-6c-18-58-5a machine for the hacker account, first, he will first find the Intranet Gateway (intranet gateway is 192. 168. 1. 1 MAC is xx. xx ). Then he sends an ARP broadcast, saying that his IP address is 192. 168. 1. 1 The MAC address is 00-14-6c-18-58-5a. In this way, all machines on the Intranet that receive the message will mistakenly think of it as the Intranet gateway. All the Internet information will be sent to this machine through his MAC address. Because no real gateway is found, these cheated machines will not be able to access the Internet. All the information sent will be received by the hacker. By analyzing the received information, the hacker can find useful information in it, especially the information about the account, in this way, the account of the player in the game is obtained, and a number theft event occurs.

ARP discovery:

The Internet cafe is disconnected. Is it ARP? How to judge. Well, here is the method.

The common problem of ARP is disconnection. On the basis of disconnection, we can identify the following methods: 1. In general, you can reply to the normal internet connection within 1 minute without processing it. Because ARP spoofing is based on the time limit, after the time limit, it will automatically return to normal. In addition, most routers keep broadcasting their correct ARP in a short period of time, so that the deceived machines can return to normal. However, if there is an aggressive ARP spoofing (in fact, it is a very short amount of spoofing ARP, there are hundreds of thousands in a second ), he continuously blocks Intranet machines from accessing the Internet through a large number of ARP spoofing attacks. Even if the router Continuously Broadcasts the correct packets, it will be overwhelmed by a large number of error messages. 2. Open the DOS interface of the cheated machine and enter the ARP-a command to view the ARP table. the MAC address of the gateway can be used to identify whether ARP spoofing occurs. However, due to the time limit, this task must be completed before the machine returns to normal. If there is a spoofing problem, the invalid gateway MAC address is displayed in the ARP table, which is a black/white point to the real gateway Mac.

ARP solution:

Now we can see that the ARP solution is a little inefficient and unstable. I am familiar with Xin Xiang routing. Let's take him as an example.

1. Route ARP broadcast.

Some domestic hardware routes have this function, which was first found in the Xinxiang route. I feel good. There are some methods, but it seems that I haven't found it in the soft route. The soft route guys are working hard. the principle is that the router Continuously Broadcasts the correct router arp. for example, if the IP address of the vro is 192.168.1.1 Mac: 11: 12: 13: 14: 15: 16, then the correct ARP will be broadcast continuously every second. no matter whether your intranet machine prefers to receive packets or not, the ARP table is changed once the ARP table is received once every second. endless, endless, endless, and no loss ..... if ARP spoofing occurs, the attacker sends a spoofing message, and the PC receives the correct message as soon as it receives the spoofing message. so the problem is solved. but there is a hidden risk, that is, the broadcast storm. should the uninterrupted broadcast be an Intranet network ??? (I consulted an engineer at home Xin X from a factory in China with questions. The engineer enthusiastically relieved my doubts. Thank you first ). the frequency of sending APR broadcasts per second is minimal in the Intranet, because broadcast occurs on any machine. The amount of information sent by one ARP Server is equal to that of several machines at most, it does not affect the Intranet. however, this method has its own problem. When the attacker increases the frequency of spoofing ARP more than the route (it is very easy to implement in the spoofing software), it will still cause the spoofing effect. the solution should also be simple, that is, increasing the broadcast frequency of the vro, but Xin X's engineers deny this method. For the reason, please refer to Article 2nd.

2. Over-route ARP broadcast.

Recently, we found that some routing manufacturers can completely prevent ARP problems. I learned how to deal with it with reverence and had to be disappointed. It was very disappointing and sad. the so-called full protection is actually the previous ARP broadcast, but simply increasing the frequency to 100 per second. 200 ..... times. this method is better than ARP once per second. but it is not worth the candle, or even a bit ..... don't talk about it. let's take a brief analysis. The second is 100 for example. That is to say, the vro sends 100 ARP broadcasts, 200 computers, and each machine processes 100 times per second. if there are 10 switches, 10 switches will be processed for 100 times. each time the switch forwards the information to each other, the amount of ARP information processed per second is calculated based on the power of 10 N x 100. if you understand the broadcast mode, you will know that the exchange of information between the two companies will continue to pass information, you send it to everyone, I receive it, and will send it to everyone. you have received the message and want to send it to you. in this way, each PC will eventually receive tens of thousands of messages per second (should this amount be small or not big ?). This is done 100 times per second. I don't know what it will look like inside the network ?? Is it okay for the PC to maintain the ARP table and do nothing else? Is it worth 7*24 hours of network tossing for an ARP attack? How much should the network performance be reduced. when a person is full or has a small internal network attack, it may be a little difficult to prevent the Internet cafe from being paralyzed. It is easy to write dead words. of course, you cannot feel it at ordinary times. but I want to ask the engineer who came up with this method to solve the problem?

3. recommended method. Static binding.

The most effective solution to ARP is to eliminate its spoofing path.

Spoofing uses dynamic and real-time ARP rules to spoof Intranet machines. Therefore, setting ARP to static can fundamentally solve the spoofing of Intranet PCs.

The method is as follows: Find the MAC address of the LAN port of the router and set the MAC address to each PC through static means. Through commands, ARP-s can be implemented. First, create a batch file. The content contains only one line of command, "MAC address of ARP-s intranet gateway Gateway", for example, "ARP-s 192.168.1.1 00-13-32-33-12-11 ". put the batch processing file into the startup, so that the file will be executed every time you start up. Even if ARP spoofing occurs, the PC will not ignore the spoofed ARP because we set the static mode.

If the settings are successful, you can run ARP-A on the PC to see the related prompt:

Internet address physical address type (note here)

192.168.1.1 00-0f-7a-05-0d-a4 static (static)

Generally, it is not bound. In dynamic scenarios:

Internet address physical address type

192.168.1.1 00-0f-7a-05-0d-a4 dynamic (dynamic)

ARP spoofing.

After static binding, why is it still offline? Or ARP? Unfortunately, ARP (ARP spoofing Routing ).

In some cases, the problem is not solved. Imagine what if the current solution is to impersonate an intranet PC instead of a gateway? The answer is "dropped", "Impersonate", and "dropped. because the router cannot find you after receiving the spoofing ARP, all the information forwarded to you is sent to the machine of the attacker... we can bind a gateway to a PC. is it possible to bind a PC to a route? The answer is no. Is it exhausting that the MAC addresses of each PC on the Intranet are bound to the route, and hundreds of MAC addresses are dizzy when they look at it, if you need to adjust the vro for any changes, hundreds of records will be too tired. to solve this problem, we have tested multiple devices, including three versions of soft routes, Xin X, Xia X, and ai x. (If you want to test them, it's easy to tell the local manufacturer agent that you want to try it out ). the final result is unsatisfactory. There is only one solution in the Three Soft routes, and each binding method is used. one of the three hard routes can be completely prevented, and the other two need to be bound (remind everyone that both products have limits on the number of bindings, which cannot be solved if the number is exceeded, pay attention to inquiries during procurement ). I did some research on a product that can be prevented but had no results. I once again called Xin X's engineers and asked for solutions. the engineer gave the answer. Xin X's route is a * system using the vxworkⅱ of WinDriver. the efficiency and security are much better than those of free Linux systems. The two-generation system itself can maintain a database without extracting data from the hardware database, data Table content is collected when the PC accesses the Internet. ARP spoofing is ignored, and ARP spoofing is blocked. and the Intranet can be changed and adjusted at will... hold on .. it's a bit like a factory draft ......

ARP issues are basically mentioned here, and we will add an ARP spoofing problem later. It is for switches, and many switches with management have an ARP table to be maintained, in addition, this table is used to improve data exchange efficiency. if ARP spoofing occurs, the switch cannot send data to the target IP address, so static ARP binding is required in the switch.

Why is there a normal ARP?

Have you ever encountered the problem of losing game numbers, QQ numbers, and wallet in Internet cafes?

In particular, a large number of accounts are lost, most of which are caused by ARP. The principle is: the hacker first cheated the PC and then the router.

In this case, the PC sends the information to the router, and then the router forwards the information to the router. when the receiver receives the information from the router, it sends it to the corresponding PC. in this way, you can steal your game account and your QQ number without affecting the normal internet access of the Intranet PC. he will try another way to steal your wallet (the next article focuses on preventing the theft of your wallet .)

Solution:

1. Xin X can solve the problem of ARP spoofing router without upgrading, because it can prevent it by itself. The reason is that VxWorks II is used. For details, we will not discuss it in detail. In addition, I would like to reiterate some misunderstandings that are easy to get... the router sends ARP packets to solve ARP spoofing, which is very clumsy. The ARP packet is sent several hundred times a second ..........

2. Virus killing or reinstalling the system does not make much sense, because can you ensure that it is not infected? Can you ensure that someone is active on the network?

3. For various types of servers, it is indeed a headache, because both liuxn and windows have to face various Intranet machine changes, exchanges, and other things. However, there is good news that Xin Xiang has a software similar to network management, which seems to be able to solve similar problems. It is estimated that the software will not be bad with Xinxiang's technology.

4. A friend suggested changing the IP address and MAC address of the Intranet PC to conflict with the route so that the route is down. This problem is beyond the scope of ARP. However, the method you mentioned is indeed very destructive, and my previous soft routing is really afraid of this thing. But it's okay to use Xinxiang's route.

5. The new machine will be slow and cannot access the Internet normally. But the machine that was originally on will be normal.

A: Ask the experts to help you find out if you have been planted with bots. If you cannot find a new system

If you have any questions, I will try my best to discuss them in depth...

Append the Xin Xiang ARP tool and introduce the usage and skills.

After two days of testing and use, we found that Xin Xiang's tool is still very adaptable to the trend. It is a good tool that everyone needs. It is a good comrade. Yes .... Now, let's discuss how to use it.

The recommended tools include:

1. Xin Xiang ARP tool. Including comprehensive ARP defense functions. (This includes winpcap_3_0. Please install this software first)

: Http://www.nuqx.com/downce...

2. The packet capture tool. Ethereal-setup-0.10.8.

Http://www.ethereal.com/di... al-setup-0.10.8.exe

Certificate -------------------------------------------------------------------------------------------------------------------------------------------------------------------

Xin Xiang ARP tool. (Xin Quan Xiang arptool .exe)

There are five main functions (all functions of the software that need to save files are saved in the directory where the software is located)

1. IP/MAC list

A. Select the network card. You do not need to set a single Nic. If multiple NICs need to be set to connect to the Intranet.

B. IP/MAC scan. The IP address and MAC address of all machines on the current network are scanned. Scan when the Intranet runs normally, because this table serves as a reference for later arp.

All subsequent functions require the support of this table. If you are prompted that the IP address or MAC address cannot be obtained, the table contains no corresponding data.

2. ARP Spoofing Detection

This function constantly checks whether the Intranet has a PC impersonating an IP address in the table. you can set the main IP addresses to the detection table, such as routers, movie servers, and the IP addresses of machines that require Intranet access.

(Supplement) how to understand the ARP spoofing record table:

"Time": the time when the problem is detected;

"Sender": the IP address or Mac that sends the spoofing message;

"Repeat": the number of times fraud messages are sent;

"ARP Info": refers to the specific content of sending spoofing information, as shown in the following example:

Time sender repeat ARP info

22:22:22 192.168.1.22 1433 192.168.1.1 is at 00: 0e: 03: 22: 02: E8

This message indicates that at 22:22:22, the spoofing message sent by 192.168.1.22 has been sent for 1433 times. The content of the spoofing message sent by him is: the MAC address of 192.168.1.1 is 00: 0e: 03: 22: 02: E8.

Enable the detection function. If the table IP address is spoofed, a prompt is displayed. You can follow the prompts to find the root cause of ARP spoofing on the Intranet. Note: any machine can impersonate another machine to send IP addresses and MAC addresses. Therefore, even if an IP address or MAC address is prompted to send spoofing messages, it may not be 100% accurate. Do not use brute force to solve some problems.

3. Proactive maintenance (quick solution)

This function can directly solve the problem of ARP spoofing disconnection, but it is not an ideal solution. Its principle is to constantly broadcast the correct MAC address of the specified IP address in the network. Some hardware routers use the ARP protection function, which is only used to automatically broadcast the correct ip mac of the gateway without interruption. In most cases, the ARP protection function is good. just ...... as mentioned above, I will not repeat it here.

Set the IP address to be protected in the "Create maintenance object" table. The packet sending frequency is the number of correct packets sent per second to all machines in the network. We strongly recommend that you set as few broadcast IP addresses as possible and as few broadcast frequencies as possible. Generally, it can be set once. If there is no bound IP address, ARP spoofing occurs, you can set it to 50-times. If there is still a disconnection, you can set it to a higher level, that is, ARP spoofing can be quickly solved. But to solve the ARP problem, refer to the above binding method.

4. Xinxiang router log

Collect the system logs and other functions of the Xinxiang router.

5. Packet Capture

Internet cafes seldom access packet-level settings or problems. This feature of Xin Xiang may bring everyone to a new technology level. However, packet analysis is much more complicated than general problems, but it can improve network control.

You can analyze various Intranet problems through captured packets. I will not explain it here. Basically all TCP/IP problems can be analyzed.

The blank items in the packet capture function control the packet capture rules. The Ethereal software is used for analysis. You can drag the package file to Ethereal to open it. Ethereal can capture or view packets. If you have the opportunity, you can study it.

######################################## ####################

Can the ARP problem be completely solved?

First, consider three aspects: 1. vro.. 2. The switch in the center of pc.3.

1. the router should choose to prevent ARP spoofing on the router, if you choose your own situation. the specific brand is not recommended, and I will come up with a way to prevent the difference between true and false arp. so that you can purchase with peace of mind.

2. All PCs need to be bound to vrouters and more important servers. (generally, server binding is not very important)

3. in the middle of the switch to disable Mac management function, or do the switch under the PC and other connection switch port MAC-IP binding. or choose a vswitch without Mac management. this function is actually not very useful for Internet cafes, because the main business is still access to the Internet, the Intranet's electricity traffic can be ignored in front of powerful switches.

All the above three points achieve ARP and there will be no evil .....

######################################## ####################

True and false ARP defense identification.

A lot of friends talk about ARP prevention. What are the 100 times and 200 times? That's annoying.

This is a simple and effective detection method.

1. Test PC spoofing prevention.

, Disable the vroarp, set pC1 to the same IP address as the vro, and enable the Xinxiang ARP tool. record the ip mac address of pC1 and set pC1 to "active maintenance ,............ in this way, the simulated ARP attack environment is assumed. enable the vro and set the Intranet as normal. then start active maintenance in "active maintenance". At this time, the router will always broadcast the wrong router Mac... first set it to 100 times, and only to 500 times to see if it can be prevented .... now let's look at the capabilities of your vro.

2. Prevent route spoofing.

Find 3 computers and set the wrong IP address first. then open the ARP tool record, add the three IP addresses to the active maintenance, and then change the IP addresses of the three computers to the correct ones ......... then, start the active maintenance .... check whether three computers can access the Internet .... black and white.

######################################## ####################

Automatically bind the local machine and the gateway's batch processing text

1. Batch bind IP addresses and network card addresses

@ Echo off

If % ~ N0 = ARP exit

If % ~ N0 = ARP exit

If % ~ N0 = ARP exit

ECHO is obtaining local information .....

: IP

For/F "Skip = 13 tokens = 15 usebackq" % I in ('ipconfig/all') do set IP = % I & goto Mac

: Mac

Echo IP: % IP %

For/F "Skip = 13 tokens = 12 usebackq" % I in ('ipconfig/all') do set MAC = % I & goto custom IP

: Elastic IP

Echo Mac: % Mac %

ARP-S % IP % Mac %

ECHO is obtaining gateway information .....

For/F "Skip = 17 tokens = 13 usebackq" % I in ('ipconfig/all') do set multicast IP = % I & goto encrypt Mac

: Running Mac

Echo IP: % gateip %

For/F "Skip = 3 tokens = 2 usebackq" % I in ('Arp-A % Taobao IP % ') do set hosts MAC = % I & goto start

: Start

Echo Mac: % running Mac %

ARP-d

ARP-S % gateip % gatemac %

Echo operation completed !!!

Exit

######################################## ###########################

2. Obtain the IP address and MAC address of the Local Machine & gateway through batch processing and then bind them.

@ Echo off

:::::::::: Read the MAC address of the Local Machine

If exist ipconfig.txt del ipconfig.txt

Ipconfig/All> ipconfig.txt

If exist phyaddr.txt del phyaddr.txt

Find "physical address" ipconfig.txt> phyaddr.txt

For/F "Skip = 2 tokens = 12" % m in (phyaddr.txt) do set MAC = % m

:::::::::: Read the IP address of the Local Machine

If exist ipaddr.txt del ipaddr.txt

Find "ip address" ipconfig.txt> ipaddr.txt

For/F "Skip = 2 tokens = 15" % I in (ipaddr.txt) do set IP = % I

:::::::::: Bind the local IP address and MAC address

ARP-S % IP % Mac %

:::::::::: Read the gateway address

If exist already ip.txt del already ip.txt

Find "Default Gateway" ipconfig.txt> gateip.txt

For/F "Skip = 2 tokens = 13" % G in (ip.txt) do set destination IP = % G

:::::::::: Read the MAC address of the gateway.

If exist gatemac.txt del gatemac.txt

ARP-A % slave IP %> gatemac.txt

For/F "Skip = 3 tokens = 2" % H in (gatemac.txt) do set hosts MAC = % H

::::::::: Bind the gateway MAC address and IP address

ARP-S % gateip % gatemac %

Exit

######################################## ####################

3. Obtain the IP address and MAC address of the local machine through batch processing and then bind them.

@ Echo off

For/F "tokens = 1 * delims =:" % I in ('ipconfig/All ^ | find/I "physical

Address "') do set MAC = % J

For/F "tokens = 1 * delims =:" % I in ('ipconfig/All ^ | find/I "ip

Address "') do set IP = % J

ARP-S % IP :~ 1% % Mac :~ 1%