ARP Protocol defects and prevention of ARP Spoofing

ARP attacks are so rampant that arp attacks were often used to intercept nearly 20 thousand arp attacks a day.

 

I. Working Principle of ARP

In TCP/IP, each network node is identified by an IP address, and the IP address is a logical address. In Ethernet, data packets are addressed by a 48-bit MAC address (physical address. Therefore, the correspondence (ing) between the IP address and the MAC address must be established. ARP is designed for this purpose.

The TCP/IP protocol stack maintains an ARP cache table. When constructing network packets, you first need to find the MAC address corresponding to the target IP address from the ARP table. If no IP address is found, send an ARP request broadcast packet and request the host with the IP address to report its MAC address. After receiving the ARP reply from the target IP address owner, update the ARP cache. ARP cache has an aging mechanism.

Ii. ARP Defects

ARP is based on all the nodes in the trusted lan. It is efficient but insecure. It is a stateless protocol. It does not check whether a request packet has been sent or whether (or not) it is a legal response, as long as you receive the ARP reply package or arp broadcast package (including ARP request and ARP reply) of the target MAC, it will accept and cache it. This provides the possibility of ARP spoofing. malicious nodes can publish fake ARP packets to affect the communication between nodes in the network, or even act as a "man-in-the-middle ".

Iii. Common ARP spoofing forms

1. Counterfeit ARP reply package (unicast)

XXX, I have IP YYY and my MAC is ZZZ!

2. Counterfeit ARP reply package (broadcast)

Hello everyone! I have IP YYY and my MAC is ZZZ!

Spread fake IP/MAC addresses to everyone

3. Counterfeit ARP request (broadcast)

I have IP XXX and my MAC is YYY.

Who has ip zzz? Tell me please!

The MAC address of ip zzz is displayed on the surface. It is actually a fake IP address and MAC ing (XXX, YYY)

4. Counterfeit ARP request (unicast)

MAC address with known IP address ZZZ

Hello ip zzz! I have IP XXX and my MAC is YYY.

5. Fake middlemen

Enable packet forwarding on a spoofing host (MMM for MAC)

Send a counterfeit ARP Reply to the host AAA:

AAA, I have IP BBB and my MAC is MMM,

Send a counterfeit ARP Reply to the host BBB:

BBB, I have IP AAA and my MAC is MMM

Due to the aging mechanism of ARP Cache, periodic continuous spoofing is also required.

Iv. Prevention of ARP Spoofing

1. carriers can use Super VLAN or PVLAN Technology

The so-called Super VLAN is also called VLAN aggregation. This technology creates multiple Sub VLANs in the same Sub-network and specifies the entire IP subnet as a VLAN aggregation (Super VLAN ), all Sub VLANs use the default gateway IP address of the Super VLAN. Different Sub VLANs still have their own broadcast domains. All hosts in the subnet can only communicate with their own default gateways. If each port of the switch or ip dslam device is converted into a Sub VLAN, all ports are isolated, which avoids ARP spoofing.

PVLAN is a Private VLAN. PVLAN uses two-layer VLAN isolation technology. Only the upper VLAN is globally visible, and the lower VLAN is isolated from each other. If each port of the switch or ip dslam device is converted into a (Lower Layer) VLAN, all ports are isolated.

Both PVLAN and SuperVLAN can achieve port isolation, but the implementation methods and starting points are different. PVLAN is designed to save VLAN, while SuperVlan is designed to save IP addresses.

2. You can bind an IP address to a MAC address in a LAN.

Bind IP + MAC on the PC and IP + MAC + port on the network device. However, unfortunately, Windows 98/me and Windows 2000/xp sp1 without arp patches (most of them have already been used) the static arp entries set by the system using ARP-s will be changed by ARP spoofing.

If only IP + MAC is bound to the network device, it is actually not safe, assume that a machine on the same Layer 2 sends a forged arp reply (the source ip address and the source mac address both fill in the target machine) to the gateway, it still causes the gateway to send traffic to the (physical) Port connected by the receiver, resulting in network failure.

For LAN using a large number of fool switches, users can adopt firewall and other methods that support arp filtering. We recommend that you use the Look 'n' Stop firewall to customize arp rules.

The last step is to use ARPGuard (to get to the topic), but it only protects communication between the host and the gateway.

V. Principles of ARPGuard

ARPGuard protects communication between hosts and gateways from ARP spoofing.

1. Obtain the MAC address of the gateway when the gateway is running for the first time (or when the gateway IP address is changed), and save Nic information, gateway IP address, and gateway MAC information to the configuration file, in other cases, use the configuration file directly.

2. Remove the original default route (for the current Nic)

3. Generate a random IP address and add it as the default gateway.

4. Bind the default gateway IP address to the MAC address of the Gateway (use DeleteIpNetEntry and CreateIpNetEntry to modify the ARP Cache table items)

5. Periodically checks whether the MAC value of the original default gateway (not the random IP address) in the ARP Cache is changed. If it is changed, an alarm is triggered.

6. Some attack programs only send spoofing packets to gateway devices (such as routers or layer-3 switches. Because the gateway MAC address in the local ARP Cache is not changed at this time, only active protection is required. By default, 10 ARP reply packets are sent per second to maintain the ARP Cache of the gateway device (optional)

7. Restore the default gateway and route when the program ends.

It is worth noting that the packet sending interval is limited to no less than 100 ms in the program, mainly because the excessive packets may cause a burden on network devices. If your attack is too violent, you can remove this restriction and set a smaller value to ensure that your communication works properly.