To understand the principles of ARP spoofing attacks, you must first understand what the ARP protocol is.
ARP is the abbreviation of Address Resolution Protocol. It is a link layer protocol that works in OSI.
The second layer of the model is connected between the current layer and the hardware interface, and provides services to the upper layer (Network Layer. We know that
The swap device cannot recognize 32-bit IP addresses, which are transmitted at 48-bit Ethernet addresses (MAC addresses ).
Ethernet packet. That is to say, IP data packets are transmitted in the LAN not by IP addresses but by MAC addresses.
Therefore, there must be a correspondence between the IP address and the MAC address, and ARP is used to determine the corresponding relationship.
Protocol. When ARP is working, the host is requested to send an Ethernet broadcast packet containing the desired IP address. However
Then the owner of the target IP address will respond to the request host with a packet containing IP and MAC address pairs. In this way, the request host can obtain
The MAC address corresponding to the IP address, and the request host will cache the address pair in its ARP table to save
Necessary ARP communication. The ARP cache table adopts the aging mechanism. If a row in the table is not used for a period of time (Windows
The system time is 2 minutes, and the Cisco router time is 5 minutes), it will be deleted, which can greatly reduce ARP slowdown
The length of the saved table to speed up the query. The following example shows the ARP working mechanism clearly.
ARP principle
As shown in, assume that we have two CIDR blocks, three hosts, two gateways, and are:
Host Name IP address MAC address
Gateway 1 192.168.1.1 01-01-01-01-01-01
Host a 192.168.1.2 02-02-02-02-02-02
Host B 192.168.1.3 03-03-03-03-03-03
Gateway 2 10.1.1.1 04-04-04-04-04-04
Host C 10.1.1.2 05-05-05-05-05-05-05
If host a needs to communicate with host B, it first checks whether host B is in the same network segment through the network mask. If
It will check whether there is a MAC address corresponding to 192.168.1.3 in its ARP cache. If it does not, it will
The broadcast address of the network sends an ARP request packet, which roughly indicates what the MAC address of 192.168.1.3 is. Please tell 192.168.1.2, and
The broadcast address broadcasts this request packet to all hosts in the LAN, but only 192.168.1.3 will respond to this
Request Packet. It will respond to 192.168.1.2 an ARP reply packet, which roughly means that the MAC address of 192.168.1.3 is
03-03-03-03-03-03-03. In this way, host a obtains the MAC address of host B, and it stores the corresponding relationship from
Your ARP cache table. After that, the communication between host a and host B relies on the MAC address in the cache table of both hosts
The corresponding relationship will be deleted from the table two minutes after the message is stopped.
Let's take a look at a non-LAN communication process. If host a needs to communicate with host C, it first sends a packet through the comparison mask.
The IP address of host C is not in the same CIDR block, so it needs to be forwarded through the gateway. In this way, it will check
Whether there is a MAC address corresponding to Gateway 1 (192.168.1.1) in the ARP cache table. If not, it is obtained through ARP requests. If
If yes, it will directly communicate with the gateway, and then gateway 1 sends the data packet to Gateway 2 through the route. After gateway 2 receives the data packet, it will find that
It is sent to host C (10.1.1.2) and it will check its ARP cache (yes, the gateway also has its own ARP cache ),
Check whether the MAC address corresponding to 10.1.1.2 exists. If not, use the ARP Protocol. If yes, use the MAC address
Forward data to host C.
2. ARP spoofing Principle
After learning about the ARP protocol, let's take a look at what is ARP spoofing and what is its purpose? We can see from the above example
Packet transmission in the Ethernet LAN depends on the MAC address. The relationship between the IP address and Mac depends on the ARP table.
Including gateways) all have an ARP cache table. Under normal circumstances, this cache table can effectively ensure one-to-one data transmission,
That is to say, the communication between host a and host C is only through gateway 1 and gateway 1. For example, host B cannot intercept
Communication Information. However, there is an imperfect implementation mechanism in the ARP cache table. When the host receives an ARP response
After the packet, it does not verify whether it has sent this ARP request, but directly maps the MAC address in the response packet to the IP address
Replace the corresponding information in the original ARP cache table. As shown in:
ARP spoofing Principle
This makes it possible for host B to intercept data communication between host a and host C. First, host B sends an ARP response to host.
The package says that the MAC address of 192.168.1.1 is 03-03-03-03-03-03. After receiving the package, host a does not verify the package's authenticity.
Replace the MAC address of 192.168.1.1 In the ARP list with 03-03-03-03-03-03-03.
1. Send an ARP response packet saying that the MAC address of 192.168.1.2 is 03-03-03-03-03-03. Similarly, Gateway 1 has not verified this
Replace the MAC address of 192.168.1.2 In the ARP table with 03-03-03-03-03-03-03. When host a wants
When the host C communicates, it directly sends the data packet that should be sent to Gateway 1 (192.168.1.1) to
The MAC address, that is, sent to host B. After receiving the packet, host B changes the packet and forwards it to the real gateway 1.
After the packets returned by machine c reach gateway 1, Gateway 1 also uses the MAC in its ARP table and sends them to the IP address 192.168.1.2.
The address data is sent to host B on the MAC address 03-03-03-03-03-03. Host B forwards the package to the master after receiving the package.
Machine A completes a complete data communication, which successfully implements an ARP spoofing attack.
Therefore, ARP spoofing aims to monitor and tamper with data in a fully switched environment. Here we can know
The key to achieving an effective ARP spoofing is two-way spoofing, that is, the attacker must simultaneously cheat the gateway and host.
First, it should be noted that the ARP spoofing virus mentioned here does not refer to a specific virus, but to all ARP spoofing functions.
A general term for viruses. ARP spoofing is still a very difficult and effective attack method so far.
It will be exploited by viruses and Trojans for a long time. This also makes it more difficult for us to control such viruses.
Hazards of ARP virus:
Affects the normal operation of the LAN-once an ARP attack exists in the LAN, it will cheat all hosts and gateways in the LAN
Hosts With inbound traffic that must be controlled by ARP attackers. Other users used to directly access the Internet through the gateway and are now charged
Host forwarding goes online. Due to the impact of host performance and program performance, this type of forwarding will not be very smooth, so it will cause the use
Users access the Internet slowly. Due to the aging mechanism of ARP tables, the host can obtain the correct gateway Mac direct
In the process of switching between the two cases, the host displays the status of intermittent interruption.
Sensitive user information is leaked. Most of the time, this information is what hackers are interested in (such as game accounts and passwords, and QQ accounts ).
And password, online banking account and password)
ARP Virus Transmission Mode
As mentioned above, ARP spoofing is an attack method. All Viruses can adopt this method. Therefore, ARP viruses are transmitted.
This includes most of the existing methods of virus transmission. From the previous situations we have learned, the main methods are as follows:
Download and spread through web pages (most ARP Trojans are currently transmitted)
Internet shared transmission (weak password sharing, etc)
Mobile storage media transmission (such as USB flash drives and mobile hard drives)
File Infection
ARP virus detection and removal
For known ARP viruses, you can use anti-virus software or exclusive killing tools to scan and kill, but some anti-virus software cannot.
It is recommended that you re-Secure the system and promptly upgrade the patch!
4. ARP Spoofing Detection and Control Measures
Currently, there are two effective methods to detect ARP Spoofing Attacks:
Package analysis and the other method is to directly query the ARP table on a layer-3 switch. The two methods have their own advantages and disadvantages. The specific analysis is as follows:
1. packet capture Analysis
Method: use packet capture software (such as windump and Sniffer Pro) to capture ARP reply packets in the LAN.
For example, use windump-I 2-N ARP and host 192.168.0.1 (192.168.0.1 is your gateway address) to capture
The package contains only reply characters. The format is as follows:
18:25:15. 706335 ARP reply 192.168.0.1 is-at 00: 07: EC: E1: C8: C3
If the last Mac is not the real MAC of your gateway, it indicates that ARP spoofing exists, and this Mac is the actual Mac.
ARP spoofing the MAC of the host.
Advantage: simple and easy to use. No special permission settings are required. All users can do this and the false positive rate is small!
Disadvantage: The Listener package is valid only within the LAN (inside the broadcast domain.
2. query the ARP cache table on a layer-3 Switch
Method: log on to the uplink layer-3 switch of the LAN and view the ARP cache table of the switch (switch commands of different brands are different)
If the ARP table contains a Mac with multiple ports (note that one Mac has multiple ports instead of one port ),
If multiple MAC addresses exist, ARP spoofing attacks exist, and the MAC address is the MAC address of the host.
Advantage: You can perform remote operations without having to go to the LAN. You can use scripts to perform automatic analysis.
Disadvantage: special permissions are required, so normal users cannot perform operations.
ARP spoofing Control Method
1. Host static binding gateway Mac
Method -- use the ARP command to statically bind a gateway Mac. The format is as follows:
ARP-s gateway IP Gateway Mac
If you think that manual input is complicated each time, you can write a simple batch processing file so that it runs automatically at startup,
The batch file is as follows:
-----------------------------------
@ Echo off
Echo "ARP set"
ARP-d
ARP-s gateway IP Gateway Mac
Exit
------------------------------------
Advantages: simple and easy to operate
Disadvantage: Only one-way binding is supported. You need to bind a MAC address to the gateway.
2. the gateway uses the IP + Mac binding mode.
Method: Enable the static ARP binding function on the vswitch to statically bind the user's IP address to the MAC address to prevent ARP spoofing.
Advantage-obvious effect
Disadvantage: complicated operations and heavy workload. It cannot be guaranteed that the host is not spoofed and must be used together with the gateway Mac bound to the host.
3. Use ARP Server
Method: Set up an ARP Server in the LAN to replace the host's ARP packet.
Advantage-obvious effect
Disadvantage: the configuration is complex and you need to change the client settings. High costs, requiring a large number of servers.
4. Use anti-ARP Software
Method: download and use anti-ARP software, such as arpfix or antiarp.
Advantages-ease of use
Disadvantage: The Gateway cannot be spoofed because it must be installed on all clients.
Conclusion: ARP spoofing uses the defects of the ARP Protocol. So far, we still have no effective ARP spoofing.
To control this attack. At present, the difficulties are mainly concentrated on the Gateway Switch, and we have not found a very effective
To prevent the ARP list on the gateway from being spoofed and modified. Therefore, the most effective method is to quickly block the source of such attacks.
This requires the ability to quickly detect the attack and locate the attack host for processing.
5. Common tools to prevent ARP Spoofing
Arpfirewall -- arpfix
This is a small firewall software developed by ccert to solve ARP viruses. When it is installed on a normal host, it can
Effectively prevents ARP spoofing and detects MAC addresses of infected hosts. If it is installed on infected hosts
Blocks ARP spoofing attacks initiated by infected hosts. It must be noted that this is only a firewall software, and it is not for future reference.
The ability to kill ARP viruses. If you need to kill ARP viruses, you still need professional anti-virus software.
Windump software-windump
Tcpdump is easy to use in windows! Winpcap is required.
Sniffer Pro software-sniffer
The most powerful packet capture Analysis Software in Windows is low.
Trend ARP exclusive tool-tsc_arp
The latest arpkilling tool for trend charts. After decompression, run tsc.exe directly.
Antiarp software-antiarp
Popular software on the Internet to prevent ARP spoofing attacks. For software and detailed information, see:
Http://www.antiarp.com/
6. The latest situation of ARP spoofing Virus
In the past, most ARP viruses used ARP spoofing to steal users' sensitive information. However, we have recently detected
ARP spoofing has a new application in the virus, that is, as a means to spread the webpage trojan virus, when a host feels
After a virus with this ARP spoofing function is infected, ARP spoofing is triggered in the LAN, which listens to the data of all hosts in the LAN.
Package. Once the web page is accessed by other hosts, the corresponding data packets will be modified on
Add a webpage link containing a Trojan. As a result, other hosts in the LAN will be directed
A website with a Trojan virus. When you access any website, your anti-virus software reports that this webpage is toxic, it is very likely that your local area
This attack exists in the network.
7. Other problems
ARP entries in the registry:
1. the lifetime (effective time) of ARP cache table items)
By default, in the Windows Server 2003 Family and Windows XP, table items in the ARP cache are only stored for 2 minutes.
If an ARP cache table item is used within 2 minutes, its validity period is extended by 2 minutes until the maximum lifecycle is 10 minutes.
After a maximum period of more than 10 minutes, the ARP cache table items will be removed and exchanged through another ARP request-ARP response
To obtain a new ing.
The storage time of ARP cache table items can be changed by changing the registry of arpcachelife and arpcacheminreferencedlife.
Value to reset.
Arpcachelife
Location: HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters
Data Type: REG_DWORD
Valid range: 0-0xffffffff
Default Value: 120
Present by default: No
Arpcachelife sets the time that unused ARP cache table items can be kept. If the registry does not contain the arpcachelife entry,
The default value of arpcachelife is 120 seconds (2 minutes ).
Arpcacheminreferencedlife
Location: HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters
Data Type: REG_DWORD
Valid range: 0-0xffffffff
Default Value: 600
Present by default: No
Arpcacheminreferencedlife is used to set the time when table items that are reused can be stored in the ARP cache.
Arpcacheminreferencedlife defaults to 600 seconds (10 minutes ).
In the Registry, the arpcacheminreferencedlife and arpcachelife values are used as follows:
If arpcachelife is greater than or equal to arpcacheminreferencedlife, the used and unused ARP
The cache table items are stored at arpcachelife.
If arpcachelife is smaller than arpcacheminreferencedlife
Arpcachelife expired after the second. The lifetime of the used table item is arpcacheminreferencedlife.
2. Free ARP and repeated IP address detection
ARP can be used to detect duplicate IP addresses. This is done by sending an ARP request called free arp. Free of charge
ARP is an ARP request sent to your IP address. In free ARP, SpA (sender Protocol address) and TPA (target Protocol)
Address) is set to the same IP address.
If the node sends an ARP request to its IP address, it should not receive any ARP response frame, so that the node can
It is determined that no other node uses the same IP address as it. If the node sends an ARP request to its IP address
Then, the node can determine that another node uses the same IP address. In the registry
The settings control the number of free ARP messages.
Arpretrycount
Location: HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters
Data Type: REG_DWORD
Valid range: 0-3
Default Value: 3
Present by default: No
Arpretrycount sets the number of times a free ARP packet is sent when an IP address is initialized. If arpretrycount is sent
No ARP response is received after free ARP packets are received. The IP address is assumed to be unique in this network segment.
Tip: Free ARP attempts to detect duplicate IP addresses in the same network segment. Because the router does not forward ARP frames, ARP is free of charge.
It cannot detect IP address conflicts between different network segments. I personally feel that this kind of free ARP can be used in development detection ARP
What is the virus mechanism?
8. Discussion
Currently, there is no effective method for this attack.
You are welcome to share your experience with us! We will create an email list later to discuss related issues!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
