1. What is ARP?
The ARP (ADDRESSRESOLUTIONPROTOCOL) Address Resolution Protocol is used to convert a computer's network IP address to a physical MAC address. The basic function of ARP protocol is to inquire the MAC address of target device through the IP address of target device, so as to ensure the smooth communication. In each of the computers installed with TCP/IP protocol has an ARP cache table, the list of IP address and MAC address is one by one corresponding, if the system ARP cache table was modified constantly notify the router a series of wrong intranet IP or simply forge a false gateway to deceive, The network is sure to have a large area of the drop problem. ARP attacks appear frequently in today's network, and effective protection against ARP forms of network attacks has become a necessary condition to ensure smooth network.
2. The principle of ARP.
I found a very vivid description on the Internet:
Typically, the host searches the conversion table for the MAC address of the IP packet before sending an IP packet. If it is not found, the host sends an ARP broadcast packet that looks like this:
"I am host xxx.xxx.xxx.xxx, Mac is xxxxxxxxxxx, IP for xxx.xxx.xxx.xx1 host please tell your Mac to come"
IP-XXX.XXX.XXX.XX1 hosts respond to this broadcast, answering ARP broadcasts as:
"I'm xxx.xxx.xxx.xx1, my Mac is xxxxxxxxxx2."
The host then flushes its own ARP cache, and then emits the IP packet.
Understanding these common sense, now can talk about how to implement ARP spoofing in the network, you can look at such an example:
An intruder wants to enter a host illegally, he knows that the firewall of this host only to 192.0.0.3 (assumed) This IP open 23 (telnet), and he must use Telnet to access this host, so he wants to do this:
1, he first study 192.0.0.3 this host, found that the 95 machine using a OOB can let him die.
2, so, he sent a flood package to the 192.0.0.3 139, so the machine should be wrapped and died.
3, at this time, the host sent to the 192.0.0.3 IP packet will not be able to answer the machine, the system began to update its own ARP corresponding table. Rub the 192.0.0.3 item.
4, during this time, the intruder changed their IP to 192.0.0.3
5, he sent a ping (ICMP 0) to the host, requiring the host to update the host's ARP conversion table.
6, the host found the IP, and then in the ARP table to add a new ip-->mac corresponding relationship.
7, firewall failure, the intrusion of IP into a legitimate MAC address, you can telnet.
Some people may say, this is actually the use of IP. Is the use of IP, but not IP spoofing, the principle of IP spoofing than this to be more complex, the mechanism of implementation is completely different. 3. Actual Combat ARP
Let me show you how the ARP intrusion is implemented. To uncover this mystery to everyone. Of course, just a stroke, this article just let everyone identify and guard against. Never teach you to use and invade.
Figure one, the firewall intercepts the real ARP message (ip:192.168.1.23) that I sent out:
Figure two, camouflage IP and Mac. Let's remember the comparison with the following: