LAN security: solutions to ARP attacks

[Fault Cause]

Someone in the LAN uses ARP spoofing Trojans (for example, some legendary plug-ins are also maliciously loaded by the legendary software ).

[Fault principle]

To understand the fault principle, Let's first look at the ARP protocol.

In a LAN, ARP is used to convert an IP address to a layer 2 physical address (MAC address. ARP is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, which can generate a large amount of ARP traffic in the network to block the network.

ARP is the abbreviation of Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.

Each computer with TCP/IP protocol installed has an ARP cache table. The IP addresses in the table correspond to MAC addresses one by one, as shown in the following table.

 

Let's take host A (192.168.16.1) as an example to send data to host B (192.168.16.2. When sending data, host A searches for the target IP address in its ARP cache table. If you find the target MAC address, you can directly write the target MAC address into the frame and send it. If the corresponding IP address is not found in the ARP cache table, host A sends A broadcast on the network. The target MAC address is "FF. FF. FF. FF. FF. FF ", which means to send such a question to all hosts in the same network segment:" What is the MAC address of 192.168.16.2?" Other hosts on the network do not respond to ARP requests. Host B responds to host A only when it receives the frame: "the MAC address of 192.168.16.2 is bb-bb ". In this way, host A knows the MAC address of host B and can send information to host B. At the same time, it also updates its ARP cache table. The next time it sends a message to host B, it can directly find it from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up query.

As can be seen from the above, the foundation of ARP is to trust all people in the LAN, so it is easy to implement ARP spoofing on Ethernet. The target A is spoofed, and A's Ping host C is sent to the DD-DD-DD-DD-DD-DD address. If the MAC address of C is spoofed into A DD-DD-DD-DD-DD-DD, the packets sent by A to C become sent to D. Isn't it because D can receive the packet sent by A? The sniffing succeeds.

A is not aware of this change at all, but the following things make A suspect. Because A and C cannot be connected. D. The data packet sent from A to C is not transferred to C.

Perform "man in the middle" and perform ARP redirection. Enable the IP forwarding function of D. Forward the data packets sent by A to C, just like A router. However, if D sends ICMP redirection, the entire plan is interrupted.

D. directly modify and forward the entire package, capture all the packets sent by A to C, and then forward them to C, the packets received by C are completely considered sent from. However, the packets sent by C are directly transmitted to A, if the ARP spoofing to C is performed again. Now D has completely become the intermediate bridge between A and C, and you can understand the communication between A and C.

[Fault symptom]

When a host in the LAN runs the ARP spoofing Trojan program, it deceives all hosts and routers in the LAN so that all Internet traffic must pass through the virus host. Other users directly access the Internet through the vro and now access the Internet through the virus host. When switching, the user will be disconnected once.

After you switch to the virus host to access the Internet, if you have logged on to the legendary server, the virus host will often forge broken line images, so you have to log on to the legendary server again, in this way, the virus host can steal the number.

When a trojan program with ARP spoofing occurs, a large number of packets are sent, resulting in LAN communication congestion and restrictions on its processing capabilities. Users will feel that the Internet access speed is getting slower and slower. When the ARP spoofing Trojan program stops running, the user will resume accessing the Internet from the vro. During the switchover, the user will be disconnected again.

[HiPER users quickly discover ARP spoofing Trojans]

The following information is displayed in the "system history" of the vro (this prompt is only available in vro Software Versions later than 440 ):

MAC Chged 10.128.103.124
MAC Old 00: 01: 6c: 36: d1: 7f
MAC New 00: 05: 5d: 60: c7: 18

This message indicates that the user's MAC address has changed. When the ARP spoofing Trojan starts running, the MAC addresses of all hosts in the LAN are updated to the MAC addresses of the virus hosts (that is, the MAC New addresses of all information are consistent with the MAC addresses of the virus hosts ), in the "user statistics" of the vro, the MAC address information of all users is the same.
If a large number of Old MAC addresses are consistent in the "system history" of the router, it indicates that ARP spoofing has occurred in the LAN (when the ARP spoofing Trojan program stops running, the host restores its real MAC address on the vro ).

[Search for virus hosts in the LAN]

We already know the MAC address of the host that uses ARP spoofing Trojans, so we can use the NBTSCAN (: http://www.utt.com.cn/upload/nbtscan.rar) tool to quickly find it.

NBTSCAN can obtain the real IP address and MAC address of the PC. If there is a "legend Trojan", you can find the IP address and MAC address of the PC where the trojan is installed.
Command: "nbtscan-r 192.168.16.0/24" (search for the entire 192.168.16.0/24 CIDR block, that is
192.168.16.1-192.168.16.254); or "nbtscan 192.168.16.25-137", search for the 192.168.16.25-137 CIDR block, that is, 192.168.16.25-192.168.16.20. The first column of the output result is the IP address, and the last column is the MAC address.

Example of NBTSCAN:

Suppose you want to find a virus host with the MAC address "000d870d585f.

1. Decompress nbtscan.exe and cygwin1.dll In the compressed package to c.
2) Start-run-open in Windows, Enter cmd (enter "command" in windows98), and enter C: btscan-r 192.168.16.1/24 (enter according to the actual network segment), and press Enter.

 

 

3) by querying the corresponding table of the IP--MAC, find that the IP address of the virus host of "000d870d585f" is "192.168.16.223 ".

[Solution]
1. Do not establish your network security trust relationship on the basis of IP or MAC (rarp also has the problem of spoofing). The ideal relationship should be on the basis of IP + MAC.
2. Set a static MAC --> IP address table. Do not refresh the conversion table you set on the host.
3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table.
4. Use the ARP Server. The server looks for its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure that the ARP Server is not hacked.
5. Use the proxy IP address for transmission.
6. Use hardware to shield hosts. Set your route so that the IP address can reach a valid path. (Configure route ARP entries statically). Note that using the exchange hub and bridge cannot prevent ARP spoofing.
7. The Administrator periodically obtains an rarp request from the response IP packet and checks the authenticity of the ARP response.
8. The Administrator regularly polls and checks the ARP cache on the host.
9. Use the firewall to continuously monitor the network. Note that when SNMP is used, ARP spoofing may cause the loss of trap packets.

[Solutions for HiPER users]

We recommend that you use bidirectional binding to prevent ARP spoofing.

1. the IP address and MAC address of the vro bound to the PC:

1) First, obtain the MAC address of the vro Intranet (for example, the MAC address of the HiPER gateway address 192.168.16.254 is 0022aa0022aa ).
2) Compile a batch file rarp. bat with the following content:
@ Echo off
Arp-d
Arp-s 192.168.16.254 00-22-aa-00-22-aa
Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address.
Drag the batch processing software to "windows -- start -- program -- start.
3) if it is an Internet cafe, you can use the paid software server program (pubwin or Vientiane can both) to send the batch processing file rarp. bat to the startup directory of all clients. The default startup directory of Windows2000 is "C: Documents and SettingsAll Users" start "menu program ".
2. Bind the IP address and MAC address of the user host to the vro (vro Software Versions later than 440 are supported ):
On the HiPER Management page-Advanced Configuration-user management, bind each host on the LAN.