Network Security: Analysis of ARP cache infection attacks (lower)

Network Security: Analysis of ARP cache infection attacks (lower)

Man-in-the-middle attack

Hackers use ARP cache poisoning to intercept network information between two devices in your LAN. For example, we assume that hackers want to intercept communication information between your computer, 192.168.0.12, and your network router (that is, the gateway, the Translator's note) and 192.168.0.1. The hacker first sends a malicious ARP "response" (because there was no request before) to your router and binds the MAC address of his computer to 192.168.0.12 (3 ).

Now your router thinks that the hacker's computer is yours.

Then, the hacker sends a malicious ARP response to your computer and binds the MAC address to 192.168.0.1. (4 ).

Now your machine thinks that the hacker's computer is your router.

Finally, hackers enable a system called IP forwarding. This feature allows hackers to forward all network information from your computer to the vro (5 ).

Now, as long as you try to access the Internet, your computer will send network information to the hacker's machine and then the hacker will forward it to the router. Because the hacker still forwards your information to the network router, you will not notice that he has intercepted all your network information, you may have also eavesdropped on your plaintext password or hijacked your once-secure network session.

MAC flood

MAC flood is an ARP cache poisoning technology designed for network switches. These switches often enter the "Hub" mode when traffic is overloaded. In "Hub" mode, a switch is too busy to perform Port Security Detection. Instead, it only broadcasts all network data to each computer in the network. Using a large number of counterfeit ARP response packets to flood the ARP ing table of a switch, hackers can overload Switches of most manufacturers. Then, when the switch enters the "Hub" mode, you can send malicious packets to sniff your LAN.

Scared? Okay, calm down now!

This is terrible. ARP cache poisoning can use some insignificant means to cause great harm to the network. However, when you enter the high-security status, you notice an important mitigation factor: Only attackers in the LAN can exploit ARP defects (because ARP is only available on the LAN (subnet) ). If a hacker finds an interface in your network and inserts it to connect to your LAN, or controls a machine in the LAN to conduct ARP cache poisoning attacks. ARP defects cannot be remotely exploited.

That is to say, the hacker will be known that he is connected to the network. Excellent network administrators should be aware of the ARP cache technology.

ARP cache poisoning is due to a protocol defect, but this protocol is necessary for the operation of TCP/IP networks and you cannot modify it. However, you can use the following technologies to prevent ARP attacks.

Small Network Oriented

 

If you are managing a small network, you may try using static IP addresses and static ARP ing tables. Use the command line to input the file, for example, "ipconfig/all" in Windows and "ifconfig" in NIX ", you can view the IP addresses and MAC addresses of all devices on your network. Then, run the "arp-s" command to add static ARP ing for devices you know. "Static" means it will not change; this can prevent hackers from spoofing ARP into your network device. You can even create a login script to automatically add these static ARP packets to your computer when they are started.

 

However, static ARP is difficult to maintain and is not possible in large networks. That's because every time you add a device to your network, you need to manually write an ARP script or input the ARP ing table for each device. However, if you manage a device with less than two dozen devices, this technology may be suitable for you.

For large networks

If you are managing a large network, study the "Port Security" function of your network switch. There is a "Port Security" function that allows you to force your switch to pass through only one MAC address (corresponding to the IP address) on each port. This function prevents hackers from changing the MAC address of their machines or attempting to map multiple MAC addresses to their machines. This technique is often used to defend against ARP-based man-in-the-middle attacks.

All Networks

Your best defense method is to master the ARP poisoning mechanism and monitor it. I strongly recommend installing an ARP monitoring tool, such as ARPwatch, to remind you of abnormal ARP communication. Such vigilance is also the most powerful weapon against all types of attacks-as Robert Louis Steven son wrote, "the most cruel lie is often said quietly ".