Common ARP spoofing principles and protection methods

Source: Internet
Author: User

A host saves or updates its local ARP cache table in either of two cases:

1. When it receives an "ARP broadcast request" packet

2. When it receives an "ARP non-broadcast (unicast) reply" packet

In both cases the host simply copies the sender IP/MAC pair carried in the packet into its cache; a reply is accepted even if the host never sent a request for it. ARP therefore has no authentication mechanism, and any host in the LAN can forge ARP packets at will. The flaw is inherent in the protocol design.

Assume there are three hosts in the LAN (GW is the gateway), with the following host names, IP addresses and MAC addresses:

Host Name   IP address     MAC address
GW          192.168.0.1    01-01-01-01-01-01
PC02        192.168.0.2    02-02-02-02-02-02
PC03        192.168.0.3    03-03-03-03-03-03

Under normal circumstances the data flow between PC02 and GW and their respective ARP cache tables are as shown in the figure (image not preserved on this page): PC02's cache maps 192.168.0.1 to 01-01-01-01-01-01, GW's cache maps 192.168.0.2 to 02-02-02-02-02-02, and frames travel directly between the two hosts.

Then PC03 appears, operated by someone who has decided to mount an ARP spoofing attack for some purpose. PC03 first sends an ARP packet to PC02 that amounts to telling PC02: "I am 192.168.0.1 and my MAC address is 03-03-03-03-03-03". It then sends an ARP packet to GW that amounts to telling GW: "I am 192.168.0.2 and my MAC address is 03-03-03-03-03-03". Both packets are accepted, because nothing in ARP lets the receiver verify them. The data flow between PC02 and GW and their ARP cache tables then become as shown in the figure (image not preserved): PC02's cache now maps 192.168.0.1 to 03-03-03-03-03-03, and GW's cache maps 192.168.0.2 to 03-03-03-03-03-03.

As a result, after the ARP spoofing all network data between PC02 and GW flows through PC03, so PC03 controls the communication between them. One practical caveat: PC03 must forward the frames it receives on to their real destination to keep the link working; if it does not, the two victims simply lose connectivity. The above is the ARP spoofing process and its effect.

ARP spoofing can be divided into three types according to which party is spoofed:

1. Spoof only the affected host. The host's cache maps the gateway's IP to the attacker's MAC, so traffic from the host toward the gateway passes through the attacker, while the gateway's return traffic still goes directly to the host. The effect is shown in the figure (image not preserved).

2. Spoof only the router or gateway. The gateway's cache maps the host's IP to the attacker's MAC, so traffic from the gateway toward the host passes through the attacker, while the host's outbound traffic is unaffected. The effect is shown in the figure (image not preserved).

3. Two-way spoofing, that is, the combination of the two preceding methods; this is the case in the example above, where both directions pass through the attacker. The effect is shown in the figure (image not preserved).
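The packet format, the cache-update rule and the three spoofing types described above, replayed in Python as an added example (this is not code from the article). The builder and parser follow the RFC 826 ARP body for Ethernet/IPv4; the Host class and simulate_spoof helper are this example's own toy model of a host's ARP cache, not a real network stack, and the Ethernet header around the ARP body is not modelled.

```python
import struct

# Added example: ARP packet builder/parser plus a toy host whose cache is
# rewritten on incoming requests and replies, as the article describes.
# Host, simulate_spoof and the constants below are this example's own names.

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00-00-00-00-00-00"      # target MAC field of a request (unknown yet)
_ARP_FMT = "!HHBBH6s4s6s4s"          # RFC 826 ARP body, Ethernet/IPv4: 28 bytes


def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise one ARP packet as it sits on the wire (Ethernet header omitted)."""
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(_ARP_FMT, pkt)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class Host:
    """Toy model of an unauthenticated ARP cache: written on an incoming
    request addressed to us and on any incoming reply, solicited or not."""

    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp_cache = {}

    def receive(self, pkt):
        p = parse_arp(pkt)
        if p["op"] == ARP_REQUEST and p["target_ip"] == self.ip:
            # Case 1: broadcast request for our IP; learn the asker and answer it.
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]
            return build_arp(ARP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        if p["op"] == ARP_REPLY:
            # Case 2: unicast reply; nothing ties it to a request we sent,
            # so a forged sender_ip/sender_mac pair simply overwrites the entry.
            self.arp_cache[p["sender_ip"]] = p["sender_mac"]
        return None

    def next_hop_mac(self, dst_ip):
        return self.arp_cache.get(dst_ip)


def simulate_spoof(spoof_host=True, spoof_gateway=True):
    """Return (MAC that PC02 uses for GW, MAC that GW uses for PC02) after the attack.
    spoof_host only -> type 1, spoof_gateway only -> type 2, both -> type 3."""
    gw = Host("GW", "192.168.0.1", "01-01-01-01-01-01")
    pc02 = Host("PC02", "192.168.0.2", "02-02-02-02-02-02")
    pc03 = Host("PC03", "192.168.0.3", "03-03-03-03-03-03")

    # Normal state: PC02 broadcasts a request for GW, GW replies, both caches are right.
    reply = gw.receive(build_arp(ARP_REQUEST, pc02.mac, pc02.ip, ZERO_MAC, gw.ip))
    pc02.receive(reply)
    assert (pc02.next_hop_mac(gw.ip), gw.next_hop_mac(pc02.ip)) == (gw.mac, pc02.mac)

    # PC03 forges unsolicited replies: "I am <the victim's peer IP>, my MAC is 03-03-...".
    if spoof_host:
        pc02.receive(build_arp(ARP_REPLY, pc03.mac, gw.ip, pc02.mac, pc02.ip))
    if spoof_gateway:
        gw.receive(build_arp(ARP_REPLY, pc03.mac, pc02.ip, gw.mac, gw.ip))
    return pc02.next_hop_mac(gw.ip), gw.next_hop_mac(pc02.ip)


if __name__ == "__main__":
    for host, gateway in ((True, False), (False, True), (True, True)):
        print(f"spoof host={host} gateway={gateway}:", simulate_spoof(host, gateway))
```

Running the block prints the two cache entries for each of the three spoofing types; with both flags set, both entries point at 03-03-03-03-03-03, which is the two-way state of the example above. The forged replies are accepted purely because the receive logic has no notion of "did I ask for this", which is the design flaw the article points out.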

The dangers of ARP spoofing fall into several categories:

1. Network exceptions. Typical symptoms are dropped connections and IP address conflict warnings.

2. Data theft. Leaks of personal data (such as MSN chat records and e-mail) and account theft (such as QQ accounts and bank accounts).

3. Data tampering. Malicious content is injected into the web pages the victim visits, commonly known as "hanging a Trojan" on the page.

4. Illegal control. A third party controls the victim's network speed and network access (for example, certain web pages cannot be opened or certain network applications cannot be used).

ARP spoofing can also be divided into two categories according to who initiates it:

(1) Human attacks. These mainly aim at causing network exceptions, data theft and illegal control.

(2) ARP viruses. "ARP virus" is not one specific virus but any malware that carries out ARP spoofing. Such malware is mainly used for data theft (such as account theft) and data tampering (such as injecting Trojans into web pages).

Against ARP virus floods, the following can be configured on the switches:

Huawei switches: the attacker's source MAC address can be blackholed on the access-layer or aggregation-layer switch:
int <port>
mac-address blackhole **************

Harbour switches: an ACL can be applied at the aggregation layer:
service acl enable
create acl deny_mac mac-ip destination any source ************** any deny ports any Preprocessor 60

* stands for the attacker's MAC address.

Both rules key on the attacker's source MAC, so it has to be identified first (for example from the poisoned gateway entry in an affected host's ARP cache), and the block only holds until the attacker changes MAC address; it also drops all of that station's legitimate traffic, so confirm the MAC before applying it.
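Both switch rules above need the attacker's MAC, which first has to be found. The following is an added example (not from the article) of checking an affected host's ARP cache for it: it parses constructed Windows `arp -a` output for PC02 after the two-way spoofing described above, compares it against the known-good gateway mapping from the host table, and flags any MAC that claims several IP addresses. The sample text, parse_arp_table and find_arp_spoof are this example's own, and the trusted IP-to-MAC pairs have to come from documentation or a clean boot.

```python
import re
from collections import defaultdict

# Constructed sample (not captured from a real host): what `arp -a` shows on
# PC02 after the two-way spoof, with GW's real MAC being 01-01-01-01-01-01.
SAMPLE_ARP_A = """\
Interface: 192.168.0.2 --- 0x3
  Internet Address      Physical Address      Type
  192.168.0.1           03-03-03-03-03-03     dynamic
  192.168.0.3           03-03-03-03-03-03     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One cache entry: IPv4 address, MAC (dash or colon separated), entry type.
_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.I,
)


def parse_arp_table(text):
    """Return {ip: mac} for the unicast entries in Windows `arp -a` output.
    Broadcast and IPv4 multicast (01-00-5e-...) entries are skipped because
    they legitimately share MAC addresses and would create false alarms."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace(":", "-")
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        table[ip] = mac
    return table


def find_arp_spoof(table, trusted):
    """Compare a host's cache with known-good IP->MAC pairs (assumed to come
    from documentation or a clean boot).  Returns (findings, suspect MACs);
    the suspect MACs are the ones to blackhole or ACL on the switch."""
    findings, suspects = [], set()
    # Check 1: a trusted address (typically the gateway) resolves to the wrong MAC.
    for ip, good_mac in trusted.items():
        seen = table.get(ip)
        if seen and seen != good_mac:
            findings.append(f"{ip} should be {good_mac} but the cache says {seen}")
            suspects.add(seen)
    # Check 2: one MAC answering for several IPs, the classic spoofing footprint.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"{mac} claims several IPs: {', '.join(sorted(ips))}")
            suspects.add(mac)
    return findings, suspects


if __name__ == "__main__":
    cache = parse_arp_table(SAMPLE_ARP_A)
    findings, suspects = find_arp_spoof(cache, {"192.168.0.1": "01-01-01-01-01-01"})
    for f in findings:
        print("finding:", f)
    print("MACs to block on the switch:", sorted(suspects))
```

On the constructed sample the script reports that 192.168.0.1 resolves to 03-03-03-03-03-03 instead of 01-01-01-01-01-01 and that 03-03-03-03-03-03 answers for two addresses, so that MAC is the one to put into the blackhole or ACL rule. The second check is useful on its own when no trusted table is available, but a gateway that legitimately has several IP addresses on one interface will trip it, so treat it as a lead rather than proof.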
