Search and prevention of ARP attacks on LAN in Linux

What is ARP?

Address Resolution Protocol is a method for finding the corresponding link layer address (hardware Address) when you know the network layer address (IP) of a host. This Protocol has clear provisions in RFC826.

ARP has been implemented on a variety of networks. It is not just an IP-specific or LAN-specific protocol, it can map different types of network layer protocol addresses to actual physical addresses, but in the current network environment, ARP is more used to resolve the ing between IP addresses and Mac addresses. ARP is also used in the token network, FDDI, IEEE 802.11, and ATM. In the next generation IPV6 Internet, ARP will mainly provide the NDP (Neighbour Discovery Protocol) function.

Several common arp commands under Fedora.

Arp cache of the arp operating system.
Arp-s hostname hw_adr can specify a static ip: mac ing to avoid arp attacks.

Arping is an application used to discover network information. It is equivalent to the ping command, but is used to test communication at a more basic layer. Usage
Arping {ip} can also specify the number of requests sent. For specific use, man arping

Arptables is a ing table used in the Linux kernel to set and manage arp filter rules. It is generally used to prevent ARP spoofing. The user system may define multiple arptable. A table contains rules for some columns and also user rules.
Arptables can be used to prevent Arp requests from obtaining your Mac address. In this way, attackers will think that your server does not exist, so as to avoid arp attacks.

Arpwatch is an open-source software used to monitor arp activities in computer networks. When it runs, it generates a timestamp IP-MAC pair that monitors ARP activities to prevent ARP spoofing, developed by Lawrence Berkeley National Laboratory at Berkeley ).

ARP spoofing, also known as ARP Posioning, is an attack method used to attack wired or wireless networks. ARP spoofing allows attackers to detect data frames in the network, modify data traffic, or stop data traffic. This attack method can only be used in IP-Mac ing networks using ARP.

ARP attacks mainly send disguised ARP information to the LAN, linking the attacker's Mac address with the IP address of another node in the network (such as the default gateway ). In this way, all information sent to this address will be mistakenly delivered to the attacker's Mac address. Attackers can view this information and decide how to handle it. He can send the modified data to the original address, send the modified information to the original address, and import all traffic to another IP address, to initiate a DOS attack.

ARP spoofing tools Arpspoof, Arppoison, Cain and Abel, and Ettercap can all be used to initiate Arp attacks.

The installation of arpoison requires libnet support. With these source files for arpoison download,/usr/lib/libnet must be referenced during compilation under fedora. so. After compilation, you can use arpoison.
Usage: -I <device>-d <dest IP>-s <src IP>-t <target MAC>-r <src MAC> [-a] [-w time between packets] [-n number to send]
Additional information: Modify the Mac address

The operation is to disable the NIC first, ifconfig eth0 down, otherwise the system will be reported to be busy and cannot be changed; then use ifconfig etho hw ether's new mac address; enable the NIC ifconfig eth0 up;

If you want to permanently modify the Mac address, you can also write the above command in/etc/rc. d/rc. local so that the script will be executed after each restart.