Troubleshooting Linux ARP attacks

I. The background of knowledge
1. What is ARP
ARP, the Address Resolution Protocol, realizes its physical address through an IP address. In a TCP/IP network environment, each host is assigned a 32-bit IP address, which is a logical address that identifies the host in the internetwork. In order for the message to be transmitted on the physical network, the physical address of the destination host must be known. There is an address translation problem that transforms the IP address into a physical address. Taking the Ethernet environment as an example, in order to correctly transmit the message to the destination host, the 32-bit IP address of the destination host must be converted to the 48-bit Ethernet address. This requires a set of services at the Interconnect layer to translate the IP address into the corresponding physical address, which is the ARP protocol.
2. How ARP Works
In each computer that has the TCP/IP protocol installed, there is an ARP cache table, and the IP address of the table corresponds to the MAC address of one by one.

650) this.width=650; "alt=" Linux arp attack processing-float and float-fluttering blog "src=" http://img.blog.163.com/photo/OvHK0MsQCnThsubhW-cDfQ==/ 5355624381874060266.jpg "style=" Line-height:28px;border:0px;height:auto; "/>

Take host A (192.168.1.5) to Host B (192.168.1.1) to send data as an example. When data is sent, host a looks for the destination IP address in its own ARP cache table. If found, also know the target MAC address, directly to the target MAC address into the frame to send it, if the target IP address is not found in the ARP cache table, host A will send a broadcast on the network, a host MAC address is "host a MAC address", This means asking all hosts in the same network segment: "I'm 192.168.1.5, my hardware address is" host A's MAC address ". What is the MAC address of the IP address 192.168.1.1? "Other hosts on the network do not respond to ARP queries, and only Host B responds to host a when it receives the frame:" 192.168.1.1 's MAC address is 00-aa-00-62-c6-09 ". In this way, host a knows the MAC address of Host B and it can send messages to Host B. At the same time A and B also updated their own ARP cache table (because a at the time of the query to the IP and MAC address to tell B), the next time a to Host B or B to a send information, directly from the respective ARP cache table to find it. The ARP cache table uses an aging mechanism (that is, the time-to-live TTL is set), for a period of time (typically 15-20 minutes) if a row in the table is not used, it will be deleted, which can greatly reduce the length of the ARP cache table and speed up the query.

3. What is ARP attack
Arp attack is to realize ARP spoofing by fake IP address and MAC address, can generate a large amount of ARP traffic in the network to block the network, the attacker can change the IP-MAC entry in the target host ARP cache as long as the persistent ARP response packet is issued, causing network interruption or man-in-the-middle attack.
ARP attack is mainly in the LAN network, if there is a person infected with ARP Trojan in the LAN, the system that infects the ARP Trojan will attempt to intercept the communication information of other computers in the network by means of "ARP spoofing", and thus cause the communication failure of other computers in the network.
How the Rarp works:
1. The sending host sends a local RARP broadcast, in this broadcast packet, declares its own MAC address and requests any RARP server that receives this request to assign an IP address;
2. After the RARP server on the local network segment receives this request, it checks its Rarp list to find the IP address corresponding to the MAC address;
3. If present, the RARP server sends a response packet to the source host and provides the IP address to the other host for use;
4. If it does not exist, the RARP server does not respond to this;
5. The source host receives the response information from the RARP server, uses the resulting IP address for communication, and if it has not received the response from the RARP server, it indicates that the initialization failed.
6. If an ARP virus is attacked in the 第1-3, the server's reflection will be occupied and the source host is not getting the response from the RARP server, and the server is not responding, but the IP of the source host returned by the server is occupied.

Second, how to judge is by ARP attack?
Knowing what is going on with ARP attacks, it's easy to tell if you're being attacked by ARP. ARP is a Mac that has a machine disguised as a gateway, so browsing the ARP cache of a compromised machine can certainly find that one or more machines have the same MAC address as the gateway. If this is really the case, then it is possible to judge an ARP attack. Specific:
[Email protected]:~$ arp-a
? (10.91.11.58) located in00:14:2a:44:55:72[Ether] in eth0
? (10.91.11.73) located in 00:1e:ec:77:95:9d [ether] in eth0
? (10.91.255.254) located in00:14:2a:44:55:72[Ether] in eth0
Or
[Email protected]:~$ cat/proc/net/arp
IP address HW type Flags HW address Mask Device
10.91.11.58 0x1 0x200:14:2a:44:55:72* eth0
10.91.11.73 0x1 0x2 00:1e:ec:77:95:9d * eth0
10.91.255.254 0x1 0x200:14:2a:44:55:72* eth0
）
Look, 10.91.11.58 has the same MAC address as the gateway (the actual 10.91.11.58 is the broadcast that looks for the 10.91.255.254 MAC address, and it deceives the broadcast, saying 10.91.255.254 MAC address is00:14:2a:44:55:72, so the package should have been sent to 10.91.255.254 58, the normal network communication is affected) ~ 58 may be in the ARP attack virus ~
Let's look at the real MAC address of the gateway:
[Email protected]:~$arping 10.91.255.254
Warning:interface is ignored:operation not permitted
ARPING 10.91.255.254 from 10.91.11.150 eth0
Unicast reply from 10.91.255.254 [00:D0:03:C5:9B:FC] 3.525ms
Unicast reply from 10.91.255.254 [00:D0:03:C5:9B:FC] 0.878ms
Unicast reply from 10.91.255.254 [00:14:2a:44:55:72] 59.480ms
Unicast reply from 10.91.255.254 [00:14:2a:44:55:72] 59.660ms
Unicast reply from 10.91.255.254 [00:14:2a:44:55:72] 51.857ms
Unicast reply from 10.91.255.254 [00:14:2a:44:55:72] 56.920ms
Unicast reply from 10.91.255.254 [00:14:2a:44:55:72] 54.042ms
Unicast reply from 10.91.255.254 [00:14:2a:44:55:72] 55.230ms
^csent Probes (1 broadcast (s))
Received 8 Response (s)
Look, we are in response to the gateway in the correct response (the first line), there are other hosts ARP spoofing response (the third line is followed by ~)

Three: Resolution: ARP Binding
1. First, clear the ARP cache.
#arp-D Gateway IP

2. Locate the gateway Real MAC address.
#arping Gateway IP

3. Bind MAC Address
#arp-S Gateway IP gateway Real mac

If this is a temporary ARP spoofing attack, if this problem often happens in the network, continue with the following:
4, the following command to establish the/ect/ip-mac file
echo ' Gateway IP address Gateway MAC address ' >/ect/ip-mac
See if the file is written correctly by using the following command
More/ect/ip-mac

5, arp-f/ect/ip-mac load static binding ARP record.

6. If you want to automatically bind the boot

Echo ' arp-f/ect/ip-mac ' >>/etc/rc.d/rc.local

This article is from the "ZPP" blog, make sure to keep this source http://1439337369.blog.51cto.com/10270624/1931429

Troubleshooting Linux ARP attacks