Advanced Defense spoofing attacks from ARP virus

To understand ARP spoofing attacks, we first need to understand the ARP protocol and its working principle, in order to better protect against and eliminate the harm caused by ARP attacks. This article brings the advanced ARP attack prevention method.

Basic ARP Introduction

ARP "Address resolution Protocol" (Addresses resolution Protocol), LAN, the actual transmission of the network is "frame" inside the frame is a target host MAC address. "Address Resolution" is the process by which a host converts a target IP address to a target MAC address before sending a frame. The basic function of ARP protocol is to inquire the MAC address of target device through the IP address of target device, so as to ensure the smooth communication.

How the ARP protocol works: Every computer that has TCP/IP protocol installed has an ARP cache table, and the IP address is one by one corresponding to the MAC address, as shown in the table.

We use Host A (192.168.1.5) to send data to Host B (192.168.1.1) for example. When sending data, host a looks for a destination IP address in its own ARP cache table. If found, also know the target MAC address, directly to the target MAC address written in the frame to send on it; if the corresponding IP address is not found in the ARP cache table, host A sends a broadcast on the network with the destination MAC address "FF." Ff. Ff. Ff. Ff. FF, which means that all hosts within the same network segment are asked: "What is the MAC address of the 192.168.1.1?" "Other hosts on the network do not respond to ARP inquiries, and only Host B receives this frame to respond to host a:" 192.168.1.1 's MAC address is 00-aa-00-62-c6-09. "In this way, host a knows the MAC address of Host B, and it can send information to Host B." It also updates its own ARP cache table.

Basic ARP Virus control method

By the principle of ARP work, I know that if the system ARP cache table is modified constantly notify the router a series of wrong intranet IP or simply forge a fake gateway to deceive, the network will certainly appear a large area of the problem, such as the case is a typical ARP attack, to suffer from ARP attack judgment, The method is easy, you find the problem of the computer point to start running into the system DOS operation. Ping the router's LAN IP packet loss condition. Enter Ping 192.168.1.1 (gateway IP address), as shown below:

Picture One

Intranet ping router LAN IP dropped a few packets, and then connected, which is likely to be an ARP attack. For further confirmation, we can judge by looking up the ARP table. Enter the ARP-A command to display the following figure:

Picture Two

You can see that 192.168.1.1 Address and 192.168.252 Address of the IP MAC address is 00-0f-3d-83-74-28, obviously, this is caused by ARP spoofing.