Analysis and defense of Enterprise ARP spoofing: Analysis and Countermeasures for spoofing of different network segments

The combination of ARP spoofing and ICMP redirection can basically achieve the goal of cross-network segment spoofing. This article introduces ARP spoofing Analysis and Countermeasures for different network segments.

ARP spoofing Analysis for different network segments

Assume that A and C are in the same network segment while host B is in another network segment. The IP addresses and hardware addresses of the three machines are as follows:

A: IP address 192.168.0.1 hardware address AA: AA;

B: IP address 192.168.1.2 hardware address BB: BB;

C: IP address 192.168.0.3 hardware address CC: CC.

In the current situation, how does host B in the CIDR block of 192.168.1 impersonate host C and cheat host? Obviously, even if spoofing succeeds, the telnet session cannot be established between host B and host A, because the router will not forward the packet from host A to host B, the router will find the address at 192.168.0. within this CIDR block.

Now another spoofing method-ICMP redirection is involved. The combination of ARP spoofing and ICMP redirection can basically achieve the goal of cross-network segment spoofing.

ICMP redirection is one of ICMP control packets. Under certain circumstances, when a router detects that a machine uses a non-optimized route, it will send an ICMP redirection packet to the host and request the host to change the route. The router also forwards the initial datagram to its destination.

We can use ICMP redirection packets for spoofing purposes. The following describes how to perform an Attack Based on ARP spoofing and ICMP redirection:

In order to make the illegal IP packet sent by the user survive for a long time on the network, the TTL of the IP packet is modified to prepare for possible problems in the following process. Change TTL to 255. (TTL defines the time for an IP packet to survive on the network if it cannot reach the host on the network. In this example, it is helpful to make enough broadcasts ).

Download a tool (for example, hping2) that can make various packages freely ).

Then, as with the above, find the host C vulnerability to crash host C according to this vulnerability.

After the network host cannot find the original 192.0.0.3, the corresponding ARP table will be updated. So he sent an ARP response packet whose original IP address is 192.168.0.3 and its hardware address is BB: BB.

Now every host knows that a new MAC address corresponds to 192.0.0.3, and an ARP spoofing is completed. However, each host will only find this address in the LAN and will not throw the IP packet sent to 192.0.0.3 to the route. So he has to construct an ICMP redirection broadcast.

Customize an ICMP redirection package to tell the host on the Network: "the shortest route to 192.0.0.3 is not a LAN, but a route. Please redirect the host to your route path, all IP packets destined for 192.0.0.3 are dropped to the route."

Host A receives this reasonable ICMP redirection, so it modifies its route path and throws the communication on 192.0.0.3 to the vro.

The attacker can finally receive an IP packet from the host in the route. He can telnet to the host's port 23.

In fact, the above idea is just an ideal situation. The ICMP redirection packet that the host permits to receive actually has many restrictions, which make ICMP redirection very difficult.

In TCP/IP implementation, the host has the following restrictions on receiving ICMP redirection packets: the new route must be direct, and the redirect packet must come from the current route to the target; the redirection package cannot notify the host to use its own route. The changed route must be an indirect route.

Because of these restrictions, ICMP spoofing is actually difficult to implement. However, we can also take the initiative to find some other methods based on the above thinking. More importantly, we know the dangers of these spoofing methods, and we can adopt appropriate defense methods.

Defense principles of ARP Spoofing

We provide the following preliminary defense methods:

Do not establish your network security trust relationship on the basis of IP addresses or hardware MAC addresses (RARP also has the problem of spoofing). The ideal relationship should be on the basis of IP + MAC.

Set a static MAC → IP address table. Do not refresh the specified conversion table on the host.

Unless necessary, stop using ARP and save ARP as a permanent entry in the corresponding table. Using ifconfig-arp in Linux can stop the NIC Driver from using ARP.

Send outgoing communication using the Proxy gateway.

Modify the system to reject ICMP redirection packets. In Linux, You can reject ICMP redirection packets on the firewall or modify the kernel option to re-compile the kernel to reject ICMP redirection packets. In Win 2000, You can reject ICMP packets through firewall and IP policies.