Analysis of ARP attack methods

Source: Internet
Author: User

ARP attacks are attacks that abuse the operating mechanism of the Address Resolution Protocol (ARP). They include IP address conflict attacks and packet-bombing attacks against hosts, which can cut off the network connection of any host on the LAN. [5] ARP spoofing attacks mainly aim at data theft, while ARP flood attacks aim at sabotage. This article further divides ARP attacks into the following types:
 
 
2.3.1 IP address conflict
 
The attacker creates the illusion that another host on the LAN shares the affected host's IP address. Because this violates the uniqueness requirement for IP addresses, the victim host automatically pops up a warning dialog to the user, and a large number of such attack packets consumes considerable system resources on the affected host. On Windows, the ARP opcode is irrelevant: as soon as an ARP packet is received whose sender IP address equals the local host's IP address but whose sender MAC address differs from the local MAC address, an IP address conflict warning dialog is displayed. According to the characteristics of the attack, IP address conflict attacks fall into the following types:
 
 
(1) Unicast IP address conflict: the destination physical address recorded at the link layer is the physical address of the attacked host, so the ARP packet is received only by the attacked host and not by the other hosts on the LAN.
 
 
(2) Broadcast IP address conflict: the destination physical address recorded at the link layer is the broadcast address, so every host on the LAN receives the ARP packet. Although the target IP address recorded in the ARP body is not the IP address of the attacked host, the attacked host still receives the packet because it is a broadcast, and it therefore displays an IP address conflict warning dialog.
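The two variants above differ only in the Ethernet destination address; the ARP body is what triggers the warning. As an added example (not part of the original article), the following Python builds raw Ethernet/ARP frames for both variants from constructed sample addresses and applies the conflict rule described above: sender IP equal to ours with a different sender MAC, regardless of opcode. Sending the frames on a real network would need a raw socket and root privileges; the code only constructs and inspects them.

```python
"""Raw Ethernet/ARP frame construction and the IP-conflict rule.
Added example; all addresses below are constructed sample values."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
OTHER_IP, OTHER_MAC = "192.168.1.20", "00:11:22:33:44:20"   # an uninvolved host on the LAN
ATTACKER_MAC = "00:11:22:33:44:99"

def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)

def build_arp_frame(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) followed by an Ethernet/IPv4 ARP body (28 bytes)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)      # htype, ptype, hlen, plen, opcode
           + mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
           + mac_to_bytes(target_mac) + ip_to_bytes(target_ip))
    return eth + arp

def parse_arp_frame(frame):
    """Return the ARP fields as a dict, or None if this is not an Ethernet/IPv4 ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "dst_mac": bytes_to_mac(frame[0:6]), "src_mac": bytes_to_mac(frame[6:12]),
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]), "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]), "target_ip": bytes_to_ip(frame[38:42]),
    }

def delivered_to(frame, nic_mac):
    """Link-layer filter: a NIC accepts frames addressed to it or to the broadcast address."""
    return bytes_to_mac(frame[0:6]) in (nic_mac, BROADCAST_MAC)

def is_ip_conflict(frame, my_mac, my_ip):
    """Conflict rule as described for Windows: the opcode is ignored, only the sender
    fields matter. Our own gratuitous ARP (same IP, same MAC) is not a conflict."""
    arp = parse_arp_frame(frame)
    return arp is not None and arp["sender_ip"] == my_ip and arp["sender_mac"] != my_mac

# (1) unicast variant: only the victim's NIC accepts the frame
UNICAST_CONFLICT = build_arp_frame(VICTIM_MAC, ATTACKER_MAC, ARP_REQUEST,
                                   ATTACKER_MAC, VICTIM_IP, ZERO_MAC, VICTIM_IP)
# (2) broadcast variant: every NIC accepts it; the ARP target IP is not the victim's
BROADCAST_CONFLICT = build_arp_frame(BROADCAST_MAC, ATTACKER_MAC, ARP_REQUEST,
                                     ATTACKER_MAC, VICTIM_IP, ZERO_MAC, "192.168.1.1")

if __name__ == "__main__":
    for name, frame in (("unicast", UNICAST_CONFLICT), ("broadcast", BROADCAST_CONFLICT)):
        for host, mac, ip in (("victim", VICTIM_MAC, VICTIM_IP), ("other", OTHER_MAC, OTHER_IP)):
            if delivered_to(frame, mac):
                print(f"{name}: {host} receives it, conflict={is_ip_conflict(frame, mac, ip)}")
            else:
                print(f"{name}: {host} never sees it")
```

Note that the broadcast variant reaches every NIC but only alarms on the victim, because the other hosts' own IP addresses never match the sender IP; that is what makes the attack quiet from everyone else's point of view.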
 
 
2.3.2 ARP flood attacks
 
The attacking host continuously sends forged MAC-IP mappings to the affected host and broadcasts them to all hosts and gateways on the LAN, seizing network bandwidth and interfering with normal communication. The main features of this attack are: (1) by continuously sending spoofed ARP broadcast datagrams, the attacker forces the switch to process and replicate the broadcasts, exhausting network bandwidth; (2) hosts and gateways on the LAN cannot find the correct communication peer, so normal communication is blocked; (3) the false address information fills the host's ARP cache, so the host cannot create new cache entries and cannot communicate properly. An attack with feature (3) is called an ARP overflow attack. ARP flood attacks are not aimed at stealing user data; they aim purely at damaging the network rather than at any gain for the attacker.
 
 
2.3.2.1 ARP overflow attacks
 
ARP overflow attacks have the following features:
 
 
(1) The IP address in the forged MAC-IP mapping is a non-existent private (non-public) IP address, while the MAC address is fixed. Because the operating system creates a new cache entry for the sender MAC-IP pair whenever it receives an ARP packet whose sender IP address is not yet in its ARP cache, the cache fills up with entries for IP addresses that do not exist.
 
 
(2) The IP address in the forged MAC-IP mapping is a non-existent private IP address, and the MAC address also changes at random. Sending this type of attack packet causes the switch's CAM table to overflow. A switch builds its CAM table by learning the source MAC address of the frames arriving on each port, recording which MAC address is attached to which port, and then uses the CAM table to decide which port a frame should be sent to. If the attack source continuously sends a large number of ARP packets with bogus source MAC addresses to the switch, the port-to-MAC associations are corrupted and the CAM table overflows. Under these circumstances a switch without preventive measures processes frames in broadcast mode, flooding traffic out of every interface. [6] In the end the switch degrades into a hub, the switched network becomes a broadcast network, and the available network bandwidth drops sharply.
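To make the CAM-overflow mechanism in (2) concrete, here is an added Python simulation (not from the original article) of a learning switch with a bounded CAM table, entry aging and no port security. Two legitimate hosts on ports 1 and 2 are learned normally; an attacker on port 3 then sprays frames with distinct source MACs. Once the table is full and the legitimate entries have aged out, the switch can no longer learn the real hosts and floods their unicast traffic out of every port, including the attacker's. Port numbers, MAC addresses, table size and aging time are constructed assumptions.

```python
"""Learning switch with a bounded CAM table, entry aging and no port security.
Added simulation; ports, MACs, capacity and timings are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"

class Switch:
    def __init__(self, ports, cam_capacity=64, aging=300):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.aging = aging        # seconds an entry survives without being refreshed
        self.cam = {}             # MAC -> (port, last_seen)

    def _age_out(self, now):
        stale = [mac for mac, (_, seen) in self.cam.items() if now - seen > self.aging]
        for mac in stale:
            del self.cam[mac]

    def forward(self, in_port, src_mac, dst_mac, now):
        """Learn src_mac on in_port if there is room, then return the set of egress ports."""
        self._age_out(now)
        if src_mac in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = (in_port, now)       # a full table silently drops new learns
        entry = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:    # broadcast or unknown unicast: flood
            return {p for p in self.ports if p != in_port}
        return {entry[0]}

def fake_mac(i):
    """Deterministic stand-in for the attacker's random locally-administered source MACs."""
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"

def simulate(attack, cam_capacity=64, attack_frames=200, aging=300):
    """Return (ports A's unicast to B is sent out of, CAM table size) after the scenario."""
    sw = Switch(ports=[1, 2, 3, 4], cam_capacity=cam_capacity, aging=aging)
    A, B = "00:11:22:33:44:01", "00:11:22:33:44:02"     # legitimate hosts on ports 1 and 2
    t = 0
    sw.forward(1, A, BROADCAST, t)     # A's ARP request floods ...
    sw.forward(2, B, A, t)             # ... B's reply: both MACs are now learned
    assert sw.forward(1, A, B, t) == {2}
    t += aging + 1                     # A and B stay quiet long enough for their entries to expire
    if attack:
        for i in range(attack_frames): # attacker on port 3 sprays ARP frames with new source MACs
            t += 1
            sw.forward(3, fake_mac(i), BROADCAST, t)
    sw.forward(2, B, A, t)             # B talks again; it can only be re-learned if there is room
    return sw.forward(1, A, B, t), len(sw.cam)

if __name__ == "__main__":
    print("without attack:", simulate(attack=False))   # ({2}, 2)
    print("with attack:   ", simulate(attack=True))    # ({2, 3, 4}, 64)
```

A CAM table larger than the attack volume survives it (simulate(True, cam_capacity=1000) keeps the unicast path), which is why real attack tools send tens of thousands of frames per second, and why limiting the number of MAC addresses a switch may learn per port is the usual countermeasure.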
 
 
2.3.3 ARP spoofing attacks
 
ARP spoofing principle
 
If host A needs to communicate with host B, it must find the MAC address corresponding to host B's IP address, and it uses ARP to do so. First, source host A sends an ARP request packet as a broadcast to every host on the Ethernet segment; this is called an ARP broadcast. All hosts receive the broadcast, but only host B, whose IP address matches the target IP address in the request, answers by sending a reply containing its MAC address to source host A. This completes a normal address resolution. To minimize the number of ARP broadcast requests on the network, each host keeps an ARP cache that stores the IP-to-MAC mappings it has learned since it started. The host refreshes the ARP cache periodically and whenever it receives an ARP reply carrying a new address mapping, so that it always holds the latest resolution results. [7]
 
ARP cache updates require no verification, so a host that holds a valid IP address on the network can use them to sniff data on the same network. This is exactly the method used by ARP spoofing viruses. Assume three hosts A, B and C, and that host C is infected with an ARP spoofing virus. Normally the communication between host A and host B is invisible to host C, but host C can use ARP spoofing to sniff it even on a switched network. The main steps are: (1) host C sends a forged ARP reply to host A that changes the MAC address recorded for host B in host A's ARP cache to host C's MAC address; (2) host C sends a forged ARP reply to host B that changes the MAC address recorded for host A in host B's ARP cache to host C's MAC address; (3) host C enables IP forwarding. The path between host A and host B therefore changes from A to B directly into A to C to B. Host C acts as an "intermediary" that forwards every packet exchanged between host A and host B, and so hijacks all of their traffic; this is the ARP spoofing process. When host C impersonates the gateway instead, every computer on the LAN that connects to the Internet must pass its traffic through the gateway, so all data sent and received is first handed to the gateway and then forwarded by it to the Internet. This means that host C can intercept and tamper with all traffic from the LAN to the Internet and from the Internet to the LAN.
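The three steps above, as an added Python model (not the article's code): each host has an ARP cache that is overwritten without verification, and a tiny LAN delivers frames by destination MAC. Host C poisons A and B and, with forwarding enabled, relays their packets while recording everything it sees; with forwarding disabled the same poisoning simply drops the traffic, which is the denial-of-service variant. Hosts, addresses and payloads are constructed.

```python
"""ARP cache poisoning and man-in-the-middle relay on a toy LAN.
Added model; hosts, addresses and payloads are constructed."""

ARP_REPLY = 2
MAX_HOPS = 8      # guard against forwarding loops between poisoned hosts

class Host:
    def __init__(self, name, ip, mac, ip_forward=False):
        self.name, self.ip, self.mac, self.ip_forward = name, ip, mac, ip_forward
        self.arp_cache = {}    # IP -> MAC
        self.seen = []         # payloads this host's stack processed or relayed

    def receive_arp(self, opcode, sender_mac, sender_ip, target_ip):
        # As the text describes: the mapping is stored without verification,
        # so a forged reply overwrites a correct entry.
        if target_ip == self.ip:
            self.arp_cache[sender_ip] = sender_mac

    def frame_for(self, dst_ip, payload, src_ip=None):
        """Build a frame using whatever MAC the cache currently holds for dst_ip."""
        return {"dst_mac": self.arp_cache.get(dst_ip), "src_mac": self.mac,
                "src_ip": src_ip or self.ip, "dst_ip": dst_ip, "payload": payload}

class Lan:
    def __init__(self, hosts):
        self.by_mac = {h.mac: h for h in hosts}

    def send(self, src, dst_ip, payload):
        """Deliver an IP packet from src and return the names of the hosts it passed through."""
        frame, path = src.frame_for(dst_ip, payload), []
        for _ in range(MAX_HOPS):
            host = self.by_mac.get(frame["dst_mac"])
            if host is None:
                return path + ["(dropped)"]
            path.append(host.name)
            host.seen.append(payload)               # whoever the frame lands on sees the data
            if host.ip == frame["dst_ip"]:
                return path
            if not host.ip_forward:
                return path + ["(dropped)"]          # not for us and not forwarding
            frame = host.frame_for(frame["dst_ip"], payload, src_ip=frame["src_ip"])
        return path + ["(loop)"]

def poison(victim, attacker, impersonated_ip):
    """Steps (1)/(2): an unsolicited reply 'impersonated_ip is at attacker.mac' sent to the victim."""
    victim.receive_arp(ARP_REPLY, attacker.mac, impersonated_ip, victim.ip)

def demo(forward=True):
    a = Host("A", "10.0.0.1", "00:00:00:00:00:0a")
    b = Host("B", "10.0.0.2", "00:00:00:00:00:0b")
    c = Host("C", "10.0.0.3", "00:00:00:00:00:0c", ip_forward=forward)   # step (3)
    lan = Lan([a, b, c])
    for h in (a, b, c):                 # normal resolution already happened: real mappings everywhere
        for peer in (a, b, c):
            if peer is not h:
                h.arp_cache[peer.ip] = peer.mac
    before = lan.send(a, b.ip, "login=alice")
    poison(a, c, b.ip)                  # (1): in A's cache, B's IP now points at C's MAC
    poison(b, c, a.ip)                  # (2): in B's cache, A's IP now points at C's MAC
    after = lan.send(a, b.ip, "login=alice")
    reply = lan.send(b, a.ip, "welcome")
    return before, after, reply, c.seen

if __name__ == "__main__":
    before, after, reply, seen = demo()
    print("A->B before poisoning:", before)      # ['B']
    print("A->B after poisoning: ", after)       # ['C', 'B']
    print("B->A after poisoning: ", reply)       # ['C', 'A']
    print("what C saw:", seen)
```

The forwarder keeps the original source IP when it re-sends, so neither endpoint notices anything at the IP layer; only the link-layer addresses (and an ARP table inspection on A or B) reveal that B's IP now maps to C's MAC.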
 
 
ARP spoofing types
 
(1) Denial-of-service (DoS) attacks prevent the target host from responding to external requests, so that it can no longer provide its services. If the attacker changes every MAC address in the target host's ARP cache to a non-existent one, every Ethernet frame the target host sends is lost; the upper-layer applications then become busy handling these failures and cannot respond to external requests, which amounts to a denial of service on the target host.
 
 
(2) Man-in-the-middle attacks insert a host into the communication path between two target hosts, so that it acts like a relay between them and the attacker can monitor their communication. For example, take three machines A, S and D on the LAN, where A wants to listen to the communication between S and D. The attack proceeds as follows: A poisons the ARP caches of the target hosts S and D, so that when S sends data to D it uses D's IP address together with A's MAC address, and when D sends data to S it uses S's IP address together with A's MAC address. As a result, all data between S and D passes through A, which then forwards it to the intended recipient.
 
 
If an attacker performs a man-in-the-middle attack between a target host and the LAN's router, the attacker can intercept all communication between the Internet and the target host. [8]
 
(3) Multi-host spoofing: the attacker tampers with the ARP record for one host X in each member of an attacked host group. The attacked host group consists of multiple hosts on the network rather than a single host, and host X is the gateway or any other running host on the network. The tampered MAC address can be the MAC address of a running host on the network or a randomly forged MAC address that does not exist. [11]
 
At time T, host A's ARP record for host X is tampered with;
 
 
At time T + N, host B's ARP record for host X is tampered with;
 
 
.........
 
At time T + M, host Z's ARP record for host X is tampered with;
 
 
For example, if the attacker wants to impersonate the gateway, it sends ARP packets to the host group on the LAN that pair the real gateway's IP address with its own MAC address. The gateway entry in the ARP cache of each deceived host is then incorrectly updated to the MAC address of the attack source, so the deceived hosts send their traffic to the fake gateway instead of reaching the real gateway through the router or switch. The attacking host can then configure itself as a router that forwards the packets, completing the gateway impersonation. This is a common form of spoofing that lets the attacker control the network access of every host behind the same gateway; it is the reason game account passwords are often stolen in Internet cafes.
 
 
(4) Full-subnet round robin spoofing: the attacker tampers with the ARP records for multiple hosts on the network in a single attacked host X. The attacked host is the gateway or any other host on the network, and the tampered MAC address can be the MAC address of a running host on the network or a randomly forged MAC address that does not exist. [11]
 
At time T, host X's ARP record for host A is tampered with;
 
 
At time T + N, host X's ARP record for host B is tampered with;
 
 
.........
 
At time T + M, host X's ARP record for host Z is tampered with;
 
 
(5) Network listening: the attacking host uses multi-host spoofing (above) to impersonate the gateway towards all hosts, and uses full-subnet round robin spoofing to tamper with the ARP cache records for all LAN hosts on the real gateway. In this way the communication between every host on the LAN and the external network can be monitored, even in a switched network environment.
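The spoofing types above, the ARP flood of 2.3.2 and the overflow attack of 2.3.2.1 all leave the same kinds of trace in sniffed ARP traffic: an IP address claimed by more than one MAC, one MAC claiming many IP addresses, or an abnormal ARP rate from one station. As an added example (not part of the original article), the following Python runs those three checks, plus a comparison against a known-good table such as a static gateway entry, over a constructed sample of sniffed sender fields. A real deployment would feed it the sender MAC and sender IP of every ARP packet from a packet capture; the thresholds are assumptions to tune per network.

```python
"""Detection of ARP spoofing, round-robin spoofing, overflow and flood from sniffed
ARP sender fields. Added example; the sample records and thresholds are constructed."""
from collections import Counter, defaultdict

ATTACKER = "00:0c:29:bb:bb:bb"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:50:56:aa:00:01"

# Constructed sample of sniffed ARP sender fields: (seconds, sender_mac, sender_ip)
SAMPLE = [
    (0.0, GATEWAY_MAC, GATEWAY_IP),              # real gateway answers a request
    (1.0, "00:50:56:aa:00:10", "192.168.1.10"),  # host A
    (2.0, "00:50:56:aa:00:11", "192.168.1.11"),  # host B
    (5.0, ATTACKER, GATEWAY_IP),                 # attacker claims the gateway's IP (multi-host spoofing)
    (5.5, ATTACKER, "192.168.1.10"),             # attacker claims A's IP towards the gateway
    (6.0, ATTACKER, "192.168.1.11"),             # ... and B's (full-subnet round robin)
    (6.5, ATTACKER, "192.168.1.12"),
] + [  # 300 mappings for non-existent IPs from one MAC within three seconds: overflow + flood
    (9 + i / 100, ATTACKER, f"10.99.{i >> 8}.{i & 0xff}") for i in range(300)
]

KNOWN_GOOD = {GATEWAY_IP: GATEWAY_MAC}   # e.g. the statically configured gateway entry

def analyze(records, known_good=None, max_ips_per_mac=3, max_pps=50):
    """Return {finding_kind: [details]} for the ARP anomalies described in the text."""
    ip_to_macs, mac_to_ips, per_second = defaultdict(set), defaultdict(set), Counter()
    for ts, mac, ip in records:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        per_second[(mac, int(ts))] += 1
    findings = defaultdict(list)
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:                 # two stations claim one IP: conflict or impersonation
            findings["ip-claimed-by-multiple-macs"].append((ip, sorted(macs)))
    for mac, ips in mac_to_ips.items():
        if len(ips) > max_ips_per_mac:    # one station claims many IPs: round robin spoofing / overflow
            findings["mac-claims-many-ips"].append((mac, len(ips)))
    for (mac, sec), n in sorted(per_second.items()):
        if n > max_pps:                   # sustained ARP rate from one station: flood
            findings["arp-flood"].append((mac, sec, n))
    for ip, good_mac in (known_good or {}).items():
        impostors = ip_to_macs.get(ip, set()) - {good_mac}
        if impostors:                     # someone other than the known owner answered for this IP
            findings["known-good-mismatch"].append((ip, sorted(impostors)))
    return dict(findings)

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE, KNOWN_GOOD).items():
        print(kind, items[:3])
```

Of the four checks, the known-good comparison is the only one that tells the gateway's real MAC apart from the impostor's; the others only show that a conflict exists, which is also why the IP-conflict dialog on Windows cannot say which station is lying.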
 
 
2.3.4 ARP scan attacks
 
The attacker sends ARP requests for every address on the LAN to obtain the IP-to-MAC mapping of each running host. ARP scanning is often used in preparation for ARP attacks: the attack source obtains the IP and MAC address of the target host through ARP scanning, and then uses them to listen on the network and steal user data.
 
 
2.3.5 Virtual host attack
 
The attacker creates a virtual network interface on the network and makes it appear as a host with a virtual physical address and a virtual IP address. It mainly captures all ARP requests passing by at the link layer for analysis. If an ARP request is addressed to the virtual host, it sends an ARP reply carrying the virtual physical address; the virtual host also sends ARP requests of its own. Virtual host attacks occupy IP address resources on the LAN, causing IP address conflicts with legitimate hosts, so that hosts on the LAN cannot obtain IP addresses normally.
 
 
2.4 ARP attacks
 
ARP attacks have a great impact. Once an ARP attack is present on the LAN, it spoofs all hosts and the gateway, so that all Internet traffic must pass through the host controlled by the attacker. Other users previously reached the Internet directly through the gateway; now their traffic is forwarded through the controlled host. Because the performance of the controlled host and of the attack program is limited, this forwarding is not smooth, which leads to slow Internet access or even frequent disconnections. In addition, ARP spoofing constantly sends ARP reply packets, which can cause network congestion and abnormal connections between network nodes. ARP spoofing attacks can have other manifestations as well, such as large-scale account theft and data loss on the network. In the case of IP address conflict attacks, the host continuously displays IP address conflict warnings.
