Analysis of the ARP protocol and ARP attacks

Source: Internet
Author: User

I. ARP packet structure


(1) Hardware type: the type of hardware interface the sender is asking about; for Ethernet the value is 1.
(2) Protocol type: the upper-layer protocol whose addresses the sender is resolving; the value 0x0800 means IP addresses.
(3) Hardware address length and protocol address length: the lengths of the hardware address and of the upper-layer protocol address, so that ARP messages can be used on any hardware and with any protocol. For an ARP request or reply carrying IP addresses over Ethernet, the values are 6 and 4 respectively.
(4) OP: the operation field indicates the message type: 1 = ARP request, 2 = ARP reply, 3 = RARP request, 4 = RARP reply.

ARP resolution process:

1. Each host keeps an ARP buffer that records the mapping between IP addresses and MAC addresses, called the ARP cache table.
2. When the source host sends a packet to the destination host, it first checks its own ARP cache table for the MAC address corresponding to the destination IP address. If an entry exists, it sends the packet directly to that MAC address.
If not, it broadcasts an ARP request on the local network segment asking for the MAC address of the host with this destination IP. The ARP request packet includes the source host's IP address and hardware address and the destination host's IP address.
3. Every host on the network that receives this ARP request checks whether the destination IP in the packet is the same as its own IP address.
If it is not the same, the packet is ignored.
If it is the same, the host first adds the sender's MAC address and IP address to its own ARP cache table.
If an entry for that IP already exists in the ARP cache table, it is overwritten with the new value; the host then sends an ARP reply packet to the source host, telling it that this is the MAC address it is looking for.
4. When the source host receives this ARP reply packet, it adds the destination host's IP address and MAC address to its own ARP cache and uses this information to transmit the data.
If the source host never receives an ARP reply packet, the ARP query has failed.

II. On ARP spoofing attacks

Gratuitous ARP messages
A gratuitous ARP message is a special ARP message in which both the sender IP address and the target IP address are the host's own IP address.
The source MAC address of the message is the host's own MAC, and the destination MAC address is the broadcast address. Gratuitous ARP is sent when an interface comes up or its IP address changes.

Gratuitous ARP has the following two functions:
(1) Determining whether another device's IP address conflicts with the host's own IP address.
When another device receives the gratuitous ARP message and finds that the IP address in the message is the same as its own, it returns an ARP reply to the device that sent the gratuitous ARP, informing it of the IP address conflict.
(2) When a device changes its hardware address, it notifies the other devices to update their ARP table entries by sending a gratuitous ARP message.

If an attacker forges and sends a malicious gratuitous ARP message, other hosts are told to update their ARP cache records; combined with a forged ARP reply packet, the target machine updates its record so that the IP address maps to a MAC address of the attacker's choosing, which achieves the deception.

ARP attack method

The following analyses the content of the messages during ARP spoofing.

Normal IP-MAC correspondence

The target of our ARP spoofing experiment: 192.168.1.151 xxxx:50:96

Local IP-MAC: 192.168.1.150 xxxx:00:f4

We perform bidirectional ARP spoofing and then look at the ARP packets.

Spoofing process: send malicious gratuitous ARP messages notifying other hosts to update their ARP cache records, and send forged ARP reply messages.

Here is the content of the spoofed reply messages (the first and second messages).

(1) Spoofed message to the target host 192.168.1.151 (the first message in the diagram)

The reply message is sent to the target host 192.168.1.151 that we want to deceive, informing it that the gateway's MAC address is xxxx:00:f4 (this is actually the attacker's MAC).

(2) Spoofed message to the gateway (the second message in the diagram)

The reply message is sent to the gateway 192.168.1.1 that we want to deceive, informing it that the MAC address of host 192.168.1.151 is xxxx:00:f4 (this is actually the attacker's MAC).

Implementing ARP protection and detection

I. Protection

(1) Bind the MAC address (static IP-MAC binding)

(2) Use an ARP firewall

ARP firewall principle
The software periodically sends gratuitous ARP to the gateway to advertise its own correct ARP information.
If the sending frequency is too high, it consumes a lot of network bandwidth.
If the sending frequency is too low, it fails to achieve the protective purpose.

II. ARP attack detection ideas

(1) Detect whether there are large numbers of gratuitous ARP messages and ARP reply messages on the network.

(2) Check whether the IP-MAC correspondence in the ARP messages received locally differs from the local records.
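The packet layout from section I and the two detection ideas above, as an added example that is not part of the original post or its linked tool: it decodes the ARP header fields with the standard library and scans a constructed capture (placeholder MACs, the page's IP addresses; nothing is sent) for IP-MAC changes against local records and for message floods.

```python
import struct
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Decode the ARP header fields from section I; None unless IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa)),
            "gratuitous": spa == tpa}  # gratuitous ARP: sender IP == target IP

def detect(frames, known, flood_threshold=3):
    """Detection ideas (1) and (2): message floods, and IP-MAC changes against local records."""
    alerts, counts, seen = [], {"gratuitous": 0, "reply": 0}, set()
    for p in filter(None, map(parse_arp, frames)):
        counts["gratuitous"] += p["gratuitous"]
        counts["reply"] += p["op"] == ARP_REPLY
        ip, mac = p["sender_ip"], p["sender_mac"]
        if ip not in known:
            known[ip] = mac  # first sighting: learn it
        elif known[ip] != mac and (ip, mac) not in seen:  # a trusted record is never overwritten
            seen.add((ip, mac))
            alerts.append(f"IP-MAC change: {ip} was {known[ip]}, now {mac}")
    for kind, n in counts.items():
        if n >= flood_threshold:
            alerts.append(f"flood: {n} {kind} ARP messages")
    return alerts

# Constructed offline sample capture (nothing is sent): placeholder MACs, the page's IP addresses.
def build_arp(op, sha, spa, tha, tpa, dst=b"\xff" * 6):
    return dst + sha + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
GW_MAC, GW_IP = bytes.fromhex("02000000aa01"), bytes([192, 168, 1, 1])
HOST_MAC, HOST_IP = bytes.fromhex("02000000bb51"), bytes([192, 168, 1, 151])
ROGUE_MAC = bytes.fromhex("02000000cc00")
SAMPLE = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, b"\0" * 6, GW_IP),             # normal request
    build_arp(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP, dst=HOST_MAC),     # normal reply
    build_arp(ARP_REPLY, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP, dst=HOST_MAC),  # gateway IP, wrong MAC
    build_arp(ARP_REPLY, ROGUE_MAC, HOST_IP, GW_MAC, GW_IP, dst=GW_MAC),      # host IP, wrong MAC
] + [build_arp(ARP_REQUEST, ROGUE_MAC, GW_IP, b"\0" * 6, GW_IP)] * 3         # gratuitous burst

def run_sample():
    return detect(SAMPLE, {"192.168.1.1": mac_str(GW_MAC), "192.168.1.151": mac_str(HOST_MAC)})
```

The seeded records play the role of the "local records" in idea (2); a mismatch raises an alert instead of overwriting the entry, which is exactly the behaviour the normal resolution process lacks.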

I wrote a small tool in Python to detect ARP spoofing attacks; those who are interested can refer to it, and you are welcome to get in touch:

Http://www.cnblogs.com/ssooking/p/6116253.html
