ARP Attacks and DAI
I. ARP attack principle:
The Address Resolution Protocol (ARP) is a network-layer protocol in the TCP/IP protocol stack. It resolves an IP address into the corresponding MAC address.
An ARP attack implements ARP spoofing by forging IP addresses and MAC addresses. It can generate a large amount of ARP traffic that congests the network, and as long as the attacker keeps sending counterfeit ARP responses, the IP-MAC entries in the target host's ARP cache can be changed at will, resulting in network interruption or a man-in-the-middle attack.
ARP is mainly used on LANs. If a computer on the LAN is infected with an ARP attack program, the infected system attempts to intercept the communications of the other computers on the network by means of ARP spoofing, causing communication failures for those computers.
The attacker sends a forged ARP response to computer A, telling computer A that the MAC address corresponding to computer B's IP address 192.168.0.2 is 00-aa-00-62-c6-03; computer A writes this mapping into its ARP cache. From then on, data that should have been sent to computer B is sent to the attacker instead. Similarly, the attacker sends a forged ARP response to computer B, telling computer B that the MAC address of computer A's IP address 192.168.0.1 is 00-aa-00-62-c6-03, so computer B also sends its data to the attacker.
At this point the attacker controls the traffic between computer A and computer B. He can passively monitor the traffic to obtain passwords and other confidential information, or forge data and change the content of the communication between computer A and computer B.
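The A/B exchange described above, as an added example that is not part of the original article: a small Python watcher that decodes ARP replies and raises the two alerts a defender expects from this scenario, an IP whose MAC changes and one MAC claiming several IPs. The packets and the real MAC addresses of A and B are constructed; only the attacker MAC 00-aa-00-62-c6-03 and the two IP addresses come from the text.

```python
import struct
from collections import defaultdict
ARP_REPLY = 2  # ARP opcode: 1 = request, 2 = reply

def parse_arp(payload: bytes) -> dict:
    """Decode the 28-byte Ethernet/IPv4 ARP payload (RFC 826 field order)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: "-".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(sha), "spa": ip(spa), "tha": mac(tha), "tpa": ip(tpa)}

def build_arp_reply(sha, spa, tha, tpa) -> bytes:
    """Build a constructed sample reply so the demo runs offline (not a capture)."""
    mac = lambda s: bytes(int(x, 16) for x in s.split("-"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

class ArpWatch:
    """Record which MAC each IP claims in ARP replies and report anomalies."""
    def __init__(self):
        self.ip_to_mac = {}                 # last mapping seen per IP
        self.mac_to_ips = defaultdict(set)  # every IP a MAC has claimed
        self.alerts = []
    def observe(self, pkt: dict):
        if pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["spa"], pkt["sha"]
        old = self.ip_to_mac.get(ip)
        if old and old != mac:  # an IP's MAC changed: the classic poisoning sign
            self.alerts.append(f"MAC change for {ip}: {old} -> {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:  # one MAC impersonating several IPs
            self.alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")

def demo() -> list:
    """Replay the article's A/B scenario with constructed packets; returns alerts."""
    a_ip, b_ip, atk = "192.168.0.1", "192.168.0.2", "00-aa-00-62-c6-03"
    a_mac, b_mac = "00-aa-00-62-c6-01", "00-aa-00-62-c6-02"  # assumed real MACs of A and B
    frames = [build_arp_reply(a_mac, a_ip, b_mac, b_ip),  # A answers B (legitimate)
              build_arp_reply(b_mac, b_ip, a_mac, a_ip),  # B answers A (legitimate)
              build_arp_reply(atk, b_ip, a_mac, a_ip),    # forged "B" delivered to A
              build_arp_reply(atk, a_ip, b_mac, b_ip)]    # forged "A" delivered to B
    watch = ArpWatch()
    for frame in frames:
        watch.observe(parse_arp(frame))
    return watch.alerts
```

A real deployment would feed `observe()` from a packet capture of the LAN segment instead of the constructed frames, and would whitelist known multi-IP hosts such as routers.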
To solve the ARP attack problem, you can configure the 802.1X protocol on the switches in the network.
IEEE 802.1X is a port-based access control protocol that authenticates and authorizes users connecting to switches. After 802.1X is configured on a switch, a user must pass identity authentication (combining MAC address, port, account, VLAN and password) when connecting, and can only send data onto the network after authentication succeeds. An attacker who has not passed authentication cannot send forged ARP packets onto the network.
II. Evolution of ARP attacks
Initial stage: ARP spoofing
Deliberately issuing ARP broadcast packets carrying incorrect information is called ARP spoofing. ARP spoofing was initially used by hackers and became their main means of stealing network data. By sending out incorrect ARP broadcast packets, a hacker can block normal communication and disguise his computer as another computer, so that data originally sent to other computers goes to the hacker's computer instead, where it is stolen.
Middle stage: malicious ARP attacks
Later, some people used this principle to create so-called "management software", such as Network Scissors, Network Law Enforcer, Terminator and others, which led to a flood of malicious ARP attacks. People who use this kind of software mostly aim at malicious disruption, knocking others offline to vent for a while.
Especially in Internet cafes, malicious ARP attacks flourished, whether out of business competition or personal boredom.
As Internet cafe operators found ways to disable these specific programs, this trend gradually subsided.
Now: comprehensive ARP attacks
The recent wave of ARP attacks has more diverse purposes and methods, and a greater impact than in the previous two stages.
First, viruses have joined the ranks of ARP attackers. In the past, viruses mainly targeted wide-area networks, and their most effective method was the DDoS attack. With the improvement of defenses, however, virus writers turned their attention to local networks and began trying ARP attacks; the recently widespread Viking virus, for example, uses ARP attacks as one of its methods.
Compared with viruses, hacking programs are more troublesome for Internet cafe operators. An account-stealing program steals users' account and password data, and ARP spoofing affects the Internet access of other computers.
III. Symptoms of an ARP attack:
ARP spoofing attacks caused by viruses show the following symptoms: when using the LAN, the system suddenly drops offline and returns to normal after a period of time. For example, the client status frequently turns red, users are disconnected frequently, the IE browser is prone to errors, and some common software fails. If the LAN accesses the Internet through identity authentication, the user suddenly appears authenticated but cannot access the Internet (cannot ping the gateway); restarting the machine or running the command arp -d in the MS-DOS window restores Internet access.
A single computer successfully infected by an ARP spoofing attack may cause the entire LAN to lose Internet access, and may even paralyze the whole network. Besides the intermittent disconnection of other users on the same LAN, the attack also steals user passwords: QQ passwords, the accounts and passwords of various online games used for money transactions, and online banking accounts used for illegal transactions, causing users great inconvenience and economic loss.
Relying on the ARP protocol, the attacker continuously sends fraudulent ARP packets to the victim's computer. The packets contain a MAC address that duplicates the current device's; when the recipient responds to them, the network cannot communicate normally because of a simple duplicate-address error. Generally, a computer under ARP attack shows two symptoms:
1. A dialog box is displayed reading "The hardware address of the local machine (segment 0-255) conflicts with an address (segment 0-255) in the network".
2. The computer cannot access the Internet normally and the network is interrupted.
Because this attack uses ARP request packets for "spoofing", the firewall mistakes them for normal request packets and does not block them. Common firewalls therefore have difficulty resisting such attacks.
IV. DAI technology:
ARP protection can be implemented in any Cisco switched network by binding the IP address and MAC address of every device. Maintaining such bindings by hand is difficult, however, which is where Cisco's Dynamic ARP Inspection mechanism comes in.
Cisco Dynamic ARP Inspection (DAI) provides IP-address-to-MAC-address binding on the switch and establishes the bindings dynamically.
DAI is based on the DHCP snooping binding table. For servers that do not use DHCP, a static ARP access list can be used.
DAI is configured per VLAN. You can enable or disable DAI on interfaces within the same VLAN. DAI can also limit the number of ARP request packets on a port.
These techniques prevent "man-in-the-middle" attacks.
V. DAI deployment:
Switch(config)# ip dhcp snooping vlan 7
Switch(config)# ip dhcp snooping information option   / default setting
Switch(config)# ip dhcp snooping
Switch(config)# ip arp inspection vlan 7
/ Defines which VLANs ARP packets are inspected on
Switch(config)# ip arp inspection validate src-mac dst-mac ip
/ Checks the source MAC, destination MAC and IP addresses
Switch(config-if)# ip dhcp snooping limit rate 10
Switch(config-if)# ip arp inspection limit rate 15   / Defines the number of ARP packets per second allowed on the interface
Switch(config-if)# ip arp inspection trust   / Trusted interfaces are not checked; interfaces are untrusted (checked) by default
VI. Effects after DAI implementation:
If no static binding is configured on an interface where DAI is enabled, a client cannot access the network by specifying a static address.
Because DAI checks the relationship between IP addresses and MAC addresses against the DHCP snooping binding table, the man-in-the-middle attack cannot be carried out and the attack tool is ineffective.
The following shows the switch warning when a man-in-the-middle attempt is made:
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16,
vlan 1.([000b.db1d.6ccd/192.168.1.200/2.16.0000.0000/192.168.1.2
Because ARP request packets are rate-limited, a client (or a virus on it) cannot scan or probe IP addresses. If such behavior occurs,
the switch immediately raises an alarm or directly disconnects the scanning machine's port. See the following:
3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.   / alarm
3w0d: %PM-4-ERR_DISABLE: ARP-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state   / port disconnected
I49-4500-1# sh int fa5/30
FastEthernet5/30 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet Port, address is 0002.b90e.3f4d (bia 0002.b90e.3f4d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
I49-4500-1# ...
After a user obtains an IP address, the user cannot modify the IP address or the MAC address. If the user modifies the IP address and MAC address at the same time, the pair must be a valid IP address and MAC address on the network; the IP Source Guard technology described below can be used to prevent such changes. The following shows the alarm for a manually specified IP address:
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30,
vlan 1.([000d.6078.2d95/192.168.1.100/2.16.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000]).
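An added example, not from the article or from Cisco: a Python parser for the three DAI syslog messages quoted in this section that turns them into a per-interface summary, flags gratuitous ARPs (sender IP equal to target IP, as in the manually specified address case above) and compares the observed ARP rate with the 15 pps limit configured in the deployment. The sample log lines are constructed from the quoted messages; the zeroed target-MAC field and the timestamps are placeholders.

```python
import re
from collections import defaultdict
ARP_LIMIT_PPS = 15  # the "ip arp inspection limit rate 15" value from the deployment above

# Mnemonics as quoted in the article; the bracketed fields of a DENY message are
# sender MAC / sender IP / target MAC / target IP / timestamp. Matching is case-insensitive.
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<n>\d+) invalid arps \((?P<kind>\w+)\) on "
    r"(?P<intf>[\w/]+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<when>[^\]]*)\]\)", re.I)
RATE_RE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in "
                     r"(?P<ms>\d+) milliseconds on (?P<intf>[\w/]+)", re.I)
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: ARP-inspection error detected on (?P<intf>[\w/]+)", re.I)

def parse_dai_line(line: str):
    """Classify one syslog line; returns a dict with an 'event' key, or None if unrelated."""
    if m := DENY_RE.search(line):
        d = m.groupdict()
        d["n"], d["vlan"] = int(d["n"]), int(d["vlan"])
        d["gratuitous"] = d["sip"] == d["tip"]  # host announcing its own (static) IP
        return {"event": "deny", **d}
    if m := RATE_RE.search(line):
        pps = round(int(m["pkts"]) * 1000 / int(m["ms"]), 1)
        return {"event": "rate", "intf": m["intf"], "pps": pps, "over_limit": pps > ARP_LIMIT_PPS}
    if m := ERRDIS_RE.search(line):
        return {"event": "errdisable", "intf": m["intf"]}
    return None

def summarize(lines) -> dict:
    """Per-interface view: ARPs denied, gratuitous ARPs, observed rate, port state."""
    out = defaultdict(lambda: {"denied": 0, "gratuitous": 0, "rate_pps": None, "err_disabled": False})
    for ev in filter(None, map(parse_dai_line, lines)):
        s = out[ev["intf"]]
        if ev["event"] == "deny":
            s["denied"] += ev["n"]
            s["gratuitous"] += int(ev["gratuitous"])
        elif ev["event"] == "rate":
            s["rate_pps"] = ev["pps"]
        else:
            s["err_disabled"] = True
    return dict(out)

# Constructed sample log modelled on the messages quoted above (zeroed target MAC is a placeholder).
SAMPLE_LOG = [
    "3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2/01:52:20 UTC Fri Dec 29 2000])",
    "3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.",
    "3w0d: %PM-4-ERR_DISABLE: ARP-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state",
    "3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000])",
]
```

Feeding the switch's syslog export through `summarize()` gives the operator the denied-ARP count and port state per interface without reading raw messages.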