I. ARP Working Mechanism
ARP (Address Resolution Protocol) is a basic protocol used on data link layers such as Ethernet. It maps IP addresses to hardware (MAC) addresses.
The process is as follows:
1) When a host or network device needs to resolve the MAC address corresponding to an IP address, it broadcasts an ARP request packet.
2) The host or network device that owns the requested IP address responds with an ARP reply after receiving the request. At the same time, it creates an ARP table entry from the sender IP address and sender MAC address carried in the request.
3) After receiving the reply, the host or network device that initiated the request records the mapping between the sender IP address and sender MAC address carried in the reply message, generating its own ARP table entry.
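The three steps above, as an added worked example that is not part of the original article: it encodes and decodes the 28-byte ARP payload behind a 14-byte Ethernet II header exactly as sent on the wire, then runs the request/reply exchange between two simulated hosts so that both ARP tables end up populated. The IP and MAC addresses, the `Host` class and the function names are constructed for the example.

```python
import struct

# Constructed sample addresses (not from the original page).
HOST_A = ("192.168.1.10", "aa:bb:cc:00:00:0a")
HOST_B = ("192.168.1.20", "aa:bb:cc:00:00:0b")

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_ip, sender_mac, target_ip, target_mac):
    """Ethernet II header + 28-byte ARP payload (RFC 826, IPv4 over Ethernet).
    Requests go to the broadcast MAC; replies are unicast to the requester."""
    dst = BROADCAST_MAC if op == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)            # htype, ptype, hlen, plen, oper
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)    # sha, spa
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)    # tha, tpa
    return eth + arp


def parse_arp_frame(frame):
    """Return a dict of the ARP fields, or None if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac
        self.arp_table = {}          # ip -> mac, this host's ARP cache

    def resolve(self, target_ip):
        """Step 1: broadcast a request for target_ip (target MAC unknown, so all zeros)."""
        return build_arp_frame(ARP_REQUEST, self.ip, self.mac, target_ip, ZERO_MAC)

    def receive(self, frame):
        """Steps 2 and 3: learn the sender's mapping and answer requests for our own IP.
        Requests for other hosts' addresses are ignored (simplification of RFC 826)."""
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["target_ip"] != self.ip:
            return None
        self.arp_table[pkt["sender_ip"]] = pkt["sender_mac"]   # entry from the request (step 2) or reply (step 3)
        if pkt["op"] == ARP_REQUEST:
            return build_arp_frame(ARP_REPLY, self.ip, self.mac, pkt["sender_ip"], pkt["sender_mac"])
        return None


def run_exchange():
    """Host A resolves host B; returns both ARP tables after the exchange."""
    a, b = Host(*HOST_A), Host(*HOST_B)
    request = a.resolve(b.ip)
    reply = b.receive(request)     # B learns A from the request and answers
    a.receive(reply)               # A learns B from the reply
    return a.arp_table, b.arp_table
```

The point to notice for the rest of the article: nothing in step 2 or 3 authenticates the sender. Whatever sender IP/MAC pair a frame carries is written straight into the table, which is what every attack type below exploits.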
II. Introduction to ARP attack types
ARP attacks include counterfeit gateway attacks, counterfeit user attacks, and flood attacks.
2.1 Counterfeit gateway attacks
The attacker impersonates the gateway by sending forged ARP packets to the attacked host, claiming that the attacker's MAC address belongs to the gateway's IP address. As a result, the ARP table of the attacked host records an incorrect mapping for the gateway, so the data the attacked host sends to the gateway (that is, all traffic leaving the subnet) goes to the attacker instead of the gateway. In this way, the attacker can intercept all such data packets sent by the attacked host.
2.2 Counterfeit user attacks
2.2.1 Spoofing the gateway
The attacker impersonates a host by sending forged ARP packets to the gateway. As a result, the ARP table of the gateway records the host's IP address mapped to the attacker's MAC address. Therefore, normal data packets destined for the host are delivered to the attacker and cannot be correctly received by the host.
2.2.2 Deceiving users
Host A, host B and host C are in the same collision domain, and host A is the attacker. Host A impersonates host B by sending forged ARP packets to host C. As a result, the ARP table of host C records an incorrect mapping for host B's address, so normal data packets sent by host C to host B cannot be correctly received by host B.
2.3 ARP flood attacks
By forging a large number of ARP packets whose source IP addresses keep changing, the attacker causes the ARP table of the attacked device to overflow. Valid ARP packets can then no longer create valid ARP table entries, and normal communication is interrupted.
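The three attack types of section II, run against a deliberately unprotected ARP cache, as an added example that is not part of the original article. The cache behaves as the unprotected devices described above do: any reply addressed to it is installed or overwrites the existing entry, and once the table is full nothing more can be learned. Addresses, the `NaiveArpCache` class and the small table bound are constructed for the example; ARP packets are represented as plain records rather than wire frames.

```python
from dataclasses import dataclass, field

# Constructed sample addresses (not from the original page).
SUBNET_PREFIX = "192.168.1."
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
HOST_B_IP, HOST_B_MAC = "192.168.1.10", "aa:bb:cc:00:00:0a"
HOST_C_IP, HOST_C_MAC = "192.168.1.20", "aa:bb:cc:00:00:0b"
ATTACKER_MAC = "de:ad:be:ef:00:01"


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass
class NaiveArpCache:
    """ARP cache of an unprotected device: every reply addressed to it is trusted."""
    own_ip: str
    max_entries: int = 8            # small bound so the flood case is visible
    table: dict = field(default_factory=dict)

    def learn(self, reply):
        """Return True if the reply created or changed an entry."""
        if reply.target_ip != self.own_ip:
            return False
        if reply.sender_ip in self.table:
            self.table[reply.sender_ip] = reply.sender_mac   # overwritten without any check
            return True
        if len(self.table) >= self.max_entries:
            return False                                      # table full: nothing more is learned
        self.table[reply.sender_ip] = reply.sender_mac
        return True

    def next_hop_mac(self, dst_ip):
        """MAC a packet to dst_ip is sent to: the host itself on-link, else the gateway."""
        hop = dst_ip if dst_ip.startswith(SUBNET_PREFIX) else GATEWAY_IP
        return self.table.get(hop)


def counterfeit_gateway():
    """2.1: the victim's entry for the gateway IP is replaced by the attacker's MAC."""
    victim = NaiveArpCache(HOST_B_IP)
    victim.learn(ArpReply(GATEWAY_IP, GATEWAY_MAC, HOST_B_IP))   # legitimate learning
    before = victim.next_hop_mac("203.0.113.5")                   # off-subnet destination
    victim.learn(ArpReply(GATEWAY_IP, ATTACKER_MAC, HOST_B_IP))  # forged reply
    after = victim.next_hop_mac("203.0.113.5")
    return before, after


def counterfeit_user():
    """2.2: the gateway (2.2.1) and host C (2.2.2) get a wrong entry for host B."""
    gateway = NaiveArpCache(GATEWAY_IP)
    host_c = NaiveArpCache(HOST_C_IP)
    gateway.learn(ArpReply(HOST_B_IP, HOST_B_MAC, GATEWAY_IP))
    host_c.learn(ArpReply(HOST_B_IP, HOST_B_MAC, HOST_C_IP))
    gateway.learn(ArpReply(HOST_B_IP, ATTACKER_MAC, GATEWAY_IP))  # forged: "I am host B"
    host_c.learn(ArpReply(HOST_B_IP, ATTACKER_MAC, HOST_C_IP))
    return gateway.next_hop_mac(HOST_B_IP), host_c.next_hop_mac(HOST_B_IP)


def arp_flood():
    """2.3: forged replies with changing source IPs fill the table; a valid one is then refused."""
    gateway = NaiveArpCache(GATEWAY_IP, max_entries=8)
    for i in range(100, 200):
        gateway.learn(ArpReply(f"{SUBNET_PREFIX}{i}", ATTACKER_MAC, GATEWAY_IP))
    learned = gateway.learn(ArpReply(HOST_B_IP, HOST_B_MAC, GATEWAY_IP))
    return len(gateway.table), learned
```

In `counterfeit_gateway()` the victim's next hop for an off-subnet destination flips from the real gateway MAC to the attacker's; in `counterfeit_user()` both the gateway and host C now deliver host B's traffic to the attacker; in `arp_flood()` the table is full of forged entries and the genuine reply from host B is dropped.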
III. ARP attack prevention
3.1 Access device attack prevention
As described in the preceding section, the ARP attacks an access device may face fall into counterfeit gateway, counterfeit user, and flood attacks. ARP Detection, ARP filtering protection, and ARP gateway protection can be used against counterfeit gateway attacks; ARP Detection and ARP filtering protection can be used against counterfeit user attacks; and the ARP packet rate limiting function can be used against ARP flood attacks. The following describes these functions one by one.
3.1.1 ARP Detection and ARP filtering protection
The two functions work in a similar way. They check the legitimacy and validity of received ARP packets against configured rules (for example, whether the sender IP address, sender MAC address, and receiving port match a known binding). A packet that passes the check is forwarded; otherwise it is discarded directly. The difference between the two is that ARP Detection checks all ports in a VLAN, while ARP filtering protection applies only to a single specified port.
3.1.2 ARP gateway protection
This function is configured on ports that are not connected to the gateway to prevent counterfeit gateway attacks: an ARP packet received on such a port whose sender IP address is the gateway's address is discarded. The principle is the same as in 3.1.1: the legitimacy and validity of packets received on the port are checked according to the configured rules.
3.1.3 ARP packet rate limiting
The ARP packet rate limiting function limits the rate at which ARP packets are sent to the CPU, which prevents a large number of ARP packets from overloading the CPU. It therefore mitigates ARP flood attacks against the device itself.
3.2 Gateway device attack prevention
Protection of the gateway device works on two fronts. On one hand, correct ARP entries are established in a legitimate way and attackers are prevented from modifying them: the authorized ARP function (entries are generated from the DHCP bindings rather than from received ARP packets), the ARP automatic scanning and fixup function (the gateway scans the subnet and converts the learned entries to fixed ones), and manually configured static ARP entries. On the other hand, an entry is confirmed before it is dynamically learned, to ensure that what is learned is genuine: the ARP active acknowledgement function (the gateway confirms with the current owner of an entry before a received packet is allowed to change it) and the MAC consistency check of ARP packets (the source MAC address of the Ethernet frame must match the sender MAC address inside the ARP packet). Against ARP flood attacks on the gateway, the source-MAC-based ARP attack detection function can be used, and the maximum number of dynamic ARP entries learned on an interface can be limited.
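The checks of 3.1 and 3.2 combined into one per-port validator, as an added example that is not the vendor's implementation and not code from the original article. It models ARP Detection / ARP filtering as a lookup in a trusted (IP, MAC, port) binding table, ARP gateway protection as a drop of the gateway's IP on non-gateway ports, the MAC consistency check, a per-port rate limit, and source-MAC-based flood detection with a block list; the ARP active acknowledgement exchange is not modeled. The topology, port names, thresholds and the `ArpPortGuard` class are assumptions made for the example, and the scenario replays the attacks of section II against it.

```python
from collections import defaultdict

# Constructed topology (not from the original page): a trusted binding table of the kind that
# DHCP snooping or manual bindings populate, one uplink port facing the gateway, access ports for hosts.
GATEWAY_IP = "192.168.1.1"
GATEWAY_PORT = "Gi1/0/24"
BINDINGS = {                      # (ip, mac) -> port where that binding is legitimate
    ("192.168.1.1", "aa:bb:cc:00:00:01"): "Gi1/0/24",
    ("192.168.1.10", "aa:bb:cc:00:00:0a"): "Gi1/0/1",
    ("192.168.1.20", "aa:bb:cc:00:00:0b"): "Gi1/0/2",
}


class ArpPortGuard:
    """Per-port ARP checks, cheapest first: rate limits, then header consistency,
    then the gateway rule, then the binding lookup."""

    def __init__(self, bindings, gateway_ip, gateway_port, port_rate=15, src_mac_rate=30):
        self.bindings = bindings
        self.gateway_ip = gateway_ip
        self.gateway_port = gateway_port
        self.port_rate = port_rate          # 3.1.3: ARP packets per port per second passed to the CPU
        self.src_mac_rate = src_mac_rate    # 3.2: per-source-MAC threshold of the flood detection
        self.port_count = defaultdict(int)
        self.src_mac_count = defaultdict(int)
        self.blocked_macs = set()           # MACs the flood detection has flagged (kept across ticks)
        self.dynamic_table = {}             # entries learned only after every check passes

    def tick(self):
        """Called once per second: the rate counters restart, the block list does not."""
        self.port_count.clear()
        self.src_mac_count.clear()

    def check(self, port, eth_src, sender_ip, sender_mac):
        """Return (accepted, reason) for one ARP packet arriving on a port."""
        self.port_count[port] += 1
        if self.port_count[port] > self.port_rate:
            return False, "port-rate-limit"                # 3.1.3 ARP packet rate limiting
        self.src_mac_count[eth_src] += 1
        if self.src_mac_count[eth_src] > self.src_mac_rate:
            self.blocked_macs.add(eth_src)                 # 3.2 source-MAC-based attack detection
        if eth_src in self.blocked_macs:
            return False, "source-mac-flood"
        if eth_src != sender_mac:
            return False, "mac-inconsistent"               # 3.2 MAC consistency check
        if sender_ip == self.gateway_ip and port != self.gateway_port:
            return False, "gateway-spoof"                  # 3.1.2 ARP gateway protection
        if self.bindings.get((sender_ip, sender_mac)) != port:
            return False, "no-binding"                     # 3.1.1 ARP Detection / ARP filtering
        self.dynamic_table[sender_ip] = sender_mac
        return True, "ok"


def scenario():
    """Run the section II attacks through the guard; returns the verdict per case."""
    g = ArpPortGuard(BINDINGS, GATEWAY_IP, GATEWAY_PORT)
    r = {}
    r["host"] = g.check("Gi1/0/1", "aa:bb:cc:00:00:0a", "192.168.1.10", "aa:bb:cc:00:00:0a")[1]
    r["gateway"] = g.check("Gi1/0/24", "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:01")[1]
    attacker = "de:ad:be:ef:00:01"
    r["fake_gateway"] = g.check("Gi1/0/2", attacker, "192.168.1.1", attacker)[1]       # 2.1
    r["fake_user"] = g.check("Gi1/0/2", attacker, "192.168.1.10", attacker)[1]         # 2.2
    r["mac_mismatch"] = g.check("Gi1/0/2", attacker, "192.168.1.20", "aa:bb:cc:00:00:0b")[1]
    # 2.3 on one port: 20 forged packets within one second, the port limit is 15
    verdicts = [g.check("Gi1/0/3", "de:ad:be:ef:00:02", f"192.168.1.{i}", "de:ad:be:ef:00:02")[1]
                for i in range(100, 120)]
    r["port_rate_limited"] = verdicts.count("port-rate-limit")
    g.tick()
    # 2.3 spread over three ports so no single port exceeds its limit: 33 packets from one MAC
    flood = "de:ad:be:ef:00:03"
    verdicts = [g.check(p, flood, f"192.168.1.{i}", flood)[1]
                for p in ("Gi1/0/4", "Gi1/0/5", "Gi1/0/6") for i in range(100, 111)]
    r["src_mac_flood"] = verdicts.count("source-mac-flood")
    g.tick()
    r["still_blocked"] = g.check("Gi1/0/4", flood, "192.168.1.100", flood)[1]   # block outlives the tick
    r["learned"] = dict(g.dynamic_table)
    return r
```

Two design points worth keeping when implementing this on real equipment: the per-port limit alone does not stop an attacker who spreads the flood across ports, which is why the source-MAC counter is kept separately and its block list survives the per-second reset; and the binding lookup comes last, because it is the only check that needs a table walk and the earlier ones discard most of the junk for free.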
This article is from the "One, one world" blog. For more information, contact the author!