ARP cache infection Attack resolution

Lying to people, known as "social engineering", also includes strategies (specifically implemented by the convicted hacker, Kevin Mitnick), such as an employee disguised as a company that can exchange company secrets with a real employee. To cheat the computer involves many different technologies, one commonly used is--arp cache poisoning (ARP cache poisoning)--this is the core of this article. ARP poisoning allows hackers inside the LAN to cause huge network damage within their network. Since it is usually "incurable", every network administrator should understand how this attack is conducted.

Review ARP

In "Computer network basics: What is Nic, Mac, and ARP?" In this article, we explain how the Address Resolution protocol (ARP, addressing resolution Protocol) associates the MAC address of a network device with its IP address, so that devices within the same LAN can know each other's existence. ARP is basically a kind of network naming.

ARP, a very simple protocol, contains only 4 types of messages:

1. ARP Request. Computer A asks the entire local area network, "who has this IP address?" ("Whose IP address is this?", English is the ASCII code message in the original message, translator note)

2. ARP Response. Computer B tells the computer A, "I have that IP". My MAC address are [whatever it is]. " (My IP address is that.) My MAC address is [XX:XX:XX:XX:XX:XX])

4. Reverse ARP Request. Same as the ARP request concept, but computer a asks, "who has this MAC address?" (whose MAC address is this?)

4. Reverse ARP response. Computer B tells the computer A, "I have that MAC". My IP address is [whatever it is] "(The One my MAC addresses are.) My IP address is xxx. xxx. xxx. XXX)

All network devices have an ARP table, which is a small segment of memory that stores the IP address and MAC address pairs that are currently matched by the device. The ARP mapping table ensures that the device does not repeatedly send ARP requests to devices that it has already communicated to.

Here is an example of a regular ARP communication. Jessica, a receptionist, tells Word (referring to the Microsoft Document Editor we use) to print the latest corporate communications. This is her first print job today. Her computer (IP address is 192.168.0.16) wants to send this print task to the Office of the HP LaserJet printer (IP address is 192.168.0.45). So Jessica's computer would broadcast an ARP request like the entire local area network, "who has's IP address, 192.168.0.45?" (whose IP address is 192.168.0.45?), as shown in Figure 1.

All devices in the LAN will ignore this ARP request, except HP LaserJet printer. The printer found that its IP address was the IP address in the request, so it sent an ARP response: "Hey, my IP address is 192.168.0.45." Here's my MAC address:

00:90:7f:12:de:7f ", as shown in Figure 2.

Now Jessica's computer knows the MAC address of this printer. It now sends the print task to the correct device (printer, translator) and associates the printer's MAC address 00:90:7f:12:de:7f with its IP address 192.168.0.45 in its ARP map.