1. Before talking about the concept of ARP, we must first understand the concept and working principle of ARP and understand the principles to better face and analyze and handle problems. 1.1 ARP concept knowledge ARP, the full name is Address Resolution Protocol. The Chinese name is the Address Resolution Protocol. It works at the data link layer, communicates with the hardware interface at the local layer, and provides services to the upper layer. IP packets are usually sent over Ethernet. Ethernet devices do not recognize 32-bit IP addresses. They transmit Ethernet packets at 48-bit Ethernet addresses. Therefore, the destination IP address must be converted to the destination ethernet address. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. ARP is used to resolve IP addresses in the network to hardware addresses (MAC addresses) to ensure smooth communication. 1.2 ARP working principle first, each host creates an ARP list in its own ARP buffer to indicate the correspondence between the IP address and the MAC address. When the source host needs to send a packet to the target host, it first checks whether the MAC address corresponding to this IP address exists in its ARP list, if yes, the packet is directly sent to the MAC address. If no, a broadcast packet for the ARP request is sent to the subnet segment to query the MAC address of the target host. This ARP request packet includes the IP address of the source host, the hardware address, and the IP address of the target host. When all hosts in the network receive this ARP request, they will check whether the destination IP address in the packet is consistent with their own IP address. Ignore this packet if they are different. If they are the same, the host first adds the MAC address and IP address of the sender to its ARP list. If the ARP table already contains information about this IP address, then it overwrites the packet and sends an ARP response packet to the source host, telling the other host that it is the MAC address it needs to find. After the source host receives the ARP response packet, add the IP address and MAC address of the target host to your ARP list and use this information to start data transmission. If the source host has not received the ARP response packet, ARP query fails. For example: A address: IP: 192.168.10.1 MAC: AA-AA-AA-AA-AA-AAB address: IP: 192.168.10.2 MAC: BB-BB-BB-BB-BB-BB according to the above principle, we briefly describe this process: to communicate with B, A needs to know the ethernet address of B, so A sends an ARP request broadcast (who is 192.168.10.2, please tell 192.168.10.1). When B receives the broadcast, check yourself and find that it is consistent with yourself, then send an ARP unicast response to A (192.168.10.2 in the BB-BB-BB-BB-BB-BB ). 1.3 Pattern Analysis: in network Analysis, Pattern Analysis is very important. Different protocols and applications have different communication modes. Sometimes, different communication modes may also appear in different enterprise applications for the same protocol. Under normal circumstances, the ARP communication mode should be: Request-> response-> request-> response, that is, a question and answer. 2. Common ARP attacks: ARP scan and ARP spoofing. 2.1 ARP scan (ARP request storm) communication mode (possible ): request-> request-> response-> request... description: a large number of ARP request broadcast packets appear in the network. Almost all hosts in the network segment are scanned. A large number of ARP request broadcasts may occupy network bandwidth resources. ARP scanning is generally a prelude to ARP attacks. Cause (possible): * virus programs, listeners, and scanning programs. * If the network analysis software is correctly deployed, we may only mirror some ports on the switch. Therefore, a large number of ARP requests are sent from other hosts connected to the non-mirror port. * If the deployment is incorrect, these ARP request broadcast packets are from other hosts connected to the vswitch. 2.2 ARP spoofing ARP does not receive ARP responses only when an ARP request is sent. When a computer receives an ARP response packet, it updates the local ARP cache and stores the IP and MAC addresses in the response in the ARP cache. Therefore, if someone sends a self-built ARP response on the network, the network may be faulty. This may not have been taken into consideration by the Protocol designer! 2.2.1 spoofing principle assume that in A network environment, there are three hosts in the network, namely host A, host B, and host C. Host details are described as follows: A address: IP: 192.168.10.1 MAC: AA-AA-AA-AA-AA-AAB address: IP: 192.168.10.2 MAC: BB-BB-BB-BB-BB-BBC address: IP: 192.168.10.3 MAC: the CC-CC-CC-CC-CC-CC normally communicates between A and C, but at this time B sends A self-built ARP response to A, and the data in this response is the sender's IP address is 192.168.10.3 (C's IP address ), the MAC address is a BB-BB-BB-BB-BB-BB (the MAC address of C should have been a CC-CC-CC-CC-CC-CC, Which is forged here ). When A receives B's forged ARP response, it updates the local ARP cache (A is cheated), and B is disguised as C. At the same time, B also sends an ARP response to C, in the response packet sender IP address 4 192.168.10.1 (A's IP address), MAC address is BB-BB-BB-BB-BB-BB (A's MAC address should have been A AA-AA-AA-AA-AA-AA ), when C receives A forged ARP response from B, it also updates the local ARP cache (C is also spoofed), and B is disguised as. In this way, both host A and host C are spoofed by host B, and the data of communication between host A and host C has passed through B. Host B knows exactly what they are talking about :). This is a typical ARP spoofing process. Note: In general, one side of ARP spoofing should be the gateway. 2.2.2 there are two scenarios of ARP spoofing: one is to cheat the host as a "man-in-the-middle", and the data of the spoofed Host passes through it once, in this way, the spoofed host can steal the communication data between the spoofed host, and the other is to directly disconnect the network of the spoofed host. First: data theft (SNIFFING) Communication Mode: response-> response-> request-> response... description: This is a typical ARP spoofing. The spoofing host sends a large number of forged ARP response packets to the spoofed host for spoofing. When the communication is successful, as an intermediary. At this time, the two sides of the spoofed host can still communicate normally, but the host is "eavesdropped" during the communication process. Cause (possible): * trojan virus * sniffing * Human spoofing Second: leading to network disconnection: answer-> answer-> request... Description: In ARP spoofing, the attacker only deceives one party. For example, B deceives A, but B does not cheat C, in this way, A is essentially communicating with B, so A cannot communicate with C. Another possibility is that the hacker spoofs A non-existent address to cheat. It is difficult to troubleshoot spoofing addresses. It is best to use the TAP device (haha, this stuff seems a little expensive) to capture one-way data streams for analysis! Cause (possible): * trojan virus * man-made destruction * control functions of some network management software 3. common protection methods are found on the Internet. Currently, the most common problems with ARP attack protection are binding IP addresses and MAC addresses and using ARP protection software, as well as routers with ARP protection functions. Let's take a look at these three methods. 3.1 static binding the most common method is static binding of IP and MAC. in the network, the host and gateway are both bound to IP and MAC. Spoofing uses dynamic and real-time ARP rules to spoof Intranet machines. Therefore, we can set ARP to static to solve spoofing on Intranet PCs, at the same time, static binding of IP and MAC is also required for the gateway, so that two-way binding is safer. Method: perform static binding on the IP address and MAC address of each host. Through the command, arp-s can implement "arp-s ip mac address ". Example: "arp-s 192.168.10.1 AA-AA-AA-AA-AA-AA ". If the settings are successful, you can run arp-a on the PC to see the related prompt:
| Internet Address Physical Address Type192.168.10.1 AA-AA-AA-AA-AA-AA static (static) |
Generally, it is not bound. In dynamic scenarios:
| Internet Address Physical Address Type192.168.10.1 AA-AA-AA-AA-AA-AA dynamic (dynamic) |
Note: There are many hosts on the network, including 500 hosts and 1000 hosts ..., if we perform static binding for each server, the workload will be very heavy ...., this static binding requires you to re-bind the computer after each restart. You can also create a batch file, but it is still quite troublesome! 3.2 ARP protection software is currently widely used for defense against ARP attacks. The commonly used ARP tools are mainly forward ARP tools and Antiarp. In addition to detecting ARP attacks, the protection mechanism is to broadcast correct ARP information to the network at a certain frequency. Let's simply talk about these two gadgets. 3.2.1 Xin Xiang ARP tool used this tool. It has five features :? A. Select the NIC for the IP/MAC list. You do not need to set a single Nic. If multiple NICs need to be set to connect to the Intranet. IP/MAC scan. The IP address and MAC address of all machines on the current network are scanned. Scan when the Intranet runs normally, because this table serves as a reference for later ARP. All subsequent functions require the support of this table. If you are prompted that the IP address or MAC address cannot be obtained, it means that the table contains no corresponding data .? B. ARP Spoofing Detection this function constantly checks whether the Intranet has a PC impersonating an IP address in the table. You can set the main IP address to the detection table, such as the IP address of a vro or movie server that requires access from an intranet machine. (Supplement) how to understand the "ARP spoofing record" table: "Time": the Time when a problem is found; "sender": IP address or MAC that sends the spoofing information; "Repeat ": the number of times fraud messages are sent. "ARP info" refers to the specific content of the spoofing messages. for example, in the following example: time sender Repeat ARP info 22:22:22 192.168.1.22 1433 192.168.1.1 is at 00: 0e: 03: 22: 02: e8, the spoofing message sent by 192.168.1.22 has been sent for 1433 times. The content of the spoofing message sent is: the MAC address of 192.168.1.1 is 00: 0e: 03: 22: 02: e8. Enable the detection function. If the table IP address is spoofed, a prompt is displayed. You can follow the prompts to find the root cause of ARP spoofing on the Intranet. Note: any machine can impersonate another machine to send IP addresses and MAC addresses. Therefore, even if an IP address or MAC address is prompted to send spoofing messages, it may not be 100% accurate. Please do not use brute force to solve some problems .? C. Active maintenance of this function can directly solve the problem of ARP spoofing disconnection, but it is not an ideal solution. Its principle is to constantly broadcast the correct MAC address of the IP address in the network. In the "Create maintenance object" table, set the IP address to be protected. The packet sending frequency is the number of correct packets sent per second to all machines in the network. We strongly recommend that you set as few broadcast IP addresses as possible and as few broadcast frequencies as possible. Generally, it can be set once. If there is no bound IP address, ARP spoofing occurs, you can set it to 50-times. If there is still a disconnection, you can set it to a higher level, that is, ARP spoofing can be quickly solved. But to solve the ARP problem, please refer to the above binding method .? D. Xin Xiang vro log collection of Xin Xiang vro system logs and other functions .? E. packet capture is similar to network analysis software. The storage format is. cap. 3.2.1 The Antiarp software interface is relatively simple. The following describes how to use the software. A. Enter the gateway IP address and click [get gateway address]. The MAC address of the gateway is displayed. Click [automatic protection] to protect the communication between the current Nic and the gateway from being monitored by a third party. NOTE: If an ARP spoofing prompt appears, the attacker sends an ARP spoofing packet to obtain the NIC packet. If you want to track the attack source, remember the attacker's MAC address, the MAC address scanner can be used to find the MAC address corresponding to the IP address. B. IP address conflicts if frequent IP address conflicts occur, which means that the attacker sends ARP spoofing packets frequently before warning of IP address conflicts. Anti arpsnifer can be used to prevent such attacks. C. You need to know the conflicting MAC address. Windows will record these errors. The specific method is as follows: right-click [my computer] -- [manage] -- click [Event Viewer] -- click [system] -- View Source: [TcpIP] -- double-click the event to see that the displayed address is in conflict, the MAC address is recorded. Copy the MAC address and enter it in the local MAC address input box of Anti ARP Sniffer (convert -), after entering the information, click [protection address conflict]. To make the MAC address take effect, disable the local Nic and enable the NIC. In the CMD command line, enter Ipconfig/all, check whether the current MAC address matches the MAC address in the local MAC address input box. If the change fails, contact me. If it succeeds, the address conflict will no longer be displayed. Note: If you want to restore the default MAC address, click [Restore Default]. To make the MAC address take effect, disable the local Nic and then enable the NIC. 3.3 vrouters with ARP protection have seldom heard of this type of router before. For the ARP protection function mentioned in this type of router, its principle is to regularly send correct ARP information. However, this type of router function cannot be solved for attacks in the real sense. The most common feature of ARP is that it is disconnected. Generally, it does not need to be processed and can be restored to the Internet within a certain period of time, because ARP spoofing has an aging time, after the aging time, the system automatically returns to normal. Currently, most routers continuously broadcast correct ARP information within a short period of time, so that the deceived host can return to normal. However, if there is an aggressive ARP spoofing (in fact, it is a very short amount of spoofing ARP, there are hundreds of thousands in a second ), it continuously initiates ARP spoofing packets to prevent Intranet machines from accessing the Internet. Even if the router Continuously Broadcasts the correct packets, it will be overwhelmed by a large number of errors. You may have questions: Can we send more and more accurate ARP information than the attacker? If the attacker sends 1000 ARP spoofing packets per second, we will send 1500 correct ARP packets per second! In the face of the above questions, let's take a closer look. If the network topology is large, many network devices and hosts are connected to the network, and a large number of devices process the broadcast information, the network is not easy to use. Besides, it will affect our work and study. ARP broadcast can waste and occupy network resources. If a problem occurs in the network, packet capture analysis will also cause many ARP broadcast packets, which will also affect the analysis.
