ARP Spoofing attack detailed

Information Office of the Times, if the network suddenly broken network you will not appear helpless? The prevalence of ARP virus has made us have to face this sudden threat. So how the ARP virus is how to attack and how to prevent it?

What is ARP?

ARP, the Address Resolution Protocol (resolution Protocol), is a protocol that determines its physical address when only the IP address of the host is known. Because of the wide application of IPV4 and Ethernet, it is mainly used to translate IP addresses into Ethernet MAC addresses, but it can also be used in ATM and FDDIIP networks. There are two ways to map from an IP address to a physical address: tabular and non-tabular. ARP specifically resolves the network layer (the IP layer, which is the third layer of OSI) to the MAC address of the data connection layer (MAC layer, which is the second layer of OSI).

For example:

The IP of Computer A is 192.168.1.1,mac address is 00-11-22-33-44-01;

The IP of Computer B is 192.168.1.2,mac address is 00-11-22-33-44-02;

How ARP Works:

In the TCP/IP protocol, a gives B IP packet, in the header need to fill in the IP of B as the destination address, but this IP packet transmission on the Ethernet, also need to carry out an Ethernet package, in this Ethernet package, the destination address is B's MAC address. How does computer A know the MAC address of B? The key to solving the problem is the ARP protocol.

In the case where a does not know the MAC address of B, a to broadcast an ARP request package, the request package is filled with B's IP (192.168.1.2), all the computers in the Ethernet will receive this request, and normally only B will give the ARP reply package, the package will be populated with B's MAC address, and reply to a.

A When the ARP answer is received, the MAC address of B is placed in the native cache, which is easy to use next time. The native Mac cache has a lifetime, and once the lifetime is over, the addressing process is repeated again.

The ARP protocol does not only receive ARP replies when it sends an ARP request. When the computer receives an ARP reply packet, the local ARP cache is updated to store the IP and MAC addresses in the answer in the ARP cache. So, when a machine B in the LAN sends a fake ARP reply to a, and if the answer is B fake C forgery, that IP address is C IP, and MAC address is forged, then when a received a B fake ARP reply, will update the local ARP cache, So in a it appears that the IP address of C has not changed, and its MAC address is not the original one. Because the network flow of LAN is not based on IP address, but according to the MAC address for transmission. So, the fake MAC address is changed to a Non-existent MAC address on a, which will cause the network to be blocked, causing a to not ping C! This is a simple ARP spoofing.

Similar to network management software such as law enforcement officer, its control target machine Internet access restrictions are also adopted the principle of ARP, to send a false gateway IP address corresponding to the Mac, so that it can not find the gateway Real MAC address, so that the Internet will be prohibited.

ARP Protection:

ARP spoofing can cause the target computer to communicate with the gateway failure, and more terrible will lead to traffic redirection, all data will be through the attacker's machine, so there are great security risks. The Ip-mac two-way binding between the base and PC to PC resolves ARP spoofing, but for devices that do not support ip-mac two-way binding, it is necessary to prevent ARP spoofing with an exchange that can bind port-mac. In addition, the arp-s bindings for Windows 2KSP4 XPSP1 are invalid and need to be upgraded to 2KSP5 or XPSP2. ARP firewall and other tools is the use of IP-MAC binding technology, data packet interception analysis to ensure the normal network communication.

However, the mutation of the virus is changing, ARP is also so, similar to the resolution of ARP deception mainly as follows:

Do not set the network Security trust relationship on the basis of IP or Mac based.

Set the static Mac-->ip corresponding table, do not let the host refresh your set of conversion table.

Unless necessary, stop ARP usage and save ARP as a permanent entry in the corresponding table.

Use the ARP server. Make sure the ARP server is not hacked.

Use proxy IP transport.

Use the hardware Shield host.

Periodically obtain a RARP request in the IP packet of the response to check the authenticity of the ARP response.

Poll periodically to check the ARP cache on the host.

Use a firewall to monitor the network continuously.