ARP Protocol Learning

1. ARP Protocol Overview

IP packets are usually sent over Ethernet. Ethernet devices do not recognize 32-bit IP addresses: they transmit Ethernet packets at 48-bit Ethernet addresses. Therefore, the IP drive must convert the destination IP address to the destination IP address of the Ethernet network. There is a static or algorithm ing between the two addresses. You often need to view a table. Address Resolution Protocol (ARP) is the protocol used to determine these images.

When ARP is working, an Ethernet broadcast packet containing the desired IP address is sent. The destination host, or another system that represents the host, responds with a packet containing an IP address and an ethernet address pair. The sender caches the IP address to save unnecessary ARP communication.

If an untrusted node has the write access permission to the local network, there is also a risk. In this way, a machine can publish fake ARP packets and turn all the communication to itself. Then it can act as some machines, or simply modify the data stream by the way. ARP often works automatically. In a particularly secure network, ARP ing can use firmware and has automatic suppression protocols to prevent interference.

Figure 1 ARP packet format on Ethernet

Figure 1 shows an example of an ARP packet used for IP-to-ethernet address translation. Each row in the graph is represented by 32 bits, that is, four eight bits. In the future graph, we will also follow this method.

The hardware type field specifies the type of the hardware interface that the sender wants to know. The value of Ethernet is 1. The protocol type field specifies the high-level protocol type provided by the sender. The IP address is 0806 (hexadecimal ). The hardware address length and protocol length indicate the length of the hardware address and the high-level protocol address, so that ARP packets can be used in any hardware and any protocol network. The operation field is used to indicate the purpose of the packet. The ARP request is 1, the ARP response is 2, The RARP request is 3, and the RARP response is 4.

When an ARP request is sent, the sender fills in the sender's header and sender's IP address, and also fills in the target IP address. When the target machine receives the ARP broadcast packet, it will fill in its 48-bit host address in the Response Message.

2 ARP example

Let's take a look at the ARP commands in Linux. (If the content in the ARP table is blank, we need to first connect a host. For example, ping the target host to generate an ARP entry):

D2server:/home/Kerberos # arpaddress hwtype hwaddress flags mask iface211.161.17.254 ether 00: 04: 9A: AD: 1c: 0a C eth0address: Host IP address hwtype: host hardware type hwaddress: host hardware address flags mask: Record flag. "C" indicates entries in the ARP cache, and "M" indicates static ARP entries.

Run the "ARP -- a" command to display the table corresponding to the host address and IP address, that is, the ARP cache information stored in the machine. This cache stores the ing records between the nearest Internet address and the hardware address. The survival time of each item in the cache is generally 20 minutes, And the start time starts from the time when it is created.

D2server:/home/Kerberos # ARP-A (211.161.17.254) at 00: 04: 9A: AD: 1c: 0a [ether] On eth0, you can see that there is an ARP cache entry corresponding to 211.161.17.254 in the cache. D2server:/home/Kerberos # telnet 211.161.17.21trying 211.161.17.21... connected to 211.161.17.21.escape character is '^]'. ^]. telnet> quitconnetion sed.

When executing the above Telnet command, use tcpdump for listening:

d2server:/home/kerberos# tcpdump -e dst host 211.161.17.21tcpdump: listening on eth0

We will hear a lot of packets. We take two packets related to our ARP Protocol:

1  0.0 00:D0:F8:0A:FB:83 FF:FF:FF:FF:FF:FF  arp  60who has 211.161.17.21 tell d2server2  0.002344(0.0021)00:E0:3C:43:0D:24 00:D0:F8:0A:FB:83  arp  60arp reply 211.161.17.21 is at 00:E0:3C:43:0D:24

In row 1st, the source host (d2server) hardware address is 00: D0: F8: 0a: FB: 83. The hardware address of the target host is FF: FF, which is an Ethernet broadcast address. Each Ethernet interface on the cable receives the data frame and processes it.

The output field followed by row 1st is ARP, indicating that the value of the frame type field is 0x0806. This indicates that the data frame is an ARP request or answer.

In each line, the value 60 after the word refers to the length of the Ethernet data frame. Because the length of the ARP request or response data frame is 42 bytes (28 bytes of ARP data, 14 bytes of Ethernet frame header, fill characters must be added to each frame to reach the minimum length of Ethernet: 60 bytes.

The next output field ARP who-has in row 1st indicates that the destination I p address is the address of 211.161.17.21 in the data frame of the ARP request, and the sender I P address is the address of d2server. Tcpdump prints the default I P address corresponding to the host name.

As shown in row 2nd, although ARP requests are broadcast, the destination address of the ARP response is 211.161.17.21 (00: E0: 3C: 43: 0d: 24 ). ARP responses are directly sent to the Request Host, But broadcast. Tcpdump prints the ARP reply and the Host IP address and hardware address of the responder.

In each row, the number following the row number indicates the time when tcpdump receives the group (in seconds ). In addition to 1st rows, each row contains a time difference (in seconds) from the previous row in parentheses ).

Now let's look at the ARP cache on the machine:

d2server:/home/kerberos# arp -a(211.161.17.254) at  00:04:9A:AD:1C:0A [ether] on eth0(211.161.17.21) at  00:E0:3C:43:0D:24 [ether] on eth0

A ing related to 211.161.17.21 has been added to the ARP cache.

Let's look at other ARP-related commands:

d2server:/home/kerberos# arp -s 211.161.17.21 00:00:00:00:00:00d2server:/home/kerberos# arpAddress          HWtype  HWaddress        Flags Mask       Iface211.161.17.254     ether   00:04:9A:AD:1C:0A     C            eth0211.161.17.21      ether   00:00:00:00:00:00      CM           eth0d2server:/home/kerberos# arp -a(211.161.17.254) at 00:04:9A:AD:1C:0A [ether] on eth0(211.161.17.21) at 00:00:00:00:00:00 [ether] PERM on eth0

We can see that the hardware address of 211.161.17.21 is 00: 00: 00: 00: 00: 00: 00: 00, And the mapped flag field is cm, that is to say, the ARP option we set manually is the static ARP option, which remains unchanged without timeout, unlike the entries in the cache that need to be updated after a certain interval.

If you want to set a time-out period for manual ARP options, you can add the temp option.

d2server:/home/kerberos# arp -s 211.161.17.21 00:00:00:00:00:00 tempd2server:/home/kerberos# arp -a(211.161.17.254) at 00:04:9A:AD:1C:0A [ether] on eth0(211.161.17.21) at 00:00:00:00:00:00 [ether] on eth0d2server:/home/kerberos# arpAddress        HWtype  HWaddress         Flags Mask      Iface211.161.17.254   ether   00:04:9A:AD:1C:0A     C            eth0211.161.17.21    ether   00:00:00:00:00:00       C            eth0

We can see that the static ARP flag "M" of the flag field has been removed. We manually add a dynamic entry.

Note the differences between static ARP entries and dynamic entries.

In different systems, manual ARP static entries are different. In Linux and win2000, static entries are not changed because of forged ARP response packets, but dynamic entries are changed. In Win98, the manually set static entries will change because they receive forged ARP response packets.

To delete an ARP entry (including static entries), run the following command:

d2server:/home/kerberos# arp -d 211.161.17.21d2server:/home/kerberos# arp -a(211.161.17.254) at 00:04:9A:AD:1C:0A [ether] on eth0(211.161.17.21) at <incomplete> on eth0

We can see that the ARP entries of 211.161.17.21 are incomplete.

There are also some other commands, you can refer to the man document in Linux:

d2server:/home/kerberos# man arp

 

3 ARP Spoofing

Let's first review the principles of the ARP protocol mentioned above. In a TCP/IP network environment, the route table defines how an IP packet goes. However, when an IP packet reaches the network, which machine responds to this IP packet is identified by the hardware MAC address contained in this IP packet. That is to say, only machines with the same hardware MAC address as the hardware MAC address in the IP packet will respond to this IP packet, because in the network, each host will send an IP packet, therefore, there is an ARP --> hardware MAC conversion table in the memory of each host. It is usually a dynamic conversion table (this ARP table can be manually added with static entries ). That is to say, the corresponding table will be refreshed by the host after a certain interval. This interval is the timeout time of ARP cache.

Generally, before the host sends an IP packet, it needs to find the hardware MAC address corresponding to the IP packet in the conversion table. If the IP packet is not found, the host sends an ARP broadcast packet, the host refreshes its ARP cache. Then the IP package is sent out.

After learning this knowledge, we can now talk about how to implement ARP spoofing In the Ethernet. Let's look at this example.

3.1 ARP spoofing for the same network segment

Figure 2 ARP spoofing for the same network segment

As shown in figure 2, three hosts

A: IP address 192.168.0.1 hardware address AA: AA
B: IP address 192.168.0.2 hardware address BB: bb
C: IP address 192.168.0.3 hardware address CC: CC

An intruder located in host B wants to illegal access to host a, but the host is installed with a firewall. By collecting information, he knew that the firewall of host a only had a trust relationship with host C (open port 23 (Telnet )). But he must use Telnet to access host a. What should he do at this time?

In this case, the attacker must make host a believe that host B is host C. If the trust relationship between host a and host C is built on the IP address. If the IP address of host B is changed to the same as that of host C, it cannot work, at least it cannot work reliably. If you tell the driver of the Ethernet card that your IP address is 192.168.0.3, This is a pure competition and cannot be achieved. We can first study the machine C. If we can temporarily drop this machine, the competition can be removed. This is still possible. When machine c fails, change the IP address of machine B to 192.168.0.3. In this way, you can successfully telnet to machine A through port 23, and bypass the firewall restrictions.

The above idea does not work in the following cases. If the trust relationship between host a and host C is based on the hardware address. In this case, host a needs to use ARP spoofing to change the hardware address mapped to 192.168.0.3 in its ARP cache to the hardware address of host B.

We can manually create an arp_reply response packet and send it to the host to be spoofed. This is possible because the Protocol does not stipulate that the response packet can be sent only after arp_echo is received. there are many such tools. We can also use snifferpro to capture an ARP response packet and then modify it.

You can create this package manually. You can specify the source IP address, target IP address, source MAC address, and target MAC address in the ARP packet.

In this way, you can use a false ARP response packet to modify the dynamic ARP cache on host a for spoofing purposes.

The procedure is as follows:

1. He first studied the 192.0.0.3 host and discovered the vulnerability.
2. Host C is suspended for the moment based on the discovered vulnerabilities.
3. During this period, intruders changed their IP address to 192.0.0.3.
4. He used a tool to send a packet with the source IP address 192.168.0.3 and the source MAC address BB: BB to host a, and asked host a to update its ARP conversion table.
5. The host updates the IP address --> Mac relationship of host C in the ARP table.
6. If the firewall fails, the compromised IP address becomes a valid MAC address, and you can telnet.

The above is an ARP spoofing process, which occurs in the same network segment. However, note that the above method does not work when B and C are in different network segments.

3.2 ARP spoofing for different network segments

Figure 3 ARP spoofing between different network segments

As shown in 3, A and C are in the same network segment while host B is in another network segment. The IP addresses and hardware addresses of the three machines are as follows:

A: IP address 192.168.0.1 hardware address AA: AA
B: IP address 192.168.1.2 hardware address BB: bb
C: IP address 192.168.0.3 hardware address CC: CC

In the current situation, how does host B in the CIDR block of 192.168.1 impersonate host C and cheat host? Obviously, even if spoofing succeeds, the telnet session cannot be established between host B and host a, because the router will not forward the packet from host a to host B, the router will find the address at 192.168.0. within this CIDR block.

Now, another spoofing method-ICMP redirection is involved. The combination of ARP spoofing and ICMP redirection can basically achieve the goal of cross-network segment spoofing.

What is ICMP redirection?

ICMP redirection is one of ICMP control packets. Under certain circumstances, when a router detects that a machine uses a non-optimized route, it will send an ICMP redirection packet to the host and request the host to change the route. The router also forwards the initial datagram to its destination.

We can use ICMP redirection packets for spoofing purposes.

The following describes how to perform an Attack Based on ARP spoofing and ICMP redirection:

1. In order to make the illegal IP packet sent by the user survive for a long time on the network, the TTL of the IP packet is modified to prepare for possible problems in the following process. Change TTL to 255. (TTL defines the time for an IP packet to survive on the network if the network cannot reach the host. In this example, it is helpful to make enough broadcast)
2. Download a tool (for example, hping2) that can make various packages freely)
3. Then, as with the above, find the host C vulnerability and use this vulnerability as the host C.
4. After the network host cannot find the original 192.0.0.3, the corresponding ARP table will be updated. So he sent an ARP response packet whose original IP address is 192.168.0.3 and its hardware address is BB: BB.
5. Now every host knows that a new MAC address corresponds to 192.0.0.3, and an ARP spoofing is completed. However, each host will only find this address in the LAN and will not throw the IP packet sent to 192.0.0.3 to the route. So he has to construct an ICMP redirection broadcast.
6. Customize an ICMP redirection package to tell the host on the Network: "the shortest route to 192.0.0.3 is not a LAN, but a route. Please redirect the host to your route path, all IP packets destined for 192.0.0.3 are dropped to the route. "
7. Host a accepts this reasonable ICMP redirection, so it modifies its route path and throws communication on 192.0.0.3 to the router.
8. The attacker can finally receive an IP packet from the host in the route. He can telnet to the host's port 23.

In fact, the above idea is just an ideal situation. The ICMP redirection packet that the host permits to receive actually has many restrictions. These conditions make ICMP redirection very difficult.

In TCP/IP implementation, the host has the following restrictions on receiving ICMP redirection packets:

1. The new route must be direct.
2. The redirection package must come from the current route to the target
3. The redirection package cannot notify the host to use its own route
4. The changed route must be an indirect route.

Because of these restrictions, ICMP spoofing is actually difficult to implement. However, we can also take the initiative to find some other methods based on the above thinking. More importantly, we know the dangers of these spoofing methods, and we can adopt appropriate defense methods.

3.3 defense against ARP Spoofing

Given the methods and harms of ARP spoofing, we provide some preliminary defense methods:

1. Do not establish your network security trust relationship on the basis of IP addresses or hardware MAC addresses (RARP also has the problem of spoofing). The ideal relationship should be on the basis of IP + Mac.
2. Set a static Mac --> ip address table. Do not refresh the specified conversion table on the host.
3. Unless necessary, stop using ARP and save ARP as a permanent entry in the corresponding table. In Linux, ifconfig-ARP can be used to stop the NIC Driver from using ARP.
4. Send outgoing communication using the Proxy gateway.
5. Modify the system to reject ICMP redirection packets

In Linux, You can reject ICMP redirection packets on the firewall or modify the kernel option to re-compile the kernel to reject ICMP redirection packets.

In Win2000, ICMP packets can be rejected through firewall and IP policies.

4. Proxy ARP Application

Proxy ARP has two major applications. One advantage is the implementation of the transparent mode that we often say in implementing the firewall, another harmful thing is that it can enable sniffing in the exchange environment. it can be seen that the same technology is applied for different purposes and the effects are different.

Let's first look at the LAN sniffing in the exchange environment.

In the LAN environment, we usually access the Internet through the gateway in the exchange environment. In the exchange environment, in addition to capturing your own package, netxray or Nai sniffer sniffing tools cannot see the network communication of other hosts.

However, we can use ARP spoofing to implement sniffer.

ARP is a protocol used to resolve an IP address to a MAC address. Communication in a LAN is based on a MAC address.

Figure 4 ARP spoofing in the Exchange Network

As shown in figure 4, the three hosts are located in a switched network environment, where A is the gateway:

A: IP address 192.168.0.1 hardware address AA: AAB: IP address 192.168.0.2 hardware address BB: BBC: IP address 192.168.0.3 hardware address CC: cc: CC

In the LAN, 192.168.0.2 and 192.168.0.3 both access the Internet through the gateway 192.168.0.1. If the attacker's system is 192.168.0.2 and he wants to hear the communication between 192.168.0.3, then we can use ARP spoofing.

The central principle of this spoofing is the application of ARP proxy. host a is the proxy server in the LAN. each node in the LAN must communicate with each other through it. to listen to the communication between host C, host B needs to use ARP spoofing to make host C think it is host a. At this time, it sends an IP address 192.168.0.1 and the physical address is BB: the ARP response packet of BB: BB is sent to host C, so that host C sends the packet sent to host a to host B. similarly, make sure that gateway A believes that it is host C, and send a packet with the IP address 192.168.0.3 and the physical address BB: BB to Gateway.

The above operations are the same as the previous ARP spoofing principle, but there is still a problem. After a while, host B will find itself unable to access the Internet. therefore, another step is to forward packets from host a to host C on host B and forward packets from host C to host. now we can see that host B acts as a proxy in the communication between host a and host C, which is why ARP proxy is called.

Dsniff and fragrouter are used to implement the specific implementation. dsniff is used to implement ARP spoofing and fragroute is used to forward packets.

First, arpspoof in dsniff is used to implement ARP spoofing. The dsniff software can be downloaded at the following URL:

Http://naughty.monkey.org /~ Dugsong/dsniff

Before installing this software package, download and install Libnet.

Spoof 192.168.0.3 and tell the machine gateway that the MAC address of 192.168.0.1 is 192.168.0.2.

[root@sound dsniff-2.3]# ./arpspoof -i eth0 -t 192.168.0.3 192.168.0.1

Spoof 192.168.0.1 and tell the host 192.168.0.3 that the MAC address is 192.168.0.2.

[root@sound dsniff-2.3]# ./arpspoof -i eth0 -t 192.168.0.1 192.168.0.3

Now we have completed the first step of spoofing, which is completed through arpspoof. Of course, you can also use other tools or even send your own packets. now we can see that all the work we need is completed in the arp list of host a and host C. we will use another different idea in the later transparent proxy.

Next we will first turn on the option of packet forwarding in Linux:

[root@sound /root]# echo "1" >/proc/sys/net/ipv4/ip_forward

Next we can download another famous dugsong tool fragroute, which was previously called fragrouter (only one word difference) it is mainly used to detect the IP address and TCP packet processing functions of the intrusion detection system, and its own packet forwarding function. you can download it from the following website:

Http://monkey.org /~ Dugsong/fragroute/

Before installing this software package, download and install libpcap and libevent.

Of course, we can also use fragrouter to do the following:

Http://www.packetstormsecurity.org/groups/ w00w00/sectools/fragrouter/

[root@sound fragrouter-1.6]# ./fragrouter -B1fragrouter: base-1: normal IP forwarding

Now we can find the target of sniffing in the LAN. of course, the above is just a theoretical introduction. In actual use, there will be many problems, such as how to cheat gateway A and host C, and how to deal with possible broadcast storm problems, these can be learned in practice. there is also a tool named arpsniff that can easily complete this function. Many websites provide download and the interface is friendly, because it works in the same way as above, this is only because different tools are used and some additional functions are added, so we will not introduce them here.

Another application of proxy ARP is the implementation of the transparent proxy of the firewall. we all know that early firewalls were mostly based on the routing mode, that is, the firewall must complete a route. in this access mode, you must set the firewall IP address as the proxy on the host in the LAN, and add a route entry pointing to the firewall in the route table of the external router. the disadvantage of this method is that it is not transparent and requires too many settings and destroys the original network topology. so now almost all firewalls have implemented a transparent access function. The user's routers and clients do not need to make any changes, and the user does not even feel the existence of a transparent access firewall. the principle of this transparent access is ARP proxy.

Now let's look at how to configure a host as a firewall in transparent access mode (transparent access firewall does not require IP addresses ),

Figure 5

As shown in figure 5, a firewall connects the Intranet segment and DMZ segment to an external route. we use the Linux operating system on the host used as the firewall, so that we can conveniently use the iptables firewall. assume that the three NICs are eth0, eth1 and eth2, and eth0 are connected to the vro, and eth1 is connected to the Intranet. eth2 is connected to the Internet. assume that the DMZ zone has two servers.

Intranet address: 192.168.1.0/24dmz address: 192.168.1.2 --- 192.168.1.3 vro IP Address: 192.168.1.1eth0: AA: aaeth1: BB: bbeth2: CC

Similar to the previous steps, the first step is to implement ARP spoofing. This time we have a simple implementation. we bind the IP address of the router to the physical address of the eth1 and eth2 network card of the firewall, bind the IP address of the Intranet and DMZ network segment to the network card of eth0, and use ARP commands on Linux:

arp -s 192.168.1.1 BB:BB:BB:BB:BB:BBarp -s 192.168.1.1 CC:CC:CC:CC:CC:CCarp -s 192.168.1.0/24 AA:AA:AA:AA:AA:AA

In the second part, we need to set a route on the firewall based on Linux, forward the packet whose destination address is an external route to eth0, and forward the packet whose destination address is Intranet to eth1, forward the package of the target DMZ network segment server to eth2. use the route command in Linux.

route add 192.168.1.1 dev eth0route add -net 192.168.1.0/24  dev eth1route add 192.168.1.2  dev eth2route add 192.168.1.3  dev eth3

(A separate route is required for each server in the dmz cidr block.) Now we have implemented transparent access to a simple ARP proxy, of course, the iptables section corresponding to the firewall must be configured separately. The iptables configuration is not in the scope of this article.

 

Summary

This article introduces the ARP Protocol and related security issues. An important security issue is ARP spoofing. We talked about ARP spoofing for the same network segment and the combination of ARP spoofing for cross-network segments and ICMP redirection. Because of these security problems, we provide some basic solutions. Finally, we talked about the use of proxy ARP To implement transparent access to sniffing and firewalls in the exchange network.