ARP Protocol notes

ARP Protocol notes

(I) ARP Definition
 
ARP (Address Resolution Protocol), Address Resolution Protocol, resolve the IP Address to a MAC Address
For example, 192.168.1.1-> 00-1E-37-44-86-5E. If a computer uses a data frame for communication within the LAN, the data frame header contains the MAC address information.
 
Take a look at the figure below:
 
To send data to PC2, PC1 must know the IP address and MAC address of pc2. why? Check again:
 
Any network is referenced by the OSI reference model. Data transmission requires installation.
Therefore, to send data to PC2, PC1 must know the MAC address of pc2!
 
So how can we know PC1?
 
When PC1 wants to send data to PC2, it first checks its ARP table. If there is no IP and MAC matching, PC1 sends a broadcast ARP request.
The content of this ARP request includes: Source IP192.168.1.2, source MAC: 0C. E1.12 ......, IP192.168.1.3, MAC: 00.00.00.00
What is broadcast? That is, "My PC1 is looking for the MAC address of PC2. Who is it? ", Machines in the same network receive this broadcast.
Because it is a broadcast form, so PC3 can also receive! After receiving PC3, start uninstalling it. When it reaches the network layer, it finds that it is not 192.168.1.3. Discard it!
PC2 also receives the same request. At the network layer, PC2 sends an ARP response when it finds that its IP address is the same as the requested IP address.
This response tells PC1 that I am the MAC address of 192.168.1.3: F2.A0.12 ....... After PC1 receives the IP address, it saves the MAC address corresponding to IP192.168.1.3 In the ARP table.
In this case, PC1 can send messages to pc2!
 
 
(Ii) proxy ARP
 
First look:
A simple understanding of proxy is that C was supposed to do this, and now router is used to do it.
When A ping C, host A first checks its ARP table.
In this case, no MAC for host C is found! No MAC corresponding to the target. A is broadcast.
Host B receives the broadcast and unencapsulates it to find that the destination IP address is not compatible with its own IP address. Discard this packet!
The broadcast is in the same network segment, and the E1 port of the router belongs to this network segment, so the E1 port receives the broadcast in the same way.
When the router receives the broadcast, it also unpacks it and then looks at its route table. Then, it finds that the address 172.16.1.2 is in the network segment 172.16.1.0 of the E0 port.
At this time, the router sends an ARP response instead of host C and attaches the MAC address of the E1 port to host!
In this way, the MAC address of 172.16.1.2 exists in the ARP table of host A (note that this MAC address is set to routerE1 )!
In fact, the response of this router is A kind of deception. It deceives host A, but it is only A positive deception.
Then, host A can send data to host C. Host A sends A data entry to the E1 port by viewing its ARP table.
After receiving the data, the router looks at its route table and forwards the data to the host C (3) ARP attack.
 
Similar to Think, I sent a text message to all the students saying, "I am Dave. This is my new number"
In this way, all the text messages sent to Dave will be sent back to me. Dave will not be able to "access the Internet", and I will complete a deception.
ARP spoofing is the spoofing of hackers in the LAN, so that other PCs and routers can map IP addresses to the wrong MAC.
 
ARP attacks include the following methods:
 
① Simple spoofing attacks
 
This is a common attack. By sending forged ARP packets to fool the route and target host, the target host is deemed as a valid host, and then the spoofing is completed.
This type of spoofing occurs mostly in the same CIDR block because the route does not forward packets in this segment to the outside.
Of course, there are methods to achieve attacks of different network segments, so we need to use the ICMP protocol to tell the router to reselect the route
 
② Sniffing in the exchange environment
 
In the initial small LAN, we used HUB for interconnection, which is a broadcast method.
Each packet passes through each host on the network. By using software, you can sniff the data of the entire LAN.
The current network is mostly a switching environment, and the transmission of data in the network is locked to a specific target.
Based on ARP spoofing, You can forge your host into an intermediate forwarding station to listen for communication between the two hosts.
 
③ MAC Flooding
 
This is a dangerous attack. It can overflow the ARP table of the switch, making the entire network unable to communicate normally.
 
④ ARP-based DOS
 
This is a new type of attack. D. O.S is also called a Denial-of-Service attack.
When a large number of connection requests are sent to a host, the host cannot provide services to normal users due to its limited processing capabilities.
In this process, if ARP is used to hide itself, there will be no real IP addresses in the logs of the attacked host, and the attack will not affect the local machine.
 
 
Protection Method:
 
① IP + MAC Access Control
 
It is insecure to Establish a trust relationship by relying solely on IP addresses or MAC addresses. The ideal security relationship is based on IP addresses and MAC addresses.
This is one of the reasons why we must bind an IP address and a MAC address to the Internet on the campus network.
 
② Static ARP cache table
 
Each host has a corresponding table that temporarily stores the IP-MAC, ARP attacks are done by changing the cache
It is an effective method to bind a correct MAC with static ARP. Use arp-a on the command line to view the current ARP cache table.
The following is the local ARP table:
[SQL]
C: \ Users \ asus> arp-
 
Interface: 192.168.1.101 --- 0xe
Internet address physical address type
192.168.1.1 29-cd-6e-88-6f-ba dynamic
192.168.1.100 35-56-97-bc-7c-11 dynamic

"Dynamic" indicates the dynamic cache, that is, the ARP packet will be modified when it receives the corresponding ARP packet. If it is an invalid ARP packet containing an incorrect gateway, the table will be automatically changed.
In this way, we cannot find the correct gateway MAC, and we cannot communicate with other hosts normally.
Use ARP-s ip mac to create a static table.
After "arp-s 210.31.197.94 00-03-6b-7f-ed-02" is executed, we can view the ARP cache table again:
[SQL]
C: \ Users \ asus> arp-
 
Interface: 192.168.1.101 --- 0xe
Internet address physical address type
210.31.197.94 00-03-6b-7f-ed-02 static

In this case, the "type" item is changed to "static" and "static". In this state, the local cache is not changed when the ARP packet is received.
This effectively prevents ARP attacks. Static ARP entries disappear after each restart and need to be reset.
 
③ ARP high-speed cache timeout settings
 
Table items in the ARP high-speed cache usually need to set a timeout value. shortening this timeout value can effectively prevent ARP table overflow.
 
④ Active Query
 
Make a database corresponding to the IP address and MAC address at a normal time, and regularly check whether the current IP address and MAC relationship are normal.
Periodically checks the vswitch traffic list to view the packet loss rate.
 
 
For more arp commands, see arp /?
[SQL]
C: \ Users \ asus> arp /?
 
Displays and modifies the "IP to physical" address translation table used by the Address Resolution Protocol (ARP.
 
ARP-s inet_addr eth_addr [if_addr]
ARP-d inet_addr [if_addr]
ARP-a [inet_addr] [-N if_addr] [-v]
 
-A displays the current ARP entry by querying the current protocol data.
If inet_addr is specified, only the specified computer is displayed.
. If more than one network
When ARP is used, items in each ARP table are displayed.
-G is the same as-.
-V displays the current ARP entry in detail mode. All invalid items
And items on the loop interface are displayed.
Inet_addr specifies the Internet address.
-N if_addr: displays the ARP entry of the network interface specified by if_addr.
-D: Delete the host specified by inet_addr. Inet_addr
To delete all hosts.
-S: add the host and set the Internet address to inet_addr.
It is associated with the physical address eth_addr. The physical address is
Six hexadecimal bytes separated by a hyphen. This item is permanent.
Eth_addr specifies the physical address.
If if_addr exists, this option specifies the interface to be modified for the address translation table.
. If it does not exist, use the first
.
Example:
> Arp-s 157.55.85.212 00-aa-00-62-c6-09... add static items.
> Arp-a... displays the ARP table.