Arpfirewall breakthrough methods and principles

Defense scheme of Arp Firewall:

1. Bind the Mac address and IP address of the Gateway in the local Arp cache table (using the "arp-a" command, you can see that the gateway Mac address and IP address status are static ). Role: prevent other machines from sending packets to the local machine and disguise it as a gateway to cheat the local machine.

2. Use the driver to filter the packets received and sent by the local machine, analyze the Arp packets, and determine whether the packets are forged or incorrect. Purpose: intercept Arp spoofing data from the underlying layer, prevent other machines from sending packets to the local machine, and intercept Arp spoofing packets sent from the local machine.

3. Send a normal Arp packet to the gateway frantically. The sent data content is "I am the IP Address :***. ***. ***. * **, my Mac address is :**-**-**-**-**-**! ", The interval between sending data packets is very short, several milliseconds. Purpose: keep saying "I am the real machine" to the gateway to prevent other machines from disguising as local machines and deceiving the gateway.

4. Do not introduce other non-main defense measures.

--------------------------------------------------------------------------------

 

Arp firewall breakthrough solutions:

From the above defense scheme, the only defect is the gateway.

If the gateway is not bound, you can cheat the gateway. However, the target machine keeps sending packets to the network administrator, saying that the target machine is a real machine ......

How can we successfully cheat the gateway?

So, are you sending a package? I also sent it! I am faster than you!

Then, the situation becomes like this. Both the target machine and the hacker machine rush to the gateway and say, "I am the real one !!!", I am drowning in saliva. Haha, is it true or false?

Now the gateway is disconnected. How can this be done? So the gateway will change the Arp cache table to this one, and change it to that one ......

Because the hacker machine sends packets faster than the target machine, the address in the Arp cache table of the Gateway has a high chance of hackers in a short period of time, therefore, the gateway sends more data packets to the hacker machine than the target machine.

Therefore, the hacker machine obtains some data packets of the target machine, thus achieving the goal of deception ......

However, this scheme has a huge sequencebecause both parties are competing for the gateway. In a short time segment, the target machine will be lost when the hacker machine becomes a competition. The most typical phenomenon is: crazy packet loss and disconnection, so this method is a last resort ......

This is a very popular method to crack the wall for sending crazy packets. You can easily do it with Arp Emp v1.0 ......

In fact, in practice, this method is rarely effective, and it is easy to cause a disconnection. It is not recommended ......

If the Arp firewall is only bound to the gateway and does not process the addresses of other machines in the Arp cache table, you can modify other machines in the cache table of the target machine, but it is useless, generally, few machines communicate with each other in the IDC, and basically all of them communicate with each other ......