Brief Introduction to vswitch ACM table port forwarding attacks

Source: Internet
Author: User

It may look a bit strange to see this title. No one in the security circle has defined such a term; I was not sure what to call it, so I simply named it after the original term for the attack. If anyone has a suggestion for a better name, something as well known as "pandatv incense", I would welcome it.

I do not know whether this attack method has been studied before; I have never seen it discussed on the internet. I have recently spent some time thinking about this technique and hope it provides another building block for security enthusiasts, but I do not want anyone to use it to damage networks. The consequences are serious, and the network administrator will be furious because he cannot find the attack source. There is currently no good countermeasure for this kind of attack, so think twice.

Enough preamble; on to the topic. I first discovered this attack while studying the ARP protocol early on. At the time I found that sending ARP packets in a specific format had a noticeable effect on the network. Suppose I am on machine B and capture an ARP reply packet sent from machine C to another machine on the network.

After capturing it with Sniffer Pro on machine B, I replay the packet: that is, machine B sends packets whose source MAC address is machine C's (the number of packets sent, i.e. how continuously the switch receives such packets, is closely related to the attack's effect). Machine C suddenly loses contact with the other machines on the network, and the other machines cannot reach machine C. A packet capture shows that machine C's packets are sent, but no response packets come back. Where is the problem?

Anyone with a feel for this will guess that the packets are being forwarded to machine B by the switch. To prove it, capture packets on machine B: many of them turn out to be response packets from other IP addresses to machine C. Many people will not understand why. You know the difference between a switch and a hub: a switch does not broadcast packets.

It works as follows: a packet from machine A to machine B cannot be received by machine C, because the switch keeps a forwarding table (the ACM table) whose job is to map MAC addresses to ports. One port can correspond to many MAC addresses

(under 802.1x it seems only one can be created). That much is fine. The problem is that the ACM table is updated dynamically in real time, and that is what explains the symptoms above. When machine C sends a packet to machine A, machine C's MAC address is temporarily bound to port 3, the port C is plugged into. When machine A receives the packet and replies to machine C, the switch sends the reply out of port 3 and the two machines communicate normally.

Now machine B captures that packet and replays it continuously. As just said, machine B sends packets whose source address is machine C's MAC. When such a packet passes through the switch, the binding between machine C's MAC address and port 3 is changed: the switch sees that a packet with this source MAC arrived on port 2.

So it binds machine C's MAC address to port 2 instead, and packets from machine A to machine C are forwarded by the switch to machine B on port 2. All of this leaves machine C cut off. That should make it clear. The above is my own understanding; some points may be explained inaccurately, and I hope you will point them out.

Some will say that machine C keeps sending packets too, and that these will also change the binding of machine C's MAC address in the ACM table away from port 2. As mentioned above, this depends on the number of packets machine B replays. In my tests, when machine B replayed packets at a certain rate per second, machine C was either unable to communicate with other machines or communicated very slowly. Interestingly, machine C can still ping other machines, which makes the situation quite frustrating for machine C; moreover, machine C never sees any of the attack packets, since they are unicast packets addressed to machine A rather than broadcasts. Once the number of packets reaches about 10 thousand, machine C cannot receive anything at all.
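As an added illustration (not code from the original article), the following Python model simulates the ACM table learning described above with machines A, B and C on ports 1, 2 and 3, shows how the share of replies that still reach machine C depends on the ratio of replayed to genuine frames, and includes the check a network defender would run on the learned (MAC, port) events: a MAC address that keeps flapping between two ports within a short window. All MAC addresses, port numbers and rates are constructed.

```python
from collections import defaultdict, deque

class ForwardingTable:
    """Model of a switch's MAC-to-port learning table (the article's 'ACM' table):
    each frame's source MAC is bound to its ingress port, last writer wins."""

    def __init__(self, window_frames=20, max_moves=2):
        self.table = {}                  # mac -> port
        self.moves = defaultdict(deque)  # mac -> frame numbers at which its port changed
        self.alerts = []
        self.window_frames = window_frames
        self.max_moves = max_moves
        self.frames = 0

    def learn(self, src_mac, ingress_port):
        self.frames += 1
        old = self.table.get(src_mac)
        self.table[src_mac] = ingress_port
        if old is None or old == ingress_port:
            return
        hist = self.moves[src_mac]
        hist.append(self.frames)
        while hist and self.frames - hist[0] >= self.window_frames:
            hist.popleft()
        # A re-plugged host moves once; a MAC flapping between two ports within
        # a short window is the symptom the article describes.
        if len(hist) > self.max_moves:
            self.alerts.append((src_mac, old, ingress_port, self.frames))

    def forward(self, dst_mac):
        return self.table.get(dst_mac, "flood")  # unknown MAC: flood all ports

MAC_A, MAC_B, MAC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"

def run_scenario(spoof_period, genuine_period, ticks=100):
    """Constructed traffic, A on port 1, B on port 2, C on port 3: each tick C may send a
    genuine frame, then B may send a frame forged with C's MAC, then A replies to C.
    Returns (replies that reached port 3, replies sent, flapping alerts raised)."""
    sw = ForwardingTable()
    for mac, port in ((MAC_A, 1), (MAC_B, 2), (MAC_C, 3)):
        sw.learn(mac, port)
    delivered = 0
    for t in range(1, ticks + 1):
        if t % genuine_period == 0:
            sw.learn(MAC_C, 3)
        if spoof_period and t % spoof_period == 0:
            sw.learn(MAC_C, 2)
        if sw.forward(MAC_C) == 3:
            delivered += 1
    return delivered, ticks, len(sw.alerts)
```

With no forged frames every reply reaches port 3 and no alert fires; as the forged-to-genuine ratio grows, delivery drops towards zero while the flapping detector fires on the genuine frames that briefly win the binding back.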

You may also ask why the packets are not simply broadcast. Broadcasting them would put a heavy load on the switch, affect the other machines, and make the packets easy for others to notice (although nobody can find you without checking the switch's MAC table, you still fear someone reading it). If your network is large, the broadcast will also affect your own use of it.

So the packets must be sent in a targeted way, and we need to find a "slave" machine. In the case above, machine A is our slave machine. If there is another machine D on the network, a packet capture on machine D cannot detect this attack. Scary? There is worse.

Now you need to worry again. Since we can attack a single machine, what about attacking the gateway? The consequence is that nobody can communicate with the gateway, which means the network is cut off. All you need is to send packets from machine B whose source address is the gateway's MAC address.

We have already said that broadcast packets are the least desirable, so we need a zombie machine again, and machine A still serves. Or does it? Machine B and machine A sit on the same switch, so all that can be changed is this switch's ACM table, which only affects the machines under this switch. How can we extend the reach? Broadcasting would work, but it is the least feasible method. What then?

Rest assured, clever people always find a way; this is where the slave machine shows its value. In technical terms, when machine B sends packets to the slave machine with the gateway's MAC address as source, every switch the packets pass through rewrites its ACM binding for the gateway's MAC.

In other words, the farther away the slave machine is, the farther the attack reaches. Choosing where the slave machine sits in the network topology is therefore important, since it determines the range of switches affected. To disconnect an entire network, I would pick a machine under the trunk switch as the zombie. Frightening, isn't it?

Having understood all this, you might say the attack is perfect. I disagree: if the attack were limited to the ARP protocol it would be easy to block, and during testing many ARP firewalls did block it. So I had to look for another approach, and worry once more.

In principle, the part of a packet that affects the switch's ACM table is the DLC (data link) layer: the first fourteen bytes of the packet, consisting of a 6-byte source MAC address, a 6-byte destination MAC address and a 2-byte protocol type.

Which other packets carry these fourteen bytes? Plenty: TCP, UDP, ICMP and so on. So let's get started: from machine B, send UDP packets with machine C's MAC address as the source to machine A (TCP or ICMP work just as well, ha). Later we found we had celebrated too early: the "color shadow" and "road patrol" ARP firewalls filter IP spoofing attacks.

It seems I can go to bed now. Some will say I have confused them with all these principles, and that to test this you would first have to learn Sniffer Pro and then fill in packets of dozens to hundreds of bytes by hand, by which time it would be far too late.
