Defense Against ARP attacks

ARP spoofing/repeated attacks are common phenomena in the network industry recently. As ARP attacks continue to upgrade, different solutions are available in the market. However, I recently discovered that there are some solutions that seem to be effective in the short term. In fact, they do not play a role in real ARP attacks and also reduce LAN work efficiency.

Many users say that some ARP prevention methods are easy to operate and implement, but after in-depth understanding, it is found that the long-term effect is not great.

The best way to prevent ARP attacks is to take basic measures first. Because there are many solutions on the market, we cannot describe the advantages and disadvantages one by one. Therefore, this article explains the basic idea of ARP attack prevention. We believe that if you can understand this basic idea, you can determine the effective prevention and control methods and understand why bidirectional binding is a comprehensive and persistent solution.

I. Uncertain ARP Protocol

In general, the original ARP protocol in a computer is like a person who is uncertain and easily influenced by others. ARP spoofing/attacks use this feature to mislead computers into making mistakes. The principle of ARP attacks can be easily found on the Internet. The original ARP operation is attached to the broadcast package or ARP inquiry package received by the LAN, unconditionally overwriting the ARP/MAC table in the local cache. This is like an uncertain-willed person who believes everything he or she talks to and immediately makes decisions based on the latest information.
Just like a non-planned courier who wants to send a mail to "Zhang San", he only asks "Zhang San lives there" on the road? ", And deliver it to him recently and say," I am! "Or" zhangsan lives there! ", To determine how to deliver the same. In a place where everyone is honest, the courier's work can still be done on the ground; but if someone else looks at the parcel items for money and wants to cheat the acquisition, the courier's work will be chaotic.

Let's look back at the relationship between ARP attacks and couriers who are determined by their will. There are two types of common ARP attacks: network gateways, routers, and computers on the LAN, that is, normal users. Attacking a Network Gateway is like sending a wrong address information to a courier, which makes the courier's work messy and all the emails cannot be delivered normally. However, in an attack, a computer directly falsely claims to be a courier with the average person, let the average user send the item to the computer that initiates the attack.

Generally, computers and routers do not have a strong will in ARP Protocol. Therefore, as long as a malicious computer continuously sends an incorrect ARP message on the LAN, it will make computers and routers believe it as true, make the wrong Transfer Network Package action. Generally, ARP is used in this way to cause abnormal network operations and achieve the goal of stealing user passwords or damaging network operations. Common Methods for Preventing ARP attacks,

There are three methods:

1. Use ARP echo to send the correct ARP message: the correct ARP table is frequently reminded to achieve the prevention effect.
2. Using the binding method, the fixed ARP table is not affected by external factors: the correct ARP table is used to prevent attacks.
3. Discard the ARP protocol and adopt other addressing protocols: use other protocols such as PPPoE instead of ARP for transmission.
Among the above three methods, the first two methods are common. The third method is suitable for applications with better technical capabilities due to great changes. The following describes the first two methods.

Ii. "ARP echo" in PK Competition"
ARP echo is the earliest developed ARP attack solution, but with the development of ARP attacks, it gradually loses its effect. Currently, this method not only does not prevent attacks, but also reduces the efficiency of LAN operations. However, many users still use this method to prevent attacks. In the previous example of an uncertain-thinking courier, ARP echo always reminds the courier by phone of the correct recipient and address, this reduces the interference of the neighboring information.

However, there are several obvious problems with this practice: first, even though reminders are sent from time to time, some emails may still be sent due to the weak will of the courier, if the error message is sent in an incorrect way, the result may be poor if the message is frequently sent. For example, if a person provides continuous information at the courier's side, even if the call reminder is immediately overwritten; second, because reminders must be sent from time to time, and in order to ensure a good reminder effect, we must increase the reminder interval to prevent overwriting. This is like a courier who has been busy answering calls from the headquarters, there is no time to send a letter, delaying the business. Third, we need to assign a person to call the courier to remind me from time to time. This means we need to assign another person to be responsible and keep reminding me, this person's work is also very heavy.

Similar situations may occur when ARP echo is used to respond to ARP attacks. First, in the face of high-frequency new ARP attacks, ARP echo will not work, and the disconnection will still happen. The ARP echo method is effective against the early attack software for the purpose of hacking, but it is recognized that it has no effect when it comes to attack software using the latest attack methods. Second, ARP echo means must continuously issue broadcast network packets on the LAN to occupy LAN bandwidth, reducing the lan's ability to work, the computers and switches in the LAN are always processing ARP echo broadcast packets, and the LAN is stuck before being attacked. Third, there must be a device in the LAN responsible for sending ARP echo broadcast packets, whether it is a router, server or computer, because the packet is sent in hundreds of seconds, this is a huge burden on the device.