Detailed analysis on how the AI-Thai router solves ARP attacks

The market demand for AI-Thai routers is very high. Here we mainly explain how Ai-Thai routers solve ARP attacks. Someone in the LAN uses ARP spoofing Trojans (for example, some legendary plug-ins are also maliciously loaded by the legendary software ). To understand the fault principle, Let's first look at the ARP protocol.

In a LAN, ARP is used to convert an IP address to a layer 2 physical address (MAC address. ARP is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, which can generate a large amount of ARP traffic in the network to block the network.

ARP is the abbreviation of Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.

Let's take host A (192.168.16.1) as an example to send data to host B (192.168.16.2. When sending data, host A searches for the target IP address in its ARP cache table. If you find the target MAC address, you can directly write the target MAC address into the frame and send it. If the corresponding IP address is not found in the ARP cache table, host A sends A broadcast on the network. The target MAC address is "FF. FF. FF. FF. FF. FF ", which means to send such a question to all hosts in the same network segment:" What is the MAC address of 192.168.16.2?" Other hosts on the network do not respond to ARP requests. Host B responds to host A only when it receives the frame: "the MAC address of 192.168.16.2 is bb-bb ". In this way, host A knows the MAC address of host B and can send information to host B. At the same time, it also updates its ARP cache table. The next time it sends a message to host B, it can directly find it from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up query.

The foundation of ARP is to trust all people in the LAN, so it is easy to implement ARP spoofing over Ethernet. The target A is spoofed, and A's Ping host C is sent to the DD-DD-DD-DD-DD-DD address. If the MAC address of C is spoofed into A DD-DD-DD-DD-DD-DD, the packets sent by A to C become sent to D. Isn't it because D can receive the packet sent by A? The sniffing succeeds. I was not aware of this change, but the next thing raised A's doubts. Because A and C cannot be connected. D. The data packet sent from A to C is not transferred to C.

Perform "man in the middle" and perform ARP redirection. Enable the IP forwarding function of D. Forward the data packets sent by A to C, just like A router. However, if D sends ICMP redirection, the entire plan is interrupted. Directly modify and forward the entire package, capture all the packets sent to C by A, and then forward them to C. The packets received by C are considered to have been sent from. However, the packets sent by C are directly transmitted to A, if the ARP spoofing to C is performed again. Now D has completely become the intermediate bridge between A and C, and you can understand the communication between A and C.