ARP spoofing is a very annoying attack for servers.
For ease of description, we first assume a subnet environment:
Gateway: IP = IP-1, MAC = 11:11:11:11:11:11
HOST: IP = IP-2, MAC = 22:22:22:22:22:22
Host A: IP = IP-A, MAC = AA:AA
Host B: IP = IP-B, MAC = BB:BB
Host C: IP = IP-C, MAC = CC:CC
Any two hosts in the subnet (the gateway can also be regarded as a host) need to know each other's NIC address (MAC) for normal communication. If one party does not know the MAC of the other, an ARP query is required.
ARP Query Process
Within a normal subnet, a complete ARP query consists of a query broadcast and a point-to-point response. The query broadcast contains the IP address of the host being looked up, and it is received by the NIC of every host in the subnet. The NIC checks whether the IP address being queried equals its own IP address; if not, the packet is discarded directly, and if so, the packet is handed to the system kernel (an interrupt). The kernel calls the NIC driver to parse the received packet, then constructs a response packet and sends it back to the querying host, which updates its ARP cache table after receiving the response.
In terms of LnS settings, this communication process requires two rules. Take the local machine querying the MAC of host B as an example:
① 22:22:22:22:22:22 => FF:FF (allow the local broadcast out)
② 22:22:22:22:22:22 <= BB:BB (allow host B's response in to the local machine)
Rule Description: => indicates outgoing, <= indicates incoming, = indicates bidirectional.
Note that when you set an LnS rule, always place the source on the left and the target on the right; if the direction is bidirectional, place the local machine on the left and the remote end on the right.
If any step in the query process is broken, the query fails. For example, if someone comes to your company to collect a debt, the general manager's secretary can think of various reasons to keep the creditor from seeing the general manager. Even if the creditor does see the general manager, the general manager can say that the financial manager is absent or that there is no money to pay, and the debt collection fails. These two methods are like blocking the broadcast and blocking the response.
For two hosts in the subnet to communicate completely (both sides can send and receive data), each must be able to learn the other's MAC address. For example, for the local host to communicate completely with host B, host B must also be able to query the local host's MAC:
① 22:22:22:22:22:22 => FF:FF (allow the local broadcast out)
② 22:22:22:22:22:22 <= BB:BB (allow host B's response in to the local machine)
③ FF:FF <= BB:BB (allow host B's broadcast in to the local machine)
④ 22:22:22:22:22:22 => BB:BB (allow the local host's response out to host B)
Obviously rules ② and ④ can be merged in LnS, so complete communication between the two machines requires only three rules:
① 22:22:22:22:22:22 => FF:FF (allow the local broadcast out)
② FF:FF <= BB:BB (allow host B's broadcast in to the local machine)
③ 22:22:22:22:22:22 = BB:BB (allow the local host and host B to respond to each other)
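As an added example (not from the original article or from LnS itself), the following Python model of the rule semantics above evaluates ARP frames against the three merged rules; it also shows that a host no rule mentions (host A) can neither query the local MAC nor send a response in, which is the basis of the first prevention point later in the article. The rule syntax and direction semantics follow the article; the Frame type and the full-length MAC addresses are assumptions.

```python
from collections import namedtuple

LOCAL = "22:22:22:22:22:22"
BROADCAST = "FF:FF:FF:FF:FF:FF"  # the article abbreviates this as FF:FF
HOST_B = "BB:BB:BB:BB:BB:BB"     # trusted host B (BB:BB in the article)
HOST_A = "AA:AA:AA:AA:AA:AA"     # host A: no rule mentions it, so it is untrusted
# direction is "out" if the local NIC sends the frame, "in" if it receives it
Frame = namedtuple("Frame", "src dst direction")

def parse_rule(text):
    # Rules are written source-left, target-right, as the article advises, e.g. "A => B".
    left, op, right = text.split()
    if op not in ("=>", "<=", "="):
        raise ValueError("bad rule: %r" % text)
    return left.upper(), op, right.upper()

def rule_allows(rule, frame):
    left, op, right = rule
    # Outgoing (=> or =): left is the local sender, right is the remote target.
    if op in ("=>", "=") and frame.direction == "out":
        return frame.src == left and frame.dst == right
    # Incoming (<= or =): left is the local target, right is the remote sender.
    if op in ("<=", "=") and frame.direction == "in":
        return frame.dst == left and frame.src == right
    return False

def allowed(rules, frame):
    # Default deny: a frame passes only if at least one rule matches it.
    return any(rule_allows(r, frame) for r in rules)

# The three merged rules for complete communication with host B.
RULES = [parse_rule(t) for t in (
    f"{LOCAL} => {BROADCAST}",   # allow the local query broadcast out
    f"{BROADCAST} <= {HOST_B}",  # allow host B's query broadcast in
    f"{LOCAL} = {HOST_B}",       # allow responses in both directions
)]

def check_exchange(rules):
    # Which steps of the ARP exchange pass for trusted host B and for untrusted host A.
    frames = {
        "local_query": Frame(LOCAL, BROADCAST, "out"),
        "b_reply": Frame(HOST_B, LOCAL, "in"),
        "b_query": Frame(HOST_B, BROADCAST, "in"),
        "local_reply_to_b": Frame(LOCAL, HOST_B, "out"),
        "a_query": Frame(HOST_A, BROADCAST, "in"),
        "a_reply": Frame(HOST_A, LOCAL, "in"),
    }
    return {name: allowed(rules, f) for name, f in frames.items()}
```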
Simple ARP Spoofing
As mentioned above, a query process consists of a broadcast and a response, but the ARP protocol does not require the broadcast and the response to appear in pairs: the broadcast can be absent, and any host can actively send response packets. If the target host does not use a static MAC, it updates its ARP cache table as soon as it receives a response packet. Therefore, an incorrect response packet can be constructed by hand so that the target host updates its ARP cache with it.
For example, to stop host A from communicating with host B from the local machine:
The local machine sends a response packet to host A, telling it that the MAC of IP-B is XX:XX.
The local machine sends a response packet to host B, telling it that the MAC of IP-A is YY:YY.
Now the ARP caches of host A and host B each hold an incorrect MAC address for the other. When either sends data to the other, it goes to the wrong NIC or to a NIC that does not exist (depending on the forged MAC address), so communication between A and B naturally fails. (In fact, as long as either of the two ARP caches is wrong, communication between A and B fails.)
Think about what happens if the spoofed response packet tells host B that the MAC of IP-1 is ZZ:ZZ. Communication between host B and the gateway becomes abnormal, and host B is cut off from the network. If the gateway is spoofed at the same time, told that the MAC of host B is a wrong value, and the spoofing continues, host B cannot access the Internet.
The so-called Internet law enforcement officer tools are often said to use ARP spoofing to knock hosts off the network. When such a tool is running, it first sends a large number of broadcasts to obtain the MAC addresses of all hosts, and then sends forged response packets to whichever hosts it wants to spoof.
Of course, ARP spoofing does not stop here. For example, after the target host has been disconnected, the attacker can forge its own MAC into the MAC of the spoofed host for a special purpose; or it can spoof the gateway and the target host at the same time, putting its own MAC instead of a random MAC in the forged response packets and enabling data forwarding on the local machine, so that it is inserted into the communication between the gateway and the target host and acts as a proxy to listen to the target host. However, this article is about setting ARP rules in LnS; ARP spoofing is not the focus.
ARP prevention
Having read this far, you must have noticed a problem: the attacker must be able to communicate with the victim in order to send forged response packets; otherwise the spoofing cannot be completed. Based on this, we can prevent ARP spoofing at several points:
I. Do not allow untrusted hosts to query the local MAC address. The attacker cannot communicate with the local host and thus cannot spoof it.
It can intercept the query broadcast (if you have come for money, you may not enter).
It can intercept the response from the local machine (come as often as you like, I will just say there is no money; a dead pig is not afraid of boiling water).
II. Use a static MAC and refuse to update the ARP cache.
Even if a counterfeit response reaches the local machine, the local machine does not use that packet to update its ARP cache. So why is variant 2, which netizens actually use, only "feasible"? It is feasible because the filtering is very strict, which can prevent a large amount of ARP spoofing. The quotation marks are there because it is feasible only temporarily: continuous long-time testing may lead to network disconnection.
This is related to the specific network environment and may have many causes. One possible cause is a bug in LnS; another may arise after the local device establishes a connection with the gateway, or from using a static MAC or a specified IP address to avoid DHCP lease failure. I cannot clearly analyze the details. However, in principle, this method is incorrect.
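As an added example (not part of the original article), the following Python monitor models the two defences discussed in this section on constructed frames: a pinned gateway entry that a response can never overwrite, and refusing any response that answers no query the local host sent, which is exactly the unpaired response the spoofing section relies on. The addresses, the forged MAC and the frames are constructed; the article's IP-1, IP-2 and IP-B are symbolic.

```python
# Constructed sample addresses (RFC 5737 test range); the article's IP-1/IP-2/IP-B are symbolic.
GW_IP, GW_MAC = "192.0.2.1", "11:11:11:11:11:11"
LOCAL_IP, LOCAL_MAC = "192.0.2.2", "22:22:22:22:22:22"
B_IP, B_MAC = "192.0.2.12", "BB:BB:BB:BB:BB:BB"
FORGED_MAC = "DE:AD:BE:EF:00:01"  # constructed stand-in for the article's ZZ:ZZ
ARP_HDR = b"\x08\x06\x00\x01\x08\x00\x06\x04"  # EtherType ARP; htype=1, ptype=IPv4, hlen=6, plen=4
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def mac_str(b): return ":".join("%02X" % x for x in b)
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, smac, sip, tmac, tip):
    # Ethernet + ARP frame (op 1 = request, 2 = reply); used here only to construct sample input.
    body = mac_bytes(smac) + ip_bytes(sip) + mac_bytes(tmac) + ip_bytes(tip)
    return mac_bytes(tmac) + mac_bytes(smac) + ARP_HDR + op.to_bytes(2, "big") + body

def parse_arp(frame):
    # Return opcode and sender fields of an Ethernet ARP frame, or None if it is not IPv4 ARP.
    if len(frame) < 42 or frame[12:20] != ARP_HDR:
        return None
    return {"op": int.from_bytes(frame[20:22], "big"),
            "smac": mac_str(frame[22:28]), "sip": ip_str(frame[28:32])}

class ArpMonitor:
    def __init__(self, static):
        self.static = dict(static)  # IP -> MAC bindings that a response may never change
        self.cache = dict(static)
        self.pending = set()        # IPs for which this host has sent a query broadcast
        self.alerts = []
    def sent_request(self, ip):
        self.pending.add(ip)
    def receive(self, frame):
        p = parse_arp(frame)
        if p is None or p["op"] != 2:
            return
        ip, mac = p["sip"], p["smac"]
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(("static-conflict", ip, mac))  # attempt to move a pinned IP
        elif ip not in self.pending:
            self.alerts.append(("unsolicited-reply", ip, mac))  # answers no query we sent
        else:
            self.pending.discard(ip)
            self.cache[ip] = mac

def run_scenario():
    # One legitimate response from B, then two forged responses of the kind the article describes.
    mon = ArpMonitor({GW_IP: GW_MAC})
    mon.sent_request(B_IP)
    for smac, sip in ((B_MAC, B_IP), (FORGED_MAC, GW_IP), (FORGED_MAC, B_IP)):
        mon.receive(build_arp(2, smac, sip, LOCAL_MAC, LOCAL_IP))
    return mon
```

After the scenario the cache still maps the gateway to its pinned MAC and B to its real MAC, and both forged responses appear only in the alert list.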
Security is relative
The best way to prevent ARP spoofing is to use static MAC binding on the gateway and on each client machine. A firewall can only raise the safety factor; it cannot give a complete guarantee. First, the firewall may have bugs, its functions may be imperfect, or its settings may be poor. Second, in reality there may be loopholes in the trust relationships. For example, suppose the local machine trusts the gateway for Internet access and also trusts host B for sharing, but host B has no security protection. An attacker can start from host B: after taking it over, counterfeit host B's IP address and MAC address, gain the ability to communicate with the local host, and then attack it by other means. More seriously, if the gateway itself is not safe, the protection on the local machine cannot achieve good results.