Experts interpret ARP virus (i)

First, ARP virus

ARP Address spoofing virus (hereinafter referred to as ARP virus) is a special kind of virus, the virus is generally a Trojan horse (trojan) virus, does not have the characteristics of active propagation, will not reproduce themselves. However, because of its attack will send a fake ARP packets to the whole network, interfering with the operation of the whole network, so its harm than some worms are much more serious.

Second, the ARP virus occurs when the phenomenon

Network off the line, but the network connection is normal, the intranet part of the PC can not access the Internet, or all computers can not access the Internet, can not open the Web page or open the slow, LAN time and slow speed and so on.

Third, the principle of ARP virus

3.1 Network Model Introduction

As we all know, according to the view of OSI (open Systems Interconnection Reference model), the network system can be divided into 7-layer structure, with different protocols and services running on each level, and the upper and lower layers cooperate with each other. Complete the network data exchange function, as shown in Figure 1:

Fig. 1 OSI Network system model

However, the OSI model is only a reference model, not an application model in the actual network. In fact, the most widely used commercial network model, the TCP/IP system model, divides the network into four tiers and operates different protocols and services at each level, as shown in Figure 2.

Fig. 2 TCP/IP four-layer system model and its supporting protocol

In the figure above, the blue font represents the name of the layer, and the green Word indicates the protocol running on that layer. As can be seen from Figure 2, the ARP protocol that we are about to discuss is the protocol that works on the internet level.

Introduction to 3.2 ARP protocol

We all know that in a local area network, a host to communicate with another host, you must know the target host IP address, but ultimately responsible for the LAN transmission data network card and other physical devices are not recognized IP address, can only identify its hardware address that is, MAC address. The MAC address is 48-bit, typically expressed as a 12 16-digit number, separated by a "-" or a colon, between 2 16 binary digits, such as: 00-0b-2f-13-1a-11 is a MAC address. Each card has its global unique MAC address, the network card to send data, can only be based on the other NIC's MAC address to send, then need a high-level packet of IP address into low-level MAC address protocol, and this important task will be completed by the ARP protocol.

ARP is all called address resolution Protocol, addressing Resolution Protocol. "Address Resolution" is the process by which the host converts the target host IP address to the target host MAC address before sending the packet. The basic function of ARP protocol is to inquire the MAC address of target device through the IP address of target device, so as to ensure the smooth communication. At this time, it involves a problem, a local area network in a few computers, many hundreds, so many computers, how to accurately remember the other computer network card MAC address, so that the data sent? This involves another concept, the ARP cache table. In any host on the LAN, there is an ARP cache table, which holds the control relationship between the IP address and MAC address of each computer in the network. When this host sends data to another host in the local area network, it is sent according to the corresponding relationship of the ARP cached table.