ARP attack principles and Solutions

[Fault Cause]

Someone using ARP spoofing Trojans in the LANProgram(For example, some legendary plug-ins have also been maliciously loaded by the software with the legendary account theft code ).

[Fault principle]

To understand the fault principle, Let's first look at the ARP protocol.
In a LAN, ARP is used to convert an IP address to a layer 2 physical address (MAC address. ARP is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, which can generate a large amount of ARP traffic in the network to block the network.
ARP is the abbreviation of Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.
Each computer with TCP/IP protocol installed has an ARP cache table. The IP addresses in the table correspond to MAC addresses one by one, as shown in the following table.

Host IP address MAC address a 192.168.16.1 aa-aa B 192.168.16.2 BB- bb-bb c 192.168.16.3 CC-cc d 192.168.16.4 DD-dd-DD

Let's take host a (192.168.16.1) as an example to send data to host B (192.168.16.2. When sending data, host a searches for the target IP address in its ARP cache table. If you find the target MAC address, you can directly write the target MAC address into the frame and send it. If the corresponding IP address is not found in the ARP cache table, host a sends a broadcast on the network. The target MAC address is "ff. ff. ff. ff. ff. FF ", which means to send such a question to all hosts in the same network segment:" What is the MAC address of 192.168.16.2?" Other hosts on the network do not respond to ARP requests. Host B responds to host a only when it receives the frame: "the MAC address of 192.168.16.2 is BB-BB ". In this way, host a knows the MAC address of host B and can send information to host B. At the same time, it also updates its ARP cache table. The next time it sends a message to host B, it can directly find it from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up query.
As can be seen from the above, the foundation of ARP is to trust all people in the LAN, so it is easy to implement ARP spoofing on Ethernet. The target a is spoofed, and a's ping host C is sent to the DD-DD-DD-DD-DD-DD address. If the MAC address of C is spoofed into a DD-DD-DD-DD-DD-DD, the packets sent by A to C become sent to D. Isn't it because D can receive the packet sent by a? The sniffing succeeds.
A is not aware of this change at all, but the following things make a suspect. Because A and C cannot be connected. D. The data packet sent from A to C is not transferred to C.
Perform "man in the middle" and perform ARP redirection. Enable the IP forwarding function of D. Forward the data packets sent by A to C, just like a router. However, if D sends ICMP redirection, the entire plan is interrupted.
D. directly modify and forward the entire package, capture all the packets sent by A to C, and then forward them to C, the packets received by C are completely considered sent from. However, the packets sent by C are directly transmitted to a, if the ARP spoofing to C is performed again. Now D has completely become the intermediate bridge between A and C, and you can understand the communication between A and C.

[Fault symptom]

When a host in the LAN runs the ARP spoofing Trojan program, it deceives all hosts and routers in the LAN so that all Internet traffic must pass through the virus host. Other users directly access the Internet through the vro and now access the Internet through the virus host. When switching, the user will be disconnected once.
After you switch to the virus host to access the Internet, if you have logged on to the legendary server, the virus host will often forge broken line images, so you have to log on to the legendary server again, in this way, the virus host can steal the number.
When a trojan program with ARP spoofing occurs, a large number of packets are sent, resulting in LAN communication congestion and restrictions on its processing capabilities. Users will feel that the Internet access speed is getting slower and slower. When the ARP spoofing Trojan program stops running, the user will resume accessing the Internet from the vro. During the switchover, the user will be disconnected again.

[HiPer users quickly discover ARP spoofing Trojans]

The following information is displayed in the "system history" of the vro (this prompt is only available in vro Software Versions later than 440 ):
Mac chged 10.128.103.124
Mac old 00: 01: 6C: 36: D1: 7f
Mac new 00: 05: 5D: 60: C7: 18
This message indicates that the user's MAC address has changed. When the ARP spoofing Trojan starts running, the MAC addresses of all hosts in the LAN are updated to the MAC addresses of the virus hosts (that is, the Mac new addresses of all information are consistent with the MAC addresses of the virus hosts ), in the "user statistics" of the vro, the MAC address information of all users is the same.
If a large number of old MAC addresses are consistent in the "system history" of the router, it indicates that ARP spoofing has occurred in the LAN (when the ARP spoofing Trojan program stops running, the host restores its real MAC address on the vro ).

[Search for virus hosts in the LAN]

we have known the MAC address of the host using ARP spoofing Trojan, so we can use nbtscan (: http://down.wglm.net/Software/catalog21/339.html) tool to quickly find it.
nbtscan can obtain the real IP address and MAC address of the PC. If there is a "legend Trojan", you can find the IP address and MAC address of the PC with the Trojan.
command: "nbtscan-r 192.168.16.0/24" (search for the entire 192.168.16.0/24 network segment, that is,
192.168.16.1-192.168.16.254 ); or "nbtscan 192.168.16.25-137" to search for the 192.168.16.25-137 CIDR block, that is, 192.168.16.25-192.168.16.20. The first column of the output result is the IP address, and the last column is the MAC address.
nbtscan example:
suppose you want to find a virus host whose MAC address is "000d870d585f.
1. Decompress nbtscan.exe and cygwin1.dll In the compressed package to C.
2) Start-run-open in windows, Enter cmd (enter "Command" in Windows98), and enter C: /nbtscan-r 192.168.16.1/24 (input based on the actual network segment), and press Enter.

C:/Documents and Settings/Alan> C:/nbtscan-r 192.168.16.1/24 Warning:-r option not supported under windows. running without it. doing NBT name scan for addresses from 192.168.16.1/24 IP address NetBIOS Name Server user MAC address 255.192.168.16.0 sendto failed: cannot assign requested address 192.168.16.50 Server login 192.168.16.111 LLF administrator 00-22-55-66-77-88 192.168.16.121 UTT-HIPER 00-0d-87-26-7d-78 192.168.16.175 JC login 192.168.16.223 test123 test123 00-0d-87-0d-58-5f

3) by querying the corresponding table of the IP--MAC, find that the IP address of the virus host of "000d870d585f" is "192.168.16.223 ".

[Solution]

1. Do not establish your network security trust relationship on the basis of IP or Mac (RARP also has the problem of spoofing). The ideal relationship should be on the basis of IP + Mac.
2. Set a static Mac --> ip address table. Do not refresh the conversion table you set on the host.
3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table.
4. Use the ARP Server. The server looks for its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure that the ARP Server is not hacked.
5. Use the proxy IP address for transmission.
6. Use hardware to shield hosts. Set your route so that the IP address can reach a valid path. (Configure route ARP entries statically). Note that using the exchange hub and bridge cannot prevent ARP spoofing.
7. The Administrator periodically obtains an RARP request from the response IP packet and checks the authenticity of the ARP response.
8. The Administrator regularly polls and checks the ARP cache on the host.
9. Use the firewall to continuously monitor the network. Note that when SNMP is used, ARP spoofing may cause the loss of trap packets.

[Solutions for HiPer users]

we recommend that you use bidirectional binding to prevent ARP spoofing.
1. IP address and MAC address of the vro bound to the PC:
1) first, obtain the MAC address of the vro Intranet (for example, the MAC address of the HiPer gateway address 192.168.16.254 is 0022aa0022aa ).
2) Compile a batch processing file RARP. the bat content is as follows:
@ echo off
ARP-D
ARP-s 192.168.16.254 00-22-aa-00-22-aa
change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address. address.
drag the batch processing software to "windows -- start -- program -- start.
3) if it is an Internet cafe, you can use the paid software server program (pubwin or Vientiane can both) to send the batch processing file RARP. bat to the startup directory of all clients. The default startup directory of Windows is "C:/Documents and Settings/all users" start ".
2. Bind the IP address and MAC address of the user host to the vro (vro Software Versions later than 440 are supported ):
On the HiPer Management page-Advanced Configuration-user management, bind each host on the LAN.