ARP protocol, ARP Spoofing

Source: Internet
Author: User

What is ARP

2007-12-04

ARP is the abbreviation of Address Resolution Protocol. It is a link layer protocol that works on the second layer of the OSI model, sitting between the layer above it and the hardware interface, and it provides its service to the upper layer (the network layer).

Layer 2 Ethernet switches do not recognize 32-bit IP addresses; they forward Ethernet frames based on 48-bit Ethernet addresses (MAC addresses). That is to say, when IP packets are transmitted within the local network, the target is identified not by its IP address but by its MAC address. Therefore there must be a correspondence between IP addresses and MAC addresses, and the ARP protocol is what determines this correspondence.

In Windows, enter the "arp -a" command in the command line window to view the current ARP cache table of the local machine. The ARP cache table stores the correspondence between IP addresses and MAC addresses, as shown in the figure:

"Internet address" refers to the IP address, and "physical address" refers to the MAC address.

How ARP works

ARP packets can be divided into two types based on the receiving object:
1. Broadcast packet (broadcast). The destination MAC address of a broadcast packet is FF-FF-FF-FF-FF-FF; when a switch receives a broadcast packet, it forwards it to all hosts in the LAN.
2. Non-broadcast packet (non-broadcast). Only the specified host receives a non-broadcast packet.

ARP packets can be divided into two types based on their function:
1. ARP request packet (ARP request). The ARP request packet is used to obtain the MAC address corresponding to an IP address in the LAN.
2. ARP reply packet (ARP reply). The ARP reply packet is used to inform other hosts of the IP address and MAC address of the local host.

Generally, ARP requests are broadcast packets, and ARP replies are non-broadcast packets.

Assume that there are two hosts in the LAN. The host name, IP address, and MAC address are as follows:
Host Name IP address MAC address
A 192.168.0.1 AA-AA-AA-AA-AA-AA
B 192.168.0.2 BB-BB-BB-BB-BB-BB


When host A needs to communicate with host B, it first checks whether host B's MAC address is in its local ARP cache. If it is, the two hosts can communicate directly. If not, host A must obtain the MAC address of host B through the ARP protocol, which is equivalent to host A shouting to all hosts in the LAN: "Hello! Who is 192.168.0.2? I'm 192.168.0.1, my MAC address is AA-AA-AA-AA-AA-AA. Tell me what your MAC address is." The packet type sent by host A is broadcast-request.

After host B receives the "ARP broadcast-request" packet from host A, it first saves/updates the mapping between host A's IP address and MAC address in its local ARP cache table, then it sends an "ARP non-broadcast-reply" packet to host A, which is equivalent to telling host A: "Hey, I'm 192.168.0.2, my MAC address is BB-BB-BB-BB-BB-BB." After host A receives the reply from host B, it saves/updates the mapping between host B's IP address and MAC address in its local ARP cache table, and then host A and host B can communicate with each other.

The above LAN host communication process shows that a host saves and updates its local ARP cache table in two cases:
1. When it receives an "ARP broadcast-request" packet
2. When it receives an "ARP non-broadcast-reply" packet

Is there a problem with this mechanism, that is, with the design of ARP?

Principles of ARP Spoofing

We have learned from the section on how ARP works that a host saves and updates its local ARP cache table in two cases:
1. When it receives an "ARP broadcast-request" packet
2. When it receives an "ARP non-broadcast-reply" packet

We can see that the ARP protocol has no authentication mechanism: any host in the LAN can forge ARP packets at will. The ARP protocol design is inherently flawed.

Assume that there are three hosts (GW refers to the gateway) in the LAN. The host name, IP address, and MAC address are as follows:
Host Name IP address MAC address
GW 192.168.0.1 01-01-01-01-01-01
PC02 192.168.0.2 02-02-02-02-02-02
PC03 192.168.0.3 03-03-03-03-03-03

Under normal circumstances, the data flow between host PC02 and GW, and their respective ARP cache tables, are shown in the figure:


Then host PC03 appears, a network enthusiast who decides to carry out an ARP spoofing attack for some purpose. PC03 first sends an ARP packet to PC02, which is equivalent to telling PC02: "Hey, I'm 192.168.0.1 and my MAC address is 03-03-03-03-03-03." Then it sends an ARP packet to GW, which is equivalent to telling GW: "Hey, I am 192.168.0.2, and my MAC address is 03-03-03-03-03-03." Therefore, the data flow between host PC02 and GW, and their respective ARP cache tables, become as shown in the figure:

As we can see, after ARP spoofing, all network data between host PC02 and GW flows through PC03, that is, PC03 has control over the data communication between them. The above is the implementation process of ARP spoofing and the effect after spoofing.
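The two mechanisms described above, the request/reply exchange with its learn-from-every-packet cache rule and the forged replies PC03 sends to PC02, as an added example in Python (not code from the original article): it builds and parses ARP-over-Ethernet frames using the page's addresses, applies the host's cache-update rule, and raises an alert when a frame claims an IP that is already mapped to a different MAC, which is the defender's check against exactly this scenario. All frames are constructed inline, and the class and function names are the example's own.

```python
import struct
from dataclasses import dataclass
ETH_TYPE_ARP, BROADCAST = 0x0806, "FF-FF-FF-FF-FF-FF"
OP_NAMES = {1: "request", 2: "reply"}

def mac_str(b: bytes) -> str: return "-".join(f"{x:02X}" for x in b)
def mac_bytes(s: str) -> bytes: return bytes(int(x, 16) for x in s.replace(":", "-").split("-"))
def ip_str(b: bytes) -> str: return ".".join(str(x) for x in b)
def ip_bytes(s: str) -> bytes: return bytes(int(x) for x in s.split("."))
@dataclass
class ArpFrame:
    dst_mac: str; src_mac: str; op: str
    sender_mac: str; sender_ip: str; target_mac: str; target_ip: str
    def is_broadcast(self) -> bool: return self.dst_mac == BROADCAST  # the article's broadcast/non-broadcast split

def build_arp(dst_mac, src_mac, op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    # Ethernet header (14 bytes) followed by ARP for IPv4 over Ethernet (28 bytes)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype=Ethernet, ptype=IPv4, hlen, plen, opcode
    return eth + arp + mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)

def parse_arp(frame: bytes) -> ArpFrame:
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_TYPE_ARP):
        raise ValueError("not an ARP frame")
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol encoding")
    op, b = struct.unpack("!H", frame[20:22])[0], frame[22:42]
    return ArpFrame(mac_str(frame[0:6]), mac_str(frame[6:12]), OP_NAMES.get(op, str(op)),
                    mac_str(b[0:6]), ip_str(b[6:10]), mac_str(b[10:16]), ip_str(b[16:20]))

class ArpMonitor:
    """Learns sender IP->MAC from every request and reply, exactly as the article says a host
    does, but records an alert whenever a frame contradicts a mapping already learned."""
    def __init__(self):
        self.cache, self.alerts = {}, []
    def observe(self, frame: bytes) -> ArpFrame:
        a = parse_arp(frame)
        known = self.cache.get(a.sender_ip)
        if known is not None and known != a.sender_mac:
            self.alerts.append(f"{a.sender_ip}: {known} -> {a.sender_mac} via ARP {a.op} from {a.src_mac}")
        self.cache[a.sender_ip] = a.sender_mac
        return a

def run_scenario() -> ArpMonitor:
    # Constructed traffic: the legitimate exchange from the article, then PC03's forged reply to PC02
    gw, pc02, pc03 = "01-01-01-01-01-01", "02-02-02-02-02-02", "03-03-03-03-03-03"
    m = ArpMonitor()
    m.observe(build_arp(BROADCAST, pc02, 1, pc02, "192.168.0.2", "00-00-00-00-00-00", "192.168.0.1"))
    m.observe(build_arp(pc02, gw, 2, gw, "192.168.0.1", pc02, "192.168.0.2"))    # GW's genuine reply
    m.observe(build_arp(pc02, pc03, 2, pc03, "192.168.0.1", pc02, "192.168.0.2"))  # PC03 claims to be GW
    return m
```

A plain host overwrites its cache entry on the third frame without complaint; the monitor's alert list is what turns that silent overwrite into a visible event.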

Types and dangers of ARP Spoofing

ARP spoofing can be divided into three types based on which object is spoofed:
1. Spoofing only the victim host. The effect of the spoofing is shown in the figure:

2. Spoofing only the router or gateway. The effect of the spoofing is shown in the figure:

3. Two-way spoofing, that is, the combination of the preceding two methods. The effect of the spoofing is shown in the figure:

The harm caused by ARP spoofing can be divided into several categories:
1. Network exceptions. Specific manifestations: disconnection, IP address conflicts, etc.
2. Data theft. Specifically, leaks of personal privacy (such as MSN chat records, emails, etc.) and account theft (such as QQ accounts, bank accounts, etc.).
3. Data tampering. The specific manifestation is that malicious content is added to the web pages being visited, commonly known as a "Trojan".
4. Illegal control. Network speed and network access behaviour (for example, some web pages cannot be opened or some network applications cannot be used) are illegally controlled by a third party.

ARP spoofing can be divided into two categories based on who initiates it:
1. Human attacks. Human attacks mainly aim at causing network exceptions, data theft, and illegal control.
2. ARP viruses. An ARP virus is not one specific virus but any virus that contains ARP spoofing. ARP viruses are mainly used to steal data (such as account theft) and tamper with data (such as Trojans).

According to the current situation, most ARP spoofing attacks (human or ARP virus) are discovered only after network exceptions occur. Please note that a well-planned human ARP spoofing
