Network Application basics of ARP Address Resolution Protocol

In the network, addresses are the basis of our applications. Address-related attacks often occur. So how can we effectively stop this problem? This should start with the ARP Address Resolution Protocol. This article describes the application and principle of the Protocol.

1. interchanging network sniffing

The ARP Address Resolution Protocol does not receive ARP responses only when an ARP request is sent. When a computer receives an ARP response packet, it updates the local ARP cache, store the IP and MAC addresses in the response in the ARP cache. Therefore, in the preceding assumption, B sends A self-generated ARP response to, and the data in this response is the sender's IP address is 192.168.10.3 (C's IP address), MAC address is DD-DD-DD-DD-DD-DD (C's MAC address should have been a CC-CC-CC-CC-CC-CC, it was forged here) when A receives B's forged ARP response, it updates the local ARP cache and replaces the local IP-MAC table with the received data format, because all of this is automatically completed by system kernel A, A does not know it has been forged ｡

ARP spoofing is mainly used for sniffing in the exchange network. The sniffing of the exchange network is not discussed in this article ｡

Ii. IP address conflict

We know that if a host with the same IP address exists in the network, a warning of IP address conflict will be reported. How does this happen?

For example, if host B sets the IP address to 192.168.0.1, changing the IP address of host A to 192.168.0.1 will cause an IP address conflict: when host A connects to the network (or changes the IP address), it sends an ARP packet to broadcast its own IP address, that is, freearp. If host B with the same IP address exists in the network, B will use the ARP Address Resolution Protocol to reply this address. When A receives this reply, A will jump out of the IP address conflict warning. Of course, B will also have A warning ｡

Therefore, ARP spoofing can be used to forge this ARPreply, which keeps the target suffering from IP address conflict warnings ｡

3. Prevent the target data packets from passing through the gateway

For example, if you access the Internet through a gateway in a LAN, there is a gateway IP-MAC record in the ARP cache on the computer that is connected to the outside. If the record is changed, the data packets sent from the computer are always sent to the wrong gateway hardware address, so that the computer will not be able to access the Internet ｡

This is also mainly done through ARP spoofing. There are two ways to achieve this purpose ｡

1. Send a forged ARP response packet to the target. The sender's IP address is the gateway address, and the MAC address is a forged IP address. When the target receives the ARP packet, update your ARP cache. If the spoofing continues, the target gateway cache will always be a forged error record. Of course, if some people know ARP-a, they will know the problem ｡

2. This method deceives the gateway. It sends the reply packet of the forged ARP Address Resolution Protocol to the gateway, where the sender's IP address is the target IP address, the MAC address is a forged address. In this way, the target ARP record on the Gateway is an error, the gateway uses an incorrect MAC address for the datagram sent to the target. In this case, the target can send data to the gateway, but cannot receive any data from the gateway, the target can view ARP-a without any problems ｡

4. Detect nodes in hybrid mode through ARP

In the hybrid mode, the NIC performs packet filtering differently from the normal mode. In the normal mode, only packets with local addresses or broadcast (multicast, etc.) are available) these packets will be submitted to the system core by the Network Adapter. Otherwise, these packets will be discarded by the Network Adapter. Now, the hybrid mode allows all the packets passed to the system core, it is then used by programs such as sniffer ｡

Specially designed ARP requests can be used to detect nodes in the hybrid mode to a certain extent, for example, each node in the network sends an ARP request with the MAC address as the FF-FF-FF-FF-FF-FE. For NICs this is not a broadcast address (FF-FF-FF-FF-FF-FF ), therefore, nodes in the common mode will directly discard this packet, but most operating system cores Think This Is A broadcast address. If a general sniffer program exists and the NIC is set to the mixed mode, then the system core will respond, so that we can determine whether these nodes have a sniffer ｡

We can see that many ARP-based attacks are implemented through ARP spoofing. As for ARP spoofing prevention, we should try to use static ARP. For WIN, use arp-s to set static ARP. Of course, it would be better if static IP + MAC can be used completely, because static ARP cache is only relative ｡

Of course, there can be some methods to achieve ARP spoofing detection. Set an ARP Address Resolution Protocol sniffing, which maintains a local network of the IP-MAC address of the static table, view All ARP data and check the IP-MAC mappings. If the captured IP-MAC mappings do not match the maintained static mappings, it indicates that it is a spoofed ARP packet ｡

For the source code and compiled EXE program of an ARP packet sending program, refer to the ARPSender program. Note: Install WinPcap first ｡