Security: Understand ARP attack principles to prevent ARP attacks

Have you ever experienced a sudden disconnection when you access the Internet on a LAN? After a while, it will return to normal again. Or the client status becomes red frequently, the user is disconnected frequently, the IE browser is prone to errors, and some common software is faulty. Or, if your LAN is connected through identity authentication, it will suddenly become authenticated but not accessible (you cannot ping the gateway ). If the above problem occurs, you should be careful, because you are likely to be attacked by ARP.
So what is ARP? How is it attacked? How can this problem be solved? We will give you a one-by-one answer below.

1. What is ARP:

ARP stands for Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, a host can communicate directly with another host. You must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.

Ii. How ARP works:

Only by understanding how ARP works can we effectively prevent ARP attacks. To put it simply, the principle of ARP is: first, each host creates an ARP list in its own ARP buffer to indicate the ing between the IP address and the MAC address. When the source host needs to send a packet to the target host, it first checks whether the MAC address corresponding to this IP address exists in its ARP list, if yes, the packet is directly sent to the MAC address. If no, a broadcast packet for the ARP request is sent to the subnet segment to query the MAC address of the target host. This ARP request packet includes the IP address of the source host, the hardware address, and the IP address of the target host. When all hosts in the network receive this ARP request, they will check whether the destination IP address in the packet is consistent with their own IP address. Ignore this packet if they are different. If they are the same, the host first adds the MAC address and IP address of the sender to its ARP list. If the ARP table already contains information about this IP address, then it overwrites the packet and sends an ARP response packet to the source host, telling the other host that it is the MAC address it needs to find. After the source host receives the ARP response packet, add the IP address and MAC address of the target host to your ARP list and use this information to start data transmission. If the source host has not received the ARP response packet, ARP query fails.

The following is a simple example:

Suppose A's address is: IP: 192.168.10.1 MAC: AA-AA-AA-AA-AA-AA

Suppose B's address is: IP: 192.168.10.2 MAC: BB-BB-BB-BB-BB-BB

According to the above principle, we will briefly describe this process: A needs to know the MAC address of B to communicate with B, so A sends an ARP request broadcast (who is 192.168.10.2, please tell 192.168.10.1) When B receives the broadcast, it checks itself and finds that it is consistent with itself, and then sends an ARP unicast response to A (192.168.10.2 in BB-BB-BB-BB-BB-BB ).

<-- Pagination -->
Cause 3: ARP Spoofing

As a matter of fact, the sudden disconnection or wide-area network disconnection is mostly caused by ARP spoofing. From the perspective of Affecting Network Connection smoothness, there are two types of ARP spoofing: one is spoofing on the ARP table of the router, and the other is spoofing on the gateway of the Intranet PC.

The first principle of ARP spoofing is to intercept gateway data. It notifies the vro of a series of incorrect Intranet MAC addresses and keeps running at a certain frequency, so that the real address information cannot be updated and saved in the vro, as a result, all the data of the router can only be sent to the wrong MAC address, so that the normal PC cannot receive the information. The second principle of ARP spoofing is to forge a gateway. The principle is to establish a false gateway to send data to a spoofed PC, rather than accessing the Internet through a normal router. In the PC's view, the network cannot be connected, and the network is disconnected ".

The following is an example of ARP spoofing:

Each computer with TCP/IP protocol installed has an ARP cache table. The IP addresses in the table correspond to MAC addresses one by one, as shown in the following table.

Host IP address MAC address

A 192.168.16.1 aa-aa

B 192.168.16.2 bb-bb

C 192.168.16.3 cc-cc

D 192.168.16.4 dd-dd

Let's take host A (192.168.16.1) as an example to send data to host B (192.168.16.2. When sending data, host A searches for the target IP address in its ARP cache table. If you find the target MAC address, you can directly write the target MAC address into the frame and send it. If the corresponding IP address is not found in the ARP cache table, host A sends A broadcast on the network. The target MAC address is "FF. FF. FF. FF. FF. FF ", which means to send such a question to all hosts in the same network segment:" What is the MAC address of 192.168.16.2?" Other hosts on the network do not respond to ARP requests. Host B responds to host A only when it receives the frame: "the MAC address of 192.168.16.2 is bb-bb ". In this way, host A knows the MAC address of host B and can send information to host B. At the same time, it also updates its ARP cache table. The next time it sends a message to host B, it can directly find it from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up query.

As can be seen from the above, the foundation of ARP is to trust all people in the LAN, so it is easy to implement ARP spoofing on Ethernet. The target A is spoofed, and A's Ping host C is sent to the DD-DD-DD-DD-DD-DD address. If the MAC address of C is spoofed into A DD-DD-DD-DD-DD-DD, the packets sent by A to C become sent to D. Isn't it because D can receive the packet sent by A? The sniffing succeeds.

A is not aware of this change at all, but the following things make A suspect. Because A and C cannot be connected. D. The data packet sent from A to C is not transferred to C. Perform "man in the middle" and perform ARP redirection. Enable the IP forwarding function of D. Forward the data packets sent by A to C, just like A router. However, if D sends ICMP redirection, the entire plan is interrupted.

D. directly modify and forward the entire package, capture all the packets sent by A to C, and then forward them to C, the packets received by C are completely considered sent from. However, the packets sent by C are directly transmitted to A, if the ARP spoofing to C is performed again. Now D has completely become the intermediate bridge between A and C, and you can understand the communication between A and C.

Iv. Defense Against ARP attacks:

Knowing the attack principles, we can better prevent ARP attacks. The following lists some basic defense methods for your reference.

1. Do not establish your network security trust relationship on the basis of IP or MAC (rarp also has the problem of spoofing). The ideal relationship should be on the basis of IP + MAC.

2. Set a static MAC --> IP address table. Do not refresh the conversion table you set on the host.

3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table.

4. Use the ARP Server. The server looks for its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure that the ARP Server is not hacked.

5. Use the proxy IP address for transmission.

6. Use hardware to shield hosts. Set your route so that the IP address can reach a valid path. (Configure route ARP entries statically). Note that using the exchange hub and bridge cannot prevent ARP spoofing.

7. The Administrator periodically obtains an rarp request from the response IP packet and checks the authenticity of the ARP response.

8. The Administrator regularly polls and checks the ARP cache on the host.

9. Use the firewall to continuously monitor the network.

The above method can greatly reduce the possibility of ARP attacks.