Instance parsing searches for ARP spoofing through traffic detection

ARP spoofing attacks are a common form of attacks. The Intranet of the attacked organization may slow or even stagnate the network due to ARP spoofing attacks. This article describes how to find out ARP spoofing attacks through network traffic detection through an example of a school's ARP spoofing attack, so as to solve the problem of network slowness.

The information center immediately started the investigation. According to the teachers, sometimes the webpage was very slow to open, sometimes there was no movement, and the webpage could not be opened directly. However, the network is normal during off-duty hours, such as noon and evening breaks.

According to this situation, the possibility of network hardware faults is minimal. No exceptions are found after inspection, and physical errors are eliminated. It seems to be a software problem. The first reaction in my mind is the popular ARP attack. The Chinese name of ARP is the Address Resolution Protocol, which is used to resolve IP addresses in the network to hardware addresses (MAC addresses) to ensure smooth communication. When a computer receives an ARP response packet, it updates the local ARP cache and stores the IP and MAC addresses in the response in the ARP cache. Therefore, if someone sends a self-built ARP response in the network, the network may be faulty. This is ARP spoofing. A common feature of ARP spoofing is that the host is frequently disconnected.

Our network symptoms are very similar, but ARP attacks need to find its source. The general method is hard to find and packet capture analysis needs to be performed on the switch, then IrisNetworkTrafficAnalyzer (Iris) is found ). This network traffic analysis and monitoring tool helps system administrators easily capture and view User usage, Detect incoming and outgoing information flows, and automatically store and collect statistics. The icon of this software looks like an eye. It seems that the "Eye of Fire" has been found. Now, how can we make good use of it!

Because the switch of the teaching building is a non-Network-tube switch, I had to hold my laptop in the network equipment room and "squat ". Connect your laptop to the vswitch port and enable Iris

As we are still familiar with the typical Windows software style, click the start capture button, Iris starts to work, capture packets. Iris analyzes the captured data packets. I can click the data packets at a certain time point to view the resolution content in the quick analysis window. In the Statistics window, we can browse the real-time data Statistics graph, including Protocol (network Protocol), TopHosts (highest traffic host), SizeDistribution (packet size classification), and Bandwidth (Bandwidth).

Soon, the "murderer" will appear! There are a large number of ARP packets in the Iris capture window, And the ARP packets shown in the Protocol (network Protocol) chart are growing! The network traffic has increased several times!

To facilitate analysis, use the Filters feature of Iris to filter out ARP and ReverseARP data. Finally, I found the real culprit of ARP spoofing. In the capture window, we can see that there are two fake IP addresses (0.136.136.16 and 1.136.136.16), and all ARP packet sources come from the MAC address 52: 54: AB: 37: 0D: B0 computer, finally got the evidence! That is to say, the computer that finds this MAC address can eliminate the root cause!

The next work is simple, take out the usual recording of the "MAC-IP-computer name" corresponding table, find the really fierce computer, its network disconnection, system reinstall, virus scanning and other operations, after confirming the security, connect to the Internet. The Network has restored the former silence, and the normal teaching order of the school has been guaranteed.