Someone in the LAN uses ARP spoofing.ProgramOr software (for example, the cyber law enforcement officer, P2P Terminator, and some legendary plug-ins are also maliciously loaded with this program ).
[Fault principle]
To understand the fault principle, Let's first look at the ARP protocol.
In a LAN, ARP is used to convert an IP address to a layer 2 physical address (MAC address. ARP is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, which can generate a large amount of ARP traffic in the network to block the network.
ARP is the abbreviation of Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.
Each computer with TCP/IP protocol installed has an ARP cache table. The IP addresses in the table correspond to MAC addresses one by one, as shown in the following table.
Host IP address MAC address
A 192.168.16.1 aa-aa
B 192.168.16.2 BB-bb
C 192.168.16.3 CC-CC
D 192.168.16.4 DD-dd
Let's take host a (192.168.16.1) as an example to send data to host B (192.168.16.2. When sending data, host a searches for the target IP address in its ARP cache table. If you find the target MAC address, you can directly write the target MAC address into the frame and send it. If the corresponding IP address is not found in the ARP cache table, host a sends a broadcast on the network. The target MAC address is "ff. ff. ff. ff. ff. FF ", which means to send such a question to all hosts in the same network segment:" What is the MAC address of 192.168.16.2?" Other hosts on the network do not respond to ARP requests. Host B responds to host a only when it receives the frame: "the MAC address of 192.168.16.2 is BB-BB ". In this way, host a knows the MAC address of host B and can send information to host B. At the same time, it also updates its ARP cache table. The next time it sends a message to host B, it can directly find it from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up query.
As can be seen from the above, the foundation of ARP is to trust all people in the LAN, so it is easy to implement ARP spoofing on Ethernet. The target a is spoofed, and a's ping host C is sent to the DD-DD-DD-DD-DD-DD address. If the MAC address of C is spoofed into a DD-DD-DD-DD-DD-DD, the packets sent by A to C become sent to D. Isn't it because D can receive the packet sent by a? The sniffing succeeds.
A is not aware of this change at all, but the following things make a suspect. Because A and C cannot be connected. D. The data packet sent from A to C is not transferred to C.
Perform "man in the middle" and perform ARP redirection. Enable the IP forwarding function of D. Forward the data packets sent by A to C, just like a router. However, if D sends ICMP redirection, the entire plan is interrupted.
D. directly modify and forward the entire package, capture all the packets sent by A to C, and then forward them to C, the packets received by C are completely considered sent from. However, the packets sent by C are directly transmitted to a, if the ARP spoofing to C is performed again. Now D has completely become the intermediate bridge between A and C, and you can understand the communication between A and C.
[Fault symptom]
When a host in the LAN runs the ARP spoofing Trojan program, it deceives all hosts and routers in the LAN so that all Internet traffic must pass through the virus host. Other users directly access the Internet through the vro and now access the Internet through the virus host. When switching, the user will be disconnected once.
After you switch to the virus host to access the Internet, if you have logged on to the legendary server, the virus host will often forge broken line images, so you have to log on to the legendary server again, in this way, the virus host can steal the number.
When a trojan program with ARP spoofing occurs, a large number of packets are sent, resulting in LAN communication congestion and restrictions on its processing capabilities. Users will feel that the Internet access speed is getting slower and slower. When the ARP spoofing Trojan program stops running, the user will resume accessing the Internet from the vro. During the switchover, the user will be disconnected again.
[HiPer users quickly discover ARP spoofing Trojans]
The following information is displayed in the "system history" of the vro (this prompt is only available in vro Software Versions later than 440 ):
Mac chged 10.128.103.124
Mac old 00: 01: 6C: 36: D1: 7f
Mac new 00: 05: 5D: 60: C7: 18
This message indicates that the user's MAC address has changed. When the ARP spoofing Trojan starts running, the MAC addresses of all hosts in the LAN are updated to the MAC addresses of the virus hosts (that is, the Mac new addresses of all information are consistent with the MAC addresses of the virus hosts ), in the "user statistics" of the vro, the MAC address information of all users is the same.
If a large number of old MAC addresses are consistent in the "system history" of the router, it indicates that ARP spoofing has occurred in the LAN (when the ARP spoofing Trojan program stops running, the host restores its real MAC address on the vro ).
[Search for virus hosts in the LAN]
We already know the MAC address of the host that uses ARP spoofing Trojans, so we can use the nbtscan (: http://www.utt.com.cn/upload/nbtscan.rar) tool to quickly find it.
Nbtscan can obtain the real IP address and MAC address of the PC. If there is a "legend Trojan", you can find the IP address and MAC address of the PC where the trojan is installed.
Command: "nbtscan-r 192.168.16.0/24" (search for the entire 192.168.16.0/24 CIDR block, that is
192.168.16.1-192.168.16.254); or "nbtscan 192.168.16.25-137", search for the 192.168.16.25-137 CIDR block, that is, 192.168.16.25-192.168.16.20. The first column of the output result is the IP address, and the last column is the MAC address.
Example of nbtscan:
Suppose you want to find a virus host with the MAC address "000d870d585f.
1. Decompress nbtscan.exe and cygwin1.dll In the compressed package to C.
2) Start-run-open in windows, Enter cmd (enter "Command" in Windows98), and enter C:
Btscan-r 192.168.16.1/24 (enter according to the actual network segment), and press Enter.
C: documents and settingsalan> C:
Btscan-r 192.168.16.1/24
Warning:-r option not supported under Windows. Running without it.
Doing NBT name scan for addresses from 192.168.16.1/24
IP address NetBIOS Name Server user MAC address
------------------------------------------------------------------------------
192.168.16.0 sendto failed: cannot assign requested address
192.168.16.50 server 00-e0-4c-4d-96-c6
192.168.16.111 LLF administrator 00-22-55-66-77-88
192.168.16.121 UTT-HIPER 00-0d-87-26-7d-78
192.168.16.175 JC 00-07-95-e0-7c-d7
192.168.16.223 test123 test123 00-0d-87-0d-58-5f
3) by querying the corresponding table of the IP--MAC, find that the IP address of the virus host of "000d870d585f" is "192.168.16.223 ".
[Solution]
1. Do not establish your network security trust relationship on the basis of IP or Mac (RARP also has the problem of spoofing). The ideal relationship should be on the basis of IP + Mac.
2. Set a static Mac --> ip address table. Do not refresh the conversion table you set on the host.
3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table.
4. Use the ARP Server. The server looks for its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure that the ARP Server is not hacked.
5. Use "proxy" to transmit the proxy IP address.
6. Use hardware to shield hosts. Set your route so that the IP address can reach a valid path. (Configure route ARP entries statically). Note that using the exchange hub and bridge cannot prevent ARP spoofing.
7. The Administrator periodically obtains an RARP request from the response IP packet and checks the authenticity of the ARP response.
8. The Administrator regularly polls and checks the ARP cache on the host.
9. Use the firewall to continuously monitor the network. Note that when SNMP is used, ARP spoofing may cause the loss of trap packets.
[Solutions for HiPer users]
We recommend that you use bidirectional binding to prevent ARP spoofing.
1. the IP address and MAC address of the vro bound to the PC:
1) First, obtain the MAC address of the vro Intranet (for example, the MAC address of the HiPer gateway address 192.168.16.254 is 0022aa0022aa LAN port MAC address> ).
2) Compile a batch file RARP. bat with the following content:
@ Echo off
ARP-d
ARP-s 192.168.16.254 00-22-aa-00-22-aa
Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address.
Drag the batch processing software to "windows -- start -- program -- start.
Appendix: static address Method
The static address method means to set the MAC address of the vro to static on the local server to prevent ARP attacks, if you get a similar ARP spoofing attack, you can also set it by referring to this method.
First, find the real MAC address of the vro, and enter the IP address of the ARP-a gateway without being attacked. The physical address contains the MAC address of the gateway, display is similar to 00-07-e9-0a-77-93, and its type is usually dynamic. Our goal is to set it to static.
Then, run the ARP-D command to delete the current ARP list, and then use the ARP-s gateway IP address to set the MAC address of the gateway to static.
At this time, the system's ARP will become static, but if the server restarts, these settings will disappear. Therefore, edit a BAT file whose content is the above ARP-s content, add it to the "Start" menu, and modify the Windows registry so that Windows can automatically log on, so that the static ARP will be automatically set at each start.