Measures to prevent ARP spoofing in LAN

ARP spoofing, also known as ARP virus or ARP attack, is an attack technique for Ethernet Address Resolution Protocol (ARP). Such an attack could allow an attacker to obtain data packets or even tamper with data packets on the local area network, and to make it possible for a particular computer or all computers on the web to not connect properly. How to prevent ARP spoofing in LAN?

The principle of ARP spoofing is as follows:

Suppose such a network, a hub to pick up 3 machines

HostA HostB HOSTC which

The address of A is: ip:192.168.10.1 MAC:AA-AA-AA-AA-AA-AA

The address of B is: ip:192.168.10.2 MAC:BB-BB-BB-BB-BB-BB

The address of C is: ip:192.168.10.3 MAC:CC-CC-CC-CC-CC-CC

Under normal circumstances c:arp-a

interface:192.168.10.1 on Interface 0x1000003

Internet Address Physical Address Type

192.168.10.3 CC-CC-CC-CC-CC-CC Dynamic

Now suppose HostB began the evil ARP deception:

B sends a fake ARP reply to a, And this answer in the data for the sender IP address is 192.168.10.3 (c's IP address), MAC address is DD-DD-DD-DD-DD-DD (C's MAC address should be CC-CC-CC-CC-CC-CC, here was forged). When a receives a B-spoofed ARP reply, the local ARP cache is updated (A is not known to have been forged). And a Do not know is actually sent from B, a here only 192.168.10.3 (c's IP address) and invalid Dd-dd-dd-dd-dd-dd MAC address, there is no evidence related to criminal B, haha, so the criminals are not happy to die.

Now the ARP cache for a machine has been updated:

C: "Arp-a"

interface:192.168.10.1 on Interface 0x1000003

Internet Address Physical Address Type

192.168.10.3 DD-DD-DD-DD-DD-DD Dynamic

This is not a trivial matter. The network circulation of LAN is not based on IP address, but is transmitted according to MAC address. Now 192.168.10.3 's MAC address is changed to a MAC address that does not exist on a. Now a starts ping 192.168.10.3, the MAC address that the network card submits is DD-DD-DD-DD-DD-DD, what is the result? The network is impassability, a can not ping c!!

So, a LAN in a machine, repeatedly to other machines, especially to the gateway, send such invalid fake ARP reply packets, NND, serious network congestion began! The nightmare for Internet café administrators began. My goal and task, is the first time, seize him. But from what has just been said, it seems that criminals are perfectly exploiting the flaws of Ethernet and covering up their crimes. But in fact, the above methods have left a trail. Although the ARP packet does not leave a HOSTB address, the Ethernet frame that hosts the ARP packet contains the HOSTB source address. Moreover, normally in Ethernet data frames, the MAC source address/destination address in the frame header should be paired with the ARP information in the frame packet, so that the ARP packet is correct. If not correct, it must be counterfeit package that can be reminded! But if the match, also not necessarily represent the correct, perhaps the forger also considered this step, and forged a format to meet the requirements, but the content of fake ARP packets. But this also does not matter, as long as the gateway here has all the MAC address network card database, if and Mac database data mismatch is also a fake ARP packet. Can also remind criminals to do it.

Ii. Preventive measures

1. Set up a DHCP server (recommended to be built in the gateway, because the DHCP does not occupy the number of CPUs, and ARP spoofing attacks are always the first attack gateways, we just want him to attack the Gateway first, because the gateway here has the monitoring program, the gateway address recommended choice 192.168.10.2, Leave the 192.168.10.1 blank, if the criminal procedure stupid words let him attack the empty address bar, in addition all client's IP address and its related host information, only then obtains by the gateway, the gateway here opens the DHCP service, but wants to give each network card, binds the fixed unique IP address. Be sure to keep the machine in the net Ip/mac one by one corresponding relationship. This way, although the client is DHCP to address, but every time the IP address is the same.

2. Set up Mac database, the MAC address of all the network card in the net bar is recorded, each Mac and IP, the geographical position all load into the database, in order to inquire the record in time.

3. The gateway machine closes the ARP dynamic refreshing process, uses the static road mail, such words, even if the criminal suspect uses ARP to deceive attacks the gateway, such to Gateway is also useless, guarantees the host security.

The gateway establishes a static IP/MAC bundle by establishing the/etc/ethers file, which contains the correct IP/MAC correspondence, in the following format:

192.168.2.32 08:00:4e:b0:24:47

And then/etc/rc.d/rc.local the final add:

Arp-f Effective

4. Gateway Monitor network security. The gateway uses the TCPDUMP program to intercept each ARP package and get a script analysis software to analyze these ARP protocols. ARP spoofing attack packets generally have the following two features, one can be considered to meet the attack packet alarm: The first Ethernet packet header source address, Destination address and ARP Packet protocol address does not match. Alternatively, the sending and destination address of the ARP packet is not in its own network card Mac database, or it does not match its own network Mac database MAC/IP. These are all the first time to call the police, check the data packets (Ethernet packets) Source address (also may be forged), it is generally known that the machine is launching an attack.

5. Sneak up to the machine to see if the person is intentionally, or be allowed to put what Trojan program framed. If the latter, quietly find an excuse to get rid of him, unplug the network cable (do not shut down, especially to see the Win98 in the planning task), to see the machine's current use of records and operation, determine whether it is in the attack.