LAN Security: The method and principle of resolving ARP attack it World Network 2006-01-26 10:17
"Cause of failure"
A Trojan horse program that someone uses ARP spoofing in the LAN (for example: Legendary thief software, some legendary plug-ins have also been maliciously loaded this program).
"Principle of failure"
To understand the principle of failure, let's first look at the ARP protocol.
In the local area network, the IP address is converted to a second-tier physical address (that is, MAC address) through the ARP protocol. The ARP protocol is of great significance to network security. By spoofing IP addresses and MAC addresses, ARP spoofing can generate a large amount of ARP traffic in the network to block the network.
The ARP protocol is an abbreviation for "Address Resolution Protocol" (Addresses Resolution Protocol). In the LAN, the actual transmission in the network is "frame", inside the frame is a target host MAC address. In Ethernet, a host must be aware of the destination host's MAC address to communicate directly with another host. But how is this target MAC address obtained? It is obtained through the Address Resolution Protocol. The so-called "address resolution" is the process by which the host translates the destination IP address into the destination MAC address before sending the frame. The basic function of the ARP protocol is to check the MAC address of the target device through the IP address of the target device, so as to ensure the smooth communication.
Each computer with TCP/IP protocol installed has an ARP cache table, and the IP address in the table corresponds to one by one of the MAC address, as shown in the following table.
We use Host A (192.168.16.1) to send data to Host B (192.168.16.2) as an example. When data is sent, host a looks for the destination IP address in its own ARP cache table. If found, also know the target MAC address, directly to the target MAC address into the frame to send it, if the corresponding IP address is not found in the ARP cache table, host A will send a broadcast on the network, the target MAC address is "FF." Ff. Ff. Ff. Ff. FF ", which means that the query is sent to all hosts in the same network segment:" What is the MAC address of the 192.168.16.2? " "Other hosts on the network do not respond to ARP queries, and only Host B responds to host a when it receives the frame:" 192.168.16.2 's MAC address is Bb-bb-bb-bb-bb-bb ". In this way, host a knows the MAC address of Host B and it can send messages to Host B. It also updates its own ARP cache table, and the next time it sends information to Host B, it can be found directly from the ARP cache table. The ARP cache table uses an aging mechanism that, for a period of time, is deleted if a row in the table is not used, which can greatly reduce the length of the ARP cache table and speed up the query.
As can be seen from the above, the basis of the ARP protocol is to trust all the people in the LAN, then it is easy to implement ARP spoofing on the Ethernet. To spoof target A, a goes to ping host C but sends it to the DD-DD-DD-DD-DD-DD address. If you cheat, the MAC address of C is tricked into DD-DD-DD-DD-DD-DD, so that a packet sent to C will become sent to D. It's not just that D is able to receive a packet sent by a, sniff successfully.
A is not aware of this change at all, but the next thing makes a doubt. Because A and C are not connected. D Docking received a sent to C packets can not be forwarded to C.
Do "Man in the middle" for ARP redirection. Turn on the IP forwarding function of D, a sent over the packet, forwarded to C, like a router. However, if D sends an ICMP redirect, it interrupts the entire plan.
D directly to the entire package of modification and forwarding, capturing a sent to C packets, all modified and then forwarded to C, and C received the packet is fully considered to be sent from a. However, the packet sent by C is passed directly to a, if ARP spoofing to C is repeated. Now d becomes the middle bridge between A and C, and the communication between A and C can be very familiar.
"Failure Phenomenon"
When a host computer in the LAN runs ARP spoofing trojan, it will deceive all the hosts and routers in the LAN, so that all Internet traffic must pass through the virus host. Other users originally directly through the router to the Internet is now transferred through the virus host Internet access, when switching users will be broken once line.
Switch to the virus host after the Internet, if the user has logged into the legendary server, then the virus host will often forge the false image disconnection, then the user will have to re-login to the legendary server, so that the virus host can be stolen number.
Due to ARP spoofing Trojan program will emit a large number of packets caused by the LAN traffic congestion and its own processing capacity limits, users will feel the Internet speed is getting slower. When the ARP spoofing trojan program stops running, the user resumes the Internet from the router, and the user breaks the line once again during the switchover.
"HiPER user quickly discovers ARP spoofing trojan"
A large amount of information is seen in the router's "System history" (this is only available in the router software version after 440):
MAC chged 10.128.103.124
MAC Old 00:01:6c:36:d1:7f
MAC New 00:05:5d:60:c7:18
This message indicates that the MAC address of the user has changed, when the ARP spoofing Trojan starts to run, the MAC address of all the hosts on the LAN is updated to the MAC address of the virus host (that is, all information of the MAC new address is consistent with the MAC address of the virus host) while the "User statistics" in the router The MAC address information for all users is the same.
If you see in the router's system history that a large number of Mac old addresses are consistent, then there have been ARP spoofing in the LAN (ARP Spoofing Trojan horse program stopped running, the host on the router to restore its true MAC address).
"Find a virus host in a local area network"
We already know the MAC address of the host using ARP spoofing Trojan, then we can use the Nbtscan (: http://www.utt.com.cn/upload/nbtscan.rar) tool to find it quickly.
Nbtscan can take the real IP address and MAC address of the PC, if there is a "legendary Trojan" In doing strange, you can find the ip/and MAC address of the PC containing the Trojan horse.
Command: "Nbtscan-r 192.168.16.0/24" (Search entire 192.168.16.0/24 segment, i.e. 192.168.16.1-192.168.16.254); or "Nbtscan 192.168.16.25-137" Search 192.168.16.25-137 network segment, i.e. 192.168.16.25-192.168.16.137. Output The first column is the IP address, and the last column is the MAC address.
Examples of Nbtscan use:
Suppose you look for a virus host with a MAC address of "000d870d585f".
1) Unzip the Nbtscan.exe and cygwin1.dll in the compressed package to C:.
2) in Windows Start-run-open, enter cmd (windows98 input "command"), enter in the DOS window that appears: C:btscan-r 192.168.16.1/24 (which needs to be entered according to the user's actual network segment), enter.
3) by querying the Ip--mac correspondence table, the IP address of the "000d870d585f" Virus host is "192.168.16.223".
"Solution Ideas"
1, do not put your network security trust relationship on the basis of IP or Mac, (Rarp also has the problem of deception), the ideal relationship should be based on the Ip+mac.
2, set the static Mac-->ip table, do not let the host refresh the conversion table you set.
3, unless it is necessary to stop using ARP, the ARP as a permanent entry is saved in the corresponding table.
4, use the ARP server. The server finds its own ARP conversion table in response to ARP broadcasts from other machines. Make sure that this ARP server is not hacked.
5, using "proxy" proxy IP transmission.
6, the Use of hardware screen host. Set up your route so that the IP address can reach the legitimate path. (Statically configure routed ARP entries), note that using interchange hubs and bridges does not prevent ARP spoofing.
7. The administrator periodically obtains a RARP request in the IP packet in response, and then checks the authenticity of the ARP response.
8. The administrator polls periodically to check the ARP cache on the host.
9. Use the firewall to monitor the network continuously. Note that with SNMP, the spoofing of ARP can lead to the loss of a trap packet.
"HiPER Solutions for users"
It is recommended that users use two-way binding to resolve and prevent ARP spoofing.
1. Bind the router's IP and MAC address on the PC:
1) First, obtain the MAC address of the router's intranet (for example, HiPER gateway address 192.168.16.254 MAC address is 0022AA0022AA).
2) Write a batch file Rarp.bat content as follows:
@echo off
Arp-d
Arp-s 192.168.16.254 00-22-aa-00-22-aa
Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address.
Drag the batch software to "windows--Start – Program-Start".
3) If it is an Internet café, you can send batch files Rarp.bat to the startup directory of all clients using the Paid software service-side program (Pubwin or Vientiane). The default startup directory for Windows2000 is "c:documents and Settingsall users" Start menu program startup ".
2. Bind the IP and MAC address of the user host on the router (440 after the router software version support):
In the HiPER management interface--Advanced configuration--user management will be the LAN each host is bound.
Network reprint: LAN Security: The method and principle of resolving ARP attack