Recently, servers belonging to many friends and customers have been hit by ARP spoofing attacks, with the result that their sites were serving Trojan code. Because the attack relies on ARP deception, the host itself was not compromised: viewing the page source on the server shows no Trojan code at all, yet every page delivered to visitors has the Trojan injected!
At first, I didn't understand it. This is the ARP deception of network legend, and only later, after reading up on it, did I learn that this is ARP spoofing. To explain ARP spoofing we have to start from how ARP works.
Let us first get familiar with ARP, which is covered in basic university computer networking courses: ARP is the Address Resolution Protocol. The OSI reference model divides the functionality of network communication into seven layers. From lowest to highest they are: physical layer, data link layer, network layer, transport layer, session layer, presentation layer, application layer. Layers four to seven are primarily responsible for interoperability, and layers one to three are used to create physical connections between two network devices.
ARP spoofing is a common tactic used in session hijacking attacks. The Address Resolution Protocol (ARP) maps layer 3 logical IP addresses to layer 2 physical MAC addresses. If a device knows the IP address of the host it wants to reach but not its MAC address, it sends an ARP request. ARP requests are usually sent as broadcasts so that all hosts can receive them.
In telecom data centers, the access switches are generally layer 2 switches, which forward traffic by looking up the MAC address of the destination network card. Because TCP/IP traffic reaches the corresponding physical switch port only through MAC addressing, it is exposed to ARP spoofing attacks.
Now let's use an example to explain the process and principle of ARP spoofing more vividly:
Assume there is a compromised machine A (a "broiler") that ARP-spoofs Host B. Machine A keeps telling Host B that it is the gateway. Host B comes to believe this and sends its connection data to A. Machine A then acts as a relay: it adds the Trojan to Host B's packets and passes them on to the real gateway. As a result, the page the user receives carries the Trojan, while Host B itself contains no Trojan.
At present, an IDC machine room can enable the ARP broadcast shielding function on switches such as the Cisco 2950 and Huawei 3026, which should be able to prevent ARP spoofing.
In addition, given how the Address Resolution Protocol (ARP) works, if the gateway IP and MAC address are bound statically and cannot be modified, there will be no ARP spoofing, because ARP maps layer 3 logical IP addresses to layer 2 physical MAC addresses, that is, MAC addressing. Of course, each of our hosts should also bind the gateway MAC and IP. The command is simple, for example:
arp -s 58.66.176.29 00-aa-00-62-c6-09
To summarize how to prevent ARP spoofing:
Create a new batch file with the following content:
@echo off
arp -s <default gateway IP address> <MAC address of the gateway>
Put this batch file into startup, and the problem is solved.
There is also software that can solve the problem:
1. Open Anti ARP Sniffer 3, enter the gateway IP address, and click [Take Mac].
If your gateway is filled in correctly, it will display the MAC address of the gateway.
2. Click [Automatic protection] so that communication between the current network card and the gateway cannot be monitored by third parties.
To track ARP attackers:
When someone on the local area network attempts ARP spoofing against this machine, the data is recorded by Anti ARP Sniffer. Select the line you want to track in the spoofed data detail list, then click [Hunt for the deception Machine]. The hunt takes a few minutes; if the ARP address is real, the attacker will soon be tracked down. (Automatic protection needs to be stopped while chasing ARP attackers.)
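The kind of check that flags a spoofed gateway announcement can be sketched as follows. This is an added example, not code from the original article or from Anti ARP Sniffer: it compares the sender of each ARP packet against the static gateway binding from the arp -s example, and the second MAC address, the Host B address and the frames are constructed sample values.

```python
import socket
import struct

# Trusted binding, taken from the arp -s example; extend with your own gateways.
GATEWAY_BINDINGS = {"58.66.176.29": "00-aa-00-62-c6-09"}

def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4 ARP; return None for anything else."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:                       # not ARP
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(eth_src), "oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_ip": socket.inet_ntoa(tpa)}

def check_frame(frame, bindings=GATEWAY_BINDINGS):
    """Return a list of alerts for one frame; an empty list means nothing suspicious."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    alerts = []
    bound = bindings.get(arp["sender_ip"])
    if bound is not None and arp["sender_mac"] != bound.lower():
        alerts.append(f"{arp['sender_ip']} claimed by {arp['sender_mac']}, bound to {bound}")
    if arp["eth_src"] != arp["sender_mac"]:       # link-layer source disagrees with ARP payload
        alerts.append(f"frame source {arp['eth_src']} != ARP sender {arp['sender_mac']}")
    return alerts

def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Build the bytes of an ARP reply, used only to create the sample data below."""
    to_mac = lambda s: bytes.fromhex(s.replace("-", ""))
    eth = to_mac(target_mac) + to_mac(eth_src) + struct.pack("!H", 0x0806)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    return (eth + hdr + to_mac(sender_mac) + socket.inet_aton(sender_ip)
            + to_mac(target_mac) + socket.inet_aton(target_ip))

# Constructed samples: one reply from the bound gateway MAC, one from another MAC.
HOST_B = ("00-11-22-33-44-55", "58.66.176.30")
GENUINE = build_arp_reply("00-aa-00-62-c6-09", "00-aa-00-62-c6-09", "58.66.176.29", *HOST_B)
SPOOFED = build_arp_reply("00-de-ad-be-ef-01", "00-de-ad-be-ef-01", "58.66.176.29", *HOST_B)

if __name__ == "__main__":
    for name, frame in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, check_frame(frame) or "ok")
```

Feeding it live traffic requires a capture source, which is outside this sketch; the function only inspects frame bytes it is given.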
That is all I will write for now on the principle and prevention of ARP spoofing. I work in network server security and do not know much about how computer networks work at the physical level; most of what I know is what I learned from university textbooks, so I checked a lot of material to write this article. I look forward to corrections and explanations from the experts!
Author: Morning Whirlwind. China Webmaster Station is authorized to forward this article. When forwarding, please be sure to keep (Www.Xuanfeng.net) and the author-related information.