Principle and solution of ARP virus

ARP virus intrusion network, so that most Internet cafes and families into misery!! Middle recruit phenomenon: drop the line! I am here on the Internet to the relevant information, network Master of the study ~ ~

Ways to resolve ARP attacks

"Cause of failure"

The local area network person uses ARP to cheat the Trojan program (for example: legendary pilfer number's software, some legends plug-in also was maliciously loaded this program).

"Fault principle"

To understand the fault principle, let's take a look at the ARP protocol first.

In the LAN, the IP address is converted to the second level physical address (MAC address) through the ARP protocol. ARP protocol is of great significance to network security. ARP spoofing is achieved by spoofing IP address and MAC address, which can cause a large amount of ARP traffic in the network to block the network.

The ARP protocol is an abbreviation for "Address resolution Protocol" (Addressing Resolution Protocol). In the LAN, the actual transmission of the network is "frame", inside the frame is the target host MAC address. In Ethernet, a host to communicate directly with another host, you must know the target host's MAC address. But how does this target MAC address get? It is obtained through the Address Resolution Protocol. "Address Resolution" is the process by which a host converts a target IP address to a target MAC address before sending a frame. The basic function of ARP protocol is to inquire the MAC address of target device through the IP address of target device, so as to ensure the smooth communication.

Each computer installed with the TCP/IP protocol has an ARP cache table, and the IP address in the table and the MAC address is one by one corresponding, as shown in the tables below.

Host IP Address MAC address

A 192.168.16.1 Aa-aa-aa-aa-aa-aa

B 192.168.16.2 BB-BB-BB-BB-BB-BB

C 192.168.16.3 CC-CC-CC-CC-CC-CC

D 192.168.16.4 DD-DD-DD-DD-DD-DD

We use Host A (192.168.16.1) to send data to Host B (192.168.16.2) for example. When sending data, host a looks for a destination IP address in its own ARP cache table. If found, also know the target MAC address, directly to the target MAC address written in the frame to send on it; if the corresponding IP address is not found in the ARP cache table, host A sends a broadcast on the network with the destination MAC address "FF." Ff. Ff. Ff. Ff. FF, which means that all hosts within the same network segment are asked: "What is the MAC address of the 192.168.16.2?" "Other hosts on the network do not respond to ARP inquiries, and only Host B receives this frame to respond to host a:" 192.168.16.2 's MAC address is bb-bb-bb-bb-bb-bb. " In this way, host a knows the MAC address of Host B, and it can send the message to Host B. At the same time it also updated its own ARP cache table, the next time to send a message to Host B, directly from the ARP cache to look up the list. The ARP cache table, which uses an aging mechanism, is removed for a period of time if a row in the table is not used, which can greatly reduce the length of the ARP cache table and speed up the query.

From the above, we can see that the basis of the ARP protocol is to trust all the people in the LAN, then it is easy to implement ARP spoofing on the Ethernet. To target a spoofing, a to ping host C is sent to dd-dd-dd-dd-dd-dd this address. If you cheat, you cheat C's MAC address into DD-DD-DD-DD-DD-DD, so a packet sent to C will be sent to D. This does not happen to be D can receive a send packet, sniff success.

A is not aware of the change at all, but the next thing makes a suspicious. Because A and C are not connected. d the packet received from a sent to C is not forwarded to C.

Do "Man in the middle" for ARP redirection. Turn on D's IP forwarding function, a sent over the packet, forwarded to C, like a router. However, if D sends an ICMP redirect, it interrupts the entire plan.

D directly to the entire package of modification forwarding, capture a sent to C packets, all modified and then forwarded to C, and C received the packet is fully considered to be sent from a. However, the packet sent by C is passed directly to a, if ARP spoofing against C is done again. Now D is completely the middle bridge between A and C, and the communication between A and C can be well know.

"Symptom"

When a host in the LAN running ARP spoofing trojan program, will deceive all the local area network hosts and routers, so that all the Internet traffic must go through the virus host. Other users used to go directly to the Internet through the router now to the Internet through the virus host, switching time users will break a line.