Principles and dangers of ARP spoofing in Internet cafes

Internet cafes are the most common local area networks. I believe many readers have been surfing the Internet. However, Have you ever experienced a situation where others can access the Internet while they are not able to access any page or network information? Although there are many situations that cause this phenomenon, ARP spoofing is currently the most common, many hacking tools and even viruses use ARP spoofing to attack the host and prevent the host from accessing any network information. Today, I will introduce the principles and dangers of ARP spoofing, let's have a clear understanding of this attack method.

I. What is ARP?

ARP is the abbreviation of Address Resolution Protocol. In the LAN, the actual transmission is frame, and the frame contains the MAC address of the target host. In Ethernet, to directly communicate with another host, you must know the MAC address of the target host. But how can I obtain the target MAC address? It is obtained through the Address Resolution Protocol. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication. So in a sense, ARP works at a protocol layer lower than the IP protocol. This is also why ARP spoofing can cause network faults without any knowledge, and its harm is more concealed.

Ii. Principles of ARP spoofing:

First of all, we can be certain that the ARP spoofing packet is automatically sent through a vicious program. Normally, the TCP/IP network will not send such an error packet, manual transmission is troublesome. That is to say, when a hacker does not run this vicious program, the network communication should be normal, and the ARP cache table retained on each connected computer should also be correct, some computers may encounter network access problems only when the program starts to send incorrect ARP messages and ARP spoofing packets. Next we will discuss the principles of ARP spoofing.

Step 1: Assume that A Hub or vswitch is connected to three machines in A network, which are computers A, B, and C in sequence.

A address: IP: 192.168.1.1 MAC: AA-AA-AA-AA-AA-AA B address: IP: 192.168.1.2 MAC: BB-BB-BB-BB-BB-BB C Address: IP: 192.168.1.3 MAC: CC-CC-CC-CC-CC-CC

Step 2: normally run ARP-A on computer A to query the ARP cache table. The following information should appear.

Interface: 192.168.1.1 on Interface 0x1000003 Internet Address Physical Address Type 192.168.1.3 CC-CC-CC-CC-CC-CC dynamic

Step 3: run the ARP spoofing program on computer B to send the ARP spoofing packet.

B sends A self-built ARP response to A, and the data in the response is that the sender's IP address is 192.168.10.3 (C's IP address ), the MAC address is a DD-DD-DD-DD-DD-DD (the MAC address of C should have been a CC-CC-CC-CC-CC-CC, Which is forged here ). When A receives A spoofing ARP response from B, it updates the local ARP cache (A does not know it is forged ). And A does not know is actually sent from B, A here only 192.168.10.3 (C IP address) and invalid DD-DD-DD-DD-DD-DD mac address.

Step 4: After spoofing is completed, run ARP-A on computer A to query ARP cache information. You will find that the original correct information has already encountered an error.

Interface: 192.168.1.1 on Interface 0x1000003 Internet Address Physical Address Type 192.168.1.3 DD-DD-DD-DD-DD-DD dynamic

From the above introduction, we can clearly understand that the packet transmitted in the original network is based on the MAC address information, that is, although our daily communication is through the IP address, however, you still need to use ARP to convert the IP address to the MAC address. In the preceding example, the MAC address of computer C on computer A is already incorrect, so even if you access computer C from computer A later, the address 192.168.1.3 will be parsed into a mac address as A DD-DD-DD-DD-DD-DD by ARP errors.

The problem will also increase as ARP spoofing packets target the gateway. When a machine in the LAN repeatedly sends such invalid and fake ARP response packets to other machines, especially the gateway, serious network congestion begins. Because the gateway MAC address is incorrect, the data sent from the computer in the network cannot be normally sent to the gateway, and the Internet access is naturally unavailable. This causes the inability to access the Internet. In addition, because the gateway still controls the LAN to access the Internet, the access to the LAN also becomes faulty.

Iii. hazards of ARP spoofing:

As mentioned above, ARP spoofing can cause internal network confusion, so that some spoofed computers cannot normally access the Intranet and Internet, and the gateway cannot communicate with the client normally. In fact, the harm is not just that. Generally, IP address conflicts can be avoided through multiple methods and means, while ARP works at a lower layer, with higher concealment. The system does not determine whether the ARP cache is correct or not, and cannot give a prompt like an IP address conflict. In addition, many hacker tools, such as network scissors, can send ARP spoofing packets and ARP recovery packets at any time, in this way, you can control the Internet access of any computer in the network by sending ARP packets on a general computer, or even directly attack the gateway, make all computers connected to the network unable to access the Internet normally. This was previously impossible, because ordinary computers do not have the management permission to control the gateway, but now it is possible, so the harm of ARP spoofing is huge and very difficult to deal, illegal users and malicious users can send ARP spoofing and recovery data packets at any time, which increases the difficulty for network administrators to find the real culprit. Is there no way to prevent ARP spoofing? In the next article, I will explain these content, so that we can say goodbye to ARP spoofing.