What is the ARP protocol?
ARP is short for "Address Resolution Protocol". What actually travels on a LAN is the frame, and every frame carries the MAC address of the destination host. On Ethernet, a host that wants to communicate directly with another host must therefore know that host's MAC address. How does it learn it? Through the Address Resolution Protocol. "Address resolution" is the process by which a host translates the destination IP address into the destination MAC address before it sends the frame. The basic function of ARP is to look up the MAC address of a target device from its IP address so that communication can proceed.
ARP is thus responsible for mapping a 32-bit IP address on the LAN to the corresponding 48-bit physical address, the MAC address of the network card.
Every computer with TCP/IP installed keeps an ARP cache table in which IP addresses and MAC addresses correspond one to one. On Linux the local ARP cache can be viewed with the "arp -a" command. The cache is refreshed and rebuilt periodically: an entry that has not been used for a while is deleted, which keeps the table short and speeds up lookups.
What is the RARP protocol?
RARP (Reverse ARP) is the reverse of the ARP process: a host that knows only its own MAC address asks the other hosts on the network for its own IP address.
The host sends a broadcast request; every host that receives it looks up the requester's MAC address in its own ARP cache table. If it finds a matching record it returns a reply packet; if not, it ignores the request.
You can picture the two exchanges like this:
ARP ---> Host broadcasts a query: Who knows the MAC address of the host with IP 192.168.x.x that I want to contact?
Target host replies: I am the host with IP 192.168.x.x; my MAC address is xx:xx:xx:xx:xx:xx.
RARP ---> Host broadcasts a query: Who knows what my IP address is? By the way, my MAC address is xx:xx:xx:xx:xx:xx.
Target host replies: I found your MAC address in my ARP cache table; the corresponding IP address is 192.168.Y.Y.
ARP Spoofing attack
From the above we know that packet delivery on an Ethernet LAN depends on MAC addresses, that the relationship between an IP address and a MAC address is kept in the ARP table, and that every host (including the gateway) has an ARP cache table. Under normal circumstances this cache table reliably ensures one-to-one data delivery.
However, the way hosts implement the ARP cache has a weakness: when a host receives an ARP reply packet, it does not check whether it ever sent the corresponding ARP request. It simply takes the IP-to-MAC mapping contained in the reply and overwrites the corresponding entry in its ARP cache table.
Because of this, an attacker C can send host A an ARP reply containing C's MAC address and host B's IP address, so that A's ARP cache now holds the entry "host B's IP : attacker C's MAC". C then sends host B a reply containing host A's IP and C's MAC address, and B stores that in its own ARP cache. From then on every packet A sends to B goes to C's machine first, and C forwards it on to B, so C has intercepted the communication between A and B. Whether or not C forwards the packets it receives from A, delivery is disrupted, so users on the LAN suddenly lose connectivity and then recover after a while. Other symptoms are clients whose status indicator keeps turning red, users who are repeatedly disconnected, browsers (IE) that keep reporting errors, and commonly used software that malfunctions. Attackers also use the intercepted traffic to steal account passwords and transaction data, much as a Trojan would.
How do I find an ARP spoofing attack?
Once an ARP attack is under way in the LAN, it deceives every host and the gateway, so that all Internet traffic has to pass through the host the attacker controls. Users who previously reached the Internet directly through the gateway now have their traffic forwarded by the controlled host. Because of the limits of that host's performance and of the forwarding program, the forwarding is not smooth, so users experience slow browsing or even frequent disconnection. In addition, ARP spoofing requires sending ARP reply packets continuously, which causes network congestion.
If we suspect an ARP attack, we can use a packet capture tool to capture traffic. If we find a large number of ARP reply packets in the network, all mapping different IP addresses to the same MAC address, then there is an ARP spoofing attack, and that MAC address belongs to the host carrying it out. We can find its real IP address and then take the appropriate countermeasures. We can also look at the IP/MAC address table on the router or gateway switch: if one MAC address corresponds to a large number of IP addresses, that too indicates ARP spoofing. The same MAC address can then be traced to the physical switch port of the spoofing host so that it can be brought under control.
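The capture-based check described above, as an added example that is not part of the original essay: it runs over a constructed list of ARP replies, flags any MAC address that claims several different IP addresses, and (as an assumption of the kind of static binding recommended later) also flags replies that contradict a trusted gateway IP/MAC pair. All addresses are made up.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a sniffer might record them:
# (sender IP, sender MAC). All addresses are invented for the example.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # the gateway's own reply
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # another MAC claiming the gateway IP
    ("192.168.1.10", "de:ad:be:ef:00:99"),   # the same MAC claiming host .10
    ("192.168.1.11", "de:ad:be:ef:00:99"),   # ... and host .11
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
]

# Assumed static binding for the address you trust most (the gateway).
KNOWN_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def ips_per_mac(replies):
    """Group every IP address each MAC has claimed in ARP replies."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[mac].add(ip)
    return claims


def suspicious_macs(replies, threshold=2):
    """Return MACs that claim `threshold` or more different IP addresses.

    A legitimate NIC normally answers for one IP (a few, if it has
    aliases); one MAC answering for many IPs is the capture pattern the
    essay describes for an ARP-spoofed LAN.
    """
    return {mac: sorted(ips) for mac, ips in ips_per_mac(replies).items()
            if len(ips) >= threshold}


def binding_violations(replies, known=KNOWN_BINDINGS):
    """Return (ip, mac) replies that contradict a trusted IP/MAC binding."""
    return [(ip, mac) for ip, mac in replies
            if ip in known and known[ip] != mac]


if __name__ == "__main__":
    for mac, ips in suspicious_macs(SAMPLE_ARP_REPLIES).items():
        print(f"MAC {mac} claims {len(ips)} IPs: {', '.join(ips)}")
    for ip, mac in binding_violations(SAMPLE_ARP_REPLIES):
        print(f"reply for {ip} from {mac}, expected {KNOWN_BINDINGS[ip]}")
```

On a real capture, feed the sender IP/MAC pairs of ARP reply packets (opcode 2) into the same functions; a MAC that appears only once per IP is normal, while a MAC that answers for the gateway and several hosts at once is the spoofing host to trace on the switch.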
How to prevent?
Bind IP addresses to their real MAC addresses, broadcast the real IP/MAC information periodically, and put a firewall in place to block ARP spoofing attacks.
"Essays" Arp and RARP