Recognize falsehoods's ARP attack defense method

ARP spoofing/attack repeated attacks, is the recent network industry generally understand the phenomenon, with the escalating ARP attacks, the different solutions in the market spread. But the author recently found that some programs, in the short term seems to be effective, in fact, the real ARP attack can not play a role, but also reduce the efficiency of the LAN.

Multi-user response said that some ARP control method is easy to operate and implement, but after the actual in-depth understanding, found that the long-term effect is not big.

For ARP attack against the system, the best way is to get down to the basic prevention work well, is the fundamental solution. Because there are many solutions in the market, we can not explain the pros and cons, so this article explains the basic idea of the ARP attack prevention system. We think that if readers can understand this basic idea, they will be able to determine what kind of control method is effective and understand why two-way binding is a more comprehensive and durable solution.

One, the not firm ARP agreement

The original ARP protocol in a general computer is like a person who is not determined and easily affected by others, ARP spoofing/attack is to use this feature, misleading the computer to make the wrong behavior. ARP attack principle, the Internet is easy to find, here no longer repeat. The original ARP protocol operation, will be attached to the LAN received broadcast packet or ARP query package, unconditional coverage of the local cache in the Arp/mac table. This trait is like a person who is not determined, listens to everyone and speaks to him, and immediately decides on the latest news.

Like a courier who has no plans, want to send a messenger to "John", only on the road to ask "John live there?" and delivered to him recently and said, "I am!" Or "John live in that room!" to decide how to deliver the same. In a place where everyone is honest, the courier's work can be effectively carried out, but if others see the courier goods valuable, want to cheat obtained, courier this way of working will bring chaos.

We'll come back to see the ARP attack and this will not be determined by the express agent relationship. The common ARP attack object has two kinds, one is the network gateway, is the router, the second is the computer on the local area network, is also the general user. Attack Network Gateway is like sending the wrong address information to the courier, so that the entire work of the courier staff chaos, all letters can not be served normally, and attack the general computer is directly and the general people falsely lied that they are courier, so that the general user to send the goods to launch the attack of the computer.

Because the general computer and the router's ARP will not be determined, so long as the malicious computer in the local area network continues to send the wrong ARP message, it will make the computer and the router to believe, make the wrong transfer network packet action. The General ARP is in this way, resulting in the network operation is not normal, to steal user passwords or damage the network operation. For ARP attacks against the system, the common method,

Can be divided into the following three approaches:

1, the use of ARP echo to send the correct ARP message: Through frequent reminders of the correct ARP table, to achieve the effectiveness of the control system.

2, the use of binding methods, fixed ARP table is not affected by external: by fixing the correct ARP table, to achieve the effect of the control system.

3, discard the ARP protocol, using other addressing protocol: do not use ARP as a transmission mechanism, and other protocols such as PPPoE transmission.

Of the above three methods, the first two methods are more common, and the third method is suitable for the application with better technical ability because of the big change. The first two methods are described below.

Second, the PK game of "ARP echo"

ARP Echo is the first developed ARP attack solution, but with the development of ARP attack, gradually lose its effect. Now, this method not only faces the attack not to have the control effect, but also can reduce the LAN operation efficiency, but many users still use this method to carry on the control. In the previous introduction of the idea of the less determined courier example, ARP echo approach, is equal to always use the telephone to remind the courier to send the correct object and address, to reduce his proximity to the various information interference.

But there are a few obvious problems with this approach: first, even when reminded, but because the courier will not be determined, there will still be some of the letters because they want to send just received the wrong information, the wrong way to send out; if the wrong information frequency is very high, such as a person always in the courier around the continuous provision of information, Even call the reminder is immediately covered, the effect is not good; second, because must always remind, and in order to ensure the effect of a good reminder, but also to increase the interval of reminders to prevent being covered, just like The courier has been busy to answer the call from Headquarters, there is no time to send letters, delayed the business; Also to designate a person to always call the courier to remind, equals to send a staff responsible, and continue to remind, this person's work is also very heavy.

A similar situation can occur with ARP echo, which corresponds to ARP attacks. First, in the face of high-frequency new ARP attacks, ARP Echo can not play a role, the line off the network will still occur. ARP Echo's way of preventing the early attack software for the purpose of stealing treasure is effective, but the attack software, which has recently been attacked as a means, is generally accepted as ineffective. Second, the ARP echo means must be on the local area network continued to issue broadcast packet, occupy LAN bandwidth, so that the ability of LAN work, the entire LAN computer and switch are always processing ARP echo broadcast packet, has not been attacked LAN began to card. Third, there must be a LAN responsible for sending ARP Echo broadcast package device, whether it is a router, server or computer, because the contract is sent in hundreds of ways to send, the device is a great burden.