The principle of ARP attack and its solving method

　　Cause of failure

The local area network person uses ARP to cheat the Trojan program (for example: legendary pilfer number's software, some legends plug-in also was maliciously loaded this program).

　　Fault principle

To understand the fault principle, let's take a look at the ARP protocol first.

In the LAN, the IP address is converted to the second level physical address (MAC address) through the ARP protocol. ARP protocol is of great significance to network security. ARP spoofing is achieved by spoofing IP address and MAC address, which can cause a large amount of ARP traffic in the network to block the network.

The ARP protocol is an abbreviation for "Address resolution Protocol" (Addressing Resolution Protocol). In the LAN, the actual transmission of the network is "frame", inside the frame is the target host MAC address. In Ethernet, a host to communicate directly with another host, you must know the target host's MAC address. But how does this target MAC address get? It is obtained through the Address Resolution Protocol. "Address Resolution" is the process by which a host converts a target IP address to a target MAC address before sending a frame. The basic function of ARP protocol is to inquire the MAC address of target device through the IP address of target device, so as to ensure the smooth communication.

Each computer installed with the TCP/IP protocol has an ARP cache table, and the IP address in the table and the MAC address is one by one corresponding, as shown in the tables below.

Host IP Address MAC address

A 192.168.16.1 Aa-aa-aa-aa-aa-aa

B 192.168.16.2 BB-BB-BB-BB-BB-BB

C 192.168.16.3 CC-CC-CC-CC-CC-CC

D 192.168.16.4 DD-DD-DD-DD-DD-DD

We use Host A (192.168.16.1) to send data to Host B (192.168.16.2) for example. When sending data, host a looks for a destination IP address in its own ARP cache table. If found, also know the target MAC address, directly to the target MAC address written in the frame to send on it; if the corresponding IP address is not found in the ARP cache table, host A sends a broadcast on the network with the destination MAC address "FF." Ff. Ff. Ff. Ff. FF, which means that all hosts within the same network segment are asked: "What is the MAC address of the 192.168.16.2?" "Other hosts on the network do not respond to ARP inquiries, and only Host B receives this frame to respond to host a:" 192.168.16.2 's MAC address is bb-bb-bb-bb-bb-bb. " In this way, host a knows the MAC address of Host B, and it can send the message to Host B. At the same time it also updated its own ARP cache table, the next time to send a message to Host B, directly from the ARP cache to look up the list. The ARP cache table, which uses an aging mechanism, is removed for a period of time if a row in the table is not used, which can greatly reduce the length of the ARP cache table and speed up the query.

From the above, we can see that the basis of the ARP protocol is to trust all the people in the LAN, then it is easy to implement ARP spoofing on the Ethernet. To target a spoofing, a to ping host C is sent to dd-dd-dd-dd-dd-dd this address. If you cheat, you cheat C's MAC address into DD-DD-DD-DD-DD-DD, so a packet sent to C will be sent to D. This does not happen to be D can receive a send packet, sniff success.

A is not aware of the change at all, but the next thing makes a suspicious. Because A and C are not connected. d the packet received from a sent to C is not forwarded to C.

Do "Man in the middle" for ARP redirection. Turn on D's IP forwarding function, a sent over the packet, forwarded to C, like a router. However, if D sends an ICMP redirect, it interrupts the entire plan.

D directly to the entire package of modification forwarding, capture a sent to C packets, all modified and then forwarded to C, and C received the packet is fully considered to be sent from a. However, the packet sent by C is passed directly to a, if ARP spoofing against C is done again. Now D is completely the middle bridge between A and C, and the communication between A and C can be well know.

　　Failure phenomenon

When a host in the LAN running ARP spoofing trojan program, will deceive all the local area network hosts and routers, so that all the Internet traffic must go through the virus host. Other users used to go directly to the Internet through the router now to the Internet through the virus host, switching time users will break a line.

Switch to the virus host after the Internet, if the user has logged the legendary server, then the virus host will often forge the false line, then the user will have to login legendary server, so that the virus host can be stolen.

Due to ARP spoofing Trojan program occurs when a large number of packets caused by the LAN traffic congestion and its own processing capacity restrictions, users will feel the speed of the Internet more and more slowly. When ARP cheat trojan program stops running, the user will restore the Internet from the router, the user will break the line again during the handover.

　　HiPER users quickly find ARP spoofing trojan

A large amount of the following information is seen in the system history of the router (this hint is available in the router software version after 440):

MAC chged 10.128.103.124

MAC Old 00:01:6c:36:d1:7f

MAC New 00:05:5d:60:c7:18

This message represents the user's MAC address has changed, in the ARP spoofing Trojan began to run, the LAN all host MAC address update to the virus host MAC address (that is, all information Mac new address is consistent with the virus host MAC address), while in the router "user statistics" You can see all the user's MAC address information in the same way.

If it is in the router's "system history" to see a large number of Mac old address is consistent, it is indicated that the LAN has been ARP spoofing (ARP spoofing trojan program stop running, the host in the router to restore its real MAC address).

　　Locating a virus host within a local area network

We already know the MAC address of the host using ARP spoofing Trojan, so we can use the Nbtscan tool to find it quickly.

Nbtscan can take the real IP address and MAC address of the PC, if there is "legendary Trojan" in doing strange, can find the PC with Trojan IP and MAC address.

Command: "Nbtscan-r 192.168.16.0/24" (Search the entire 192.168.16.0/24 network segment, that is, 192.168.16.1-192.168.16.254) or "Nbtscan 192.168.16.25-137" Search 192.168.16.25-137 network segment, that is, 192.168.16.25-192.168.16.137. Output The first column is the IP address, and the last column is the MAC address.

　　Examples of the use of Nbtscan:

Suppose you look for a virus host that has a MAC address of "000d870d585f."

1 Extract the Nbtscan.exe and cygwin1.dll from the compressed package and put it under c:/.

2 in Windows Start-run-open, input cmd (windows98 input "command"), in the presence of the DOS window input: C:/nbtscan-r 192.168.16.1/24 (here needs to be based on the user's actual network segment input), enter.

C:/Documents and Settings/alan>c:/nbtscan-r 192.168.16.1/24

Warning:-r option not supported under Windows. Running without it.

Doing NBT name scan for addresses from 192.168.16.1/24

IP address NetBIOS Name Server User MAC Address

------------------------------------------------------------------------------

192.168.16.0 Sendto Failed:cannot Assign requested address

192.168.16.50 SERVER <server> <unknown> 00-e0-4c-4d-96-c6

192.168.16.111 LLF <server> ADMINISTRATOR 00-22-55-66-77-88

192.168.16.121 utt-hiper <server> <unknown> 00-0d-87-26-7d-78

192.168.16.175 JC <server> <unknown> 00-07-95-e0-7c-d7

192.168.16.223 test123 <server> test123 00-0d-87-0d-58-5f

3 through the query Ip--mac corresponding table, detect the "000d870d585f" Virus host IP address is "192.168.16.223".

　　Solving ideas

1, do not put your network security trust relationship based on the IP or on the basis of the Mac (Rarp also have the problem of deception), the ideal relationship should be based on Ip+mac.

2, set the static mac-->ip corresponding table, do not let the host refresh you set the conversion table.

3, unless it is necessary, otherwise stop using ARP, the ARP as a permanent entry to save in the corresponding table.

4, use the ARP server. The server finds its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure the ARP server is not hacked.

5, the use of "proxy" proxy IP transmission.

6, the use of hardware shielding host. Set your route and make sure the IP address is reachable to the right path. (statically configured to route ARP entries), note that using a swap hub and a network bridge cannot prevent ARP spoofing.

7, the administrator periodically in response to the IP packet to obtain a RARP request, and then check the authenticity of the ARP response.

8. The administrator periodically polls to check the ARP cache on the host.

9, the use of continuous firewall monitoring network. Note that the use of SNMP in the case of ARP spoofing may cause the trap packet to be lost.

　　HiPER Solutions for users

It is recommended that users use a two-way binding approach to resolve and prevent ARP spoofing.

1. Bind the IP and MAC address of the router on the PC:

1 First, obtain the router's intranet MAC address (for example HiPER gateway address 192.168.16.254 MAC address for 0022aa0022aa

2) The preparation of a batch document Rarp.bat reads as follows:

@echo off

Arp-d

Arp-s 192.168.16.254 00-22-aa-00-22-aa

Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address.

Drag the batch software to the windows--start-Program-start.

3 If it is an Internet café, you can use the Billing Software server program (Pubwin or Vientiane can) send batch files Rarp.bat to all client's startup directory. The default startup directory for Windows2000 is "C:/Documents and Settings/all users" start "menu program start.

2, in the router binding user host IP and MAC address (440 after the router software version support):

In the HiPER management interface--Advanced configuration--user management binds each host in the LAN.