The principle of ARP spoofing is introduced with what is ARP and guarding against ARP spoofing 1th/3 Page _ Network security

What is ARP? How to prevent ARP spoofing technology?

What is ARP? How to prevent ARP spoofing technology?

First of all, what is ARP. If you enter arp-a under the Unix shell (also under 9x), your output should look like this:

Interface:xxx.xxx.xxx.xxx

Internet Address Physical Address Type

xxx.xxx.xxx.xxx 00-00-93-64-48-d2 Dynamic

xxx.xxx.xxx.xxx 00-00-b4-52-43-10 Dynamic

...... ......... ....

The first column here shows the IP address, and the second column shows the hardware address (MAC) of the network interface card corresponding to the IP address, and the third column is the corresponding type of the IP and MAC.

Visible, ARP is a kind of IP into IP corresponding to the physical address of the network of a protocol, or the ARP protocol is a kind of IP address into the MAC address of a protocol. It relies on maintaining a table stored in memory to enable IP to be answered on the network by the target machine.

Why do you want to convert IP into a mac? Simply put, this is because in the TCP network environment, where an IP packet goes, it is up to the routing table definition. However, when the IP packet arrives at the network, which machine responds to the IP packet but is identified by the MAC address contained in the IP packet. In other words, only the MAC address of the machine and the same MAC address in the IP packet will answer the IP packet. Because in the network, each host will have the time to send IP packets. So, in each host's memory, there is a arp--> Mac conversion table. Typically a dynamic conversion table (note that in routing, the ARP table can be set to static). That is, the corresponding table will be refreshed by the host when needed. This is because the Ethernet transmission on the subnet layer depends on the 48-bit MAC address.

Typically, the host searches the conversion table for the MAC address of the IP packet before sending an IP packet. If it is not found, the host sends an ARP broadcast packet that looks like this:

"I am host xxx.xxx.xxx.xxx, Mac is xxxxxxxxxxx, IP for xxx.xxx.xxx.xx1 host please tell your Mac to come"

IP-XXX.XXX.XXX.XX1 hosts respond to this broadcast, answering ARP broadcasts as:

"I'm xxx.xxx.xxx.xx1, my Mac is xxxxxxxxxx2."

The host then flushes its own ARP cache, and then emits the IP packet.

Understanding these common sense, now can talk about how to implement ARP spoofing in the network, you can look at such an example:

An intruder wants to enter a host illegally, he knows that the firewall of this host only to 192.0.0.3 (assumed) This IP open 23 (telnet), and he must use Telnet to access this host, so he wants to do this:

1, he first study 192.0.0.3 this host, found that the 95 machine using a OOB can let him die.

2, so, he sent a flood package to the 192.0.0.3 139, so the machine should be wrapped and died.

3, at this time, the host sent to the 192.0.0.3 IP packet will not be able to answer the machine, the system began to update its own ARP corresponding table. Rub the 192.0.0.3 item.

4, during this time, the intruder changed their IP to 192.0.0.3

5, he sent a ping (ICMP 0) to the host, requiring the host to update the host's ARP conversion table.

6, the host found the IP, and then in the ARP table to add a new ip-->mac corresponding relationship.

7, firewall failure, the intrusion of IP into a legitimate MAC address, you can telnet.

Current 1/3 page 123 Next read the full text