Use traffic monitoring to locate ARP Spoofing

【ITExpert Network exclusive] The author is also the network administrator of a school. Recently, the Network in a school building suddenly experienced intermittent disconnection, which seriously affected normal teaching and the situation was critical, you need to solve it now!

As an author, I started my investigation immediately. According to the teachers, when the Internet is connected, sometimes the webpage is very slow, sometimes there is no dynamic movement, and the webpage cannot be opened. However, the network is normal during off-duty hours, such as noon and evening breaks. Judging from this situation, the possibility of network hardware faults is minimal. No exceptions are found after inspection, and physical errors are eliminated. It seems to be a software problem. The first reaction in my mind is the popular ARP attack.

The Chinese name of ARP is "Address Resolution Protocol", which is used to resolve IP addresses in the network to hardware addresses (MAC addresses) to ensure smooth communication. When a computer receives an ARP response packet, it updates the local ARP cache and stores the IP and MAC addresses in the response in the ARP cache. Therefore, if someone sends a self-built ARP response in the network, the network may be faulty. This is ARP spoofing. A common feature of ARP spoofing is that the host is frequently disconnected.

This is very similar to our network symptoms, but ARP attacks need to find its source, the general method is difficult to find, the need to perform packet capture analysis on the switch, then we found Iris Network Traffic Analyzer (Iris ). This network traffic analysis and monitoring tool helps system administrators easily capture and view User usage, Detect incoming and outgoing information flows, and automatically store and collect statistics. The icon of this software looks like an eye. It seems that the "Eye of Fire" has been found. Now, how can we make good use of it!

Because the switch of the teaching building is a non-Network-tube switch, I had to hold my laptop in the network equipment room and "squat ". Connect your laptop to the vswitch port and enable Iris. The page displays (1 ).

As we are still familiar with the typical Windows software style, click the start capture button, Iris starts to work, capture packets. Iris can analyze the captured data packets and click the data packets at a certain time point to view the resolution content in the quick analysis window. In the Statistics window, we can browse the real-time data Statistics graph, for Protocol (network Protocol), Top Hosts (highest traffic host), Size Distribution (packet Size classification) and Bandwidth (Bandwidth.

Soon, the "murderer" will appear! There are a large number of ARP packets in the Iris capture window, And the ARP packets shown in the Protocol (network Protocol) chart are constantly increasing (2 )! The network traffic has increased several times!

To facilitate analysis, use the Filters feature of Iris to filter out ARP and Reverse ARP data. Finally, I found the real culprit of ARP spoofing. In the capture window (3), we can see that all ARP packet sources come from the MAC address 00: 0A: E6: 98: 84: computer 87, finally got the evidence! That is to say, the computer that finds this MAC address can eliminate the root cause!

The next work is simple, take out the usual recording of the "MAC-IP-computer name" corresponding table, find the really fierce computer, its network disconnection, system reinstall, virus scanning and other operations, after confirming the security, connect to the Internet. The Network has restored the former silence, and the normal teaching order of the school has been guaranteed.

It seems that using network analysis software to solve network faults can often achieve twice the result with half the effort. I hope this case will help administrators solve similar faults.