Before talking about ARP, we still need to understand the concept and working principle of ARP, and understand the principle knowledge, so as to better face, analyze and deal with problems.
1. 1 ARP concept knowledge
ARP, the full name of Address Resolution Protocol, is called Address Resolution Protocol in Chinese. It works in the data link layer, contacts the hardware interface of this layer, and provides services for the upper layer.
IP packets are usually sent over Ethernet. Ethernet devices do not recognize 32-bit IP addresses, but use 48-bit Ethernet addresses to transmit Ethernet packets. Therefore, the IP destination address must be converted into an Ethernet destination address. In Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how did you get this target MAC address? It is obtained through the address resolution protocol. ARP protocol is used to resolve IP addresses in the network into hardware addresses (MAC addresses) to ensure smooth communication.
The working principle of 1.2 ARP
First, each host will establish an ARP table in its own ARP buffer to represent the corresponding relationship between ip address and MAC address. When the source host needs to send a data packet to the destination host, it will first check whether there is a MAC address corresponding to the IP address in its ARP table, and if there is, it will directly send the data packet to this MAC address; If not, send an ARP request broadcast packet to the local network segment to query the MAC address corresponding to the destination host. This ARP request packet includes the IP address of the source host, the hardware address and the IP address of the destination host. After receiving this ARP request, all hosts in the network will check whether the destination IP in the packet is consistent with their own IP address. If not, the packet is ignored; If they are the same, the host first adds the MAC address and IP address of the sender to its ARP list. If the IP information already exists in the ARP list, it will be overwritten, and then an ARP response packet will be sent to the source host, telling the other party that this is the MAC address it needs to find. After receiving this ARP response packet, the source host will add the IP address and MAC address of the destination host to its own ARP list, and use this information to start data transmission. If the source host did not receive the ARP response packet, the ARP query failed.
For example:
The address of a is: IP:192.168./kloc-0.1MAC: aa-aa-aa.
The address of B is: IP:192.168.10.2mac: bb-bb-bb.
According to the principle mentioned above, let's briefly explain this process: A needs to know B's Ethernet address to communicate with B, so A sends an ARP request broadcast (who is192.168.10.2, please tell192.1. The result is consistent with my own, and then I sent an ARP unicast reply to A (192.168.10.2 in bb-bb).
1.3 ARP communication mode
Pattern analysis: In network analysis, the analysis of communication patterns is very important. Different protocols and different applications will have different communication modes. Sometimes, the same protocol will have different communication modes in different enterprise applications. The normal communication mode of ARP should be: Request->; Reply-> Request-> Answer, that is, you have to ask and answer.
2. Common types of ARP attacks
Personally, I think there are two common ARP attacks: ARP scanning and ARP spoofing.
2. 1 ARP scanning (ARP request storm)
Communication mode (possible):
Request-> Request-> Request-> Request-> Request-> Request-> Reply-> Request-> Request-> request ...
Description:
A large number of ARP request broadcast packets appear in the network, and almost all hosts in the network segment are scanned. A large number of ARP request broadcasts may occupy network bandwidth resources; ARP scanning is generally a prelude to ARP attacks.
Reason (possible):
* Virus programs, listeners and scanners.
* If the network analysis software is deployed correctly, it may be that we only mirror some ports on the switch, so a large number of ARP requests are sent by other hosts connected with non-mirror ports.
* If the deployment is incorrect, these ARP request broadcast packets come from other hosts connected to the switch.
2.2 ARP deception
The ARP protocol does not just send an ARP request before receiving an ARP reply. When the computer receives the ARP reply packet, it will update the local ARP cache and store the IP and MAC addresses in the reply in the ARP cache. So in the network, if someone sends a fake ARP reply, the network may have a problem. This may not be considered by the protocol designer at first!
2.2. 1 deception principle
Suppose that in a network environment, there are three hosts in the network, namely hosts A, B and C. Details of the host are described as follows:
The address of a is: IP:192.168./kloc-0.1MAC: aa-aa-aa.
The address of B is: IP:192.168.10.2mac: bb-bb-bb.
The address of c is: IP:192.168.10.3mac: cc-cc-cc-cc.
Under normal circumstances, there is communication between A and C, but at this time B sent its own forged ARP reply to A. The data in this reply is that the IP address of the sender is192.168.10.3 (IP address of C), and the MAC address is bb-bb-bb-bb (C). When A receives B's forged ARP reply, it will update the local ARP cache (A is cheated), then B will impersonate C, and B will also send an ARP reply to C. In the reply packet, the sender's IP address 4 is192.168.10.1(A's IP address. This is a typical ARP spoofing process.
Note: Generally speaking, the party cheating by ARP should be the gateway.
2.2.2 Two situations
There are two kinds of ARP spoofing: one is to trick the host as a "middleman", and all the data of the deceived host pass through it once, so that the deceived host can steal the communication data between the deceived hosts; The other is to let the deceived host directly disconnect the network.
The first type: stealing data (sniffing)
Communication mode:
Reply-> Reply-> Reply-> Reply-> Reply-> Request-> Reply-> Reply-> Request-> answer ...
Description:
This situation belongs to the typical ARP spoofing we mentioned above. The spoofing host sends a large number of forged ARP reply packets to the spoofed host for spoofing. When the two parties to the communication were deceived successfully, they acted as "middlemen". At this point, the deceived host can still communicate normally, but it is "eavesdropped" by the liar during the communication.
Reason (possible):
:: Trojan virus
* Sniffing
* artificial deception
The second type: lead to network disconnection.
Communication mode:
Reply-> Reply-> Reply-> Reply-> Reply-> Reply-> request ...
Description:
In this case, in the process of ARP deception, the deceived person only deceived one of them, for example, B deceived A, but at the same time B did not deceive C, so A was essentially communicating with B, so A could not communicate with C. Another case may be that the deceived person forged a nonexistent address to cheat.
It is more difficult to investigate the fraud of forging addresses. Here, it is best to borrow TAP equipment (hehe, this thing seems a bit expensive) to capture one-way data flow for analysis!
Reason (possible):
:: Trojan virus
* Man-made destruction
* Control functions of some network management software
3. Common protection methods
At present, the most common problems in ARP attack protection are binding IP and MAC, using ARP protection software, and routers with ARP protection function. Hehe, let's learn these three methods.
3. 1 static binding
The most common method is to do static binding between IP and MAC. In the network, both hosts and gateways are bound by IP and MAC.
Deception is to deceive the intranet machine through the dynamic real-time rules of ARP, so we can solve the deception of intranet PC by setting ARP to be completely static, and also bind IP and MAC statically at the gateway, so that the two-way binding is safer.
Method:
Static binding of IP and MAC addresses of each host.
Through the command, arp -s can realize "arp -s IP MAC address".
For example: "ARP–s192.168.10.1aa-aa".
If the setting is successful, you can view the relevant tips by executing arp -a on the PC:
Internet address physical address type
192.168.10.1aa-aa-aa-aastatic (static)
Generally not binding, in the case of dynamic:
Internet address physical address type
192.168.10.1aa-aa-aa-aadynamic (dynamic)
Note: There are many hosts in the network, 500 hosts, 1000 hosts ... If each host is statically bound like this, the workload is very heavy. . . . This static binding must be rebound every time the computer restarts. Although it can also be a batch file, it is still troublesome!
3.2 using ARP protection software
At present, there are many ARP protection software, and the commonly used ARP tools mainly include Xinxiang ARP tool and Antiarp. In addition to detecting the ARP attack itself, the working principle of protection is to broadcast correct ARP information to the network at a certain frequency. Let me briefly talk about these two gadgets.
Welcome to the ARP tool.
I used this tool, which has five functions:
A.IP/MAC list
Select the network card. If it is a single network card, no setting is required. If there are multiple network cards, you need to set the network cards to connect to the intranet.
IP/MAC scanning. The IP and MAC addresses of all machines in the current network will be scanned here. Please scan when the intranet is running normally, because this table will be used as a reference for ARP later.
The following functions require the support of this table. If you are prompted that IP or MAC cannot be obtained, there is no corresponding data in the table here.
B.ARP spoofing detection
This function will always detect whether there is a PC imitating the IP in the form in the intranet. You can set the main IP to the detection table, such as the IP of routers, movie servers and other machines that need intranet access.
(Supplementary) How to Understand the "ARP Deception Record" Table;
"Time": the time when the problem was discovered;
"sender": IP or MAC sends fraudulent information;
"Duplicate": the number of times fraudulent information is sent;
"ARP info" refers to the specific content of sending fraudulent information, such as the following example:
The time sender repeats the ARP message 22: 22: 22192.168.1.221433192.168./.
This message means that at 22:22:22, the cheating message sent by192.168.1.22 was detected and has been sent 1433 times. The content of the cheating message he sent was: 192.6438+068.
Turn on the detection function, and if there is fraud against the IP in the table, a prompt will appear. You can follow the prompts to find the root of ARP deception in the intranet. By the way, any machine can impersonate other machines to send IP and MAC, so even if it is suggested that an IP or MAC is sending fraudulent information, it may not be 100% accurate. So please do not use violence to solve some problems.
C. Active maintenance
This function can directly solve the dropping problem of ARP spoofing, but it is not an ideal method. His principle is to constantly broadcast the correct MAC address of IP in the network.
In the Set Maintenance Object table, set the IP to be protected. Packet sending frequency refers to how many correct packets are sent to all machines in the network every second. It is strongly recommended to broadcast IP as little as possible and as little as possible. Generally, it can be set to 1 time. If ARP spoofing occurs without IP binding, it can be set to 50- 100 times. If there are still dropped calls, you can set it higher, which can quickly solve the problem of ARP spoofing. But to really solve the ARP problem, please refer to the above binding method.
D. welcome to the router log
Collect system logs of Xinxiang router and other functions.
E. grab the bag
Similar to network analysis software, the saving format is. capital
3.2. 1 anti-armor
The interface of this software is relatively simple. Here is how to use it.
A fill in the IP address of the gateway, and then click [Get Gateway Address] to display the MAC address of the gateway. Click [Auto-Protect] to protect the communication between the current network card and the gateway from being monitored by a third party. Note: If the ARP spoofing prompt appears, it means that the attacker sent ARP spoofing packets to get the packets of the network card. If you want to trace the source of the attack, please remember the attacker's MAC address and use the MAC address scanner to find out the MAC address corresponding to the IP.
B.IP address conflict
If IP address conflicts occur frequently, it means that attackers will send ARP spoofing packets frequently, and then a warning of IP conflicts will appear. Anti-ARP sniffer can prevent this attack.
C. You need to know the conflicting MAC addresses, and Windows will record these errors. The specific methods of inspection are as follows:
Right-click [My Computer]-[Management]-click [Event Viewer]-click [System]-view the source as [tcpip]-double-click the event to view the address conflict and record the MAC address. Please copy the MAC address and fill it in the local MAC address input box of Anti ARP Sniffer (please note the conversion: to-), after the input is completed. In order to make the MAC address valid, please disable the local network card and then enable the network card. Enter Ipconfig /all at CMD command line to see if the current MAC address matches the MAC address in the local MAC address input box. If the change fails, please contact me. If successful, the address conflict will not be displayed again.
Note: If you want to restore the default MAC address, click [Restore Default]. In order to make the MAC address valid, please disable the local network card and then enable the network card.
3.3 Router with ARP protection function
This kind of router is rarely heard of before. For the ARP protection function mentioned in this kind of router, its principle is to send its own correct ARP information at regular intervals. But this function of the router can't solve the real attack.
The most common feature of ARP is disconnection. Under normal circumstances, normal Internet access can be restored without treatment for a certain period of time, because ARP spoofing has aging time, and it will automatically return to normal after aging time. At present, most routers will broadcast their correct ARP information in a short time, so that the deceived host can return to normal. However, if there is aggressive ARP spoofing (in fact, there are a lot of spoofing ARP in a short time, and there are hundreds of ARP spoofing packets in 1 second), it keeps sending ARP spoofing packets to prevent intranet machines from surfing the Internet, even if the router keeps broadcasting the correct packets, it will be flooded with a lot of error messages.
Maybe you have a question: Can we also send more and faster ARP messages than cheaters? If the attacker sends 1000 ARP spoofing packets per second, then we will send 1500 correct ARP packets per second!
Faced with the above problems, let's think about it carefully. If the network topology is very large, there are many network devices and hosts connected to the network, and a large number of devices handle these broadcast information, then the network will be very uncomfortable to use and will affect our work and study. ARP broadcast will cause waste and occupation of network resources. If there is something wrong with the network, we will analyze the packet, and many such ARP broadcast packets will appear in the data packet, which will also have a certain impact on the analysis.