Methods to solve ARP attacks
【Cause of failure】
Some people use ARP to cheat * programs on the LAN (for example, the software for legendary account robberies, and this program is also maliciously loaded in some legendary plug-ins).
【Fault principle】
To understand the principle of failure, let’s first understand the ARP protocol.
In a local area network, the conversion of IP addresses to the second layer physical address (i.e., MAC addresses) is completed through the ARP protocol. The ARP protocol is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, and a large amount of ARP traffic can be generated in the network to block the network.
The ARP protocol is the abbreviation of "Address Resolution Protocol". In a local area network, the actual transmission of "frames" in the network, and the frame contains the MAC address of the target host. In Ethernet, if one host wants to communicate directly with another host, it must know the MAC address of the target host. But how is this target MAC address obtained? It is obtained through the address resolution protocol. The so-called "address resolution" is the process by which the host converts the target IP address into the target MAC address before sending a frame. The basic function of the ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth progress of communication.
Each computer with TCP/IP protocol installed has an ARP cache table, and the IP addresses and MAC addresses in the table correspond one by one, as shown in the following table.
Host IP address MAC address
A 192.168.16.1 aa-aa-aa-aa-aa-aa
B 192.168.16.2 bb-bb-bb-bb-bb-bb
C 192.168.16.3 cc-cc-cc-cc-cc-cc
D 192.168.16.4 dd-dd-dd-dd-dd-dd
Let’s take host A (192.168.16.1) to send data to host B (192.168.16.2) as an example. When sending data, host A will look for the destination IP address in its ARP cache table. If it is found, you will know the target MAC address and just write the target MAC address into the frame to send it; if the corresponding IP address is not found in the ARP cache table, Host A will send a broadcast on the network, and the target MAC address is "", which means that you will send such an inquiry to all hosts in the same network segment: "What is the MAC address of 192.168.16.2?" Other hosts on the network do not respond to ARP questions. Only when Host B receives this frame will it respond to Host A: "The MAC address of 192.168.16.2 is bb-bb-bb-bb-bb-bb-bb". In this way, host A knows the MAC address of host B, and it can send information to host B. At the same time, it also updated its ARP cache table. Next time it sends information to host B, it can search directly from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up the query speed.
From the above, we can see that the basis of the ARP protocol is to trust everyone in the LAN, so it is easy to achieve ARP spoofing on Ethernet. Spoofing target A, A goes to Ping host C but sends it to the address DD-DD-DD-DD-DD-DD-DD-DD-DD-DD. If you cheat C's MAC address is defrauded as DD-DD-DD-DD-DD-DD-DD-DD-DD, and then all the data packets sent by A to C become sent to D. Isn't this just that D can receive the data packet sent by A? The sniffing is successful.
A was not aware of this change at all, but what happened next made A doubt. Because A and C can no longer be connected. D may not be transferred to C for the packet sent by A to C.
Do "man in the middle” and perform ARP redirection. Turn on D's IP forwarding function, and forward the data packets sent by A to C, just like a router. However, if D sends ICMP redirection, the entire plan will be interrupted.
D directly forwards the entire packet, captures the data packets sent by A to C, and then forwards them to C after modifying them. The data packets received by C are completely considered to be sent from A. However, the data packet sent by C is directly passed to A, if ARP spoofing is performed again. Now D has become a completely intermediate bridge between A and C, and you can understand the communication between A and C.
【Fault phenomenon】
When a host in the LAN runs ARP spoofed * program, it will deceive all hosts and routers in the LAN, so that all Internet traffic must pass through the virus host. Other users used to go online directly through the router and now they are transferred to the Internet through the virus host. When switching, users will be disconnected once.
After switching to the virus host to surf the Internet, if the user has logged into the legend server, the virus host will often forge the false image of disconnection, and the user has to log in to the legend server again, so that the virus host can steal the account.
Since ARP spoofing * programs will send a large number of data packets when they occur, resulting in congestion in LAN communication and limitations in their own processing capabilities, users will feel that the Internet speed is getting slower and slower. When the ARP spoofed * program stops running, the user will resume surfing the Internet from the router, and the user will disconnect the line again during the switching process.
[HiPER users quickly discover ARP spoofing *s]
I see a lot of the following information in the router's "System History" (this prompt is only available in router software versions after 440):
MAC Chged 10.128.103.124
MAC Old 00:01:6c:36:d1:7f
MAC New 00:05:5d:60:c7:18
This message represents that the user's MAC address has changed. When the ARP spoofing * starts running, the MAC addresses of all hosts in the LAN are updated to the MAC address of the virus host (that is, the MAC New address of all information is the MAC address of the virus host). At the same time, the MAC address information of all users is seen in the router's "User Statistics" and the MAC address information of all users is the same.
If you see a large number of MAC Old addresses in the router's "System History" are the same, it means that ARP spoofing has occurred in the LAN (when the ARP spoofing * program stops running, the host restores its real MAC address on the router).
【Find virus hosts in LAN】
We already know the MAC address of the host that uses ARP to spoof *s, so we can use NBTSCAN (download address:https:///softs/) tool to find it quickly.
NBTSCAN can obtain the real IP address and MAC address of the PC. If there is a "legendary *" that is making a monster, you can find the IP/ and MAC addresses of the PC with the *.
Command: "nbtscan -r 192.168.16.0/24" (Search for the entire 192.168.16.0/24 network segment, i.e.
192.168.16.1-192.168.16.254); or "nbtscan 192.168.16.25-137" search 192.168.16.25-137 network segment, that is, 192.168.16.25-192.168.16.137. The first column of the output is the IP address and the last column is the MAC address.
Examples of use of NBTSCAN:
Suppose you look for a virus host with the MAC address "000d870d585f".
1) Scale the and decompression in the compressed package to c:.
2) Start Windows - Run - Open, enter cmd (enter "command" in windows98), and enter: C:
btscan -r 192.168.16.1/24 (here you need to enter it according to the actual network segment of the user), enter.
C:Documents and SettingsALAN>C:
btscan -r 192.168.16.1/24
Warning: -r option not supported under Windows. Running without it.
Doing NBT name scan for addresses from 192.168.16.1/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.16.0 Sendto failed: Cannot assign requested address
192.168.16.50 SERVER 00-e0-4c-4d-96-c6
192.168.16.111 LLF ADMINISTRATOR 00-22-55-66-77-88
192.168.16.121 UTT-HIPER 00-0d-87-26-7d-78
192.168.16.175 JC 00-07-95-e0-7c-d7
192.168.16.223 test123 test123 00-0d-87-0d-58-5f
3) By querying the IP-MAC correspondence table, find out that the IP address of the virus host of "000d870d585f" is "192.168.16.223".
【Solution idea】
1. Don’t build your network security trust relationship on IP or MAC (rarp also has the problem of deception), and ideal relationships should be based on IP+MAC.
2. Set the static MAC-->IP corresponding table, and do not let the host refresh the conversion table you set.
3. Unless it is very necessary, stop using ARP and save ARP as a permanent entry in the corresponding table.
4. Use an ARP server. Search for its own ARP conversion table through this server to respond to ARP broadcasts of other machines. Make sure this ARP server is not hacked.
5. Use "proxy"" to proxy the transmission of IP.
6. Use hardware to block the host. Set up your route to ensure that the IP address can reach the legal path. (Static configuration routing ARP entry), note that using switch hubs and bridges cannot prevent ARP spoofing.
7. The administrator regularly obtains a rarp request from the response IP packet, and then checks the authenticity of the ARP response.
8. The administrator regularly polls to check the ARP cache on the host.
9. Use a firewall to continuously monitor the network. Note that when using SNMP, ARP spoofing may lead to the loss of trap packets.
【HiPER user's solution】
It is recommended that users use two-way binding methods to solve the problem and prevent ARP spoofing.
1. Bind the router's IP and MAC address on the PC:
1) First, obtain the MAC address of the router's intranet (for example, the MAC address of HiPER gateway address 192.168.16.254 is 0022aa0022aa LAN port MAC address >).
2) Write a batch file as follows:
@echo off
arp -d
arp -s 192.168.16.254 00-22-aa-00-22-aa
Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address.
Drag this batch software into "windows--start-program--start".
【Cause of failure】
Some people use ARP to cheat * programs on the LAN (for example, the software for legendary account robberies, and this program is also maliciously loaded in some legendary plug-ins).
【Fault principle】
To understand the principle of failure, let’s first understand the ARP protocol.
In a local area network, the conversion of IP addresses to the second layer physical address (i.e., MAC addresses) is completed through the ARP protocol. The ARP protocol is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, and a large amount of ARP traffic can be generated in the network to block the network.
The ARP protocol is the abbreviation of "Address Resolution Protocol". In a local area network, the actual transmission of "frames" in the network, and the frame contains the MAC address of the target host. In Ethernet, if one host wants to communicate directly with another host, it must know the MAC address of the target host. But how is this target MAC address obtained? It is obtained through the address resolution protocol. The so-called "address resolution" is the process by which the host converts the target IP address into the target MAC address before sending a frame. The basic function of the ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth progress of communication.
Each computer with TCP/IP protocol installed has an ARP cache table, and the IP addresses and MAC addresses in the table correspond one by one, as shown in the following table.
Host IP address MAC address
A 192.168.16.1 aa-aa-aa-aa-aa-aa
B 192.168.16.2 bb-bb-bb-bb-bb-bb
C 192.168.16.3 cc-cc-cc-cc-cc-cc
D 192.168.16.4 dd-dd-dd-dd-dd-dd
Let’s take host A (192.168.16.1) to send data to host B (192.168.16.2) as an example. When sending data, host A will look for the destination IP address in its ARP cache table. If it is found, you will know the target MAC address and just write the target MAC address into the frame to send it; if the corresponding IP address is not found in the ARP cache table, Host A will send a broadcast on the network, and the target MAC address is "", which means that you will send such an inquiry to all hosts in the same network segment: "What is the MAC address of 192.168.16.2?" Other hosts on the network do not respond to ARP questions. Only when Host B receives this frame will it respond to Host A: "The MAC address of 192.168.16.2 is bb-bb-bb-bb-bb-bb-bb". In this way, host A knows the MAC address of host B, and it can send information to host B. At the same time, it also updated its ARP cache table. Next time it sends information to host B, it can search directly from the ARP cache table. The ARP cache table adopts an aging mechanism. If a row in the table is not used for a period of time, it will be deleted. This can greatly reduce the length of the ARP cache table and speed up the query speed.
From the above, we can see that the basis of the ARP protocol is to trust everyone in the LAN, so it is easy to achieve ARP spoofing on Ethernet. Spoofing target A, A goes to Ping host C but sends it to the address DD-DD-DD-DD-DD-DD-DD-DD-DD-DD. If you cheat C's MAC address is defrauded as DD-DD-DD-DD-DD-DD-DD-DD-DD, and then all the data packets sent by A to C become sent to D. Isn't this just that D can receive the data packet sent by A? The sniffing is successful.
A was not aware of this change at all, but what happened next made A doubt. Because A and C can no longer be connected. D may not be transferred to C for the packet sent by A to C.
Do "man in the middle” and perform ARP redirection. Turn on D's IP forwarding function, and forward the data packets sent by A to C, just like a router. However, if D sends ICMP redirection, the entire plan will be interrupted.
D directly forwards the entire packet, captures the data packets sent by A to C, and then forwards them to C after modifying them. The data packets received by C are completely considered to be sent from A. However, the data packet sent by C is directly passed to A, if ARP spoofing is performed again. Now D has become a completely intermediate bridge between A and C, and you can understand the communication between A and C.
【Fault phenomenon】
When a host in the LAN runs ARP spoofed * program, it will deceive all hosts and routers in the LAN, so that all Internet traffic must pass through the virus host. Other users used to go online directly through the router and now they are transferred to the Internet through the virus host. When switching, users will be disconnected once.
After switching to the virus host to surf the Internet, if the user has logged into the legend server, the virus host will often forge the false image of disconnection, and the user has to log in to the legend server again, so that the virus host can steal the account.
Since ARP spoofing * programs will send a large number of data packets when they occur, resulting in congestion in LAN communication and limitations in their own processing capabilities, users will feel that the Internet speed is getting slower and slower. When the ARP spoofed * program stops running, the user will resume surfing the Internet from the router, and the user will disconnect the line again during the switching process.
[HiPER users quickly discover ARP spoofing *s]
I see a lot of the following information in the router's "System History" (this prompt is only available in router software versions after 440):
MAC Chged 10.128.103.124
MAC Old 00:01:6c:36:d1:7f
MAC New 00:05:5d:60:c7:18
This message represents that the user's MAC address has changed. When the ARP spoofing * starts running, the MAC addresses of all hosts in the LAN are updated to the MAC address of the virus host (that is, the MAC New address of all information is the MAC address of the virus host). At the same time, the MAC address information of all users is seen in the router's "User Statistics" and the MAC address information of all users is the same.
If you see a large number of MAC Old addresses in the router's "System History" are the same, it means that ARP spoofing has occurred in the LAN (when the ARP spoofing * program stops running, the host restores its real MAC address on the router).
【Find virus hosts in LAN】
We already know the MAC address of the host that uses ARP to spoof *s, so we can use NBTSCAN (download address:https:///softs/) tool to find it quickly.
NBTSCAN can obtain the real IP address and MAC address of the PC. If there is a "legendary *" that is making a monster, you can find the IP/ and MAC addresses of the PC with the *.
Command: "nbtscan -r 192.168.16.0/24" (Search for the entire 192.168.16.0/24 network segment, i.e.
192.168.16.1-192.168.16.254); or "nbtscan 192.168.16.25-137" search 192.168.16.25-137 network segment, that is, 192.168.16.25-192.168.16.137. The first column of the output is the IP address and the last column is the MAC address.
Examples of use of NBTSCAN:
Suppose you look for a virus host with the MAC address "000d870d585f".
1) Scale the and decompression in the compressed package to c:.
2) Start Windows - Run - Open, enter cmd (enter "command" in windows98), and enter: C:
btscan -r 192.168.16.1/24 (here you need to enter it according to the actual network segment of the user), enter.
C:Documents and SettingsALAN>C:
btscan -r 192.168.16.1/24
Warning: -r option not supported under Windows. Running without it.
Doing NBT name scan for addresses from 192.168.16.1/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.16.0 Sendto failed: Cannot assign requested address
192.168.16.50 SERVER 00-e0-4c-4d-96-c6
192.168.16.111 LLF ADMINISTRATOR 00-22-55-66-77-88
192.168.16.121 UTT-HIPER 00-0d-87-26-7d-78
192.168.16.175 JC 00-07-95-e0-7c-d7
192.168.16.223 test123 test123 00-0d-87-0d-58-5f
3) By querying the IP-MAC correspondence table, find out that the IP address of the virus host of "000d870d585f" is "192.168.16.223".
【Solution idea】
1. Don’t build your network security trust relationship on IP or MAC (rarp also has the problem of deception), and ideal relationships should be based on IP+MAC.
2. Set the static MAC-->IP corresponding table, and do not let the host refresh the conversion table you set.
3. Unless it is very necessary, stop using ARP and save ARP as a permanent entry in the corresponding table.
4. Use an ARP server. Search for its own ARP conversion table through this server to respond to ARP broadcasts of other machines. Make sure this ARP server is not hacked.
5. Use "proxy"" to proxy the transmission of IP.
6. Use hardware to block the host. Set up your route to ensure that the IP address can reach the legal path. (Static configuration routing ARP entry), note that using switch hubs and bridges cannot prevent ARP spoofing.
7. The administrator regularly obtains a rarp request from the response IP packet, and then checks the authenticity of the ARP response.
8. The administrator regularly polls to check the ARP cache on the host.
9. Use a firewall to continuously monitor the network. Note that when using SNMP, ARP spoofing may lead to the loss of trap packets.
【HiPER user's solution】
It is recommended that users use two-way binding methods to solve the problem and prevent ARP spoofing.
1. Bind the router's IP and MAC address on the PC:
1) First, obtain the MAC address of the router's intranet (for example, the MAC address of HiPER gateway address 192.168.16.254 is 0022aa0022aa LAN port MAC address >).
2) Write a batch file as follows:
@echo off
arp -d
arp -s 192.168.16.254 00-22-aa-00-22-aa
Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address.
Drag this batch software into "windows--start-program--start".