ARP virus principle and defense

How ARP viruses work, how to defend against them, and how to quickly locate the source of an ARP virus.

ARP protocol

ARP (Address Resolution Protocol)

A host that wants to communicate with another host knows the target's IP address, but the network cards that carry data on the LAN cannot address each other by IP directly, so ARP is used to resolve the IP address to a hardware address.

The basic function of ARP is to look up the MAC address of a target device from its IP address.

Every host on the LAN keeps an ARP cache table, which stores the IP-to-MAC mappings of the hosts and routers on the LAN that this machine has learned.

Entries in the table have a limited lifetime (typically no more than 20 minutes).

Suppose there are four hosts A, B, C and D on the LAN, and host A wants to communicate with host B.

Host A first checks its ARP cache table for B's entry. If it is there, A encapsulates the packet with mac-b as the destination hardware address and sends it out. If not, A sends a network-wide ARP broadcast, asking aloud: "My IP address is 192.168.0.2 and my hardware address is mac-a. I want to know the hardware address of IP address 192.168.0.3." Every host on the LAN receives this broadcast, but only B answers, with a private (unicast) reply: "I am 192.168.0.3, my hardware address is mac-b." The other hosts ignore A's request.

At this point A knows B's address and dynamically updates its own cache table.

Defects

ARP is built on trusting every node in the LAN, which makes it very efficient but not secure. It is a stateless protocol: a host does not check whether it ever sent a matching request, nor does it verify that a reply is legitimate. Any ARP reply or ARP broadcast (both ARP replies and ARP requests) whose destination MAC address is its own is accepted and cached.

ARP attack principle

ARP spoofing attacks build on the mutual trust between LAN hosts.

When A broadcasts the question "What is the hardware address of IP 192.168.0.3?"

B will of course answer: "I am IP 192.168.0.3, my hardware address is mac-b."

But at the same time C, whose IP address is 192.168.0.4, also answers illegitimately: "I am IP 192.168.0.3, my hardware address is mac-c", and it does so repeatedly.

So A mistakenly believes that the hardware address of 192.168.0.3 is mac-c and dynamically updates its cache table accordingly.

In this way host C hijacks the data that host A sends to host B. This is the ARP spoofing process.

If C impersonates the gateway directly, host C keeps sending ARP spoofing broadcasts, announcing loudly: "My IP is 192.168.0.1, my hardware address is mac-c."

All hosts on the LAN are then tricked into changing their own cache tables, and C can eavesdrop on the datagrams that the entire LAN sends to the Internet.

How to find the source of the virus quickly

Use a sniffer to capture packets

Run packet-capture software on any host in the network and capture all packets that arrive at this machine. If one IP address is found to be constantly sending ARP request packets, that computer is generally the source of the virus. Principle: whatever the ARP virus variant, it behaves in one of two ways: either it deceives the gateway, or it deceives all the hosts in the network.
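The request/reply exchange described under "ARP protocol" and the sniffer method above, as an added example that is not part of the original article: it parses raw Ethernet/ARP frames using the standard header layout and flags the two symptoms a capture reveals, one IP announced by several MACs and one sender flooding ARP. The frames, MAC addresses and gateway address are constructed for illustration.

```python
"""Sweep captured ARP frames for two spoofing symptoms: one IP (the gateway especially)
announced by several MACs, and one sender flooding ARP. All frames are constructed."""
import struct
from collections import Counter, defaultdict

ETHERTYPE_ARP = 0x0806
GATEWAY_IP = "192.168.0.1"  # assumed gateway address for this example

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    # ARP body: htype(2) ptype(2) hlen(1) plen(1) oper(2) sha(6) spa(4) tha(6) tpa(4)
    oper, sha, spa, _tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return oper, ":".join(f"{b:02x}" for b in sha), ".".join(map(str, spa)), ".".join(map(str, tpa))

def build_arp(oper, sha, spa, tpa):
    """Constructed frame (oper 1 = request, 2 = reply); Ethernet dst is broadcast, unused below."""
    sha_b = bytes.fromhex(sha.replace(":", ""))
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, sha_b,
                       bytes(map(int, spa.split("."))), b"\x00" * 6, bytes(map(int, tpa.split("."))))
    return b"\xff" * 6 + sha_b + struct.pack("!H", ETHERTYPE_ARP) + body

def analyse(frames, gateway_ip=GATEWAY_IP, flood_threshold=3):
    """Map each suspicious sender MAC to the reasons it was flagged."""
    claimants = defaultdict(set)  # sender IP -> MACs that announced it
    volume = Counter()            # sender MAC -> ARP frames seen
    for _, sha, spa, _ in filter(None, map(parse_arp, frames)):
        claimants[spa].add(sha)
        volume[sha] += 1
    findings = defaultdict(list)
    for ip, macs in claimants.items():
        if len(macs) > 1:  # two different cards answering for one IP: someone is lying
            for m in macs:
                findings[m].append(f"conflicting claim for {ip}{' (gateway)' if ip == gateway_ip else ''}")
    for m, n in volume.items():
        if n >= flood_threshold:  # the 'constantly sending' symptom from the text
            findings[m].append(f"{n} ARP frames sent")
    return dict(findings)

# Constructed traffic: A asks for .3; B answers honestly; C answers falsely, then keeps
# announcing itself as the gateway while the real gateway (GW) answers once.
MAC_A, MAC_B, MAC_C, MAC_GW = (f"02:00:00:00:00:{x}" for x in ("0a", "0b", "0c", "01"))
SAMPLE = [build_arp(1, MAC_A, "192.168.0.2", "192.168.0.3"),
          build_arp(2, MAC_B, "192.168.0.3", "192.168.0.2"),
          build_arp(2, MAC_C, "192.168.0.3", "192.168.0.2"),
          build_arp(2, MAC_GW, "192.168.0.1", "192.168.0.2")]
SAMPLE += [build_arp(2, MAC_C, "192.168.0.1", "192.168.0.2")] * 3
if __name__ == "__main__":
    for m, reasons in analyse(SAMPLE).items():
        print(m, "->", "; ".join(reasons))
```

Without a baseline the detector cannot say which claimant is honest; in practice, the sender that both conflicts with others and dominates the frame count is the one to inspect.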

Use the arp -a command

Pick any two hosts that cannot access the Internet and run the arp -a command in a DOS command window on each. If, for example, the results on both computers contain, besides the entry for the gateway's IP and MAC address, an entry for the IP 192.168.0.186, you can conclude that host 192.168.0.186 is the source of the virus. Principle: normally, hosts in the network communicate only with the gateway.
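The arp -a cross-check above, as an added Python example that is not from the original article: it parses Windows-style arp -a output from two hosts, intersects their dynamic entries, and additionally reports any MAC bound to more than one IP, which goes slightly beyond the text because a poisoned gateway entry carries the spoofer's MAC. The two outputs and the gateway address are constructed assumptions.

```python
"""Cross-check 'arp -a' from two affected hosts as the text describes: a non-gateway
entry present in both caches is the likely source. Generalised here: a MAC bound to
more than one IP is also reported, since a poisoned gateway entry carries the
spoofer's MAC. Both outputs below are constructed (Windows 'arp -a' layout)."""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"  # assumed gateway for this example
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                   r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.M | re.I)

def parse_arp_a(text):
    """Return {ip: mac} for the dynamic entries only; static broadcast/multicast rows
    (e.g. 192.168.0.255) sit in every cache and would be false positives."""
    return {ip: mac.lower().replace("-", ":")
            for ip, mac, kind in ENTRY.findall(text) if kind.lower() == "dynamic"}

def suspects(caches, gateway_ip=GATEWAY_IP):
    """Map suspicious IPs to the (deduplicated, sorted) reasons they were flagged."""
    reasons = defaultdict(set)
    for ip in set.intersection(*map(set, caches)) - {gateway_ip}:
        reasons[ip].add("present in every host's cache")  # hosts normally talk only to the gateway
    for cache in caches:
        by_mac = defaultdict(set)
        for ip, mac in cache.items():
            by_mac[mac].add(ip)
        for mac, ips in by_mac.items():
            if len(ips) > 1:  # one card answering for several addresses
                for ip in ips - {gateway_ip}:
                    reasons[ip].add(f"MAC {mac} also answers for {', '.join(sorted(ips - {ip}))}")
    return {ip: sorted(r) for ip, r in reasons.items()}

HOST1 = """Interface: 192.168.0.12 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           02-00-00-00-00-ba     dynamic
  192.168.0.186         02-00-00-00-00-ba     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""
HOST2 = """Interface: 192.168.0.37 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           02-00-00-00-00-ba     dynamic
  192.168.0.20          02-00-00-00-00-14     dynamic
  192.168.0.186         02-00-00-00-00-ba     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    for ip, why in suspects([parse_arp_a(HOST1), parse_arp_a(HOST2)]).items():
        print(ip, "->", "; ".join(why))
```

Linux arp -a prints a different layout (`? (ip) at mac [ether] on dev`), so the regular expression must be adapted for that platform.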

Use the tracert command

On any affected host, run the following command in a DOS command window: tracert 61.135.179.148. Assuming the default gateway is set to 10.8.6.1, if the first hop when tracing an external address is 10.8.6.186, then 10.8.6.186 is the source of the virus. Principle: the poisoned host plays the role of a "middleman" between the affected host and the gateway. All the packets that should have reached the gateway are sent to the poisoned host instead because of the wrong MAC address, so the poisoned host oversteps its role and acts as the default gateway.

ARP Defense

ARP bi-directional binding

Bind IP and MAC on the PC side

Use IP+MAC+port binding on network devices (switches and routers)

The gateway also performs static binding of IP and MAC

Set up a DHCP server

ARP attacks generally target the gateway first, so set up the DHCP server on the gateway.

Delineate safe areas

ARP broadcast packets cannot propagate across subnets or network segments, so segmentation isolates broadcast traffic. A VLAN is a logical broadcast domain; with VLAN technology, multiple subnets can be created within the LAN, which confines ARP broadcasts and reduces the scope of an infection.