+(65) 8344 4290 Ciscodumps.net@gmail.com Room 907, Block B, Baoneng Entrepreneurship Center, Guangrong Road, Hongqiao District, Tianjin

ThinkMo EDU Share – network 28.ARP attack

蒂娜 No Comments 10/30/2022

ThinkMo EDU Share – network 28.ARP attack

ARP Protocol Overview

ARP protocol (address resolution protocol) address resolution protocol.

When a host communicates with another host, it is necessary to know the IP address of the target, but the network card that transmits data in the LAN cannot directly identify the IP address, so the ARP resolution protocol is used to resolve the IP address into a MAC address. The basic function of the ARP protocol is to query the mac address of the target device through the IP address of the target device.

In any host of the local area network, there is an ARP cache table, which stores the comparison relationship between the IP addresses and MAC addresses of each host and router in the local area network known to the local area network. The life cycle of the ARP cache table is time-limited (generally no more than 20 minutes) .

For example: Suppose there are four hosts in the LAN

If host A wants to communicate with host B, host A will first check its own ARP cache table for the contact information of B. If so, it will encapsulate the mac-b address outside the data packet and send it out. If not, A will send an ARP broadcast packet to the whole network and ask loudly: My IP address is 192.168.0.2, and the hardware address is mac-a. I want to know what is the hardware address of the IP address 192.168.0.3? ,

At this time, all hosts in the LAN have received it, and B will respond privately after receiving it: I am 192.168.0.3, my hardware address is mac-b, and other hosts will not care about A. At this time, A knows the information of B. , and also dynamically updates its own cache table.

APR attack discovery

First diagnose whether it is an ARP virus attack

  1. When it is found that the Internet is obviously slow, or suddenly disconnected , we can use the arp -a command to check the ARP table: (Click the “Start” button – select “Run” – enter “cmd” and click the “OK” button. Enter the “arp -a” command in the window) If you find that the MAC address of the gateway has changed , or you find that many IPs point to the same physical address , then it must be caused by ARP spoofing. At this time, you can clear the arp list through ” arp -d ” and revisit it.
  1. Use ARP firewall software (such as: 360ARP firewall, AntiARPSniffer, etc.) .

How to determine whether a switch is under ARP attack and how to deal with it

  1. If the network is attacked by ARP, the following phenomena may occur:

User disconnection, frequent disconnection, slow Internet access, service interruption or failure to access the Internet.

The CPU usage of the device is high, the device is managed, the connected device is disconnected, the active and standby status of the device fluctuates, and the device port indicator flashes red quickly.

Ping has delay, packet loss or failure.

The machines in the LAN are attacked by ARP virus spoofing. If you find the source machine and kill the virus or Trojan horse, the machines in the LAN will return to normal. So how can you quickly locate the source machine of the attack?

  1. Use the arp -a command. When it is found that the Internet is obviously slow, or suddenly dropped , we can use the arp -a command to check the ARP table. If it is found that the MAC address of the gateway has changed, or that there are many IP addresses pointing to the same MAC address, it must be caused by an ARP attack.
  1. Use Color Shadow ARP firewall software to view. If the network card is in promiscuous mode or the speed at which ARP request packets are sent is high or the total amount of ARP request packets is very large, it may be judged that this machine is the “culprit”. After locating the machine, do virus information collection.
  1. Check the “System History” of the router. When the Trojan horse program attacked by ARP attacks, it will send a large number of data packets, which will block the communication of the LAN and limit its own processing capacity. Users will feel that the Internet speed is getting slower and slower. When the Trojan program attacked by ARP stops running, the user will resume Internet access from the router, and the user will be disconnected again during the switching process.

This message represents that the user’s MAC address has changed. When the ARP attack Trojan starts to run, the MAC addresses of all hosts in the LAN are updated to the MAC addresses of the virus hosts (that is, the MAC New addresses of all messages are the same as the MAC addresses of the virus hosts). ) , and you can see that the MAC address information of all users is the same in the “User Statistics” of the router.

If a large number of MAC Old addresses are consistent in the router’s “system history”, it means that an ARP attack has occurred in the LAN (when the Trojan program of the ARP attack stops running, the host recovers its real MAC address on the router) .

ARP attack process

ARP attack method

  1. Simple scam attack

This is a relatively common attack. By sending forged ARP packets to defraud the route and the target host, the target host thinks that this is a legitimate host, and then the fraud is completed. This kind of fraud mostly occurs in the same network segment, because the routing The packets on this network segment will not be forwarded to the outside. Of course, there are ways to complete attacks on different network segments. The ICMP protocol is used to tell the router to select a route from the beginning.

  1. DOS according to ARP

This is a new attack method. DOS is also known as a denial of service attack. When a large number of connection requests are sent to a host, because the processing capacity of the host is limited and cannot provide services for normal users, a denial of service occurs. If you use ARP to hide yourself in this process, the real IP attack will not appear in the log of the attacked host, and it will not affect the machine.

  1. MAC Flooding

This is a relatively risky attack that can overflow the ARP table of the switch, making the entire network unable to communicate properly.

  1. Sniffing of the communication environment

In the initial small local area network, we use HUB for interconnection. This is a broadcast method. Each packet will pass through each host in the network. By using software, we can sniff the data of all local area networks. The current network is mostly a communication environment, and the transmission of data within the network is locked in a specific policy. The determined target communication host, on the basis of ARP fraud, can fake its own host into a central forwarding station to monitor the communication between the two hosts.

ARP attack protection

  1. ARP cache timeout setting

Entries in the ARP cache generally need to set a timeout value, and shortening this timeout value can effectively avoid the overflow of the ARP table.

  1. IP+MAC access control (recommended)

It is not safe to rely solely on IP or MAC to establish a trust relationship. The ideal security relationship is established on the basis of IP+MAC, which is one of the reasons why our campus network must bind IP and MAC.

  1. Static ARP cache table

Each host has a corresponding table that temporarily stores IP-MAC. ARP attacks can change this cache to achieve fraudulent intentions. Using static ARP to bind the correct MAC is a useful method. Use arp on the command line – a can check the ARP cache table at that time.

  1. Automatic query

At a certain normal time, make a database corresponding to IP and MAC, and then regularly check whether the corresponding relationship between IP and MAC at that time is normal, regularly check the traffic list of the switch, and check the packet loss rate.

ARP cannot cause much damage in this province. Once it is contacted and used, its risk is immeasurable. Because of the doubts of ARP itself, it is very difficult to prevent ARP attacks. It is very difficult to check the network conditions at that time and monitor the traffic. good vibe.

ThinkMo CCNA Dump exam information exchange group:

CCNA/CCNP/CCIE telegram study group:https://t.me/ccie_ei_lab
CCNA/CCNP/CCIE dump:
WAHTAPP:+65 83444290
WAHTAPP:+63 9750724648

ThinkMo CCNA 200-301 Tutorial VIP Exclusive:
https://www.youtube.com/playlist?list=PLIq0cWorv-oyWHaoH79460mAa3-4AWpvw

The complete EVE_NG file, free learning PDF and PPT that can be used directly, as well as video explaining the technical points are all here!

Post Tags :

Leave a Reply

X