Master teaches you to identify the principle of ARP spoofing and prevent being cheated

I often hear friends around me saying that the network of my computer has been attacked. There are often some unscrupulous people who use ARP spoofing software to attack others, causing many people to drop the line and even make the entire network paralyzed. In response to this problem, we first come to understand its attack principle and deception principle, and the friends who are deeply hurt are hurry to take a look.

First, the principle of ARP spoofing is as follows:

Suppose such a network, a Hub connects to 3 machines

HostA HostB HostC where

A The address is: IP: 192.168.10.1 MAC: AA-AA-AA-AA-AA-AA

The address of B is: IP: 192.168.10.2 MAC: BB-BB-BB-BB-BB-BB

The address of C is: IP: 192.168.10.3 MAC: CC-CC-CC-CC-CC-CC

Normally C:\\arp -a

Interface: 192.168.10.1 on Interface 0x1000003

Internet Address Physical Address Type

192.168.10.3 CC-CC-CC-CC-CC-CC dynamic

Now suppose HostB starts Sinful ARP spoofing:

B sends a fake ARP reply to A, and the data in this response is the sender's IP address is 192.168.10.3 (the IP address of C), and the MAC address is DD- DD-DD-DD-DD-DD (C's MAC address should have been CC-CC-CC-CC-CC-CC, which was forged here). When A receives a B-forged ARP reply, it updates the local ARP cache (A does not know that it was forged). And A does not know that it is actually sent from B, A here only 192.168.10.3 (C's IP address) and invalid DD-DD-DD-DD-DD-DD mac address, there is no evidence related to criminal B, Haha, so criminals are unhappy.

Now the ARP cache for A machine is updated:

C:\\>arp -a

Interface: 192.168.10.1 on Interface 0x1000003

Internet Address Physical Address Type

192.168.10.3 DD-DD-DD-DD-DD-DD dynamic

This is no small matter. The network circulation of the local area network is not based on the IP address, but is transmitted according to the MAC address. The MAC address of 192.168.10.3 is now changed on A to a MAC address that does not exist. Now A starts Ping 192.168.10.3, the MAC address submitted by the network card is DD-DD-DD-DD-DD-DD, what is the result? The network is unreachable, A can't ping C!!

So, A machine in the LAN repeatedly sends such invalid and fake ARP response packets to other machines, especially to the gateway. NND, serious network congestion begins! The nightmare of the Internet cafe administrator started. My goal and mission is to catch him the first time. However, from the previous statement, it seems that the criminals perfectly exploited the defects of Ethernet and concealed their crimes. But in fact, the above methods have left a clue. Although the ARP packet does not leave the address of HostB, the ethernet frame carrying the ARP packet contains the source address of HostB. Moreover, in the ethernet data frame under normal circumstances, the MAC source address/destination address in the frame header should be paired with the ARP information in the frame data packet, and such an ARP packet is considered to be correct. If it is not correct, it must be a fake package. It can be reminded! But if it matches, it does not necessarily mean that it is correct. Maybe the counterfeiter also takes this step into consideration, and fakes the ARP packet that meets the format requirements but the content is fake. However, it does not matter, as long as the gateway has a network card database with all MAC addresses of this network segment, if it does not match the data in the Mac database, it is also a fake ARP packet. Can also remind criminals to start. Previous 12 Next page Total 2 pages