In the local area network, ARP attacks still occupy a high proportion. As we all know, the basic function of the ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication. The basis of the ARP protocol is to trust all people in the LAN, so it is easy to implement ARP spoofing on the Ethernet. What's more, the ARP protocol works at a lower protocol layer than the IP protocol, so its harm is more subtle.
ARP type attacks were first used to steal passwords. A poisoned computer on the network could disguise itself as a router to steal the user's password. Later, it developed into a built-in software to disrupt the normal network communication of other LAN users.
As a network administrator, you may have this experience - the network is frequently dropped, the speed is slow, and you have no idea how to do it. This may be the manifestation of an ARP attack on the network. Here are five simple methods to help you quickly solve it.
First , establish a MAC database, record the MAC addresses of all network cards in the Internet cafe, and load each MAC, IP, and geographic location into the database for timely inquiries and records.
Second , establish a DHCP server (it is recommended to build it on the gateway, because DHCP does not take up much CPU, and ARP spoofing attacks generally always attack the gateway first, we just want him to attack the gateway first, because the gateway has a monitoring program here, the gateway address It is recommended to choose 192.168.10.2 and leave 192.168.10.1 empty. If the criminal program is stupid, let him attack the empty address.) In addition, the IP addresses and related host information of all clients can only be obtained from the gateway, and the gateway is opened here. DHCP service, but to bind a fixed unique IP address to each network card. Be sure to maintain a one-to-one correspondence between the IP/MAC of the machines in the network. In this way, although the client obtains the address through DHCP, the IP address is the same every time it is powered on.
Third , the gateway monitors network security. The gateway uses the TCPDUMP program to intercept each ARP package, and gets a script analysis software to analyze these ARP protocols. The packets of ARP spoofing attacks generally have the following two characteristics, and one of them can be regarded as an attack packet alarm: the source address and destination address of the first Ethernet data packet header do not match the protocol address of the ARP data packet. Or, the sending and destination addresses of the ARP data packets are not in the MAC database of the own network card, or do not match the MAC/IP of the own network MAC database. All these alarms are immediately reported, and by checking the source addresses of these data packets (Ethernet data packets) (which may also be forged), you can roughly know which machine is launching an attack.
Fourth , the gateway machine closes the process of ARP dynamic refresh and uses static routing. In this case, even if the suspect uses ARP spoofing to attack the gateway, it is useless to the gateway to ensure the security of the host.
The method for the gateway to establish static IP/MAC binding is to create the /etc/ethers file, which contains the correct IP/MAC correspondence in the following format:
192.168.2.32 08: 00: 4E: B0: 24: 47
Then /etc/rc.d/rc.local
Finally add: arp -f
to take effect
Fifth , sneak up to the machine to see if the user did it on purpose or was framed by any Trojan program. If the latter, quietly find an excuse to let him go, unplug the network cable (do not shut down, especially look at the scheduled tasks in Win98), check the current usage record and operation of the machine, and determine whether it is an attack. .
Sixth , use protection software. The ARP firewall adopts the system kernel layer interception technology and active defense technology, and includes six functional modules to solve most of the problems caused by deception and ARP attacks , thereby ensuring communication security (to ensure that communication data is not monitored and controlled by network management software/malware) , to ensure smooth network.
Seventh , network equipment with ARP protection function. The network problem caused by ARP attack is the most troublesome attack in current network management, especially in LAN management. His attack technology content is low, and anyone can use attack software to complete ARP spoofing attack, while preventing There is also no particularly effective method for attacks in the form of ARP.
At present, only passive measures can be taken in the form of remedial measures. The methods introduced in this article hope to be helpful to everyone.