
The Proliferation of ARP Attacks in Data Centers (IDC Centers) and Defensive Solutions

Paper price: free  Time: 2014-08-18 13:15:25  Source: www.ukassignment.org  Author: 留学作业网

1 Introduction

ARP attacks are rampant in the major data centers (IDC centers), and many machine rooms and network operators in China detest them. Because of the way it works, an ARP attack can make the attacked website or server unreachable, or make visitors reach a wrong URL or receive wrong information, which directly harms the interests of enterprises. ARP spoofing attacks therefore seriously affect the normal operation and information security of IDC centers, and how to prevent and remove ARP viruses has become an urgent problem for network administrators.

2 How ARP works

ARP (Address Resolution Protocol) provides the mapping from IP addresses to physical addresses. That is, from a known network-layer address (the IP layer, equivalent to OSI layer 3) it obtains the data-link-layer address (the MAC layer, equivalent to OSI layer 2), the MAC address.

When Host A sends a packet to Host B, it first checks its local ARP cache table. If it finds the MAC address that corresponds to B's IP address, it transmits the data. If not, A broadcasts an ARP request packet (which contains the mapping of Host A's IP address to its physical address, and Host B's IP address) asking Host B to answer with its physical address. Every host on the network, including B, receives the ARP request, but only Host B recognizes its own IP address, so it sends an ARP response packet back to Host A. The response contains B's MAC address. When A receives B's response, it updates its local ARP cache and then uses this MAC address to send the data. The locally cached ARP table is therefore the basis of traffic on the local network, and this cache is dynamic.

3 Common ARP spoofing attacks in IDCs
An ARP attack is carried out by ARP deception with forged IP addresses and MAC addresses. It can generate a large amount of ARP traffic that congests the network, and as long as the attacker keeps sending forged ARP response packets, the IP-to-MAC mapping in the target host's ARP cache can be changed. If a managed host in the IDC is infected by an ARP virus or controlled by a hacker, ARP spoofing attacks may appear. Typically, the infected or controlled host broadcasts forged ARP information to its network segment, which confuses the ARP tables of the other managed hosts or of the gateway on the same segment and prevents those hosts from communicating normally. Worse, the deception can lead to the traffic of these hosts being monitored or stolen.

3.1 Spoofing attacks
This is a relatively common attack: fake ARP packets are sent to deceive the router and the target host, so that the target host believes the sender is a legitimate host, which completes the deception. This kind of deception takes place within a single network segment, because the router does not forward packets of the local segment outward. Attacks across different network segments are also possible, but they have to use the ICMP protocol to tell the router to reselect the route.
(1) ARP spoofing within the same network segment
This kind of attack usually forges an ARP_REPLY response packet and sends it to the host to be deceived; the source IP, destination IP, source MAC address and destination MAC address in the packet are specified by hand. The forged ARP response packet modifies the ARP cache of the host to be deceived, and so deceives it. Figure 1 gives an example of the ARP spoofing process within the same network segment.


Host C intrudes on Host B in the following steps:
① Host C first studies Host A, which communicates normally with Host B, and finds a vulnerability in Host A.
② Using that vulnerability, it makes Host A temporarily stop working.
③ Host C changes its own IP address to 192.168.0.1.
④ Host C sends Host B an ARP response packet whose source IP address is 192.168.0.1 and whose source MAC address is CC:CC:CC:CC:CC:CC, asking Host B to update the IP-to-MAC mapping table in its ARP cache.
⑤ Host B updates its ARP cache.
⑥ Host C has successfully intruded on Host B.
The above is an ARP spoofing process within the same network segment.
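
How a monitoring host could recognise the forged response of step ④, as an added example that is not part of the original article: it parses ARP frames and compares the claimed sender IP/MAC pair with a table of trusted bindings. The table, the MAC addresses of Host A and Host B, Host B's IP address and the sample frames are constructed assumptions.

```python
import struct

# Assumed trusted IP -> MAC bindings. Host A's IP is from the text; the MACs
# for Host A and Host B are constructed placeholders.
TRUSTED = {"192.168.0.1": "aa:aa:aa:aa:aa:aa", "192.168.0.2": "bb:bb:bb:bb:bb:bb"}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _ip(b):
    return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(src), "oper": oper, "sha": _mac(sha),
            "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def check_arp(frame, trusted=TRUSTED):
    """Return the reasons (possibly none) why this ARP frame deserves an alert."""
    p = parse_arp(frame)
    if p is None:
        return []
    alerts = []
    if p["eth_src"] != p["sha"]:
        alerts.append("Ethernet source differs from ARP sender MAC")
    bound = trusted.get(p["spa"])
    if bound is not None and bound != p["sha"]:
        alerts.append(f"{p['spa']} is bound to {bound} but claimed by {p['sha']}")
    return alerts

# Constructed sample frames (hex): dst, src, ethertype, ARP header, opcode 2
# (reply), sender MAC, sender IP, target MAC, target IP.
GENUINE = bytes.fromhex(
    "bbbbbbbbbbbb aaaaaaaaaaaa 0806 0001 0800 06 04 0002"
    "aaaaaaaaaaaa c0a80001 bbbbbbbbbbbb c0a80002")
FORGED = bytes.fromhex(   # the reply of step 4: 192.168.0.1 at CC:CC:CC:CC:CC:CC
    "bbbbbbbbbbbb cccccccccccc 0806 0001 0800 06 04 0002"
    "cccccccccccc c0a80001 bbbbbbbbbbbb c0a80002")

if __name__ == "__main__":
    for name, frame in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, check_arp(frame) or "ok")
```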


(2) ARP spoofing across different network segments
If Host A and Host C are in different network segments, the method above does not work. Figure 2 is used as an example to illustrate ARP spoofing between different network segments.

In this case, how can Host C, in the 192.168.1 segment, impersonate Host B to deceive Host A? Clearly, with the approach above, even if the deception succeeds, no telnet session can be established between Host C and Host A, because the router will not forward the packets that Host A sends to Host B outside the segment: the router finds that the address lies within the 192.168.0 segment.

This brings in another kind of deception: the ICMP redirect. Combining ARP spoofing with ICMP redirection can basically achieve deception across network segments.
The ICMP redirect packet is one of the ICMP control packets. In certain circumstances, when a router detects that a machine is using a non-optimal route, it sends an ICMP redirect packet to that host asking it to change its route. The router also forwards the initial datagram to its destination. ICMP redirect packets can be used to achieve the deception. The steps of an attack that combines ARP spoofing and ICMP redirection are as follows:
① Host C sets the time to live of the illegal IP packets it sends to the maximum.
② It finds a vulnerability that makes Host B temporarily stop working.
③ When Host A cannot find the original 192.0.0.2, it updates its ARP mapping table. At this point, Host C sends an ARP response packet whose source IP address is 192.0.0.2 and whose MAC address is CC:CC:CC:CC:CC:CC.
④ Each host now knows a new MAC address for 192.0.0.2, and the ARP spoofing is complete. However, each host will look for this address only within the LAN and will never hand IP packets for 192.0.0.2 to the router, so an ICMP redirect broadcast also has to be constructed.
⑤ A custom ICMP redirect packet tells the hosts on the network that the shortest route to 192.0.0.2 is not the LAN but the router, and asks them to redirect their routing path and hand all IP packets for 192.0.0.2 to the router.
⑥ Host A accepts this plausible ICMP redirect and modifies its routing path, handing its communications for 192.0.0.3 to the router.
⑦ Host C has successfully intruded on Host A.
In fact, the scheme above describes only an ideal case: hosts place many restrictions on the ICMP redirect packets they will accept, and these conditions make ICMP redirection very difficult.

(3) New forms of ARP spoofing
As above, this kind of attack sends forged ARP packets to the whole network; the difference is that it alters HTTP packets.
When users visit certain websites, the pages may contain malicious code, commonly known as a "web page Trojan"; this practice is known as "hanging a horse". There are three main ways in which the malicious code is inserted:

① ARP spoofing within the LAN. When a host inside the network wants to visit a web server outside the network, the request is sent to the gateway responsible for the host's segment; the gateway obtains the requested page from the server and sends it to the host. The attacking host masquerades as the gateway and sends the page, with malicious code inserted, to the requesting host. Any other host in the LAN can use this attack method.

② ARP spoofing against the server. A host in the server's local area network is infected with a virus, and malicious code is inserted into the web pages while the server is transmitting them to the user.

③ The server itself is attacked. The server is hacked or infected with a virus, and the page files on its hard disk are modified to include malicious code.



3.2 MAC flooding
MAC flooding is a more dangerous attack: it can overflow the switch's ARP table so that the entire network cannot communicate normally. Flooding is a way of rapidly spreading update information among network-connected devices (such as switches) to every node of a large network. A switch also holds an ARP cache table. Like the ARP cache table of a host, it records the mapping between the MAC addresses and IP addresses of network devices. But the size of the switch's ARP cache table is fixed, which creates another ARP spoofing risk: the switch actively learns the MAC addresses of clients and builds and maintains the ARP cache table, so when someone uses a spoofing attack to keep producing large numbers of forged MAC addresses, the table fills quickly. The update information is flooded to all interfaces and on to the neighboring switches, whose ARP tables overflow in turn; the switches become overloaded, and the network slows down, loses packets and may even be paralyzed. In serious cases the entire network cannot communicate normally.
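
One way to spot the condition described above before the table fills, as an added example that is not part of the original article: count how many previously unseen source MAC addresses each switch port learns within a sliding time window. The port names, the 10-second window, the threshold of 50 and the sample observations are constructed assumptions; the table in question is the switch's learned-address table, which the text calls its ARP cache table.

```python
from collections import defaultdict, deque

def flooding_ports(observations, window=10.0, max_new_macs=50):
    """Return {port: peak count} for ports that learned more than max_new_macs
    previously unseen source MACs within any `window` seconds.

    observations: iterable of (timestamp_seconds, port, source_mac), time-ordered.
    """
    seen = defaultdict(set)        # port -> MACs already learned on it
    recent = defaultdict(deque)    # port -> timestamps of recent first sightings
    flagged = {}
    for ts, port, src in observations:
        src = src.lower()
        if src in seen[port]:
            continue               # known station, no new table entry
        seen[port].add(src)
        q = recent[port]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # forget first sightings older than the window
        if len(q) > max_new_macs:
            flagged[port] = max(flagged.get(port, 0), len(q))
    return flagged

def sample_observations():
    """Constructed data: three ordinary hosts, plus one port that shows
    200 new source MACs within two seconds."""
    obs = [(0.0, "Gi0/1", "00:11:22:33:44:01"),
           (0.5, "Gi0/2", "00:11:22:33:44:02"),
           (1.0, "Gi0/3", "00:11:22:33:44:03")]
    obs += [(2.0 + i * 0.01, "Gi0/7", "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF))
            for i in range(200)]
    obs.append((5.0, "Gi0/1", "00:11:22:33:44:01"))   # repeat of a known host
    return sorted(obs)

if __name__ == "__main__":
    print(flooding_ports(sample_observations()))
```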


3.3 ARP-based DoS attacks
The aim of a DoS attack is to deny the users of the attacked host access to a service and to disrupt the normal operation of the system, eventually causing the user's Internet connection and part of the network system to fail. The basic principle is: the attacker uses an ARP spoofing tool to keep sending a large number of connection requests to the attacked host. Because the ARP cache of the attacked host has been deceived, the host cannot find the other side, and since its processing capacity is limited, it can no longer serve normal users, so a denial of service occurs. In this process the attacker can use ARP spoofing to hide, so that the attacker's IP address does not appear in the logs of the attacked host. The attacked host cannot find the attacker's real IP address from the addresses in its logs.


4 Precautions
ARP virus attacks occur frequently in IDC machine rooms. This section introduces several ways of preventing ARP attacks.


4.1 Common solutions
(1) Bind MAC addresses to IP addresses
This eliminates the theft of IP addresses. If hosts reach the Internet through a proxy server, have the network administrator on the proxy server bind each static IP address that is allowed online to the recorded network card address of the computer, for example: arp -s 192.16.10.4 00-E0-4C-6C-08-75. This binds the static IP address 192.16.10.4 to the computer whose NIC address is 00-E0-4C-6C-08-75, so that even if someone else steals the IP address, they cannot reach the Internet through the proxy server. If hosts are connected through a switch, the computer's IP address, the network card's MAC address and the switch port can be bound together.


(2) Change the MAC address to deceive the ARP spoofer
ARP spoofing works by faking a MAC address, so the safest method is to change the machine's MAC address: as long as the MAC address is changed to a different one, the ARP spoofing is itself deceived, which breaks the blockade.


(3) Configure the switch ports
① Port protection (similar to port isolation): ARP spoofing requires two ports of the switch to communicate directly. Setting ports as protected ports isolates the traffic between users simply and conveniently, without consuming VLAN resources. Two protected ports on the same switch cannot communicate with each other directly; their traffic has to be forwarded.
② Data filtering: if packets need further control, ACLs (Access Control Lists) can be used. An ACL uses IP addresses and TCP/UDP ports to filter the packets entering and leaving the switch, and decides according to preset conditions whether a packet is forwarded or blocked. Both Huawei and Cisco switches support IP ACLs and MAC ACLs, and each kind of ACL supports a standard and an extended format. Standard ACLs filter by source address and upper-layer protocol type; extended ACLs filter by source address, destination address and upper-layer protocol type, and check for frames with a disguised MAC address.


(4) Disable ARP resolution on the network interface
On the relevant systems, a network interface can be prohibited from doing ARP resolution to counter ARP spoofing attacks, and static ARP entries can be set instead (because the other side does not respond to ARP requests), for example: arp -s XXX.XXX.XX.X 08-00-20-a8-2e-ac. On many operating systems, such as Unix and NT, "disable ARP resolution on the corresponding network interface" can be combined with "use static ARP" to counter ARP spoofing attacks.

(5) Check the ARP cache regularly
Administrators regularly obtain a RARP request from the IP packet of a response and then check the authenticity of the ARP response. They also poll periodically and check the ARP cache on the hosts.


4.2 Recommended method
Given the common forms of ARP spoofing attack in IDC machine rooms and the characteristics of the rooms themselves, the recommended approach is bidirectional static IP-MAC binding between the gateway and the hosts of the IDC network. This is a comparatively comprehensive and lasting solution.

In bidirectional static binding, the gateway's IP address-MAC address mapping and the IP address-MAC address mappings of the hosts in its network are each bound statically in the ARP caches, and the correct IP addresses and MAC addresses are recorded.

The specific method is to create an /etc/ethers file containing the correct IP/MAC mappings in the following format:
192.168.2.32 08:00:4E:B0:24:47
Then add arp -f as the last line of /etc/rc.d/rc.local so that the bindings take effect.

With bidirectional static binding, hosts are no longer disturbed by information from others: they transmit strictly according to the bound addresses, which rules out interference from erroneous instructions and lets them do their work effectively. This greatly reduces the cases in which users cannot reach hosted servers, or connections drop, during an attack. Although this solution brings a certain amount of work for the IDC center, its effect is clearly better than that of the other methods, and it resists ARP spoofing attacks effectively.
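
A check that the bindings are actually in force, combining the periodic cache check of 4.1 (5) with the /etc/ethers file above (an added example, not part of the original article): it compares the binding file with the Linux ARP cache as exposed in /proc/net/arp and reports entries that are missing, point to a different MAC, or are still dynamic. Apart from the 192.168.2.32 line, the addresses and the cache content are constructed assumptions.

```python
ATF_PERM = 0x4   # Linux ARP flag: permanent (static) entry; 0x2 is "complete"
# Constructed inputs: a binding file in the "IP MAC" layout shown above (only
# the 192.168.2.32 line is from the text) and sample /proc/net/arp content.
ETHERS = """\
192.168.2.1   00:0C:29:AA:BB:01   # gateway (assumed address)
192.168.2.32  08:00:4E:B0:24:47
192.168.2.33  08:00:4E:B0:24:48
192.168.2.34  08:00:4E:B0:24:49
"""
PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.2.1      0x1         0x6         00:0c:29:aa:bb:01     *        eth0
192.168.2.32     0x1         0x2         08:00:4e:b0:24:47     *        eth0
192.168.2.33     0x1         0x2         cc:cc:cc:cc:cc:cc     *        eth0
"""

def parse_bindings(text):
    """Return {ip: mac} from 'IP MAC' lines; '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            out[fields[0]] = fields[1].lower().replace("-", ":")
    return out

def parse_proc_net_arp(text):
    """Return {ip: (mac, flags)} from Linux /proc/net/arp text."""
    cache = {}
    for line in text.splitlines()[1:]:           # first line is the header
        f = line.split()
        if len(f) >= 6:
            cache[f[0]] = (f[3].lower(), int(f[2], 16))
    return cache

def audit(bindings, cache):
    """List (ip, status, observed_mac) for every binding that is not enforced."""
    findings = []
    for ip, want in sorted(bindings.items()):
        mac, flags = cache.get(ip, (None, 0))
        if mac is None:
            findings.append((ip, "missing", None))
        elif mac != want:
            findings.append((ip, "mismatch", mac))
        elif not flags & ATF_PERM:
            findings.append((ip, "dynamic", mac))
    return findings

if __name__ == "__main__":
    print(audit(parse_bindings(ETHERS), parse_proc_net_arp(PROC_NET_ARP)))
```

On a real host the two strings would be replaced by the contents of /etc/ethers and /proc/net/arp; a "dynamic" result means the address is correct at the moment but can still be overwritten by a forged response.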


5 Conclusion
ARP attacks are a problem that has long plagued IDC centers, but the problem is not insurmountable: by establishing sound preventive mechanisms, ARP spoofing attacks can be resisted to the greatest possible extent. As networking products and technologies are constantly updated and the network construction of IDC centers continues to improve, there will be better solutions to the ARP spoofing problem to ensure the safe and reliable operation of IDC centers.
