The solution of ARP attack defense in local area network
Catalog.
1. Preface 2. What are ARP and RARP?
3. What is ARP spoofing attack?
4. What is the purpose of ARP spoofing? What are the characteristics of its attack?
5. Classification and techniques of ARP attacks; why is it difficult for IPS to identify and defend against ARP attacks?
6. The defense of ARP attacks needs to rely on security switches – Introducing NBADswitch and NBADsensor
7. Conclusion
Appendix
additional materials
I. Introduction
There are many crises hidden in the vast Internet 路 World 裡, but due to the advancement of security equipment technology, most external attacks are effectively blocked. However, due to the changes in IT usage habits and invasion and viruses The communication technology is changing with each passing day, and in recent years, information and network security threats have begun to come from within the enterprise infrastrunture. The 2007 San Francisco RSA conference demonstrated this point, and the consensus reached during the conference stated that "simple single-point defense, or building a solid information defense wall, has gradually failed to meet the information security needs of enterprises (organizations). Instead, in the future, enterprises (organizations) will increasingly need a coordinated defense mechanism for the entire internal network and systems. "This chapter explains from a technical perspective the information security problems caused by ARP spoofing attacks on internal users of the enterprise (organizations). Why ARP spoofing attacks It is one of the favorite attack tools for viruses to attack the network at this stage, and one of the most favorite intrusion tools used by hackers at this stage. With this understanding, network managers will be able to deploy or integrate appropriate network and information security equipment more effectively. Detected the source of network and information threats.
2. What are ARP and RARP?
Address Resolution Protocol (ARP for short) is an address translation protocol. RARP is called a reverse address translation protocol. They are responsible for translating IP addresses and MAC addresses to each other. ARP is mainly designed to obtain the second layer address (MAC address) from the OSI model third layer address (IP address), this is because IP data packets are often transmitted through Ethernet, and the Ethernet device itself does not recognize the third The 32-bit IP address of the layer, but the Ethernet data packet of the 48-bit Ethernet address (MAC address) of the second layer is transmitted. Therefore, the IP destination address must be converted to the Ethernet destination address. There is a static image between these two addresses, which is what the ARP table does.
ARP packets will only be transmitted in the same subnet ﹷ (subnet), and it is rarely transmitted to the same network ﹷ through the router. The host's operating system will perform a calculation based on the IP address of the packet destination and the value of the subnet mask of the machine (subnet mask) to determine whether the IP of the packet destination belongs to the same subnet as the machine, if the source IP address and destination of the packet If the IP address does not belong to the same subnet, the packet must necessarily be sent to the router, and ARP can allow the machine to obtain the MAC address of the router's Ethernet device network card, and the packet can be sent to the router through the local Ethernet device network card. ARP and RARP are very important and frequently used protocols. Before any TCP / IP 連 line is established, 都 must obtain the physical network of the destination host via the Address Resolution Protocol (MAC). In a local area network (Local area network), two computers must communicate with each other. First, they must know the MAC address of each other's network card before sending the packet to each other; for example: If a certain computer (ip1 / mac1) gets another computer (ip2 / mac2) Wrong MAC address (ip2 / mac3), then this computer (ip1 / mac1) will not be able to send packets to the Ip2 computer.
3. What is ARP spoofing?
The basic principle of the ARP Spoofing (ARP spoofing) attack is because an ARP cache is maintained in the Windows computer (so that you can use the arp command to view your own ARP cache), and this ARP cache is continuously issued with the computer The ARP request and the ARP response are constantly updated. The purpose of the ARP cache is to map the machine's IP address and MAC address to each other, so that the IP packet can find the destination MAC address smoothly and correctly in the Ethernet, and then it is correct. Transmission. If you can disturb or tamper with the normal ARP table in a computer or router by issuing a standard ARP request or ARP response, causing the data packet sent by that computer (or router) to misrepresent the destination, or make the OSI second Layer 3 Ethernet and Layer 3 cannot be connected, which in turn paralyzes the network. We call you using ARP spoofing attacks.
An example: There are now three machines: Machine A: IP1 / MAC1, Machine B: IP2 / MAC2, and Machine C: IP3 / MAC3. Now the user on machine B is a hacker trying to interfere with machine A or monitor the communication between SNIFFER machine A and C. First, he sends an ARP Reply to machine A, where the destination IP address is IP1 and the destination MAC address It is MAC1, and the source IP address is IP3, and the source MAC address is MAC2. Okay, now machine A has updated his ARP cache and believes that the MAC address of the machine with IP3 address is MAC2. When the administrator on machine A issued an FTP command --- ftp IP3, the data packet was sent to the Switch, the Switch looked at the destination address in the data packet, and found that the MAC was MAC2, so he sent the data packet to machine B , And successfully attacked machine A. What if you do n’t want to affect the communication between A and C now? Only sniffer monitors the communication between the two, you can deceive both of them at the same time, use man-in-middle attack, you can achieve the effect.
In short, before sending the data packet, the machine will send out a MAC Ethernet broadcast packet about querying the destination IP address. Normally, only the host corresponding to the destination IP will respond with a 48-bit MAC host address unicast packet, and update the ARP cache in the machine corresponding to the IP and MAC address to save unnecessary ARP communication. If there is a poisoned computer or a hacker who is legally authorized to carry out illegal activities on the network, they have write access to the local network. It is very likely that such a machine will issue false ARP requests or respond to communications, deceiving other computers or routers. Turn all communications to itself, and then it can act as a certain machine or modify the data flow. This causes arp spoofing attacks and affects normal host communication.
4. What is the purpose of ARP spoofing? What are the characteristics of its attack?
Whether it is a poisoned attack without a specific target or a hacker conducts illegal interception and stealing activities with a specific target, ARP spoofing is one of the main attacks and the purpose. In fact, many well-known hackers use ARP spoofing as a tool. The most famous hacking methods such as Man-in-the-Middle attack and Session Hijacking are the use of ARP spoofing and other attack methods to achieve the security of deceiving the host, anti-tracking or avoiding switch access and secure access Mechanism of protection. Session hijacking uses ARP spoofing to snatch the user's normal online connection; man-in-the-middle attacks use ARP to deceive both the client (Client) and the server (Server) at the same time so that all conversations on both sides must pass through the intruder's narration, To achieve the purpose of deception, side recording, and tampering with data.
In addition, poisoned computers send ARP spoofing packets, or there are some software on the market such as NetCut (NetCut), which uses ARP spoofing packets to make ARP spoofing packets. It is for the purpose of an attack to paralyze and marry a specific or unspecified target. Harm to others. The original ç† of NetCut is responsible for forging ARP packets and providing fake physical network ï½· address (MAC) information to the target host. After the communication gateway (Gateway) receives it, it will send the wrong physical network è·¯ address (MAC) Noted in the ARP table, the return packet from the server (Client) cannot be delivered, and the Internet cannot be accessed to achieve the purpose of the attack.
The biggest feature of ARP spoofing is that it is secretly difficult to detect. Unlike the previous hacking or poisoning attack methods-DsS attack or flooding attack, the network harm caused by DoS or flood attack is obvious, but it is easy to be detected; Spoofing is for the purpose of spoofing, and in order to maintain the continued spoofing effect, ARP spoofing packets must be continuously sent. These ARP spoofing packets are short in length but may be quite large. Therefore, the network harm caused is not only possible data recording and theft. It can also be an attack on a specific target of the network, and even a large number of ARP broadcast packets can cause the whole or part of the network to be paralyzed.
Fives
Catalog.
1. Preface 2. What are ARP and RARP?
3. What is ARP spoofing attack?
4. What is the purpose of ARP spoofing? What are the characteristics of its attack?
5. Classification and techniques of ARP attacks; why is it difficult for IPS to identify and defend against ARP attacks?
6. The defense of ARP attacks needs to rely on security switches – Introducing NBADswitch and NBADsensor
7. Conclusion
Appendix
additional materials
I. Introduction
There are many crises hidden in the vast Internet 路 World 裡, but due to the advancement of security equipment technology, most external attacks are effectively blocked. However, due to the changes in IT usage habits and invasion and viruses The communication technology is changing with each passing day, and in recent years, information and network security threats have begun to come from within the enterprise infrastrunture. The 2007 San Francisco RSA conference demonstrated this point, and the consensus reached during the conference stated that "simple single-point defense, or building a solid information defense wall, has gradually failed to meet the information security needs of enterprises (organizations). Instead, in the future, enterprises (organizations) will increasingly need a coordinated defense mechanism for the entire internal network and systems. "This chapter explains from a technical perspective the information security problems caused by ARP spoofing attacks on internal users of the enterprise (organizations). Why ARP spoofing attacks It is one of the favorite attack tools for viruses to attack the network at this stage, and one of the most favorite intrusion tools used by hackers at this stage. With this understanding, network managers will be able to deploy or integrate appropriate network and information security equipment more effectively. Detected the source of network and information threats.
2. What are ARP and RARP?
Address Resolution Protocol (ARP for short) is an address translation protocol. RARP is called a reverse address translation protocol. They are responsible for translating IP addresses and MAC addresses to each other. ARP is mainly designed to obtain the second layer address (MAC address) from the OSI model third layer address (IP address), this is because IP data packets are often transmitted through Ethernet, and the Ethernet device itself does not recognize the third The 32-bit IP address of the layer, but the Ethernet data packet of the 48-bit Ethernet address (MAC address) of the second layer is transmitted. Therefore, the IP destination address must be converted to the Ethernet destination address. There is a static image between these two addresses, which is what the ARP table does.
ARP packets will only be transmitted in the same subnet ﹷ (subnet), and it is rarely transmitted to the same network ﹷ through the router. The host's operating system will perform a calculation based on the IP address of the packet destination and the value of the subnet mask of the machine (subnet mask) to determine whether the IP of the packet destination belongs to the same subnet as the machine, if the source IP address and destination of the packet If the IP address does not belong to the same subnet, the packet must necessarily be sent to the router, and ARP can allow the machine to obtain the MAC address of the router's Ethernet device network card, and the packet can be sent to the router through the local Ethernet device network card. ARP and RARP are very important and frequently used protocols. Before any TCP / IP 連 line is established, 都 must obtain the physical network of the destination host via the Address Resolution Protocol (MAC). In a local area network (Local area network), two computers must communicate with each other. First, they must know the MAC address of each other's network card before sending the packet to each other; for example: If a certain computer (ip1 / mac1) gets another computer (ip2 / mac2) Wrong MAC address (ip2 / mac3), then this computer (ip1 / mac1) will not be able to send packets to the Ip2 computer.
3. What is ARP spoofing?
The basic principle of the ARP Spoofing (ARP spoofing) attack is because an ARP cache is maintained in the Windows computer (so that you can use the arp command to view your own ARP cache), and this ARP cache is continuously issued with the computer The ARP request and the ARP response are constantly updated. The purpose of the ARP cache is to map the machine's IP address and MAC address to each other, so that the IP packet can find the destination MAC address smoothly and correctly in the Ethernet, and then it is correct. Transmission. If you can disturb or tamper with the normal ARP table in a computer or router by issuing a standard ARP request or ARP response, causing the data packet sent by that computer (or router) to misrepresent the destination, or make the OSI second Layer 3 Ethernet and Layer 3 cannot be connected, which in turn paralyzes the network. We call you using ARP spoofing attacks.
An example: There are now three machines: Machine A: IP1 / MAC1, Machine B: IP2 / MAC2, and Machine C: IP3 / MAC3. Now the user on machine B is a hacker trying to interfere with machine A or monitor the communication between SNIFFER machine A and C. First, he sends an ARP Reply to machine A, where the destination IP address is IP1 and the destination MAC address It is MAC1, and the source IP address is IP3, and the source MAC address is MAC2. Okay, now machine A has updated his ARP cache and believes that the MAC address of the machine with IP3 address is MAC2. When the administrator on machine A issued an FTP command --- ftp IP3, the data packet was sent to the Switch, the Switch looked at the destination address in the data packet, and found that the MAC was MAC2, so he sent the data packet to machine B , And successfully attacked machine A. What if you do n’t want to affect the communication between A and C now? Only sniffer monitors the communication between the two, you can deceive both of them at the same time, use man-in-middle attack, you can achieve the effect.
In short, before sending the data packet, the machine will send out a MAC Ethernet broadcast packet about querying the destination IP address. Normally, only the host corresponding to the destination IP will respond with a 48-bit MAC host address unicast packet, and update the ARP cache in the machine corresponding to the IP and MAC address to save unnecessary ARP communication. If there is a poisoned computer or a hacker who is legally authorized to carry out illegal activities on the network, they have write access to the local network. It is very likely that such a machine will issue false ARP requests or respond to communications, deceiving other computers or routers. Turn all communications to itself, and then it can act as a certain machine or modify the data flow. This causes arp spoofing attacks and affects normal host communication.
4. What is the purpose of ARP spoofing? What are the characteristics of its attack?
Whether it is a poisoned attack without a specific target or a hacker conducts illegal interception and stealing activities with a specific target, ARP spoofing is one of the main attacks and the purpose. In fact, many well-known hackers use ARP spoofing as a tool. The most famous hacking methods such as Man-in-the-Middle attack and Session Hijacking are the use of ARP spoofing and other attack methods to achieve the security of deceiving the host, anti-tracking or avoiding switch access and secure access Mechanism of protection. Session hijacking uses ARP spoofing to snatch the user's normal online connection; man-in-the-middle attacks use ARP to deceive both the client (Client) and the server (Server) at the same time so that all conversations on both sides must pass through the intruder's narration, To achieve the purpose of deception, side recording, and tampering with data.
In addition, poisoned computers send ARP spoofing packets, or there are some software on the market such as NetCut (NetCut), which uses ARP spoofing packets to make ARP spoofing packets. It is for the purpose of an attack to paralyze and marry a specific or unspecified target. Harm to others. The original ç† of NetCut is responsible for forging ARP packets and providing fake physical network ï½· address (MAC) information to the target host. After the communication gateway (Gateway) receives it, it will send the wrong physical network è·¯ address (MAC) Noted in the ARP table, the return packet from the server (Client) cannot be delivered, and the Internet cannot be accessed to achieve the purpose of the attack.
The biggest feature of ARP spoofing is that it is secretly difficult to detect. Unlike the previous hacking or poisoning attack methods-DsS attack or flooding attack, the network harm caused by DoS or flood attack is obvious, but it is easy to be detected; Spoofing is for the purpose of spoofing, and in order to maintain the continued spoofing effect, ARP spoofing packets must be continuously sent. These ARP spoofing packets are short in length but may be quite large. Therefore, the network harm caused is not only possible data recording and theft. It can also be an attack on a specific target of the network, and even a large number of ARP broadcast packets can cause the whole or part of the network to be paralyzed.
Fives
Food Delivery Bag,Food Delivery Backpack,Delivery Backpack,Thermal Bag For Food Delivery
Ningbo Fineweather International Trade Co., Ltd. , https://www.finewbag.com