
Principle of ARP virus attacks

Abstract: Recently, ARP viruses have frequently attacked the school LAN, causing inconvenience to campus users. Starting from the ARP protocol, this paper analyzes in depth the security vulnerabilities of ARP and the principle of the virus attacks, studies the principle of ARP spoofing to clarify the process the virus follows, and proposes solutions for users.

Keywords: network protocol, IP address, ARP virus

1. Introduction

Since the first half of the year, "ARP spoofing" Trojan horses and viruses have broken out on the school's local area network. The symptom is that a computer's network connection appears to be working, but web pages cannot be opened successfully, which has greatly affected normal use by LAN users.


2. How the ARP protocol works

Data on an Ethernet LAN is transmitted in Ethernet frames, and Ethernet frames are addressed by MAC address. Knowing only a host's IP address does not allow the kernel to send data to that host; the kernel must also know the MAC address of the destination host. The role of the ARP protocol is to translate a 32-bit IP address into a 48-bit Ethernet address.

Packet transmission on an Ethernet LAN relies on MAC addresses, and the correspondence between IP addresses and MAC addresses is held in the ARP cache table. Every host (including the gateway) has an ARP cache table. Under normal circumstances this table ensures that data is delivered one-to-one to the correct host. In a command-line window, enter the command arp -a to view the table and arp -d to clear it.

When a source host needs to send a packet to a destination host, it first checks whether its ARP table contains a MAC address for the destination IP address. If it does, the host sends the packet directly to that MAC address. If it does not, the host broadcasts an ARP request on the local network segment asking for the MAC address that corresponds to the destination IP.

Every host on the network receives the ARP request and checks whether the destination IP in the packet is the same as its own IP address. If it is not, the host does not respond. If it is, the host first adds the sender's MAC address and IP address to its own ARP table, overwriting any entry that already exists for that IP, and then sends an ARP response packet to the source host to tell it that this is the MAC address it is looking for.

When the source host receives the ARP response packet, it adds the destination host's IP address and MAC address to its ARP table and uses this information to start transferring data. If the source host never receives an ARP response packet, the ARP query has failed.


3. Principle and process of ARP spoofing by the virus

The purpose of ARP spoofing is to monitor all data in a switched network environment; most Trojan horses and viruses that use ARP spoofing do so to achieve this goal.

Suppose a local area network consists of only three computers connected by a switch. One computer, named A, represents the attacker. One computer, named S, represents the source host, the computer that sends data. One computer, named D, represents the destination host, the computer that receives data. The IP addresses of the three computers are 192.168.0.2, 192.168.0.3 and 192.168.0.4 respectively, and their MAC addresses are MAC-A, MAC-S and MAC-D.

Now S wants to send data to D. S first checks its own ARP cache table for the MAC address of 192.168.0.4. If an entry exists, S encapsulates the packet with MAC-D and sends it directly. If not, S broadcasts an ARP packet to the whole network saying: my IP is 192.168.0.3 and my hardware address is MAC-S; the host with IP address 192.168.0.4 is asked to return its hardware address. When D receives the broadcast and verifies that the IP address is its own, it returns its IP address and MAC-D to S. S can now send its packets addressed to MAC-D, and it dynamically updates its own ARP cache table by adding the record 192.168.0.4 - MAC-D, so that the next time S sends data to D it does not need to broadcast an ARP query again. This is the normal packet process.

However, this transmission mechanism has a fatal flaw: it is built on trust in every computer on the LAN. It assumes that whichever computer in the LAN sends an ARP packet, the packet is correct. In the exchange above, when S queries the whole network, D responds with its correct MAC address. But if at that moment A also returns a response containing D's IP address and A's own hardware address, and A keeps sending this response packet, S will again dynamically update its ARP cache table, this time recording that 192.168.0.4 corresponds to MAC-A. This step is called ARP cache poisoning. From then on, all data that S sends to D is delivered to host A. In other words, A has hijacked the data sent from S to D. This is the process of ARP spoofing.

If A does not pretend to be D but poses as the gateway, the consequences are more severe. A LAN computer that connects to an outside network must have its traffic forwarded by the LAN gateway; suppose the gateway's IP address is 192.168.0.1. If A continuously broadcasts spoofed ARP packets to the whole network stating that IP address 192.168.0.1 has hardware address MAC-A, the other computers on the LAN will update their ARP cache tables and treat A as the gateway. When they send data to the gateway, it is delivered to MAC-A instead, so A can monitor all the packets that the LAN sends to the Internet.
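The normal exchange and the poisoning step described in this section can be observed passively on the wire. The following is an added example, not part of the original paper: a small monitor that parses raw ARP payloads and flags replies that answer no request or that contradict an IP-to-MAC binding it has already learned. The MAC values, the `ArpMonitor` class and the helper names are constructed for illustration.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet/IPv4 (RFC 826)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an ARP payload; used here only to construct sample traffic."""
    return struct.pack(FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sender_mac.replace(":", "")), socket.inet_aton(sender_ip),
                       bytes.fromhex(target_mac.replace(":", "")), socket.inet_aton(target_ip))

def parse_arp(payload):
    """Return (op, sender_mac, sender_ip, target_ip) from a raw ARP payload."""
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    """Passive watcher: learns IP-to-MAC bindings and flags conflicting claims."""
    def __init__(self):
        self.bindings = {}    # ip -> first MAC seen claiming it
        self.pending = set()  # (requester_ip, requested_ip) awaiting a reply
    def observe(self, payload):
        op, mac, ip, target_ip = parse_arp(payload)
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((ip, target_ip))
        elif (target_ip, ip) in self.pending:
            self.pending.discard((target_ip, ip))   # reply answers a request
        else:
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        known = self.bindings.setdefault(ip, mac)   # keep the first binding
        if known != mac:
            alerts.append(f"binding conflict: {ip} was {known}, now claimed by {mac}")
        return alerts

# Constructed sample traffic using the paper's hosts A, S and D.
MAC_A, MAC_S, MAC_D = "02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:04"

def demo():
    monitor = ArpMonitor()
    return [monitor.observe(p) for p in (
        build_arp(ARP_REQUEST, MAC_S, "192.168.0.3", "00:00:00:00:00:00", "192.168.0.4"),
        build_arp(ARP_REPLY, MAC_D, "192.168.0.4", MAC_S, "192.168.0.3"),  # genuine
        build_arp(ARP_REPLY, MAC_A, "192.168.0.4", MAC_S, "192.168.0.3"),  # forged by A
    )]
```

Calling `demo()` returns one alert list per packet: empty for S's request and D's genuine reply, two alerts for A's forged reply. The same conflict check fires if the contested address is the gateway's 192.168.0.1.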


4. Conclusion

ARP spoofing is one of the attacks that gives network administrators, and school network administrators in particular, the biggest headache. The attack requires little technical skill; anyone can carry it out easily with ARP spoofing software. At the same time, there is no particularly effective method of preventing ARP spoofing, and at present the situation can only be remedied through passive measures. In both attack and defense, the first task is to find the "crux" of each attack; only then can effective solutions be found. Of course, the most fundamental approach is prevention on the client itself, such as downloading and installing system patches promptly, keeping anti-virus software up to date, and installing software designed to detect and block ARP attacks.

