Recently I have often seen questions about ARP viruses on forums, so I searched Google for the keyword ARP, and many discussions of such problems came up. Hehe, I have a strong thirst for knowledge, so I wanted to learn more about ARP. I have therefore summarized the common ARP problems found in networks today.
1. ARP Concept
Before we talk about ARP, we still need to understand the concept and working principle of ARP. Understanding the principle will help us better face and analyze problems.
1.1 ARP Concept Knowledge
ARP stands for Address Resolution Protocol (地址解析协议 in Chinese). It operates at the data link layer, interfacing with the hardware at that layer while providing a service to the layers above it.
IP packets are often sent through Ethernet. Ethernet devices do not recognize 32-bit IP addresses; they transmit Ethernet packets using 48-bit Ethernet addresses. Therefore, it is necessary to convert the IP destination address into an Ethernet destination address. In Ethernet, if one host wants to communicate directly with another host, it must know the MAC address of the target host. But how does this target MAC address get obtained? It is obtained through the Address Resolution Protocol. The ARP protocol is used to resolve IP addresses in the network into hardware addresses (MAC addresses) to ensure smooth communication.
1.2 ARP Working Principle
First, each host keeps an ARP table in its ARP cache that records the correspondence between IP addresses and MAC addresses. When a source host needs to send a packet to a destination host, it first checks whether its ARP table holds a MAC address for the destination IP. If it does, the packet is sent directly to that MAC address; if not, the host broadcasts an ARP request within the local network segment to ask for the MAC address of the destination host. This ARP request carries the source host's IP address and hardware address and the destination host's IP address. Every host on the segment receives the request and compares the destination IP in it with its own IP address. If it does not match, the host ignores the packet; if it matches, the host first adds the sender's MAC and IP addresses to its own ARP table (an existing entry for that IP is overwritten) and then sends a unicast ARP reply to the source host, telling it that this is the MAC address it is looking for. When the source host receives the ARP reply, it adds the destination host's IP and MAC addresses to its own ARP table and starts transmitting data using that information. If the source host never receives an ARP reply, the ARP query has failed.
For example:
A's address: IP: 192.168.10.1 MAC: AA-AA-AA-AA-AA-AA
B's address: IP: 192.168.10.2 MAC: BB-BB-BB-BB-BB-BB
Following the principle above, here is the process in brief: A wants to communicate with B, so A needs B's Ethernet address. A therefore broadcasts an ARP request (Who is 192.168.10.2? Please tell 192.168.10.1). When B receives the broadcast, it checks the target address, finds that it matches, and sends a unicast ARP reply (192.168.10.2 is at BB-BB-BB-BB-BB-BB).
1.3 ARP Communication Pattern
Communication pattern (pattern analysis): in network analysis, examining communication patterns is very important. Different protocols and different applications have different communication patterns, and sometimes the same protocol shows different patterns in different enterprise deployments. Under normal circumstances, ARP's communication pattern should be Request -> Response -> Request -> Response, that is, one question, one answer.
2. Common ARP Attack Types
Personally, I believe that common ARP attacks fall into two types: ARP scanning and ARP spoofing.
2.1 ARP Scanning (ARP Request Storm)
Communication pattern (possible):
Request -> Request -> Request -> Request -> Request -> Request -> Response -> Request -> Request -> Request...
Description:
There is a large number of ARP request broadcasts in the network, nearly all of them probing every host in the subnet. A large number of ARP request broadcasts can consume network bandwidth, and ARP scanning is usually the prelude to an ARP attack.
Possible causes:
* Virus programs, eavesdropping programs, scanning programs.
* If the network analysis software is deployed correctly, the cause may be that only some ports on the switch were mirrored, so the many ARP requests come from hosts connected to the non-mirrored ports.
* If the deployment is incorrect, these ARP request broadcasts come from other hosts connected to the switch.
2.2 ARP Spoofing
The ARP protocol does not require that an ARP reply be preceded by an ARP request. When a computer receives an ARP reply, it updates its local ARP cache, storing the IP and MAC addresses from the reply. Therefore, if someone in the network sends a forged ARP reply, problems can arise. This is probably something the protocol's designers did not consider at first!
2.2.1 Spoofing Principle
Assume a network environment where there are three hosts in the network: Hosts A, B, and C. Detailed information about the hosts is as follows:
A's address: IP: 192.168.10.1 MAC: AA-AA-AA-AA-AA-AA
B's address: IP: 192.168.10.2 MAC: BB-BB-BB-BB-BB-BB
C's address: IP: 192.168.10.3 MAC: CC-CC-CC-CC-CC-CC
Under normal circumstances A and C communicate with each other, but now B sends a forged ARP reply to A. In this reply the sender's IP address is 192.168.10.3 (C's IP address) and the MAC address is BB-BB-BB-BB-BB-BB (C's MAC address should be CC-CC-CC-CC-CC-CC, but here it is forged). When A receives B's forged reply, it updates its local ARP cache (A is deceived), and from this point B is impersonating C. At the same time, B also sends an ARP reply to C in which the sender's IP address is 192.168.10.1 (A's IP address) and the MAC address is BB-BB-BB-BB-BB-BB (A's MAC address should be AA-AA-AA-AA-AA-AA). When C receives B's forged reply, it also updates its local ARP cache (C is deceived too), and B is now impersonating A. Thus both A and C have been deceived by B, and all traffic between A and C passes through B. Host B can see everything they say to each other :). This is the typical ARP spoofing process.
Note: Generally speaking, one party in ARP spoofing should be the gateway.
2.2.2 Two Scenarios
There are two scenarios in ARP spoofing: one is to deceive the host as a "man-in-the-middle", where the data of the deceived host passes through it once for forwarding, allowing the deceiving host to steal the communication data between the hosts it has deceived; the other makes the deceived host directly lose internet access.
First Scenario: Data Theft (Sniffing)
Communication Pattern:
Response -> Response -> Response -> Response -> Response -> Request -> Response -> Response -> Request -> Response...
Description:
This situation belongs to the typical ARP spoofing we mentioned earlier. The deceiving host sends a large number of forged ARP response packets to the deceived host to carry out deception. After the communicating parties are successfully deceived, it assumes the role of a "man-in-the-middle". At this point, the deceived hosts can still communicate normally, except that they are "eavesdropped" during the communication process.
Possible Causes:
* Trojan virus
* Sniffing
* Human deception
Second Scenario: Causing Disconnection
Communication Pattern:
Response -> Response -> Response -> Response -> Response -> Response -> Request...
Description:
In this case the deceiver only deceives one party during ARP spoofing: for example, B deceives A but does not deceive C at the same time. A is then in fact talking to B, so A cannot communicate with C. Another possibility is that the deceiver forges a non-existent address for the deception.
Spoofing with forged addresses is relatively hard to troubleshoot. Here it is best to use a TAP device (hehe, this thing seems a bit expensive) and capture and analyze each direction of the data stream separately!
Possible Causes:
* Trojan virus
* Human sabotage
* Control functions of some network management software
3. Common Defense Methods
Searching online, the most common methods for defending against ARP attacks are binding IP and MAC addresses and using ARP defense software. Routers with ARP protection functionality have also emerged. Let's take a look at these three methods.
3.1 Static Binding
The most commonly used method is to statically bind IP and MAC addresses. Within the network, both the host and the gateway perform static binding of IP and MAC addresses.
Spoofing exploits the fact that ARP entries are updated dynamically in real time to deceive machines on the internal network. Setting ARP entries entirely to static prevents the internal PCs from being deceived. At the same time, static IP/MAC binding should also be done on the gateway, so that the binding is bidirectional and more secure.
Method:
Perform static binding of IP and MAC addresses for each host.
The `arp -s` command does this: `arp -s IP MAC`.
For example: `arp -s 192.168.10.1 AA-AA-AA-AA-AA-AA`.
If it is set successfully, running `arp -a` on the PC shows the entry as static:
Internet Address      Physical Address      Type
192.168.10.1          AA-AA-AA-AA-AA-AA     static
Normally, without binding, the entry is dynamic:
Internet Address      Physical Address      Type
192.168.10.1          AA-AA-AA-AA-AA-AA     dynamic
Note: in a network with many hosts, 500, 1000 or more, binding every one statically is a huge amount of work... Static binding also has to be redone every time the computer restarts; you can put the commands in a batch file, but it is still quite troublesome!
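The cache behaviour from 1.2, the forged reply from 2.2.1 and the static binding from 3.1, brought together in an added simulation that is not from the original article or from any tool it mentions: three in-memory hosts with the addresses used above, where A resolves C normally, B then sends a single forged reply, and the MAC that A holds for C is compared with and without a static entry. The Host and ArpEntry classes and run_scenario are constructs of this example.

```python
from dataclasses import dataclass, field

@dataclass
class ArpEntry:
    mac: str
    static: bool = False   # static entries are never overwritten by received packets

@dataclass
class Host:
    ip: str
    mac: str
    cache: dict = field(default_factory=dict)   # IP -> ArpEntry

    def arp_request(self, target_ip):
        # Broadcast "Who is target_ip, please tell self.ip"; carries our own IP/MAC pair.
        return {"op": "request", "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": target_ip}

    def _learn(self, ip, mac):
        entry = self.cache.get(ip)
        if entry is not None and entry.static:
            return False                 # bound statically: the update is refused
        self.cache[ip] = ArpEntry(mac)   # a dynamic entry is created or overwritten
        return True

    def receive(self, pkt):
        if pkt["op"] == "request":
            if pkt["target_ip"] != self.ip:
                return None              # not for us: ignored
            self._learn(pkt["sender_ip"], pkt["sender_mac"])
            return {"op": "reply", "sender_ip": self.ip, "sender_mac": self.mac, "target_ip": pkt["sender_ip"]}
        if pkt["op"] == "reply":
            # The cache is updated from any reply, whether or not we asked for it.
            self._learn(pkt["sender_ip"], pkt["sender_mac"])
        return None

def run_scenario(static_binding):
    """A resolves C normally, then B sends a forged reply; returns the MAC A holds for C."""
    a = Host("192.168.10.1", "AA-AA-AA-AA-AA-AA")
    b = Host("192.168.10.2", "BB-BB-BB-BB-BB-BB")
    c = Host("192.168.10.3", "CC-CC-CC-CC-CC-CC")
    req = a.arp_request(c.ip)                         # the broadcast reaches B and C
    for reply in (h.receive(req) for h in (b, c)):
        if reply is not None:                         # only C answers, by unicast
            a.receive(reply)
    if static_binding:                                # the arp -s binding from 3.1
        a.cache[c.ip] = ArpEntry(c.mac, static=True)
    forged = {"op": "reply", "sender_ip": c.ip, "sender_mac": b.mac, "target_ip": a.ip}
    a.receive(forged)                                 # B claims C's IP with its own MAC
    return a.cache[c.ip].mac
```

With a dynamic entry the forged reply wins and A's traffic for C goes to B; with the static entry the forgery is refused.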
3.2 Use ARP Defense Software
There are currently quite a few ARP defense programs available. The most commonly used ARP tools are the Xinxiang ARP tool, Antiarp, and so on. Besides detecting ARP attacks, their defense principle is to broadcast the correct ARP information at a certain frequency. Let's briefly look at these two small tools.
3.2.1 Xinxiang ARP Tool
I have used this tool, and it has five functions:
A. IP/MAC List
Select the network card. If you have only one network card, no settings are needed. If you have multiple network cards, you need to set the network card connected to the internal network.
IP/MAC Scan. This will scan all machines in the current network for their IP and MAC addresses. Please run this scan when the internal network is operating normally, as this table will serve as a reference for subsequent ARP checks.
All subsequent functions depend on the support of this table. If a prompt appears indicating that it cannot obtain the IP or MAC, it means that the table does not contain the corresponding data.
B. ARP Spoofing Detection
This function continuously detects whether any PC in the internal network is impersonating the IP in the table. You can add the main IPs to the detection table, such as routers, movie servers, and other machines requiring internal network access.
(Supplement) How to understand the "ARP Spoofing Record" table:
"Time": The time when the issue was detected;
"Sender": The IP or MAC sending the spoofing information;
"Repeat": The number of times the spoofing information has been sent;
"ARP info": The specific content of the spoofing information. For example:
Time       Sender          Repeat   ARP info
22:22:22   192.168.1.22    1433     192.168.1.1 is at 00:0e:03:22:02:e8
This information means: At 22:22:22, a spoofing message sent by 192.168.1.22 was detected. It has been sent 1433 times, and the content of the spoofing message is: The MAC address of 192.168.1.1 is 00:0e:03:22:02:e8.
When the detection function is turned on, a prompt appears whenever spoofing targets an IP in the table. Following the prompt, you can trace the root cause of the ARP spoofing in the internal network. Note that any machine can impersonate another when sending IP and MAC information, so even when a prompt says that a certain IP or MAC is sending spoofing information, that attribution is not necessarily 100% accurate. So please do not take drastic action against a host on that basis alone.
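An added example, not the Xinxiang tool's own code, of the two checks described in 2.1 and in this section: every ARP frame's sender pair is compared with a reference IP/MAC table (the kind produced by the IP/MAC scan in A) to build a record table with the Time, Sender, Repeat and ARP info columns above, and distinct request targets are counted per source to flag a request storm. The reference table, the capture and the threshold of 10 targets are constructed for this example.

```python
from collections import defaultdict

# Reference IP/MAC table, as an IP/MAC scan of the healthy LAN would produce (constructed sample).
REFERENCE = {
    "192.168.1.1": "00:0e:03:aa:bb:01",    # gateway
    "192.168.1.22": "00:0e:03:22:02:e8",
    "192.168.1.30": "00:0e:03:30:00:30",
}

def frame(time, op, src_mac, sender_ip, sender_mac, target_ip):
    # src_mac is the Ethernet source of the frame; sender_ip/sender_mac is the pair ARP carries.
    return {"time": time, "op": op, "src_mac": src_mac, "sender_ip": sender_ip,
            "sender_mac": sender_mac, "target_ip": target_ip}

# Constructed capture: one normal exchange, three forged replies claiming the gateway's
# IP from host .22's MAC, and a request storm from an unknown host probing .1 to .12.
SAMPLE = [
    frame("22:22:20", "request", "00:0e:03:30:00:30", "192.168.1.30", "00:0e:03:30:00:30", "192.168.1.1"),
    frame("22:22:20", "reply", "00:0e:03:aa:bb:01", "192.168.1.1", "00:0e:03:aa:bb:01", "192.168.1.30"),
]
SAMPLE += [frame("22:22:22", "reply", "00:0e:03:22:02:e8", "192.168.1.1", "00:0e:03:22:02:e8",
                 "192.168.1.30") for _ in range(3)]
SAMPLE += [frame("22:22:25", "request", "00:11:22:33:44:55", "192.168.1.99", "00:11:22:33:44:55",
                 f"192.168.1.{i}") for i in range(1, 13)]

def detect(frames, reference, scan_threshold=10):
    """Return (spoofing records, request-storm sources) for a list of ARP frames."""
    mac_to_ip = {mac: ip for ip, mac in reference.items()}
    records = {}                   # (src_mac, claimed ip, claimed mac) -> record
    targets = defaultdict(set)     # src_mac -> distinct IPs it has asked for
    for f in frames:
        if f["op"] == "request":
            targets[f["src_mac"]].add(f["target_ip"])
        # Requests and replies both carry a sender pair that receivers cache, so both are checked.
        expected = reference.get(f["sender_ip"])
        if expected is None or f["sender_mac"].lower() == expected.lower():
            continue
        key = (f["src_mac"], f["sender_ip"], f["sender_mac"])
        if key in records:
            records[key]["repeat"] += 1
        else:
            # "Sender" is resolved from the frame's source MAC; a forger can fake that too,
            # which is why this attribution is not 100% reliable.
            records[key] = {"time": f["time"],
                            "sender": mac_to_ip.get(f["src_mac"], f["src_mac"]),
                            "repeat": 1,
                            "arp_info": f"{f['sender_ip']} is at {f['sender_mac']}"}
    storms = {mac: len(ips) for mac, ips in targets.items() if len(ips) >= scan_threshold}
    return list(records.values()), storms
```

Running detect(SAMPLE, REFERENCE) yields one record (sender 192.168.1.22, repeat 3, "192.168.1.1 is at 00:0e:03:22:02:e8") and one storm source with 12 distinct targets.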
C. Active Maintenance
This function can directly solve ARP spoofing disconnection issues, but it is not an ideal method. Its principle is to continuously broadcast the correct MAC address of designated IPs within the network.
The "Designated Maintenance Object" table sets the IPs that need protection. The packet transmission frequency is the number of correct packets sent per second to all machines in the network. It is strongly recommended to keep the number of broadcast IPs and the frequency as low as possible; generally a setting of 1 is enough. Without IP binding, if ARP spoofing occurs you can set it to 50-100, and if disconnections still occur you can set it higher, which quickly resolves the ARP spoofing problem. To truly solve ARP issues, however, please refer to the binding method described above.
D. Xinxiang Router Log
Collects system logs from Xinxiang routers and provides related functions.
E. Packet Capture
Similar to packet capture in network analysis software, the saved format is .cap.
3.2.2 Antiarp
This software interface is relatively simple. Below are the usage methods I have collected for this software.
A. Enter the gateway IP address and click [Get Gateway Address]; the gateway's MAC address is displayed. Clicking [Automatic Protection] protects the current network card's communication with the gateway from being intercepted by a third party. Note: if an ARP spoofing prompt appears, it means an attacker has sent ARP spoofing packets in order to capture the network card's traffic. If you want to track down the source, note the attacker's MAC address; a MAC address scanner can find the IP corresponding to that MAC address.
B. IP Address Conflict
If frequent IP address conflicts occur, it indicates that the attacker frequently sends ARP spoofing packets, resulting in IP conflict warnings. Using Anti ARP Sniffer can prevent such attacks.
C. You need to know the conflicting MAC address. Windows records these errors; to view them, follow these steps:
Right-click [My Computer] -- [Manage] -- click [Event Viewer] -- click [System] -- find the events whose source is [TcpIP] -- double-click the event to see the address conflict it reports and note the MAC address. Copy this MAC address into the local MAC address input box in Anti ARP Sniffer (Note: change : to -), and click [Protect Address Conflict]. For the MAC address to take effect, disable the local network card and then enable it again. At the CMD command line, type Ipconfig /all to check that the current MAC address matches the one in the local MAC address input box. If the modification fails, please contact me. If it succeeds, the address conflicts will no longer appear.
Note: If you want to restore the default MAC address, click [Restore Default]. To make the MAC address effective, disable the local network card and then enable it again.
3.3 Routers with ARP Protection Functionality
Routers of this kind were rarely heard of before. The ARP protection function advertised for these routers works by regularly sending the router's own correct ARP information. However, this router function cannot stop a real attack.
The most common symptom of ARP spoofing is disconnection. Usually no handling is required, because normal internet access returns after a certain time: ARP spoofing has an aging time, and once it expires the entry automatically returns to normal. Most routers now broadcast their correct ARP information repeatedly within a short period, restoring the deceived host to normal. But in an aggressive ARP spoofing attack (essentially a large volume of spoofed ARP in a short time, hundreds or thousands of packets per second) the spoofing packets are sent continuously so that internal machines cannot reach the internet. Even if the router keeps broadcasting correct packets, they are drowned out by the large volume of false information.
You might have a question: Can't we send more and faster correct ARP information than the attacker? If the attacker sends 1000 ARP spoofing packets per second, we could send 1500 correct ARP packets per second!
Let's think about that question carefully. If the network topology is large, with many network devices and hosts connected, all of those devices processing these broadcasts would make the network unpleasant to use and affect our work and study. ARP broadcasts waste and occupy network resources. And if there is a problem with the network, the packets we capture for analysis will also be full of such ARP broadcasts, which hampers the analysis.