As a member of the campus network management, I recently received one after another normal users can not access the report, makes us utterly exhausted.After further investigation, the truth has finally found a fault.
The outset that my school network topology: In a divided three main switch VLAN, VLAN1 switches using ordinary two-story, dormitory network connection.Use 192.168.0.0 as the network address and do in the main switch MAC address and IP address binding, to avoid IP address changes caused by the students themselves address conflict.All students in the computer connected to the second floor of an ordinary switch.
Symptom
Suddenly a computer can not connect to server or other clients, restart back to normal after a short time, the situation appeared.View local connection state found that only packets sent without the return packets.Based on past experience, the symptoms and the same MAC address binding error, so the switch look and found all right, but not the IP address of the data traffic.Meanwhile, in the network management software to monitor a large number of unknown MAC address of the packet appears.
Failure Analysis
Taken together, we believe that a forged MAC addresses situations.We find the Windows system key sniffer software, and the famous Libpcap Winpcap and focus, the focus on a final named "Network magistrate" of the software.
We immediately download the software to install, found on Winpcap.Because relatively more Winpcap information, we do not try to decompile the software, but only its basic functions were tested and found three of its work, and carried out basic tests:
1. Generation IP address conflict
In this mode, the software generates a virtual MAC address and MAC address forgery and use of this machine's IP address to be attacked the same packet, so that the attack machine dialog emerging IP address conflict, but because the MAC address isforged, so the attack machine which machines can not find an attack.
2. Disconnect the attack to contact the machine and the gateway
In this mode, the software on the gateway machine by attack aircraft and has produced an ARP of the "deceit", so the two can not properly informed of each other's MAC address, and thus can not communicate normally.However, the attack machine and the LAN can communicate with other hosts.
3. Disconnect the machine being attacked contact with all other hosts
In this mode, the software on the machine and LAN attack all hosts (including gateways) are the "ARP spoofing" attack machine can not communicate with any machine.However, the host can not be attack aircraft off contact (the software will not deceive itself host), so if the software if installed on the gateway machine to lose network management capabilities.
Obviously, this is a "ARP spoofing" attacks.The ARP protocol in the TCP / IP protocol in network layer, the main function is to address the WAN IP address into the MAC address of the LAN address.So, if we destroy the IP / MAC address translation, the host can not be attacked in the LAN to communicate (because there is no other host "know" it.)
So, we can not avoid ARP "spoofing" attack? It was regrettable that: ARP protocol in view of "autonomy" of, unless all use static ARP, otherwise it is impossible.
Magistrate against the network by any way? We from the investigation, hide, kill the three angles tested.
1. How do I know whether they are "ARP spoofing," the attack?
You can detect your network card working condition, if only send data not receive the data, is likely to be attacked.You can also use the command line, ARP-A state command to view the status of the machine's ARP cache, in addition to Gateway under normal circumstances, there are not many outside the record, you should check the gateway's MAC address is the same as the normal.If different, or gateway for the network card, or you are the "ARP spoofing" attacks.
Similarly, if there is no record or have too many ARP records, you may also be under attack (different versions of network attacks magistrates differently).
2. How to find the host in the LAN
Because the software is based on Winpcap-driven, their work inevitably take up the work of the host network card in "promiscuous" mode, the principle is similar to the common sniffing software, so the anti-sniffer software can find them.Frequently used are Antisniffer, ARPkiller and so on.Using anti-sniffing software to find LAN is "promiscuous" mode card, which can determine the IP address of the host attack.
Note: checked to find the host may not use the "ARP spoofing," and only got bugged.But the word is "mixed" state of the host is certainly not normal.
Similarly, you can also install the network version of the detection of law enforcement officials to detect the software to run this site hosts.
3. Escape the "ARP spoofing" attacks
If your network there are no binding at the gateway MAC address and IP address, you can target different types of attacks to choose different ways to avoid attacks:
(1) the attacks have IP address conflicts
If an address conflict, you can see something like "the system detects IP address and hardware address 00-50-FC-1F-4C-9E conflict" in the dialog box.You can set your MAC address for the hardware address to prevent the recurrence of the dialog box.
(2) Disconnect the attack machine and the gateway connection and disconnection of the attacked host machine and all the other attacks linked
You can modify the MAC address changes, you can avoid being attacked in a short time, but if the attacker is set in the network magistrate "found that Internet users to manage," after the attack again soon.
In short, to avoid using the modified MAC address is not effective.In fact, many LAN's MAC address and also the IP address of the binding, even if the magistrate avoid network attacks, and also not the normal Internet.
4. "Kill" is actually a kind of "exchange that"
ARP cache for a certain life cycle, so the network magistrate in a few seconds to produce a new ARP packets.First, we can use the static ARP on the local right up the gateway MAC address, and then use software such ARPkiller keep the machine in the network issued the correct IP and MAC data, making the gateway ARP cache is always kept on the machinethe correct data, so that communication can be maintained and the gateway, it can be a normal online.Indeed, we can also launch a "counterattack" that made the other "off net."