Shulou(Shulou.com)06/01 Report--

Address Resolution Protocol, or ARP (Address Resolution Protocol), is a TCP/IP protocol that obtains physical addresses based on IP addresses. When sending information, the host broadcasts the ARP request containing the target IP address to all hosts on the network, and receives the return message to determine the physical address of the target; after receiving the return message, the IP address and the physical address are stored in the local ARP cache and retained for a certain period of time, and the next request directly queries the ARP cache to save resources. ARP cache is a buffer used to store IP address and MAC address, which is essentially a corresponding table of IP address-> MAC address. Each entry in the table records the IP address and the corresponding MAC address of other hosts on the network.

The function of address resolution protocol: the OSI model divides the network work into seven layers. The IP address is in the third layer of the OSI model, and the MAC address is in the second layer. When sending IP packets over Ethernet, it is necessary to encapsulate the headers of layer 3 (32-bit IP address) and layer 2 (48-bit MAC address). However, because only the destination IP address is known, but not its MAC address, and cannot cross the second and third layers, the address resolution protocol needs to be used. Using the address resolution protocol, the target hardware address (MAC address) information can be parsed according to the IP address information in the IP packet header of the network layer, so as to ensure the smooth progress of the communication.

The hardware address length and the protocol address length indicate the length of the hardware address and the protocol address in bytes, respectively. For ARP requests or replies to IP addresses on Ethernet, their values are 6 and 4, respectively

Operation type (OP): 1 for ARP request, 2 for ARP reply

Sender MAC address: the hardware address of the sender device

Sender IP address: the IP address of the sender device

Destination MAC address: the hardware address of the receiving device.

Destination IP address: the IP address of the receiving device.

Next, we will explain the address resolution protocol in detail:

% &%-Host A first looks at its own ARP table to determine whether it contains an ARP entry for host B. If the corresponding MAC address is found, host A directly uses the MAC address in the ARP table to encapsulate the IP packet and send the packet to host B.

% &%-if host A cannot find the corresponding MAC address in the ARP table, it will cache the data message and then broadcast an ARP request message. The sender IP address and sender MAC address in the ARP request message are the IP address and MAC address of host A, and the target IP address and target MAC address are the IP address of host B and the all-zero MAC address. Because the ARP request message is broadcast, all hosts on the network segment can receive the request, but only the requested host (host B) will process the request.

% &%-Host B compares its own IP address with the destination IP address in the ARP request message. When the two are the same, the IP address and MAC address of the sender (host A) in the ARP request message are stored in its own ARP table. Then a unicast ARP response message is sent to host A, which contains its own MAC address.

% &%-after receiving the ARP response message, host An adds the MAC address of host B to its own ARP table for forwarding subsequent messages, and encapsulates the IP packet and sends it out.

What is ARP spoofing:

ARP spoofing is one of the most commonly used methods. ARP spoofing can be divided into two types: one is to deceive the router ARP table, and the other is to cheat the gateway of the private network PC.

The first principle of ARP spoofing is to intercept gateway data.

It notifies the router of a series of wrong intranet MAC addresses and continues according to a certain frequency, so that the real address information can not be updated and saved in the router. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information.

Enter arpspoof-i eth0-t 172.28.15.254 172.28.15.11 (target host ip) in the command window to cheat the gateway by telling the gateway that it is the target host.

The second principle of ARP spoofing is to forge gateways.

Its principle is to set up a fake gateway and let the deceived PC send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it is not online, "the network is offline." Open a command window and enter: arpspoof-I eth0-t 172.28.15.11 (target host ip) 172.28.15.254 keep sending packets to the target host telling it that its own host physical address is the physical address of the gateway

The above two arpspoof instructions can be completed with the following instruction: arpspoof-I eth0-t 172.28.15.11-r172.28.15.254

Simple arp spoofing defense:

The user sets the static MAC → IP corresponding table. Take the Windows system as an example, the method of operation is to enter a command at a command prompt:

Arp-an obtains the MAC address of the gateway

Arp-d clears the ARP list

Arp-s 172.28.15.254 (gateway IP address) cc-cc (gateway MAC address).

The binding of IP address and MAC address is realized on the gateway (aggregation switch). Add a relational static address table corresponding to the IP address and MAC address for each host.

Use the following command on the switch:

System-view

Arp static (host IP address) (host MAC address)

The above command establishes a mapping table for MAC addresses and IP addresses within the switch.

When a user sends a data packet, if the IP and MAC addresses obtained by the switch match the previously established mapping table, the sent packet can pass, and if it does not conform, the data packet is discarded, which can prevent ARP spoofing.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.