Shulou(Shulou.com)06/01 Report--

The original article was published in the fifth issue of Network Security and Informatization in 2017 and forwarded to the blog.

For more information, see the video tutorial "local area network security in action," http://edu.51cto.com/course/10348.html

In the 2016 competition questions of the "Information Security Management and Evaluation" Skills Competition in Higher Vocational Education, there is a question that requires Gratuitous ARP (Free ARP) to be configured on the switch to resist ARP spoofing against gateways **. Usually, free ARP is mainly used to detect IP address conflicts, limited to knowledge, I can also prevent ARP spoofing *** this part of the content is not very understanding, so I consulted the relevant information, and set up an experimental environment for verification, this article will be related to experience and share with you and discuss.

1. The role of free ARP

There are two types of ARP messages: one is an ARP Request broadcast message sent by the sender, and the other is an ARP Reply unicast message returned by the receiver. Free ARP (Gratuitous ARP) uses ARP Request broadcast messages, but its purpose is not to resolve the MAC address corresponding to an IP address. In this ARP message, the destination IP address and the source IP address are the same, that is, the host IP address that sends the free ARP message. Figure 1 shows the contents of the free ARP message captured by Wireshark.

Figure 1 Free ARP Message Content

There are two main roles of free ARP: one is for IP address collision detection, and the other is for updating the original records in the ARP address cache table. They are described separately below.

2. IP address collision detection

The main role of free ARP is to determine whether the IP address set by the current host has been used by other hosts. When the free ARP message is broadcast to the network, if a host uses the IP address of the current host, it will send back an ARP response, so that the current host will issue an IP address collision warning, and we can also know the MAC address of the conflicting host.

Therefore, for a host using a static IP address, if the IP address is reset, it is necessary to send a free ARP broadcast first. This can be confirmed by Wireshark packet capture. Set the filter condition to arp in Wireshark display filter. The captured free ARP message is shown in Figure 2.

Figure 2 Free ARP Message

3. Update the original records in ARP address cache table

When the MAC address of a host changes, that is, the IP address remains unchanged, but the MAC address changes, such as the host replaces the network card, then the host will also send a free ARP broadcast. All hosts in the network with corresponding entries in the ARP cache table (note that not all hosts) will update their cache table according to the free ARP message.

This point can be verified through experiments. There are three hosts in the network. The IP address of host A is 192.168.80.77, and the MAC is 00:0C:29:81:BA:30. In host B, communicate with host A, so that the corresponding record is generated in the ARP address cache table of host B:

192.168.80.77 00-0C-29-81-BA-30 dynamic

Then on host A, use the Kelai packet generator to construct a free ARP message, deliberately modify the source MAC address to another different address 00: 0C:29:81:BA:88, and then send the message in the form of broadcast, as shown in Figure 3.

Figure 3 Free ARP Message Constructed

The ARP cache table of host B will be updated accordingly:

192.168.80.77 00-0C-29-81-BA-88 dynamic

Since host C has not communicated with host A, there is no corresponding entry in the cache table, so no new entry will be generated. In fact, the purpose of this design is also very easy to understand, if host C wants to communicate with host A, then it will naturally resolve the current MAC address of host A through normal ARP requests, so host A does not need to use free ARP notification host C to update the ARP address cache table.

4. Use Free ARP to Prevent ARP***

By setting up ARP free on the switch to defend ARP***, it should be the second point of using ARP free of charge. In general, the IP address of the VLAN on the switch is the default gateway of the host in the network segment, so the switch can periodically broadcast free ARP in the network, so that all hosts in the network update their ARP address cache table according to free ARP, and the gateway IP address corresponds to the correct MAC address, thus preventing ARP spoofing against the gateway.

But this defense thinking is very strange, it is not to prevent ARP spoofing from the root, but through free ARP messages to compete with ARP spoofing messages, all the effectiveness of this defense will be marked with a big question mark. In the Internet to find some relevant information, very few mention the use of free ARP to prevent ARP***, but there are a lot of information mentioned how to use free ARP to ARP fraud ***, in fact, this is a very good idea.

On the whole, many of the questions in the 2016 "Information Security Management and Evaluation" Skills Competition of Higher Vocational Education are not brilliant. I only put forward some personal views from a technical point of view, hoping to discuss them with you. Of course, purely from the perspective of participating in the competition, the answer to this question is very simple. You only need to execute the following two commands on the Digital China DCRS switch used in the competition to configure free ARP on the switch:

DCRS_A(config)#interface vlan1

DCRS_A(config-if-vlan1)#ip gratuitous-arp

However, after configuration, it is not clear how often the switch broadcasts free ARP, nor can it be found in the switch configuration manual.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.