Shulou(Shulou.com)06/02 Report--

Encapsulation and unencapsulation

Encapsulation:

Unencapsulated:

An important protocol arp

We know that when we enter a URL into the browser, the DNS server automatically resolves it to the IP address, and the browser is actually looking for the IP address instead of the URL. So how are IP addresses translated into layer 2 physical addresses (that is, MAC addresses)? In the LAN, this is done through the ARP protocol. ARP protocol is of great significance to network security. ARP spoofing is realized by falsifying IP address and MAC address, which can generate a large amount of ARP traffic in the network and block the network. Therefore, network managers should have a deep understanding of ARP protocol.

What is arp? Which layer of the protocol is arp? What is the role of arp? What is arp *? What is arp deception?

Arp: address resolution protocol, at the network layer.

Function: resolve ip address to mac address

Let's take host A (192.168.1.5) sending data to host B (192.168.1.1) as an example. When sending data, host A looks for a destination IP address in its ARP cache table. If you find it, you will know the destination MAC address, and just write the destination MAC address into the frame and send it; if the corresponding IP address is not found in the ARP cache table, Host A will send a broadcast on the network with the destination MAC address "FF.FF.FF.FF.FF.FF", which means that all hosts in the same network segment are asked, "what is the MAC address of 192.168.1.1?" Other hosts on the network do not respond to ARP queries, and only when host B receives this frame does it respond to host A: "the MAC address of 192.168.1.1 is 00-aa-00-62-c6-09". In this way, host A knows the MAC address of host B, and it can send information to host B. At the same time, it also updates its own ARP cache table, and the next time it sends a message to host B, it can look it up directly from the ARP cache table. The ARP cache table adopts the aging mechanism, which will be deleted if a row in the table is not used within a period of time, which can greatly reduce the length of the ARP cache table and speed up the query.

The implementation of the arp function mainly depends on the arp cache table, so where is the arp cache table?

Arp-a view the host's arp cache table

You can delete everything in the ARP table with the "arp-d" command

Use "arp-d + space +" to delete the content of the specified ip line. With "arp-s", you can manually specify the correspondence between the IP address and the MAC address in the ARP table, the type is static (static), this item is stored in the hard disk, not the cache table, the computer still exists after reboot, and follows the principle that static is superior to dynamic, so this setting is incorrect and may lead to no access to the Internet.

Arp's cache table is stored in the memory of a network device or computer.

The arp cache table mainly stores the corresponding relationship between ip address and mac address. Every host or router equipped with TCP/IP protocol has an arp cache table, which stores the corresponding relationship between ip address and MAC address of this network.

Each computer's kernel implements the arp protocol. It maps the ip to the corresponding MAC through a cache with a cache time of 300s.

Resolution process (in the same network segment and not in the same network segment)

Suppose hosts An and B are present, and host A sends information to host B. The specific address resolution process is as follows: (1) Host A first looks at its own ARP table to determine whether it contains the ARP table entry corresponding to Host B. If the corresponding MAC address is found, host A directly uses the MAC address in the ARP table to encapsulate the IP packet and send the packet to host B. (2) if host A cannot find the corresponding MAC address in the ARP table, the data message will be cached and an ARP request message will be broadcast. The sender IP address and sender MAC address in the ARP request message are the IP address and MAC address of host A, and the target IP address and target MAC address are the IP address of host B and the all-zero MAC address. Because the ARP request message is broadcast, all hosts on the network segment can receive the request, but only the requested host (host B) will process the request. (3) Host B compares its own IP address with the target IP address in the ARP request message, and when they are the same, the following processing is carried out: the IP address and MAC address of the sender (host A) in the ARP request message are stored in its own ARP table. Then a unicast ARP response message is sent to host A, which contains its own MAC address. (4) after receiving the ARP response message, host An adds the MAC address of host B to its own ARP table for forwarding subsequent messages, and at the same time encapsulates the IP packet and sends it out. When host An and host B are not present, host A will first send an ARP request to the gateway, and the destination IP address in the ARP request message is the IP address of the gateway. When host An obtains the MAC address of the gateway from the received response message, it encapsulates the message and sends it to the gateway. If the gateway does not have the ARP entry of host B, the gateway will broadcast the ARP request, and the destination IP address is the IP address of host B. when the gateway obtains the MAC address of host B from the received response message, it can send the message to host B. if the gateway already has the ARP entry of host B, the gateway directly sends the message to host B.

What is ARP deception?

From the point of view of the ways that affect the smooth network connection, there are two kinds of ARP spoofing, one is to deceive the router ARP table, and the other is to cheat the gateway of the intranet PC.

The first principle of ARP spoofing is to intercept gateway data. It notifies the router of a series of wrong intranet MAC addresses and continues according to a certain frequency, so that the real address information can not be updated and saved in the router. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information. The second principle of ARP spoofing is to forge gateways. Its principle is to set up a fake gateway and let the deceived PC send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it is not online, "the network is offline."

Solution method

If the computer already has the correct MAC address of the gateway, you only need to manually bind the gateway IP to the correct static MAC address when you cannot surf the Internet to ensure that the computer will no longer be deceived.

(1) arp spoofing is to deceive private network machines through arp's dynamic real-time rules, so we set all arp to static to prevent spoofing.

(2) bind the gateway to MAC statically to achieve double insurance. You can run the following command under the MS-DOS window: arp-s gateway IP gateway MAC.

What is arp***??

Arp*** is to achieve arp spoofing by forging ip addresses and mac addresses, and can generate a large number of arp communications in the network to block the network. * users can change the ip-mac entries in the target host's arp cache as long as they continuously send out fake arp packets, resulting in network interruption or middleman.

What are the flaws in the arp protocol?

Arp protocol is based on trusting all nodes in the local area network. It is very efficient, but it is not secure. It is a stateless protocol that does not check whether it has sent a request packet, regardless of whether it is a legitimate reply, and will accept and cache as long as the destination mac is its own arp reply packet or arp broadcast packet. This provides the possibility for arp spoofing, and malicious nodes can issue false arp messages to affect the communication of nodes in the network.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.