ARP Attacks on a LAN and How to Prevent Them
Abstract: Someone on a LAN can run a Trojan that uses ARP spoofing to steal other users' information. The technique is hard to notice and very damaging to users, yet few good countermeasures exist. This paper summarizes a set of methods for preventing ARP spoofing, in the hope that they are useful to others.
Keywords: ARP spoofing; MAC address; prevention
To understand how the attack works, we first look at ARP (Address Resolution Protocol). ARP is the protocol that determines a host's physical address when only its IP address is known. Because IPv4 and Ethernet are so widespread, it is mainly used to translate IP addresses into Ethernet MAC addresses, but it can also be used on ATM and FDDI IP networks. The mapping from IP address to physical address can be obtained in two ways: by table lookup or by direct computation. Concretely, ARP resolves a network-layer address (the IP layer, roughly OSI layer 3) into the MAC address used at the data-link layer (the MAC layer, roughly OSI layer 2).
Every host keeps an IP-to-MAC translation table (the ARP cache) in memory. Normally it is dynamic (on a router the entries can be made static), meaning the host refreshes it whenever it needs to. The table is needed because Ethernet delivers frames within the subnet by 48-bit MAC address. Before sending an IP packet, a host looks in the table for the MAC address that corresponds to the packet's destination IP. If no entry is found, the host sends an ARP broadcast: "I am host X, my MAC is xxxxxxxxxxx1; the host with IP 1, please tell me your MAC." The host with IP 1 answers the broadcast with an ARP reply: "I am 1, my MAC is xxxxxxxxxx2." The requesting host then refreshes its ARP cache and sends the IP packet.
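The exchange just described, as an added example that is not code from the original article: it encodes and decodes the 28-byte ARP message (RFC 826) inside a 14-byte Ethernet II header and models the cache rule from the text (look up; broadcast a request on a miss; refresh the entry from whatever reply arrives). All MAC and IP addresses in it are constructed sample values from the RFC 5737 documentation range, not hosts from the article's network.

```python
"""ARP request/reply on Ethernet, built and parsed with the standard library.

Added example, not code from the original article. It encodes and decodes the
28-byte ARP message (RFC 826) inside a 14-byte Ethernet II header and models
the cache behaviour the text describes: look up, broadcast a request if the
entry is missing, and refresh the cache from whatever reply arrives. All MAC
and IP addresses below are constructed sample values (RFC 5737 192.0.2.0/24).
"""
import ipaddress
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    """Accept colon ("00:18:f3:d9:ab:19") or dotted ("0018.f3d9.ab19") notation."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Return a 42-byte Ethernet frame carrying one ARP message.
    Requests are broadcast; replies are unicast to the target MAC."""
    dst = BROADCAST if op == OP_REQUEST else target_mac
    eth = mac_bytes(dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet frame; raise ValueError unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


class ArpCache:
    """Host-side IP -> MAC table with the update rule from the text.
    Every reply that names an IP overwrites that IP's entry; the cache records
    each overwrite so the caller can see when a later reply (legitimate or
    forged, ARP itself cannot tell) replaced an existing binding."""

    def __init__(self, my_mac: str, my_ip: str):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.table: dict[str, str] = {}
        self.changes: list[tuple[str, str, str]] = []

    def lookup_or_request(self, ip: str):
        """Return (mac, None) on a hit, or (None, request_frame) on a miss."""
        if ip in self.table:
            return self.table[ip], None
        return None, build_arp(OP_REQUEST, self.my_mac, self.my_ip, ZERO_MAC, ip)

    def receive(self, frame: bytes) -> None:
        msg = parse_arp(frame)
        if msg["op"] != OP_REPLY:
            return
        old = self.table.get(msg["sender_ip"])
        if old is not None and old != msg["sender_mac"]:
            self.changes.append((msg["sender_ip"], old, msg["sender_mac"]))
        self.table[msg["sender_ip"]] = msg["sender_mac"]


# Constructed sample addresses (not hosts from the article's network).
HOST_MAC, HOST_IP = "02:00:00:00:00:0a", "192.0.2.10"
GW_MAC, GW_IP = "02:00:00:00:00:01", "192.0.2.1"
ROGUE_MAC = "02:00:00:00:00:66"


def demo() -> ArpCache:
    """Miss -> broadcast request -> gateway reply -> cache refreshed, followed by
    an unsolicited reply from another MAC claiming the gateway's IP."""
    host = ArpCache(HOST_MAC, HOST_IP)
    host.lookup_or_request(GW_IP)                       # miss: a request is broadcast
    host.receive(build_arp(OP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP))
    host.receive(build_arp(OP_REPLY, ROGUE_MAC, GW_IP, HOST_MAC, HOST_IP))
    return host


if __name__ == "__main__":
    cache = demo()
    print("gateway entry now:", cache.table[GW_IP])
    for ip, old, new in cache.changes:
        print(f"{ip}: {old} -> {new}")
```

The last step of `demo()` is the whole problem in miniature: the reply carries no proof of who sent it, so the cache simply adopts the second MAC for the gateway IP, and from then on the host's traffic to the gateway goes to `ROGUE_MAC`.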
Suppose an intruder wants to break into a host whose firewall opens port 23 (telnet) only to the IP address 192.0.0.3 (a hypothetical address), and telnet is the only way in. He proceeds as follows: (1) he studies 192.0.0.3 and finds that a single OOB (out-of-band) packet is enough to crash it; (2) he floods port 139 of 192.0.0.3, and that machine crashes on receiving the packets; (3) IP packets the target host sends to 192.0.0.3 now go unanswered, and the target's ARP table is updated: the entry for 192.0.0.3 is dropped; (4) during this time the intruder changes his own IP address to 192.0.0.3; (5) he pings the target host (an ICMP echo request), which forces the host to resolve 192.0.0.3 again; (6) the host reaches the "new" 192.0.0.3 and adds the new IP-to-MAC mapping to its ARP table; (7) the firewall rule is now useless: the intruder's MAC address is bound to the permitted IP, and he can telnet in. Note that this variant needs the legitimate owner to be knocked offline first; the Trojans described below skip that step and simply send forged ARP replies.
2 Symptoms
When a host on the LAN runs an ARP-spoofing Trojan, it deceives every host and the router on the LAN so that all Internet traffic has to pass through the Trojan host. Users who previously reached the Internet directly through the router now go through the Trojan host, and their connections drop once during the switch-over.
Once traffic is passing through the Trojan host, if a user has logged in to an online-game server, the Trojan host repeatedly fakes disconnections, forcing the user to log in to the server again, and in this way it can steal the account credentials.
Figure: under ARP attack
Because the ARP-spoofing Trojan emits a large volume of packets while it is active, the LAN becomes congested and users feel their connection getting slower and slower. When the Trojan stops running, users go back to reaching the Internet via the router, and their connections drop once more during the switch-over.
3 Finding the infected host on the LAN
Using symptoms that once occurred on our campus LAN, we show how to find the host infected by the ARP virus (Trojan).
3.1 Network topology
As shown in Figure 1, the upstream S3206 is the users' gateway, the cascaded S2826 switches are the user access switches, and users have static IP addresses.
Figure 1 Network topology
3.2 Symptoms
Many users reported slow Internet access; pings to the gateway showed severe jitter and packet loss.
3.3 Analysis
Because many users were affected, spread across different access switches, we ran show logging alarm on the S3206 and found the following alarms:
S3206#show logging alarm
An alarm 19712 level 6 occurred at 15:20:06 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.10 is changed from 0015.58c4.3c48 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:09 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.191.28 is changed from 0014.2ab6.6c53 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:10 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.70 is changed from 0018.f3d9.ab19 to 0011.435c.7eb3
An alarm 19712 level 6 occurred at 15:20:10 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.41 is changed from 0014.22a1.8c30 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:12 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.172 is changed from 0018.f3d9.ab19 to 0018.f3d9.278c
An alarm 19712 level 6 occurred at 15:20:12 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.78 is changed from 0018.f3d9.ab19 to 0011.4360.b253
An alarm 19712 level 6 occurred at 15:20:12 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.22 is changed from 0018.f3d9.ab19 to 0040.d051.5f5c
An alarm 19712 level 6 occurred at 15:20:16 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.172 is changed from 0018.f3d9.278c to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:19 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.191.200 is changed from 0009.6b08.962c to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:20 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.65 is changed from 0017.083d.c4a3 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:20 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.191.39 is changed from 0000.f082.b4f7 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:20 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.191.200 is changed from 0018.f3d9.ab19 to 0009.6b08.962c
An alarm 19712 level 6 occurred at 15:20:20 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.97 is changed from 0018.f3d9.ab19 to 0015.c54c.f7f1
An alarm 19712 level 6 occurred at 15:20:22 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.70 is changed from 0011.435c.7eb3 to 0018.f3d9.ab19
The alarms show that a single computer (MAC address 0018.f3d9.ab19) keeps taking over the IP addresses of other computers in the same segment: it appears as the new owner of many different IPs, and when a legitimate owner wins its address back (for example 10.40.190.70 reverting to 0011.435c.7eb3 at 15:20:10) the entry flips to 0018.f3d9.ab19 again a few seconds later (15:20:22). Since the alarm also fires at a very high rate, we suspected an ARP virus.
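The reasoning above, turned into detection logic over the alarm lines: this is an added example, not code from the original article or from the switch vendor. It parses alarms of the form printed by show logging alarm and ranks MAC addresses by how many distinct IPs they have appeared as the new owner of, which separates the poisoner (new owner of many IPs within seconds) from legitimate hosts (new owner of their own IP only, when they win it back). SAMPLE_ALARMS is a subset of the alarm lines shown above, with the first one line-wrapped as it was printed; the threshold min_ips is an assumption chosen for this example.

```python
"""Find the ARP poisoner in switch "hardware address ... is changed" alarms.

Added example, not from the original article. It parses alarm lines of the
form printed by `show logging alarm` and ranks MACs by how many distinct IPs
they have appeared as the *new* owner of: a legitimate host shows up for its
own IP only (when it wins its address back), while the poisoner becomes the
new owner of many addresses within seconds. SAMPLE_ALARMS is a subset of the
lines shown in the article, the first one line-wrapped as it was printed.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_ALARMS = """\
An alarm 19712 level 6 occurred at 15:20:06 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address
10.40.190.10 is changed from 0015.58c4.3c48 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:09 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.191.28 is changed from 0014.2ab6.6c53 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:10 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.70 is changed from 0018.f3d9.ab19 to 0011.435c.7eb3
An alarm 19712 level 6 occurred at 15:20:10 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.41 is changed from 0014.22a1.8c30 to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:12 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.172 is changed from 0018.f3d9.ab19 to 0018.f3d9.278c
An alarm 19712 level 6 occurred at 15:20:16 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.172 is changed from 0018.f3d9.278c to 0018.f3d9.ab19
An alarm 19712 level 6 occurred at 15:20:22 05/25/2010 UTC sent by MCP %ARP% The hardware address of IP address 10.40.190.70 is changed from 0011.435c.7eb3 to 0018.f3d9.ab19
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # dotted notation used by the switch
ALARM_RE = re.compile(
    r"occurred at (?P<ts>\d\d:\d\d:\d\d \d\d/\d\d/\d{4}).*?"
    r"IP address\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is changed from\s+"
    rf"(?P<old>{MAC})\s+to\s+(?P<new>{MAC})",
    re.DOTALL,
)


def parse_alarms(text: str) -> list[tuple[datetime, str, str, str]]:
    """Return (timestamp, ip, old_mac, new_mac) per alarm, in log order.
    DOTALL plus \\s+ lets a line-wrapped alarm (as in the first sample) parse too."""
    return [
        (datetime.strptime(m["ts"], "%H:%M:%S %m/%d/%Y"), m["ip"], m["old"], m["new"])
        for m in ALARM_RE.finditer(text)
    ]


def analyse(text: str, min_ips: int = 3) -> dict:
    """Flag MACs that became the new owner of at least `min_ips` distinct IPs
    (threshold is an assumption for this example), and list, per hijacked IP,
    the other MACs seen for it, i.e. the legitimate owner(s)."""
    events = parse_alarms(text)
    claimed = defaultdict(set)      # mac -> IPs it took over
    macs_per_ip = defaultdict(set)  # ip  -> every MAC seen for that IP
    for _, ip, old, new in events:
        claimed[new].add(ip)
        macs_per_ip[ip].update((old, new))
    suspects = {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) >= min_ips}
    suspect_macs = set(suspects)
    victims = {
        ip: sorted(macs - suspect_macs)
        for ip, macs in macs_per_ip.items()
        if macs & suspect_macs
    }
    span = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    return {"events": len(events), "span_seconds": span,
            "suspects": suspects, "victims": victims}


if __name__ == "__main__":
    report = analyse(SAMPLE_ALARMS)
    print(f"{report['events']} alarms in {report['span_seconds']:.0f} s")
    for mac, ips in report["suspects"].items():
        print(f"suspect {mac} claimed {len(ips)} IPs: {', '.join(ips)}")
    for ip, owners in sorted(report["victims"].items()):
        print(f"  {ip}: legitimate owner(s) {owners}")
```

On the sample, 0018.f3d9.ab19 is the only MAC that becomes the new owner of more than one IP (five of them in 16 seconds); 0011.435c.7eb3 and 0018.f3d9.278c each appear once, reclaiming their own address. The victims list also gives the MACs whose ARP entries need to be checked or rebound once the offending port has been found.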
3.4 Troubleshooting