Description and prevention of ARP spoofing attack under Linux


1、 Description of ARP Spoofing
Recently, many Internet cafes have encountered a kind of virus, which leads to frequent disconnection of Internet cafes. The specific reason is that some plug-ins and applications carry a virus that can cheat ARP. ARP Cheating is not a new thing. Many old Internet cafe tools, such asnetworkLaw enforcement officers use ARP attacks to cause the whole or part of the machines of Internet cafes to drop the line.
ARP is a bridge between IP layer and data link layer. Its function is to query the physical address (MAC address) of the network card corresponding to the given IP address. Although we are in peacetime andnetworkWhen communicating with machines on, we usually give each other’s IP address. It seems that we communicate with each other through IP address. It seems that as long as we know each other’s IP address, we can communicate with each other. In fact, this is not the case. IP is a high-level protocol. In fact, the establishment of connection between computers still depends on low-level electrical or optical signals, and it still needs to connect and communicate at the media level. The address used to mark the data link is the MAC address. The MAC address is burned on the chip of the network card when the network card leaves the factory. Theoretically, this address is the only one in the world. Of course, you can also change this address through the program.
When we need to communicate with an IP address, the localoperationsystemAccording to the Instituteset upTo determine whether the target address and itself are in the same IP network. If they are in the same IP network, thenoperationsystemIt will query the MAC address of the opposite end through the IP address of the target address, and then establish a connection with the opposite end at the data link layer; If the target address is not in the same IP network as itself, this opportunity will query the MAC address of the gateway and establish a connection with the gateway at the data link layer. The kernel module that resolves MAC addresses through IP addresses is ARP (address resolution protocol).
At present, the virus that causes frequent disconnection of Internet cafes, its principle is to interfere with and cheat the normal ARP desorption work. On the one hand, it deceives the gateway and confuses the corresponding relationship between MAC address and IP address on the gateway. In this way, the gateway cannot establish a correct data link layer connection with the workstation, and the TCP / UDP connection with the data link layer cannot be carried out normally. On the other hand, it deceives the client and tampers with the MAC address of the gateway on the client, which will lead to the workstation unable to correctly establish contact with the gateway on the data link layer and lose the connection with the external network.
Because the ARP protocol does not verify and confirm when working, the windows classoperationsystem, as long as you receive the ARP reply information, you will update your ARP cache table immediately. The protocol of the data link layer itself lacks a security mechanism. Therefore, ARP spoofing is difficult to defend, especially in the Internet cafe environmentnetworkIn the case of equipment. ShengtiannetworkThe anti ARP Spoofing program developed urgently is only an emergency version, which can effectively defend against ARP Spoofing against gateway and client. It can not only deal with the current virus ARP attack, but also effectively defend against the ARP attack using tools.

2、 ShengtiannetworkARP Spoofing protection program client program bmacclient Use of exemethod
1. On one of the workstations in the Internet cafe, Download bmacclient Exe program, double-click to run;
2、BMacclient. After exe runs, it will be directly hidden in thesystemTray, right click the tray icon – >set up
The dialog box appearsset upWindow, fill in the description in the remarks column, such as gateway, this option may not be filled in;
Fill in the gateway IP in the IP address column. Generally, we only need to bind the gateway;
After filling in the gateway IP, click to resolve the MAC address. The program will automatically resolve the MAC address of the gateway;
After filling in, click add directly, then save and exit.
3. Set bmacclient Exe file, put it into the movieserviceA directory on the device that can be normally accessed by all the following clients, and then on the entertainment platformsystemAdd a startup update item in the maintenance module,set upEach workstation will bmacclient Copy exe tool to local.
4. InsystemIn the maintenance module, a startup item is added at the same time,set upEach workstation starts bmacclient Exe program.
5. Access to online entertainment platformsystemMaintain the module and upload parameters onceoperation, so you can put what you just saidset upThe parameters of are updated to each workstation. Bmacclient on other workstations Exe program does not need to be repeatedset up
6. Other workstations can automatically download bmacclient by restarting once Exe program and automatically follow your instructionsset upTo run the protection program.networkARP Spoofing protection program gateway(serviceBmacforgetway Use of exemethod
Because the virus attacks not only the client, but also the gateway, it is not enough to protect the client only. The gateway must also be protected against ARP spoofing. If the gateway of Internet cafe uses Windows classoperationsystem, you can run bmacforgetway Exe program, if it is a Linux classoperationsystem, you can use the MAC address static binding function of Linux itself, and you can use bmacforgetway Exe program convenient collectionnetworkMAC address information.method
1. Download on the gateway Exe program. Double click to run;
    2、BmacForGetway. After exe runs, it will be directly hidden in thesystemTray, right click the tray icon – >set up
The dialog box appearsset upWindow. The window is divided into left and right parts as a whole. On the left is bindingset upWindow. On the right is the MAC address scanning tool window. First, we need to scan the MAC address of the whole network. Please enter the range of your IP address first. For example, if you use the address field /, fill in 192.168.1 in the first window, and thenset upFrom 1 to 254. Start at, and the MAC address of the whole network will be scanned soon. If there is more than one network segment, please repeat this step.
3. After scanning the MAC address of the whole network, click the “< < -” button in the middle to add all the scanned Mac to the binding column on the left. In the bind to IP column, fill in the IP address of the intranet} card, click save, and then click start.method
1. First use bmacforgetway Exe program to scan the MAC address of the whole network; specificoperationPlease refer to on Windows class gateway Exe usemethodThe first and second} steps.
2. Export the scanned data point “< < -” corresponding to MAC address and IP address to the binding window on the left, and then click “save as Linux format”. An ethers file will be generated.
3. Copy the ethers file to the / etc / directory of the Linux gateway through SFTP or other methods.
4. Enter the command ARP – F,systemYou will find the / etc / ethers file and statically bind the correspondence between IP address and MAC address.
5. If you want to bind the gateway every time you restart, please click / etc / RC Local file or / etc / RC d/rc. Add a line to the local file, ARP – F.