
Setting LnS firewall against ARP attacks
Add Date : 2018-11-21
LnS firewall settings to defend against ARP spoofing

To illustrate the LnS firewall ARP defence setup, we assume the following subnet:

Gateway: IP = IP-1, MAC = 11:11:11:11:11:11

This machine: IP = IP-2, MAC = 22:22:22:22:22:22

Host A: IP = IP-A, MAC = AA:AA:AA:AA:AA:AA

Host B: IP = IP-B, MAC = BB:BB:BB:BB:BB:BB

Host C: IP = IP-C, MAC = CC:CC:CC:CC:CC:CC

For any two hosts on the subnet (the gateway counts as a host too) to communicate, each needs to know the other's network card (MAC) address. If one side does not know the other's MAC, it performs an ARP query.

ARP query process

In the normal case within a subnet, a complete ARP query consists of one broadcast query and one unicast (point-to-point) response. The query is broadcast and contains the IP being looked up. The network card of every host on the subnet receives the broadcast and checks whether the queried IP equals its own IP: if not, the frame is discarded; if it matches, the frame is handed to the system kernel (via an interrupt), the kernel calls the network card driver to parse the received packet, builds a response packet and sends it back to the querying host, and the querying host updates its ARP cache table when the response arrives.

In terms of LnS settings, this exchange needs two rules per direction. Taking the case of this machine querying Host B's MAC:

1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)

2) 22:22:22:22:22:22 => BB:BB:BB:BB:BB:BB (allow this machine's reply to Host B outbound)

Rules 2) and 4) can clearly be combined in LnS, so complete communication between the two machines needs only three rules:

1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)

2) FF:FF:FF:FF:FF:FF

Simple ARP spoofing

As said earlier, a query consists of a broadcast and a response, but the ARP protocol does not require broadcast and response to come in pairs: any host may send a response packet without any preceding broadcast, and unless the target host uses static MAC entries, it updates its ARP cache table as soon as a response is received. Therefore a deliberately wrong response packet can make the target host update its ARP cache with false information.

For example, to stop Host A and Host B from communicating with each other, from this machine:

This machine sends a response packet to Host A telling it that the MAC of IP-B is XX:XX:XX:XX:XX:XX

This machine sends a response packet to Host B telling it that the MAC of IP-A is YY:YY:YY:YY:YY:YY

Now the ARP caches of Host A and Host B both hold a wrong MAC for the other side. Data they send to each other goes to a wrong or non-existent network card (depending on the faked MAC), so communication between A and B naturally fails. (In fact it is enough for one side's ARP cache to be wrong for communication between A and B to break.)

Now consider: what happens if the forged response tells Host B that the MAC of IP-1 is ZZ:ZZ:ZZ:ZZ:ZZ:ZZ? Host B can no longer communicate with the gateway, so it appears to have dropped off the network. If the gateway is deceived as well, by telling it that Host B's MAC is a wrong value, and the deception is kept up continuously, Host B cannot get online at all.

The "network marshal" LAN management tools people often talk about use exactly this ARP spoofing to kick hosts offline. When started they first send a large number of broadcasts to collect every host's MAC address, and then send forged reply packets to whichever host they want to deceive.

Of course, ARP spoofing does not stop there. For example, the spoofing host can also fake the deceived host's MAC as its own for a particular purpose, or deceive both the gateway and the target host at once: it forges the reply packets with its own MAC rather than a random one, turns on data forwarding on the spoofing machine, and thereby inserts itself between the gateway and the target host as a proxy, intercepting the target host's traffic. But the purpose of this article is to explain how to set LnS ARP rules; ARP spoofing itself is not the point.

ARP prevention

By now you have probably noticed the catch: the deceiver must be able to communicate with the machine being deceived in order to deliver the forged reply packet, otherwise the deception cannot be completed. Based on this, ARP spoofing can be prevented at several points:

First, do not let untrusted hosts find out this machine's MAC. A deceiver that cannot communicate with this machine naturally cannot deceive it:

This machine can intercept their broadcast queries (don't let the con-man through the door).

This machine can intercept its own responses to them (even if they get in, this machine says nothing and hands nothing over).

Second, use static MAC entries and refuse to update the ARP cache.

Even if a forged reply reaches this machine, it is not used to update the ARP cache, so the spoofing fails.
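As an added example that is not part of the original article, here is a small Python model of the ARP cache behaviour described in the two sections above: a dynamic cache overwrites its entry for IP-1 when an unsolicited reply arrives, while a static binding keeps the gateway MAC and only logs the contradiction. The IPs and MACs are the article's hypothetical subnet values; the ArpCache class and the scenario functions are this example's own names, not any real stack's API.

```python
from dataclasses import dataclass, field

GATEWAY_IP, GATEWAY_MAC = "IP-1", "11:11:11:11:11:11"   # from the article's subnet
FORGED_MAC = "ZZ:ZZ:ZZ:ZZ:ZZ:ZZ"                         # the article's bogus value

@dataclass
class ArpCache:
    """Toy ARP cache: dynamic entries accept any reply, static ones never change."""
    entries: dict = field(default_factory=dict)   # ip -> mac
    static: set = field(default_factory=set)      # ips bound with a static MAC
    alerts: list = field(default_factory=list)    # detection messages

    def bind_static(self, ip, mac):
        self.entries[ip] = mac
        self.static.add(ip)

    def on_reply(self, ip, mac, solicited):
        """Handle an ARP reply claiming 'ip is at mac'. Returns True if applied."""
        old = self.entries.get(ip)
        if ip in self.static:
            if old != mac:            # reply contradicts the binding: log, ignore
                self.alerts.append(f"static {ip}={old} contradicted by {mac}")
            return False
        if old is not None and old != mac:
            # A changed mapping is suspicious; an unsolicited one even more so.
            kind = "unsolicited" if not solicited else "solicited"
            self.alerts.append(f"{ip} moved {old} -> {mac} ({kind} reply)")
        self.entries[ip] = mac        # dynamic entry is overwritten regardless
        return True

def dynamic_cache_scenario():
    """Host B with a dynamic cache, as in the 'Simple ARP spoofing' section."""
    cache = ArpCache()
    cache.on_reply(GATEWAY_IP, GATEWAY_MAC, solicited=True)   # answer to own query
    cache.on_reply(GATEWAY_IP, FORGED_MAC, solicited=False)   # forged reply arrives
    return cache.entries[GATEWAY_IP], cache.alerts

def static_cache_scenario():
    """Same Host B after static MAC binding, as in 'ARP prevention'."""
    cache = ArpCache()
    cache.bind_static(GATEWAY_IP, GATEWAY_MAC)
    cache.on_reply(GATEWAY_IP, FORGED_MAC, solicited=False)
    return cache.entries[GATEWAY_IP], cache.alerts
```

The alert list is what a host-side monitor would log; the static case shows why the article calls static binding the best defence.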

LnS settings

LnS can intercept all ARP packets (set the penultimate default rule to disabled or block and it does so). That is secure as far as it goes, but our machine then becomes an orphan that cannot communicate with anyone. Rules must be added to let trusted hosts through, and the gateway in particular must be let through, or there is no access to the external network.

For our hypothetical subnet, the rules are as follows:

1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)

2) FF:FF:FF:FF:FF:FF

(The attached screenshot illustrates the three rules.)

For LAN sharing, add two rules like 2) and 3) for each host we want to share with, replacing the gateway's MAC with the trusted host's MAC.

This is a little troublesome: every host needs two rules, fewer firewall rules are better, and the number of LnS rules easily reaches its limit. So we make a small compromise: allow inbound broadcasts from all hosts, and do not add per-host rules for untrusted hosts. Some may think this is unsafe, since any untrusted host can then send broadcast queries to this machine. In fact there is no need to worry, because there is no corresponding rule that lets this machine's reply out to such a host. (You can ask, but I won't hand over anything; what can you do?)

The optimized rules are as follows:

1) 22:22:22:22:22:22 => FF:FF:FF:FF:FF:FF (allow this machine's broadcast outbound)

2) FF:FF:FF:FF:FF:FF

Finally, set the penultimate rule to block (the red bar in the second column) or disable it (untick the box in front of it).

Disabling it is fine: the final rule blocks every packet that matches nothing else (provided that rule has not been modified).

LnS Filter

There are several ARP setups on the forum. In principle they all aim at the same thing: block what should be blocked and let through what should be let through. But one of them is a wrong approach, and some look different but are in fact the same setup as Z's.

A filtering firewall can use a blacklist (ban the untrusted, allow the rest), a whitelist (allow the trusted, ban the rest), or a mixture of both. The filter target is selected either directly or through a set of options.

The rules I explained above use the whitelist approach: the rules listed are the ones to let through, followed by one rule that blocks everything (the penultimate rule, set to block or disabled).

Is blacklist mode or whitelist mode better? The general principle is to prefer the mode that selects fewer targets. Suppose there are 10 kinds of packets to filter (numbered 1 to 10), of which 1 and 3 should be allowed and the rest blocked.

You can choose whitelist mode:

Allow 1 (whitelist)

Allow 3 (whitelist)

Block all

You can also choose blacklist mode:

Block 2 (blacklist)

Block 4 (blacklist)

Block 5 (blacklist)

...... (blacklist)

Block 10 (blacklist)

Allow all

By comparison, whitelist mode is obviously the one to choose.

Variant one:

Allow 1 or 3 (whitelist with a combined selection)

Block all

Variant two:

Block anything that is not 1 and not 3 (blacklist with a combined selection)

Allow all

Note that both variants use a combined target selection. If the firewall can express such a rule, the effect is of course the same, but an LnS ARP rule can only hold one MAC address. Variant two in particular cannot be split into several single-target blocking rules that achieve the same effect, because its combination is a negation.

The "second method" seen on the forum is variant two: a rule that blocks anything other than bidirectional traffic between this machine and the gateway, followed by allow all. This is equivalent to keeping only the last of the three rules from the "LnS settings" section (the gateway rule) and blocking everything else. It must be said that this is a wrong method: it only allows this machine and the gateway to exchange response packets, because through the penultimate rule only the this-machine-to-gateway pair can match. But responses alone do not work; broadcasts must also be let in, otherwise normal ARP queries never reach this machine.

So why do actual users find variant two "feasible"? Feasible, because the filtering is so strict that it stops the vast majority of ARP spoofing; in quotes, because it only works temporarily, and in a long continuous test it may break the network.

This depends on the specific network environment, and there may be several reasons. One possibility is a bug in LnS; another is that the machine already had an established connection with the gateway when the filter took effect, or uses a static MAC, or uses a fixed IP that avoids DHCP lease renewal failures. I have not analysed the specifics. But in principle this approach is wrong.
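The following Python model is an added example, not part of the original article: it evaluates the whitelist from the "LnS settings" section and the "variant two" rule set against a handful of constructed ARP frames, with first match winning and an unmatched frame blocked as by the final LnS rule. Variant two is written as allow-then-block-all because the model has no negated match; Rule, Frame, evaluate and the sample frames are this example's own names.

```python
from collections import namedtuple

BROADCAST = "FF:FF:FF:FF:FF:FF"
ME, GW = "22:22:22:22:22:22", "11:11:11:11:11:11"          # this machine, gateway
HOST_B, HOST_C = "BB:BB:BB:BB:BB:BB", "CC:CC:CC:CC:CC:CC"  # trusted, untrusted

# Rule: action "allow"/"block"; src/dst MAC or None for any; direction "out",
# "in" or "both" (a "both" rule matches the MAC pair in either order).
Rule = namedtuple("Rule", "action src dst direction")
# Frame: one ARP frame as the firewall sees it; direction "out" leaves this
# machine, "in" arrives at it.
Frame = namedtuple("Frame", "src dst direction")

def _eq(rule_mac, frame_mac):
    return rule_mac is None or rule_mac == frame_mac

def matches(r, f):
    if r.direction == "both":
        return (_eq(r.src, f.src) and _eq(r.dst, f.dst)) or \
               (_eq(r.src, f.dst) and _eq(r.dst, f.src))
    return r.direction == f.direction and _eq(r.src, f.src) and _eq(r.dst, f.dst)

def evaluate(rules, frame):
    """First matching rule decides; like LnS's final rule, no match means block."""
    for r in rules:
        if matches(r, frame):
            return r.action
    return "block"

# Whitelist from the "LnS settings" section, with the broadcast-in compromise.
WHITELIST = [
    Rule("allow", ME, BROADCAST, "out"),   # this machine's own queries go out
    Rule("allow", None, BROADCAST, "in"),  # anyone's queries may come in
    Rule("allow", ME, GW, "both"),         # replies exchanged with the gateway
    Rule("allow", ME, HOST_B, "both"),     # replies exchanged with trusted Host B
    Rule("block", None, None, "both"),     # penultimate rule: block the rest
]
# "Variant two", written as allow-then-block: only this machine <-> gateway.
VARIANT_TWO = [Rule("allow", ME, GW, "both"), Rule("block", None, None, "both")]

TRAFFIC = [                              # constructed sample frames
    Frame(ME, BROADCAST, "out"),         # this machine asks for IP-1's MAC
    Frame(GW, ME, "in"),                 # gateway replies
    Frame(HOST_B, BROADCAST, "in"),      # trusted Host B asks for our MAC
    Frame(ME, HOST_B, "out"),            # this machine replies to Host B
    Frame(HOST_C, ME, "in"),             # unsolicited reply from untrusted Host C
]

def decisions(rules):
    return [evaluate(rules, f) for f in TRAFFIC]
```

Running decisions() on both lists shows the whitelist blocking only Host C's unsolicited reply, while variant two also blocks this machine's own query and the whole Host B exchange.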

Security is relative

The best way to prevent ARP spoofing is static MAC binding on both the gateway and every client. A firewall can only raise the safety margin, not guarantee it completely: first, the firewall's own functions may have bugs, be incomplete or be set up wrongly; second, the compromises made in practice may be flawed. For example, this machine trusts the gateway in order to reach the Internet and trusts Host B in order to share files, but Host B itself has no protection. An attacker can start from Host B: after taking it over, they can forge Host B's IP and MAC as their own, gain the ability to communicate with this machine, and then attack by other means. Worse, if the gateway itself is unsafe, no amount of protection on this machine achieves much.
  CopyRight 2002-2022 newfreesoft.com, All Rights Reserved.