Method of automatically detecting host-passing-off ARP spoofing

A technology for automatically detecting ARP spoofing, applied in the field of network communication. It addresses problems such as ARP firewalls defending only themselves, difficult centralized management, and system performance degradation, while avoiding misjudgment and maintaining good performance.

Active Publication Date: 2017-06-27
SHANTOU UNIV

AI Technical Summary

Problems solved by technology

However, the above-mentioned methods have disadvantages. Installing an ARP firewall on each user's computer is difficult to manage centrally; an ARP firewall defends only its own host and not others, and some ARP firewalls even counter attacks with attacks, harming the entire network. Two-way MAC-IP binding carries a huge maintenance workload and cannot adapt to the growing number of laptops and WiFi environments. Network packet capture can detect only ARP spoofing that is currently in progress; listening to different network segments in a switched network requires frequent port switching or configuring different port mirroring, and the capture and analysis workload is heavy and places relatively high technical demands on network administrators. Enabling DHCP Snooping, IP Source Guard and DAI places relatively high requirements on the entire network environment and the switch equipment, and many low-end switches (such as the Cisco 2960) do not support them. In addition, IP Source Guard still requires static MAC-IP binding in a network environment where static IP and DHCP coexist.

Besides DAI there are many other methods of preventing ARP spoofing, but they are all "invasive" to the existing network: they require changing the network protocol or the existing network equipment, so even if they are perfect in theory they are difficult to promote in practice. There are now some "non-invasive" methods that detect fake-host ARP spoofing by analyzing the router's ARP table, but some of these do not save the router's ARP table to a database, while others lose historical records because they have not found the best strategy for saving MAC-IP pairs to the database, or suffer degraded system performance because they save a large amount of duplicate data. The existing methods may also misjudge special circumstances such as the MAC address of the gateway, computers running multiple virtual machines, and laptops used for mobile office work.

Examples


Embodiment Construction

[0013] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0014] The embodiment of the present invention discloses a method for automatically detecting fake-host ARP spoofing. Its topology is shown in Figure 1. The method includes two parts, the data collection method and the ARP spoofing detection method; the detection method includes preliminary screening followed by analysis and confirmation.

[0015] 1. Data Acquisition Program

[0016] The data collection program uses the SNMP protocol to obtain, automatically and at regular intervals, the ARP table of layer-3 devices (routers, layer-3 switches, firewalls and other devices that work at the third layer of the TCP/IP protocol) and save it to the database. The collection interval should be shorter than the expiration time of the device's ARP table (us...


Abstract

The embodiment of the invention discloses a method of automatically detecting host-passing-off ARP (Address Resolution Protocol) spoofing. The method includes a data acquisition method and an ARP spoofing detection method. A data acquisition program uses SNMP (Simple Network Management Protocol) to automatically obtain the ARP table of layer-3 equipment at regular intervals and save it in a database. The ARP spoofing detection method includes an initial screening stage and an analysis and determination stage, with the following steps: initial screening obtains the records in the database for which the number of different IP (Internet Protocol) addresses corresponding to one MAC (Media Access Control) address is greater than a threshold; analysis and determination is then performed on each MAC address in the initial screening result; and, through a white list, analysis of the value of ipNetToMediaType, analysis of the distribution range and the change over time of the IP addresses, and other technical means, the special situations in which the address is the own MAC address of a router or other network device, or in which a plurality of virtual machines are running on one computer, are eliminated, and the address is determined to be ARP spoofing.
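The two stages described in the abstract, as an added sketch that is not code from the patent: stage 1 screens the stored ARP history for MACs with more distinct IPs than a threshold, and stage 2 applies a white list, the ipNetToMediaType value and a time-based check. The table layout, the threshold of 1, the sample rows, and the rules "count only dynamic(3) entries" and "the IPs must be held within the same poll" are assumptions chosen for illustration.

```python
import sqlite3

DYNAMIC = 3                         # IP-MIB ipNetToMediaType: other(1), invalid(2), dynamic(3), static(4)
THRESHOLD = 1                       # assumed screening threshold
WHITELIST = {"00:11:22:00:00:01"}   # constructed: the router's own MAC

# Constructed sample rows as a poller might store them: (poll_id, mac, ip, mtype)
ROWS = [
    (1, "00:11:22:00:00:01", "10.0.1.1", 4),   # router interface addresses
    (1, "00:11:22:00:00:01", "10.0.2.1", 4),
    (1, "aa:aa:aa:00:00:10", "10.0.1.20", 3),  # laptop on the first subnet
    (2, "aa:aa:aa:00:00:10", "10.0.2.37", 3),  # same laptop later, other subnet
    (1, "bb:bb:bb:00:00:66", "10.0.1.66", 3),  # one MAC answering for its own IP
    (1, "bb:bb:bb:00:00:66", "10.0.1.30", 3),  # and for two neighbours' IPs
    (1, "bb:bb:bb:00:00:66", "10.0.1.31", 3),
    (2, "bb:bb:bb:00:00:66", "10.0.1.30", 3),
    (1, "cc:cc:cc:00:00:05", "10.0.1.5", 3),   # ordinary host, one stable IP
    (2, "cc:cc:cc:00:00:05", "10.0.1.5", 3),
]

def load(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE arp (poll_id INTEGER, mac TEXT, ip TEXT, mtype INTEGER)")
    db.executemany("INSERT INTO arp VALUES (?, ?, ?, ?)", rows)
    return db

def initial_screen(db, threshold=THRESHOLD):
    """Stage 1: MACs mapped to more than `threshold` distinct IPs in the history."""
    q = ("SELECT mac FROM arp GROUP BY mac "
         "HAVING COUNT(DISTINCT ip) > ? ORDER BY mac")
    return [mac for (mac,) in db.execute(q, (threshold,))]

def confirm(db, mac, whitelist=WHITELIST, threshold=THRESHOLD):
    """Stage 2 (assumed rules): skip whitelisted MACs, count only dynamic
    entries, and require the IPs to be held within a single poll."""
    if mac in whitelist:
        return False
    q = ("SELECT MAX(n) FROM (SELECT COUNT(DISTINCT ip) AS n FROM arp "
         "WHERE mac = ? AND mtype = ? GROUP BY poll_id)")
    (peak,) = db.execute(q, (mac, DYNAMIC)).fetchone()
    return peak is not None and peak > threshold

def detect(rows=ROWS):
    db = load(rows)
    return [mac for mac in initial_screen(db) if confirm(db, mac)]

if __name__ == "__main__":
    print(detect())
```

The roaming laptop passes the initial screen but is cleared in stage 2 because it never holds two IPs in the same poll; the router MAC is cleared by the white list and, independently, by its non-dynamic entries.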

Description

Technical field

[0001] The invention relates to the technical field of network communication, in particular to a method for automatically detecting fake-host ARP spoofing.

Background technique

[0002] ARP is the abbreviation of Address Resolution Protocol. Its function is to provide dynamic mapping between IP (Internet Protocol) addresses and MAC (Media Access Control) addresses. The ARP protocol was designed on the assumption that the hosts and data packets in the network are trusted, but this is far from the case. ARP spoofing poses huge security risks to networks, and many local area networks (LANs) have suffered greatly from it; some ARP spoofing is caused by viruses, and some consists of deliberately designed illegal monitoring and malicious impersonation attacks.

[0003] In order to deal with ARP spoofing, people have taken many methods: including installing an ARP firewall on the compu...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L61/103, H04L63/1416, H04L63/1466
Inventor: 吉杰, 蔡伟鸿, 翁楚强, 姚佑川
Owner: SHANTOU UNIV