簡易ARP欺騙攻擊偵測與防禦系統之實作

Abstract

網路傳輸過程中常用到的位址解析協定(Address Resolution Protocol，ARP)以便從網路位址(IP address)查出實體位址(physical address; MAC address)，用於製作要傳送的封包(packet)。然則 ARP 存在著驗證不嚴謹的漏洞，駭客(hacker)開始開發ARP欺騙(ARP Spoofing)為基礎的攻擊程式。攻擊程式可以在交換式乙太網路上實現網路監聽，也可以阻斷網路連線而造成阻斷服務攻擊(DoS)。這些程式不但在網路上容易取得，而且操作容易，嚴重威脅區網上使用者的資訊安全，更是網路管理者要煩惱的一大問題。 本論文提出一個可以抵抗ARP欺騙攻擊的方法並實作出可用在區網中管理IP之使用的系統。本系統透過偵測主機的ARP Table收集區域網路中所有的電腦主機IP、MAC對應關係，並建立資料庫。憑藉著資料庫中正確的IP與MAC對應關係，以ARP欺騙的手法來修正被ARP欺騙攻擊的主機的ARPTable表，讓被欺騙攻擊的之主機在傳送封包時，能將封包傳送到正確的主機位址，避免傳輸資料被監聽或電腦主機被阻斷上網。

Address Resolution Protocol (ARP) is a protocol used by hosts to map network address (IP address) into physical address (MAC address) when preparing the Ether frame for network transmission. Because of the protocol flaws, it is difficult to verify the sender of an arp packet. The hackers have begun developing the attack tools based on ARP spoofing. Some attacking tools are used to do network sniffing. Some tools are used to block the communication and thus results in a Denial of Service (DoS). What is worse, it is very easy to find and download these attacking tools from the Internet. Users with bad intention might use these tools to annoy the network admisistrator. In this thesis, we proposed a method to resist ARP attack and implementd it as a web-based system. The system can be used in a local area network. The system examines the ARP table, collects the map of IP and MAC and then creates the database. With the database, the system can check the sender address of an ARP packet. It will send a correct ARP packet to fix the problem when it finds a wrong ARP reply packet with wrong mapping of IP and MAC. As a result, the system can defend the hosts in the LAN so that the sniffing and the Denial of Service (DoS) attack won't harm the computer hosts in the LAN.