ubuntu下arp攻击防备和反击[Linux安全]

在windows下面,可以安装arp防火墙,还可以通过安装同类软件,举行检测.但是我已经转到ubuntu上了,总不能一旦被攻击,就回windows吧.于是上网找了一些关于linux下避免arp攻击的办法.

第一种办法

用静态arp.

这种办法就是通过在 /etc/ethers 成立ip和mac地址对应记录.然后用arp -f来读取记录.这样将网关的mac地址和ip都成立在静态arp文件里.就不简单被arp拐骗了.

还可以配合关闭arp解析,用ifconfig eth0 -arp

 

第二中办法

采取arping 

babo@babo-laptop:~$ arping 

Usage: arping [-fqbDUAV] [-c count] [-w timeout] [-I device] [-s source] destination

-f : quit on first reply

-q : be quiet

-b : keep broadcasting, don't go unicast

-D : duplicate address detection mode

-U : Unsolicited ARP mode, update your neighbours

-A : ARP answer mode, update your neighbours

-V : print version and exit

-c count : how many packets to send

-w timeout : how long to wait for a reply

-I device : which ethernet device to use (eth0)

-s source : source ip address

destination : ask for what ip address

 

用法举例:比方我的ip 192.168.1.101 网关:192.168.1.1

就用arping -U -I eth0 -s 192.168.1.101 192.168.1.1

显示后果以下

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.999ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 9.571ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.245ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.227ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.390ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 4.526ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.294ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.245ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.239ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.266ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.259ms

Unicast reply from 192.168.1.1 [00:21:29:94:62:47] 1.267ms

Sent 12 probes (1 broadcast(s))

Received 12 response(s)

 

终极办理办法

采取arpoison来办理是最好的办法了,这个办法还是参考了《linux下arp攻击的办理筹划［原］》的办法.

arpoison需求libnet的库才能精确编译,所以要下载libnet和arpoison两个软件.

 

arpoison主页

http://www.arpoison.net/

 

libnet主页

http://www.packetfactory.net/libnet

 

安装

现安装libnet,因为是源代码编译,需求gcc等我就不说了.去查看具体ubuntu源代码安装需求的软件包吧

tar zxvf libnet.tar.gz

cd libnet/

sudo ./configure

sudo make

sudo make install

编译历程中,会提醒也些告诫,没有关系.反正安装后,有/usr/lib/libnet.a便可以了

 

然后安装arpoison

tar zxvf arpoison-0.6.tar.gz 

cd arpoison/

sudo gcc arpoison.c /usr/lib/libnet.a -o arpoison

sudo mv arpoison /usr/sbin

用法举例:

babo@babo-laptop:~$ sudo arpoison

Usage: -i <device> -d <dest IP> -s <src IP> -t <target MAC> -r <src MAC> [-a] [-w time between packets] [-n number to send]

 

阐明

-i 指定发送arp包的网卡接口eth0

-d 192.168.1.1 指定目的ip为192.168.1.1

-s 192.168.1.101 指定源ip为192.168.1.101

-t ff:ff:ff:ff:ff:ff 指定目的mac地址为ff:ff:ff:ff:ff:ff(arp广播地址)

-r 00:1c:bf:03:9f:c7 指定源mac地址为00:1c:bf:03:9f:c7

 

比方我想避免arp攻击

sudo arpoison -i eth0 -d 192.168.1.1 -s 192.168.1.101 -t ff:ff:ff:ff:ff:ff -r 00:1c:bf:03:9f:c7

 

比方我想攻击192.168.1.50的机械不让他上网

sudo arpoison -i eth0 -d 192.168.1.50 -s 192.168.1.1 -t ff:ff:ff:ff:ff:ff -r 00:1c:bf:03:9f:c7

 

一些猜想

假如在本机开始NAT服务

然后通过arp拐骗把对方的网关地址拐骗到自己这里,因为自己这里开了NAT,对方应当也可以上网吧.然后在本地开wireshark抓包,对方就不知不觉的被监督了.这些设法没有测试,不知道这样拐骗的办法,NAT能否可以.