作者投稿和查稿 主编审稿 专家审稿 编委审稿 远程编辑

计算机工程 ›› 2008, Vol. 34 ›› Issue (13): 133-135. doi: 10.3969/j.issn.1000-3428.2008.13.048

• 安全技术 • 上一篇    下一篇

基于ARP缓存超时的中间人攻击检测方法

郭卫兴,刘 旭,吴 灏   

  1. (解放军信息工程大学信息工程学院,郑州 450002)
  • 收稿日期:1900-01-01 修回日期:1900-01-01 出版日期:2008-07-05 发布日期:2008-07-05

MITM Attack Detection Method Based on ARP Cache Overtime

GUO Wei-xing, LIU Xu, WU Hao   

  1. (College of Information Engineering, PLA Information Engineering University, Zhengzhou 450002)
  • Received:1900-01-01 Revised:1900-01-01 Online:2008-07-05 Published:2008-07-05

摘要: 探讨ARP协议工作机理,通过对内部网络通信危害较大的ARP欺骗技术的分析,提出一种交换网络环境下基于ARP缓存超时机制的中间人攻击行为检测方法,研究Windows操作系统中ARP缓存超时机制的设置,并给出检测实现的方法。实验表明,当主机收到ARP数据包,并更新自己的缓存项后,在该缓存项超时之前,不会再发出请求包,也就不会收到该项的应答包。如果ARP数据包统计情况与上述事实不符,则必定发生了ARP欺骗。

关键词: 内网通信安全, ARP欺骗, 中间人攻击, 缓存超时

Abstract: Through studying the ARP-spoofing which is one of the most dangers in the Intranet, based on the ARP-cache-overtime mechanism, this paper proposes a method to detect Man-In-The-Middle(MITM) attack in the switch network, investigates ARP-cache-overtime mechanism based on Windows, presents a method to detect and calculates the overtime. Experimental results show that when host receives an ARP packet, the ARP cache item is updated. Before this item is overtime, the host can not send ARP request packet to the item. Therefore, in this period the host does not receive any ARP reply packet related to this item. If the ARP packet statistic is not agreed with the principle, ARP-spoofing happens.

Key words: Intranet communication security, ARP spoofing, Man-In-The-Middle(MITM) attack, cache overtime

中图分类号: