Abstract: Through studying the ARP-spoofing which is one of the most dangers in the Intranet, based on the ARP-cache-overtime mechanism, this paper proposes a method to detect Man-In-The-Middle(MITM) attack in the switch network, investigates ARP-cache-overtime mechanism based on Windows, presents a method to detect and calculates the overtime. Experimental results show that when host receives an ARP packet, the ARP cache item is updated. Before this item is overtime, the host can not send ARP request packet to the item. Therefore, in this period the host does not receive any ARP reply packet related to this item. If the ARP packet statistic is not agreed with the principle, ARP-spoofing happens.

Key words: Intranet communication security, ARP spoofing, Man-In-The-Middle(MITM) attack, cache overtime

摘要： 探讨ARP协议工作机理，通过对内部网络通信危害较大的ARP欺骗技术的分析，提出一种交换网络环境下基于ARP缓存超时机制的中间人攻击行为检测方法，研究Windows操作系统中ARP缓存超时机制的设置，并给出检测实现的方法。实验表明，当主机收到ARP数据包，并更新自己的缓存项后，在该缓存项超时之前，不会再发出请求包，也就不会收到该项的应答包。如果ARP数据包统计情况与上述事实不符，则必定发生了ARP欺骗。

关键词: 内网通信安全, ARP欺骗, 中间人攻击, 缓存超时

CLC Number: 

• TP393