一种基于报文过滤防御ARP欺骗的系统架构

A system architecture against ARP spoofing based on packet filtering

本研究分析了ARP欺骗的基本原理及其常见的攻击方式;讨论了现有防御方法存在的局限性。在此基础上,提出了一种防御ARP欺骗的构想,并设计和开发了一套基于C/S模式的ARP防御系统软件。该系统以局域网内每台主机都有唯一的IP地址与MAC地址相对应为基础,通过在客户端对接收到的ARP报文进行ARP报文头信息检验和服务器端IP-MAC检验,过滤掉存在安全隐患的报文,来实现局域网内主机对ARP欺骗的防御,从而提高网络安全性。该系统适用于安全性较高的中小型局域网络。

This paper analyses the basic theory of ARP spoofing and some common attacking methods of ARP spoofing. The paper also discusses three preventive methods against ARP spoofing and their limitations. According to the analyses, an approach to designing a client-server model software is put forward in order to resist ARP spoofing. The system is based on the relative that every host in LAN has a unique IP address to its MAC address. The client detects header of all ARP packets that host receives and abandons the ARP packets of inconsistent- header. The server examines the authenticity of IP address and MAC address of source host in ARP packets from the client, then makes the client filter out the unsafe packets. Through this process, the system can effectively prevent local computer from ARP spoofing, and improve network security. The system is applicable to small and medium- sized local area networks, which need higher security requirements.