With the rapid development and spread of computer networks, their applications have penetrated every field of society and become an indispensable tool for social development. At the same time, their efficiency and security attract more and more attention. Among the many threats to networks, ARP spoofing has gradually become one of the greatest concerns.

The foundation of the modern Internet is the TCP/IP protocol suite, whose security was not fully considered in its original design. Many of its protocols therefore carry security risks that make it easy for attackers to attack the network. The ARP protocol in particular has weaknesses, among them its reliance on broadcast transmission. Exploiting these weaknesses, attackers typically send forged ARP reply packets so that the target host accepts a false mapping between an IP address and a MAC address and updates its ARP cache with it; on this basis they can monitor network traffic, steal user accounts, tamper with website content, and so on. Attackers also often combine ARP spoofing with other techniques to mount further attacks such as eavesdropping, denial of service and virus planting. Therefore, to keep the network secure, reliable and efficient, it is necessary to understand the principle of ARP spoofing and the ways it is carried out, so as to raise network security awareness and take countermeasures proactively.

First, this paper introduces the TCP/IP protocol suite and the basics of network security. Second, the working principle and features of the ARP protocol are presented and its weaknesses are analyzed, namely: ARP assumes that every host on the network is trustworthy; ARP request packets are broadcast; an ARP reply is accepted even when no corresponding request was sent; and ARP is stateless, so a received reply needs no confirmation.
Third, the principle of ARP spoofing and its implementation are studied, together with the functions involved and the common methods of defending against ARP spoofing. Finally, the data transmitting and receiving process of an NDIS intermediate driver is analyzed, including the definition of the NDIS packet. Using the Microsoft Windows 2000 DDK, building on the NDIS intermediate driver under Microsoft Windows 2000/XP, and developing in Microsoft Visual C++ 6.0, an ARP spoofing prevention method for campus networks, S-ARP, is designed. It detects and prevents ARP spoofing viruses efficiently by filtering and analyzing the data packets received and transmitted. The method has practical value.
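As an added illustration of the checks the abstract calls for (this is not the thesis's S-ARP code), the following C program applies them to raw Ethernet/ARP frames, the form in which an NDIS intermediate driver sees traffic: the frame's source MAC must agree with the ARP sender address, a protected IP may only be announced with its trusted MAC, and a reply is accepted only if this host actually sent the matching request. The trusted binding table, the pending-request table and all addresses are constructed sample values, and the frame builder exists only to generate test traffic offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added illustration, not the thesis's S-ARP code: a host-side ARP filter
 * over raw Ethernet frames. All addresses and tables are constructed. */

#define ETH_HLEN    14
#define ARP_LEN     28
#define FRAME_LEN   (ETH_HLEN + ARP_LEN)
#define ARP_REQUEST 1
#define ARP_REPLY   2

enum verdict {
    ARP_PASS = 0,
    ARP_DROP_MALFORMED,     /* not a well-formed Ethernet/IPv4 ARP packet */
    ARP_DROP_HDR_MISMATCH,  /* Ethernet source != ARP sender hardware address */
    ARP_DROP_MAC_MISMATCH,  /* sender claims a protected IP with the wrong MAC */
    ARP_DROP_UNSOLICITED    /* reply for an IP this host never asked about */
};

struct binding { uint8_t ip[4]; uint8_t mac[6]; };

/* Static IP->MAC bindings the administrator trusts (constructed values). */
static const struct binding trusted[] = {
    { {192,168,1,1},  {0x00,0x11,0x22,0x33,0x44,0x55} }, /* gateway */
    { {192,168,1,10}, {0x00,0x11,0x22,0x33,0x44,0x66} }, /* a workstation */
};
#define NTRUSTED (sizeof trusted / sizeof trusted[0])

/* IPs for which this host has sent an ARP request and still awaits a reply.
 * Tracking them makes replies stateful and removes the "any reply is accepted" fault. */
static uint8_t pending[16][4];
static int npending;

void reset_pending(void) { npending = 0; }

/* Hook for the transmit path: record the target of our own ARP request. */
void note_request(const uint8_t target_ip[4]) {
    if (npending < 16) memcpy(pending[npending++], target_ip, 4);
}

/* Consume the pending entry for ip; returns 1 if one existed. */
static int take_pending(const uint8_t ip[4]) {
    for (int i = 0; i < npending; i++)
        if (memcmp(pending[i], ip, 4) == 0) {
            memcpy(pending[i], pending[--npending], 4);
            return 1;
        }
    return 0;
}

/* Hook for the receive path: decide whether an incoming frame may reach the stack. */
enum verdict arp_filter(const uint8_t *frame, size_t len) {
    if (len < FRAME_LEN) return ARP_DROP_MALFORMED;
    if (frame[12] != 0x08 || frame[13] != 0x06) return ARP_PASS;   /* not ARP */
    const uint8_t *arp = frame + ETH_HLEN;
    /* htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4 */
    if (arp[0] != 0 || arp[1] != 1 || arp[2] != 0x08 || arp[3] != 0x00 ||
        arp[4] != 6 || arp[5] != 4) return ARP_DROP_MALFORMED;
    uint16_t op = (uint16_t)((arp[6] << 8) | arp[7]);
    if (op != ARP_REQUEST && op != ARP_REPLY) return ARP_DROP_MALFORMED;
    const uint8_t *sha = arp + 8, *spa = arp + 14;

    /* 1. The frame's source MAC must agree with the MAC the ARP body claims. */
    if (memcmp(frame + 6, sha, 6) != 0) return ARP_DROP_HDR_MISMATCH;
    /* 2. A protected IP may only be announced with its trusted MAC; this is
     *    what stops a forged reply from remapping the gateway's address. */
    for (size_t i = 0; i < NTRUSTED; i++)
        if (memcmp(trusted[i].ip, spa, 4) == 0 && memcmp(trusted[i].mac, sha, 6) != 0)
            return ARP_DROP_MAC_MISMATCH;
    /* 3. Replies are accepted only when this host actually asked. */
    if (op == ARP_REPLY && !take_pending(spa)) return ARP_DROP_UNSOLICITED;
    return ARP_PASS;
}

/* Build a constructed Ethernet+ARP frame (broadcast destination) in a static buffer. */
static uint8_t *build_frame(uint16_t op, const uint8_t *eth_src, const uint8_t *sha,
                            const uint8_t *spa, const uint8_t *tha, const uint8_t *tpa) {
    static uint8_t buf[FRAME_LEN];
    memset(buf, 0xff, 6);
    memcpy(buf + 6, eth_src, 6);
    buf[12] = 0x08; buf[13] = 0x06;
    uint8_t *a = buf + ETH_HLEN;
    a[0] = 0; a[1] = 1; a[2] = 0x08; a[3] = 0x00; a[4] = 6; a[5] = 4;
    a[6] = (uint8_t)(op >> 8); a[7] = (uint8_t)op;
    memcpy(a + 8, sha, 6);  memcpy(a + 14, spa, 4);
    memcpy(a + 18, tha, 6); memcpy(a + 22, tpa, 4);
    return buf;
}

/* Constructed sample traffic: 0 = genuine gateway reply, 1 = forged gateway reply
 * from an unknown MAC, 2 = ordinary workstation request, 3 = reply whose Ethernet
 * source disagrees with the ARP body. */
const uint8_t *sample_frame(int kind) {
    static const uint8_t rogue[6] = {0xde,0xad,0xbe,0xef,0x00,0x01}, zero[6] = {0};
    const struct binding *gw = &trusted[0], *ws = &trusted[1];
    switch (kind) {
    case 0:  return build_frame(ARP_REPLY, gw->mac, gw->mac, gw->ip, ws->mac, ws->ip);
    case 1:  return build_frame(ARP_REPLY, rogue, rogue, gw->ip, ws->mac, ws->ip);
    case 2:  return build_frame(ARP_REQUEST, ws->mac, ws->mac, ws->ip, zero, gw->ip);
    default: return build_frame(ARP_REPLY, rogue, gw->mac, gw->ip, ws->mac, ws->ip);
    }
}

int main(void) {
    static const char *names[] = {"PASS", "DROP_MALFORMED", "DROP_HDR_MISMATCH",
                                  "DROP_MAC_MISMATCH", "DROP_UNSOLICITED"};
    reset_pending();
    printf("genuine reply, no request sent: %s\n", names[arp_filter(sample_frame(0), FRAME_LEN)]);
    note_request(trusted[0].ip);
    printf("genuine reply after request:    %s\n", names[arp_filter(sample_frame(0), FRAME_LEN)]);
    printf("forged gateway reply:           %s\n", names[arp_filter(sample_frame(1), FRAME_LEN)]);
    printf("workstation request:            %s\n", names[arp_filter(sample_frame(2), FRAME_LEN)]);
    printf("header/body address mismatch:   %s\n", names[arp_filter(sample_frame(3), FRAME_LEN)]);
    return 0;
}
```

In a driver, `note_request` would be called from the send path and `arp_filter` from the receive path; the static table could also be filled from bindings learned during a quiet start-up window. Each non-PASS verdict is worth logging, since repeated MAC mismatches for the gateway's address are a strong indicator that a spoofing tool is active on the segment.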