

Network security foreign-literature translation: Detecting ARP Spoofing: An Active Technique

 

…of the packets. If the accepted packet is a TCP packet, it is passed on to the TCP layer. If a TCP SYN packet is received, then the host will respond either with a TCP SYN/ACK packet if the destination port is open or with a TCP RST packet if the port is closed”.

Rule B: “The attacker can spoof ARP packets impersonating a host but he can never stop the real host from replying to ARP requests (or any other packet) sent to it. The valid assumption here is that the real host is up on the network.”

[Shenyang Aerospace University graduation project (thesis), foreign-literature translation: original text]

It should be noted that these rules have been derived from the correct behavior that a host's network stack should exhibit when it receives a packet. To exemplify Rule A, let a host have MAC address = X and IP address = Y. If this host receives a packet with destination MAC address = X and destination IP address = Z, then even though the network interface card would accept the packet because the destination MAC address matches, the host's network stack will silently discard the packet because the destination IP address does not match, without sending any error message back to the source of the packet.

Based on Rule A, we can conceive of two types of probe packets, from a host's network stack point of view, which we will use to detect ARP spoofing.

a. Right MAC – Wrong IP packet: The destination MAC address in the packet is that of the host, but the IP address is invalid and does not correspond to any of the host's addresses. The destination host will silently drop this packet.

b. Right MAC – Right IP packet: The destination MAC address and IP address pair are the host's own, and its network stack accepts the packet.

We will henceforth assume that the attacker is using an unmodified network stack. The performance of our technique in the presence of a modified network stack will be evaluated in Section . Based on the above observation, we will construct our own packets based on Rule A and send them on the network.
We will use the address information in the ARP response packet sent by the host whose authenticity is to be verified. We will use the MAC and IP addresses in the ARP response packet to construct a TCP SYN packet: the destination MAC and IP in the TCP SYN packet will be the source MAC and IP address advertised in the ARP response packet, and the source MAC and IP in the TCP SYN packet will be those of the host running the Spoof Detection Engine. The TCP destination port will be chosen based on the presence or absence of packet-filtering firewalls on the network hosts. If there is a firewall installed on the hosts, we will choose the “allowed TCP port” (as in section ), and if there are no firewalls then we can choose any TCP port. The rest of the header values in the TCP SYN packet will be set as usual.

When a TCP SYN packet constructed as above is sent to the source of the ARP reply packet, the host's response will be based on Rule A. If the ARP response was from the real host, its IP stack will respond with either a TCP RST packet (if the destination port is closed) or a TCP SYN/ACK packet (if the destination port is open). If the ARP response was from a malicious host, then its network stack will silently discard the TCP SYN packet in accordance with Rule A. Thus, based on whether or not the Spoof Detection Engine receives any TCP packet in return for the SYN packet it sent, it can judge the authenticity of the received ARP response packet.

[Translation]

Detecting ARP Spoofing: An Active Technique

Vivek Ramachandran and Sukumar Nandi

Cisco Systems, Bangalore, India; Indian Institute of Technology, Guwahati, Assam, India

Abstract.
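Because it is stateless and lacks any mechanism for verifying the identity of the sender, the Address Resolution Protocol (ARP) has long been abused for spoofing attacks. The main drawback of this passive approach is the time lag between learning an address and detecting the spoofing. Compared with the passive approach, it is a faster, more intelligent, scalable and more reliable way of detecting attacks. The host concerned then sends back an ARP reply packet (unicast) filled in with its own MAC address. Expired entries are deleted from the cache, and if the local host wants to communicate with the same host again, it sends another ARP request. In most operating systems, even dynamic ARP entries in the ARP cache that have not expired are overwritten by a new ARP reply. In the most common form of ARP spoofing, the attacker periodically sends forged ARP replies to the victim host.

Current mitigation and detection techniques

Existing ARP spoofing detection techniques are discussed in turn below. Because SARP uses the Digital Signature Algorithm (DSA), there is additional cryptographic computation overhead, although the protocol's authors claim that this overhead is not significant.

Kernel-based patches

Kernel-based patches, such as Anticap and Antidote, try to prevent ARP spoofing at the kernel level. If the previously learned MAC is still alive, the update is rejected and the newly received MAC address is added to a list of banned addresses. Only intervention by an administrator can undo this. The most popular tool of this kind is ARPWATCH. The attacker may get away unscathed during this delay. A typical example is mobile hosts (for example, laptops brought into the company by customers or visitors). In a real attack, our technique can determine the real MAC-to-IP address mapping to a fair degree of accuracy. To overcome the problems of the earlier techniques, we propose a new ARP detection technique. In an actual attack, it can additionally determine the real MAC-to-IP address mapping to a fair degree of accuracy. This assumption reflects that “ready-to-use” ARP spoofing tools are always the most common choice of most attackers. It ensures that our probe packets (TCP SYN packets) can pass through the firewall.

: the ARP reply to an ARP request must be received within a specified time interval.

: this is all the legitimate IP-to-MAC address mappings that have been learned and verified on the network using our technique.

ARP packets: in contrast to ARP packets with inconsistent headers, in these packets the MAC addresses in the MAC frame header and in the ARP header match.

: an ARP reply appears with no corresponding ARP request.

We take a modular approach and divide spoof detection into the following modules:

ARP sniffer module: this module sniffs all ARP traffic on the network. All new ARP packets containing unknown addresses are sent to the Spoof Detection Engine for verification.

Add to Database module: legitimate ARP entries verified by the Spoof Detection Engine are added to the Host Database by this module. Entries for ARP packets with inconsistent headers are sent to the Spoof Alarm module. All newly learned ARP traffic is sent to the Spoof Detection Engine. The algorithm applied by this engine is discussed in Section .

Spoof Detection Engine

The Spoof Detection Engine is the core of the whole system. The IP layer accepts only IP packets addressed to the host's own IP address and silently discards all other packets. This assumption is valid provided that the real host is up on the network.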
Based on Rule A, from the point of view of a host's network stack, we can conceive of two types of probe packets for detecting ARP spoofing. We will henceforth assume that the attacker uses an unmodified network stack. We use the MAC and IP addresses in the ARP reply to construct a TCP SYN packet; for example, the destination MAC and IP in the TCP SYN packet are the source MAC and IP address advertised in the ARP reply, and the source MAC and IP in the TCP SYN packet are those of the host running the Spoof Detection Engine. When the packet constructed above is sent to the source of the ARP reply, the host's response follows Rule A.
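The probe construction and the Rule A decision described above, as an added Python example that is not code from the paper or from this page. The function names, the 192.0.2.x addresses, the MAC values and the port numbers are assumptions made for illustration; the code only builds and classifies frames in memory, and a `None` response stands for "no TCP packet arrived within the threshold interval".

```python
import struct
SYN, RST, SYNACK = 0x02, 0x04, 0x12          # TCP flag bits
# Constructed sample: ARP reply claiming 192.0.2.10 is at 02:00:00:00:00:aa
HOST_MAC, ENGINE_MAC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000ee")
SAMPLE_ARP = (ENGINE_MAC + HOST_MAC + bytes.fromhex("08060001080006040002")
              + HOST_MAC + bytes([192, 0, 2, 10]) + ENGINE_MAC + bytes([192, 0, 2, 1]))

def checksum(data):
    """RFC 1071 Internet checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def arp_reply_claim(frame):
    """Return (mac, ip, headers_consistent) advertised by an ARP reply frame."""
    if frame[12:14] != b"\x08\x06" or frame[20:22] != b"\x00\x02":
        raise ValueError("not an Ethernet ARP reply")
    mac, ip = frame[22:28], frame[28:32]
    return mac, ip, frame[6:12] == mac       # Ethernet source vs ARP sender MAC

def tcp_frame(dst_mac, dst_ip, src_mac, src_ip, sport, dport, flags):
    """Build an Ethernet/IPv4/TCP frame (no payload) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 1024, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp

def build_probe(arp_reply, engine_mac, engine_ip, dport):
    """TCP SYN addressed to the MAC/IP pair that the ARP reply advertised."""
    mac, ip, _ = arp_reply_claim(arp_reply)
    return tcp_frame(mac, ip, engine_mac, engine_ip, 40000, dport, SYN)

def verdict(probe, response):
    """Rule A: SYN/ACK or RST from the probed IP means the real host answered;
    no TCP answer (response is None) means the ARP reply was spoofed."""
    if response is None:
        return "spoofed"
    if len(response) < 54 or response[12:14] != b"\x08\x00" or response[23] != 6:
        return "unrelated"
    tcp = response[14 + (response[14] & 0x0F) * 4:]
    from_probed = (len(tcp) >= 14 and response[26:30] == probe[30:34]
                   and tcp[0:2] == probe[36:38])
    answered = from_probed and (tcp[13] & RST or (tcp[13] & SYNACK) == SYNACK)
    return "genuine" if answered else "unrelated"
```
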