Research Of Defending ARP Spoofing Attacks Based On Winpcap

In recent years, with the rapid development of computer network, the issues of network security are concerned by people. There are more and more network security incidents owing to the loopholes of various network protocols, which cause lots of losses and affect the normal order of the network. ARP spoofing attacks is a serious issue of network security; it uses the loopholes of the ARP Protocol to attack. It updates the ARP cache table of the deception host by sending the wrong IP/MAC addresses, so the hosts can't communicate with each other normally. ARP spoofing attacks shows great destructive power, and it is very difficult to prevent, it poses a great threat to the network security. How to prevent ARP spoofing attacks and how to reduce the damage that caused by ARP spoofing attacks has been a hot issue and it aroused the network experts' widespread concern, but there is not a particularly effective method to defend it by now.The thesis analyses the ARP protocol and its working mechanism, analyses the existing methods of defending against ARP spoofing attacks, and understand their features. The thesis also researches the principles and complexity of these methods, and sums up their advantages and disadvantages.Based on the study of the existing methods and the Winpcap, aimed with the characters of Dalian Maritime University (the hosts that exist in the different layer of the LAN can't communicate with each other, and the ARP spoofing attacks achieved mainly by disguising the gateway),the thesis presents a method of defending ARP spoofing attacks based on Winpcap. The method is: Setting filtering rules by filtering mechanisms of the Winpcap, and the system just captures the ARP packets flowing through the local card, and then sends the packets to the analysis module; In the analysis module, the system parses out the IP address and MAC address from the data packets ,and sends them to the checking module; In the checking module, the system first judges whether the last number of the IP address is one, if not, the system gives up treating the packet, otherwise compares the IP/MAC to the right IP/MAC and sends the result to the response module; In the response module, if judging there exists ARP spoofing attacks, the system sends information to the users, modifies the ARP cache table and stores the information to the database server. The system has passed the testing and reached the expected result.