基于Linux的ARP攻击检测防护软件的设计模块包括：MAC flood、DHCP flood、CC攻击和ARP欺骗攻击检测，并根据攻击类型输出信息；扫描和记录局域网内活动主机的IP地址和MAC地址；能够记录和保存攻击源的IP地址和MAC地址；有一定的防御功能；通过中文按钮实现可视化界面；将结果保存在日志中。用Python基本代码实现，多个代码文件将模块有机结合起来，实现完整的ARP攻击检测防护软件。
以下是基于Linux的ARP攻击检测防护软件的设计和实现代码:
- arp_detect.py
该文件包含了ARP攻击检测的主要功能,包括MAC flood、DHCP flood、CC攻击和ARP欺骗攻击检测。
import collections
import logging
import os
import threading
import time
# Logging format for the whole module (root logger; goes to stderr unless the
# importing program configured a file handler first).
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
# Constants
# Kernel ARP table: one header line, then 6 whitespace-separated columns per entry.
ARP_CACHE_FILE = '/proc/net/arp'
# Syslog file scanned for lines containing 'DHCP_SNOOPING'
# (NOTE(review): usually readable only by root - confirm on the target host).
DHCP_SNOOP_FILE = '/var/log/messages'
# Global state shared by the detector threads started in start_detect_threads().
arp_cache = {}  # ip -> mac, written by get_arp_cache()
dhcp_snoop = {}  # ip -> mac, written by get_dhcp_snoop()
# mac -> {'ip': [...], 'time': float} from the flood detectors, but ALSO
# ip -> {'mac': ...} from detect_arp_spoof(); NOTE(review): the two shapes
# share this dict and print_attack_info()/detect_cc_attack() read info['ip'].
arp_attackers = {}
cc_attackers = {}  # mac -> {'ip': [...], 'time': float}, written by detect_cc_attack()
# 定义函数:获取ARP缓存表
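def get_arp_cache(path=None):
    """Refresh the global ``arp_cache`` (ip -> mac) from the kernel ARP table.

    The table has a header line followed by 6-column rows (IP address, HW
    type, Flags, HW address, Mask, Device); only well-formed rows are taken.
    Rows whose HW address is the 00:00:00:00:00:00 placeholder are kept, as
    before, and left for callers such as detect_arp_spoof() to filter.

    Args:
        path: File to parse; defaults to ``ARP_CACHE_FILE`` (/proc/net/arp).

    Returns:
        dict[str, str]: The entries parsed by this call (ip -> mac). They
        have also been merged into ``arp_cache``.

    Raises:
        OSError: If ``path`` cannot be opened.
    """
    global arp_cache
    if path is None:
        path = ARP_CACHE_FILE
    parsed = {}
    with open(path, 'r') as f:
        next(f, None)  # skip the column header
        for line in f:
            parts = line.split()
            if len(parts) == 6:
                parsed[parts[0]] = parts[3]
    arp_cache.update(parsed)
    return parsed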
# 定义函数:获取DHCP Snooping日志
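def get_dhcp_snoop(path=None):
    """Refresh the global ``dhcp_snoop`` (ip -> mac) from DHCP snooping log lines.

    Scans ``path`` for lines containing 'DHCP_SNOOPING' and, when such a line
    has exactly nine whitespace-separated fields, takes field 7 as the IP and
    field 8 as the MAC. NOTE(review): that layout is inherited from the
    original code and is not verified here - confirm it against the actual
    log producer; lines of any other shape are silently ignored.

    Args:
        path: Log file to scan; defaults to ``DHCP_SNOOP_FILE``.

    Returns:
        dict[str, str]: The entries parsed by this call (ip -> mac). They
        have also been merged into ``dhcp_snoop``.

    Raises:
        OSError: If ``path`` cannot be opened (often readable only by root).
    """
    global dhcp_snoop
    if path is None:
        path = DHCP_SNOOP_FILE
    parsed = {}
    # errors='replace': a syslog file may contain bytes that are not valid in
    # the locale encoding; one bad byte must not abort the whole scan.
    with open(path, 'r', errors='replace') as f:
        for line in f:
            if 'DHCP_SNOOPING' not in line:
                continue
            parts = line.split()
            if len(parts) == 9:
                parsed[parts[6]] = parts[7]
    dhcp_snoop.update(parsed)
    return parsed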
# 定义函数:检测MAC flood攻击
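def detect_mac_flood(threshold=10, interval=10):
    """Detector loop: report a MAC that is bound to more than ``threshold`` IPs.

    Every ``interval`` seconds the ARP cache is refreshed, the number of IPs
    per MAC is counted once, and each offending MAC is recorded in
    ``arp_attackers`` as ``{'ip': [...], 'time': last_report}``. A warning is
    logged on first detection and again once a minute while it persists.
    Never returns; intended as a ``threading.Thread`` target.

    Args:
        threshold: IPs per MAC above which the MAC is reported.
        interval: Seconds to sleep between passes.
    """
    global arp_cache
    global arp_attackers
    while True:
        try:
            get_arp_cache()
        except OSError as exc:
            # Keep working on the last good snapshot rather than killing the thread.
            logging.error('Cannot refresh ARP cache: %s', exc)
        # Snapshot: other threads mutate these dicts while we iterate.
        entries = list(arp_cache.items())
        per_mac = collections.Counter(mac for _ip, mac in entries)
        now = time.time()
        for ip, mac in entries:
            if per_mac[mac] <= threshold:
                continue
            record = arp_attackers.get(mac)
            if record is None:
                arp_attackers[mac] = {'ip': [ip], 'time': now}
                logging.warning('Detected MAC flood attack from %s', mac)
                continue
            ips = record.setdefault('ip', [])
            # The original appended on every pass, so the list grew without bound.
            if ip not in ips:
                ips.append(ip)
            if now - record.get('time', 0) > 60:
                logging.warning('MAC flood attack from %s is still ongoing', mac)
                record['time'] = now
        time.sleep(interval)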
# 定义函数:检测DHCP flood攻击
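def detect_dhcp_flood(threshold=10, interval=10):
    """Detector loop: report a MAC that appears with more than ``threshold`` IPs in the DHCP log.

    Every ``interval`` seconds the snooping log is re-read, IPs per MAC are
    counted once, and offenders are stored in the shared ``arp_attackers``
    dict as ``{'ip': [...], 'time': last_report}`` (same shape and same dict
    as detect_mac_flood, as in the original). A warning is logged on first
    detection and again once a minute while it persists. Never returns.

    Args:
        threshold: IPs per MAC above which the MAC is reported.
        interval: Seconds to sleep between passes.
    """
    global dhcp_snoop
    global arp_attackers
    while True:
        try:
            get_dhcp_snoop()
        except OSError as exc:
            logging.error('Cannot refresh DHCP snooping log: %s', exc)
        entries = list(dhcp_snoop.items())  # snapshot; other threads mutate it
        per_mac = collections.Counter(mac for _ip, mac in entries)
        now = time.time()
        for ip, mac in entries:
            if per_mac[mac] <= threshold:
                continue
            record = arp_attackers.get(mac)
            if record is None:
                arp_attackers[mac] = {'ip': [ip], 'time': now}
                logging.warning('Detected DHCP flood attack from %s', mac)
                continue
            ips = record.setdefault('ip', [])
            if ip not in ips:  # avoid unbounded duplicate growth
                ips.append(ip)
            if now - record.get('time', 0) > 60:
                logging.warning('DHCP flood attack from %s is still ongoing', mac)
                record['time'] = now
        time.sleep(interval)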
# 定义函数:检测CC攻击
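def detect_cc_attack(threshold=10, interval=10):
    """Detector loop: escalate a flood source that spans many IPs.

    Every ``interval`` seconds, any MAC in ``arp_attackers`` with more than
    ``threshold`` recorded IPs is copied into ``cc_attackers`` (same
    ``{'ip': [...], 'time': ...}`` shape) and reported; the warning repeats
    once a minute while it persists. This is purely a heuristic over the
    ARP/DHCP flood records - no application traffic is inspected here.
    Entries without an 'ip' list are skipped instead of raising KeyError.
    Never returns.

    Args:
        threshold: Recorded IPs per MAC above which the MAC is escalated.
        interval: Seconds to sleep between passes.
    """
    global arp_attackers
    global cc_attackers
    while True:
        now = time.time()
        for mac, info in list(arp_attackers.items()):  # snapshot
            ips = info.get('ip', [])
            if len(ips) <= threshold:
                continue
            record = cc_attackers.get(mac)
            if record is None:
                cc_attackers[mac] = {'ip': list(ips), 'time': now}
                logging.warning('Detected CC attack from %s', mac)
                continue
            record['ip'] = list(ips)  # copy, so the two tables do not alias one list
            if now - record.get('time', 0) > 60:
                logging.warning('CC attack from %s is still ongoing', mac)
                record['time'] = now
        time.sleep(interval)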
# 定义函数:检测ARP欺骗攻击
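def detect_arp_spoof(interval=10):
    """Detector loop: report an IP whose MAC differs from the one first seen.

    Keeps a private ip -> mac baseline filled from ``arp_cache`` on first
    sight (trust-on-first-use: a mapping that is already wrong when the
    program starts is accepted as genuine). Every ``interval`` seconds the
    cache is refreshed; an IP whose MAC changed is logged, the baseline
    follows the new MAC (so each change is reported once, as before), and the
    new MAC is recorded in ``arp_attackers`` with the same
    ``{'ip': [...], 'time': ...}`` shape the flood detectors use - the
    original stored ip -> {'mac': ...} in that dict, which broke the readers
    expecting info['ip']. Entries with MAC 00:00:00:00:00:00 are ignored.
    Never returns.

    Args:
        interval: Seconds to sleep between passes.
    """
    global arp_cache
    global arp_attackers
    baseline = {}  # ip -> mac as first observed by this thread
    while True:
        try:
            get_arp_cache()
        except OSError as exc:
            logging.error('Cannot refresh ARP cache: %s', exc)
        now = time.time()
        for ip, mac in list(arp_cache.items()):  # snapshot
            if mac == '00:00:00:00:00:00':
                continue
            known = baseline.setdefault(ip, mac)
            if known == mac:
                continue
            logging.warning('Detected ARP spoofing attack from %s', mac)
            baseline[ip] = mac
            record = arp_attackers.setdefault(mac, {'ip': [], 'time': now})
            ips = record.setdefault('ip', [])
            if ip not in ips:
                ips.append(ip)
        time.sleep(interval)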
# 定义函数:启动检测线程
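def start_detect_threads():
    """Start the four detector loops as named daemon threads and return them.

    Daemon threads let the process exit on Ctrl-C or window close even though
    the detector loops never return; the original non-daemon threads kept
    the interpreter alive forever. Callers that ignore the return value
    behave as before.

    Returns:
        list[threading.Thread]: The started threads, in start order.
    """
    targets = (detect_mac_flood, detect_dhcp_flood, detect_cc_attack, detect_arp_spoof)
    threads = []
    for target in targets:
        worker = threading.Thread(target=target, name=target.__name__, daemon=True)
        worker.start()
        threads.append(worker)
    return threads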
# 定义函数:输出攻击信息
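def print_attack_info(interval=60):
    """Reporter loop: log a summary of ``arp_attackers`` and ``cc_attackers``.

    Every ``interval`` seconds each recorded MAC is logged with its IP list.
    Records that carry no 'ip' list are printed with an empty IP column
    rather than raising KeyError. Never returns.

    Args:
        interval: Seconds between summaries.
    """
    global arp_attackers
    global cc_attackers
    while True:
        _log_attack_table('ARP attack detected:', arp_attackers)
        _log_attack_table('CC attack detected:', cc_attackers)
        time.sleep(interval)


def _log_attack_table(heading, table):
    """Log ``heading`` then one ' MAC: ..., IP: ...' line per entry of ``table``.

    Iterates a snapshot because the detector threads mutate the table.
    Nothing is logged for an empty table.
    """
    if not table:
        return
    logging.info(heading)
    for mac, info in list(table.items()):
        logging.info(' MAC: %s, IP: %s', mac, ','.join(info.get('ip', [])))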
# 主函数
# Entry point: fill both caches once, start the detector threads, then block
# on the main thread printing attack summaries forever.
if __name__ == '__main__':
    get_arp_cache()
    get_dhcp_snoop()
    start_detect_threads()
    print_attack_info()
- host_scan.py
该文件包含了局域网内活动主机的IP地址和MAC地址的扫描和记录功能。
import logging
import os
import subprocess
import threading
import time
# Logging format for this module (root logger).
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
# Constants
PING_TIMEOUT = 1  # seconds passed to `ping -w` for each probe
SCAN_INTERVAL = 60  # minimum seconds between "still active" log lines for a known host
# Global state: ip -> {'mac': str, 'time': float}, written by scan_hosts()
hosts = {}
# 定义函数:扫描主机
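def scan_hosts(subnet='192.168.1', interval=10):
    """Scanner loop: ping every address in ``subnet``.1-254 and record its MAC.

    A host that answers one ping has its MAC looked up in the kernel ARP
    table (/proc/net/arp, which the ping itself populates) and is stored in
    the global ``hosts`` as ``{'mac': ..., 'time': last_report}``. A new host
    is logged once; a known host is logged as "still active" at most once per
    ``SCAN_INTERVAL`` seconds. Never returns; intended as a thread target.

    Args:
        subnet: First three dotted octets of the /24 to sweep.
        interval: Seconds to sleep between full sweeps.
    """
    global hosts
    while True:
        for last_octet in range(1, 255):
            ip = '%s.%d' % (subnet, last_octet)
            if not _ping_once(ip):
                continue
            mac = _lookup_mac(ip)
            if not mac:
                continue
            now = time.time()
            record = hosts.get(ip)
            if record is None:
                hosts[ip] = {'mac': mac, 'time': now}
                logging.info('Discovered new host: %s (%s)', ip, mac)
                continue
            record['mac'] = mac
            if now - record['time'] > SCAN_INTERVAL:
                logging.info('Host %s is still active', ip)
                record['time'] = now
        time.sleep(interval)


def _ping_once(ip):
    """Return True if ``ip`` answers one ICMP echo within PING_TIMEOUT seconds.

    The command is an argument list (no shell), so the address is never
    handed to /bin/sh; stdout is discarded like the original ``> /dev/null``.
    A missing ``ping`` binary counts as no answer instead of raising.
    """
    try:
        result = subprocess.run(
            ['ping', '-c', '1', '-w', str(PING_TIMEOUT), ip],
            stdout=subprocess.DEVNULL,
        )
    except OSError:
        return False
    return result.returncode == 0


def _lookup_mac(ip):
    """Return the MAC the kernel ARP table holds for ``ip``, or '' if absent.

    Reads /proc/net/arp (header line, then 6 columns: IP, HW type, Flags,
    HW address, Mask, Device) instead of shelling out to ``arp -n | awk``,
    whose output also included the column header in the captured value.
    An all-zero HW address is not a resolved address and is treated as absent.
    """
    try:
        with open('/proc/net/arp', 'r') as f:
            next(f, None)  # column header
            for line in f:
                parts = line.split()
                if len(parts) == 6 and parts[0] == ip:
                    return '' if parts[3] == '00:00:00:00:00:00' else parts[3]
    except OSError:
        return ''
    return ''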
# 定义函数:输出主机信息
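def print_host_info(interval=60):
    """Reporter loop: log every known host (IP and MAC) every ``interval`` seconds.

    Iterates a snapshot of ``hosts`` because scan_hosts() mutates it from
    another thread. Nothing is logged while the table is empty. Never returns.

    Args:
        interval: Seconds between reports.
    """
    global hosts
    while True:
        if hosts:
            logging.info('Hosts in the network:')
            for ip, info in list(hosts.items()):
                logging.info(' IP: %s, MAC: %s', ip, info['mac'])
        time.sleep(interval)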
# 主函数
if __name__ == '__main__':
    # Scanner and reporter run side by side; neither loop returns.
    workers = [threading.Thread(target=loop) for loop in (scan_hosts, print_host_info)]
    for worker in workers:
        worker.start()
- main.py
该文件包含了可视化界面的实现和结果的保存功能。
import logging
import threading
import tkinter as tk
# Root logger configuration. Modules imported later (arp_detect, host_scan)
# log through this file handler, because their own basicConfig() calls do
# nothing once the root logger already has a handler. The file is created
# relative to the current working directory, and save_log() reads that same
# path back - NOTE(review): start the program from a directory where that is
# intended.
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s', filename='arp_detect.log')
# 定义函数:创建窗口
def create_window():
    """Create and return the application's top-level Tk window.

    The window is titled 'ARP Attack Detection' and sized 400x300.
    """
    root = tk.Tk()
    root.title('ARP Attack Detection')
    root.geometry('400x300')
    return root
# 定义函数:创建按钮
def create_button(window, text, command):
    """Add a button labelled ``text`` to ``window`` and return it.

    ``command`` is invoked when the button is clicked. The button is packed
    with ``pady=10`` so stacked buttons keep some vertical spacing.
    """
    widget = tk.Button(window, text=text, command=command)
    widget.pack(pady=10)
    return widget
# 定义函数:启动ARP攻击检测和主机扫描
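def start_detection():
    """Button handler: start the ARP detectors and the host scanner in the background.

    Importing ``arp_detect`` and ``host_scan`` by itself runs nothing - their
    start-up code sits under ``if __name__ == '__main__'`` - so the original
    button had no effect. This version fills the caches, starts the detector
    threads, and runs the reporters and the scanner as daemon threads so the
    Tk main loop stays responsive and the process can exit with the window.
    A second click is a no-op. An unreadable ARP table aborts the start; an
    unreadable DHCP log is only logged, since the other detectors still work.
    """
    if getattr(start_detection, '_started', False):
        logging.info('Detection already running')
        return
    import arp_detect
    import host_scan
    try:
        arp_detect.get_arp_cache()
    except OSError as exc:
        logging.error('Cannot read the ARP table, detection not started: %s', exc)
        return
    try:
        arp_detect.get_dhcp_snoop()
    except OSError as exc:
        # Typically a permissions problem on the syslog file; not fatal.
        logging.warning('Cannot read the DHCP snooping log: %s', exc)
    arp_detect.start_detect_threads()
    background = (arp_detect.print_attack_info, host_scan.scan_hosts, host_scan.print_host_info)
    for target in background:
        threading.Thread(target=target, name=target.__name__, daemon=True).start()
    start_detection._started = True
    logging.info('Detection started')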
# 定义函数:保存日志
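def save_log(src='arp_detect.log', dst='arp_detect.txt'):
    """Copy the log file ``src`` to ``dst``; return True on success, False otherwise.

    The copy is byte-for-byte (binary mode), so the log's text encoding is
    irrelevant. A missing or unreadable source, or an unwritable destination,
    is reported through logging and yields False instead of an uncaught
    exception inside the button callback.

    Args:
        src: Path of the log written by the logging configuration above.
        dst: Destination path; overwritten if it already exists.
    """
    try:
        with open(src, 'rb') as log_in, open(dst, 'wb') as log_out:
            log_out.write(log_in.read())
    except OSError as exc:
        logging.error('Could not save log %s to %s: %s', src, dst, exc)
        return False
    logging.info('Log saved to %s', dst)
    return True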
# 创建窗口和按钮
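if __name__ == '__main__':
    # Build the window and its two buttons, then hand control to Tk. The
    # guard keeps the GUI from starting if this module is ever imported.
    window = create_window()
    button1 = create_button(window, 'Start Detection', start_detection)
    button2 = create_button(window, 'Save Log', save_log)
    window.mainloop()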