From the afternoon of June May 21, 2013 to June May 22, ARP attacks hit the campus network, leaving a wide area unable to access the Internet. Leaders were anxious and under great pressure.
ARP spoofing attacks are difficult to stop with traditional methods such as packet filtering and IP + MAC + port binding.
Analysis of how ARP spoofing works shows that the best defense against this type of attack is to check the content validity of ARP packets at the access layer and discard any packet that fails the check. This technique is called ARP intrusion detection.
arp -a
View the local machine's ARP cache. Normally, the first column prints the local IP address, and the following entries show the IP address and MAC address of the current gateway.
Normal mode: there is only one gateway in the network, "arp -a" on a client shows only one ARP record, and this record is the IP address --> MAC mapping of the current gateway.
Hybrid mode: when the ARP cache contains multiple IP --> MAC records, the network is in hybrid mode and the gateway is not unique.
ARP Intrusion Detection
ARP attack detection solution
1. Use the "arp -a" command to view the local ARP cache table and look for duplicate MAC addresses or a wrong gateway address.
2. Use nbtscan.exe to scan and analyze the IP addresses and MAC addresses in the network.
3. Use the "ping" command to test the latency between the local host and other intranet hosts. High latency is suspicious.
4. Use the Kingsoft shell ARP firewall to intercept ARP attack packets and judge from its attack interception logs.
5. Use the "color shadow ARP firewall (formerly AntiARP Sniffer)" to analyze the traffic and locate the suspicious attack source.
6. Use "Wireshark", the "kelai Network Analysis System", "Sniffer Pro" or other sniffer software to capture network data. Look for hosts that send large numbers of broadcast packets and other ARP packets that are not part of a request/response pair, or compare the sender MAC address in the ARP packet header with the source address (SA) field of the layer-2 Ethernet frame; if the two do not match, the network is under ARP attack.
7. Enable the "protection against MAC address spoofing" function under the network threat protection item of the "Norton Enterprise Edition protection software". [Other anti-virus software works the same way]
8. Locate the physical position of the virus source host by bisection (the "half method": cut off the network connection of half of the hosts each time).
9. Log on to the router, check the DHCP allocation log and the ARP cache table, and then bind IP addresses to MAC addresses.
10. Log on to the switch, view the MAC address table, find the physical port number of the suspicious MAC, and determine the host location. Alternatively, enable port mirroring and use another PC for traffic analysis.
11. Identify the virus source from the flashing frequency of the switch port activity indicators. A port that flashes at a high frequency is suspicious.
12. Check whether proxy ARP is enabled on the router; it causes large numbers of ARP broadcast storms or ARP scan packets in the network, which make related software report attacks.
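The two checks described above, the sender MAC in the ARP header versus the Ethernet source address (step 6) and more than one MAC answering for the gateway IP (the "hybrid mode" symptom), as an added example in Python that is not part of the original article. It parses raw Ethernet/ARP frames; the frames, MAC addresses and the gateway IP 10.0.0.1 are constructed sample data.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not a valid IPv4 ARP frame."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha), "spa": ip_str(spa), "tpa": ip_str(tpa)}

def check_frames(frames, gateway_ip):
    """Apply both checks to a list of frames. Returns a list of (reason, detail) alerts."""
    alerts = []
    gw_macs = set()  # every MAC that has claimed the gateway IP so far
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None:
            continue
        # check 1: the ARP sender hardware address must equal the Ethernet source address
        if arp["sha"] != arp["eth_src"]:
            alerts.append(("sha/eth-src mismatch", f'{arp["spa"]} sha={arp["sha"]} eth={arp["eth_src"]}'))
        # check 2: the gateway IP must map to exactly one MAC ("normal mode")
        if arp["spa"] == gateway_ip and arp["sha"] not in gw_macs:
            gw_macs.add(arp["sha"])
            if len(gw_macs) > 1:
                alerts.append(("multiple MACs for gateway", ",".join(sorted(gw_macs))))
    return alerts

def build_arp(eth_src, sha, spa, tpa, op=2, tha=b"\xff" * 6):
    """Build a constructed Ethernet/ARP frame (sample data for this demo only)."""
    eth = ETH_HDR.pack(b"\xff" * 6, eth_src, 0x0806)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, bytes(map(int, spa.split("."))), tha, bytes(map(int, tpa.split("."))))
    return eth + arp

GW_MAC = bytes.fromhex("001122334455")    # constructed: the real gateway
FAKE_MAC = bytes.fromhex("66778899aabb")  # constructed: a host impersonating it
SAMPLE_FRAMES = [
    build_arp(GW_MAC, GW_MAC, "10.0.0.1", "10.0.0.20"),      # legitimate gateway reply
    build_arp(FAKE_MAC, FAKE_MAC, "10.0.0.1", "10.0.0.20"),  # a second MAC claims the gateway IP
    build_arp(FAKE_MAC, GW_MAC, "10.0.0.1", "10.0.0.21"),    # ARP sha does not match the Ethernet source
]

if __name__ == "__main__":
    for reason, detail in check_frames(SAMPLE_FRAMES, "10.0.0.1"):
        print(reason, "->", detail)
```

On a real network the same checks would be run over frames captured from a mirrored switch port (step 10) rather than over constructed samples.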