The following article was collected and organized by the OMG editorial team; we hope it helps.
Resolving ARP attacks, from principle to application:
Many internet cafés and businesses suffer unstable networks and unexplained disconnections, and the financial losses are considerable. This is a common problem, and its main cause is ARP attacks. ARP is no longer just the abbreviation of a protocol; it has become a synonym for dropped connections. Because of the number of variants and the speed with which they spread, many technicians and business owners are at their wits' end. This article discusses the topic from principle to application, in the hope of helping you solve such problems and clean up your network environment.
On a LAN, the ARP protocol maps an IP address (layer 3) to the physical MAC address (layer 2) so that machines can communicate. ARP matters a great deal for network security because it is built on mutual trust: ARP messages carry no authentication at all. An attacker who forges IP-to-MAC mappings (ARP spoofing) can generate a flood of ARP traffic on the network and use it to block, disconnect, redirect, or sniff other hosts' traffic.
Each host keeps an ARP cache holding recently learned mappings between IP addresses and MAC hardware addresses. Entries are short-lived: on Windows they typically expire within a minute or two of being created unless refreshed (the exact timeout depends on the Windows version). By default ARP looks up IP-to-MAC entries in this cache, and the entries change dynamically according to the ARP replies received, so on many stacks the cache entry for an IP is updated whenever an ARP reply for that IP arrives, whether or not the host asked for it. For example, X sends a forged ARP reply to Y in which the sender IP address is 192.168.1.3 (Z's IP address) and the sender MAC address is dd-dd-dd-dd-dd-dd (Z's real MAC address is cc-cc-cc-cc-cc-cc; the forged one differs). When Y receives the spoofed reply it updates its local ARP cache, unaware that the reply was forged, and from then on sends Z's traffic to dd-dd-dd-dd-dd-dd. Now consider what happens if the forged entry is for the gateway: every packet Y sends off the LAN goes to the attacker instead.
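To make the cache behaviour concrete, here is an added example (not code from the article) that builds the three frames of the scenario above, feeds them to a trusting ARP cache and to one that pins the gateway entry, and shows which entries each ends up with. Y's address 192.168.1.2, its MAC bb-bb-bb-bb-bb-bb, X's MAC dd-dd-dd-dd-dd-dd as the forged sender address, and the pinned gateway MAC 0a-0b-0c-0d-0e-0f are assumptions chosen to match the article's example.

```python
"""Simulated ARP cache poisoning: a trusting cache beside a hardened one.

Added example, not code from the original article. The frames are constructed
inline; the hosts, MACs and pinned gateway address are assumptions chosen to
match the article's scenario (X spoofs Z's address 192.168.1.3 towards Y).
"""
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(text):
    return bytes(int(p, 16) for p in text.split("-"))


def mac_text(raw):
    return "-".join(f"{b:02x}" for b in raw)


def ip_bytes(text):
    return bytes(int(p) for p in text.split("."))


def ip_text(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_ip, sender_mac, target_ip, target_mac):
    """Build an Ethernet frame carrying an ARP reply (used to construct test input)."""
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return ETH_HDR.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str
    target_ip: str


def parse_arp_reply(frame):
    """Return an ArpReply for a well-formed Ethernet/IPv4 ARP reply, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REPLY):
        return None
    return ArpReply(ip_text(spa), mac_text(sha), ip_text(tpa))


class NaiveArpCache:
    """Trusting cache: any reply overwrites the entry for its sender IP."""

    def __init__(self):
        self.table = {}

    def handle(self, frame):
        reply = parse_arp_reply(frame)
        if reply is not None:
            self.table[reply.sender_ip] = reply.sender_mac


class PinnedArpCache(NaiveArpCache):
    """Hardened cache: pinned IPs never change (conflicting replies are dropped),
    and a MAC change for any other IP is accepted but logged."""

    def __init__(self, pinned):
        super().__init__()
        self.pinned = dict(pinned)
        self.table.update(pinned)
        self.alerts = []

    def handle(self, frame):
        reply = parse_arp_reply(frame)
        if reply is None:
            return
        ip, mac = reply.sender_ip, reply.sender_mac
        if ip in self.pinned and self.pinned[ip] != mac:
            self.alerts.append(f"DROP spoofed reply for pinned {ip}: claimed {mac}")
            return
        if ip in self.table and self.table[ip] != mac:
            self.alerts.append(f"WARN {ip} moved from {self.table[ip]} to {mac}")
        self.table[ip] = mac


def replay_scenario():
    """Replay the article's scenario; returns (naive table, pinned table, alerts)."""
    y_ip, y_mac = "192.168.1.2", "bb-bb-bb-bb-bb-bb"        # victim Y (assumed)
    attacker_mac = "dd-dd-dd-dd-dd-dd"                       # X's MAC (assumed)
    frames = [
        build_arp_reply("192.168.1.3", "cc-cc-cc-cc-cc-cc", y_ip, y_mac),  # genuine reply from Z
        build_arp_reply("192.168.1.3", attacker_mac, y_ip, y_mac),         # X impersonates Z
        build_arp_reply("192.168.1.1", attacker_mac, y_ip, y_mac),         # X impersonates the gateway
    ]
    naive, pinned = NaiveArpCache(), PinnedArpCache({"192.168.1.1": "0a-0b-0c-0d-0e-0f"})
    for frame in frames:
        naive.handle(frame)
        pinned.handle(frame)
    return naive.table, pinned.table, pinned.alerts


if __name__ == "__main__":
    for item in replay_scenario():
        print(item)
```

Pinning protects only the pinned addresses: the hardened cache still accepts X's claim to be 192.168.1.3 and merely logs that the entry moved. Real stacks differ in when they accept unsolicited replies, so treat the naive cache as a model of the historical behaviour the article describes, not of one specific operating system.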
A switch maintains a similar dynamic table: a MAC address table mapping each port to the MAC addresses seen behind it (port n <-> MAC). The table starts empty and the switch fills it by learning the source MAC of every frame that arrives on a port. Because this MAC-to-port table is updated dynamically, an attacker can corrupt it by MAC flooding: sending a continuous stream of frames with forged, random source MAC addresses. The switch keeps learning these bogus entries until the table is full and the genuine MAC-to-port associations are pushed out. Frames for destinations no longer in the table are then flooded out of every port, so the switch effectively degrades into a hub and the attacker can sniff all traffic. The same forged traffic also fills the ARP table of the switch or router with bogus entries. The following Cisco "show ip arp" listing (an ARP table, not the MAC address table) shows the telltale signature: six IP addresses all resolving to the same hardware address, that is, one host answering ARP on behalf of many others:
Protocol  Address      Hardware Addr   Type  Interface
Internet  192.168.1.4  000b.cd85.a193  ARPA  Vlan256
Internet  192.168.1.5  000b.cd85.a193  ARPA  Vlan256
Internet  192.168.1.6  000b.cd85.a193  ARPA  Vlan256
Internet  192.168.1.7  000b.cd85.a193  ARPA  Vlan256
Internet  192.168.1.8  000b.cd85.a193  ARPA  Vlan256
Internet  192.168.1.9  000b.cd85.a193  ARPA  Vlan256
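The pattern in that listing, one hardware address answering for many IP addresses, is easy to check for automatically. The following added example (not from the article) parses "show ip arp" style output and reports MACs that claim more than one address. The listing embedded in it is constructed to reproduce the article's excerpt, with a legitimate gateway entry, an ordinary host and an incomplete entry added so that the parser's handling of them is visible; the MAC values for those extra rows are assumptions.

```python
"""Flag hardware addresses that answer for many IPs in a Cisco 'show ip arp'
listing. Added example, not from the article; the listing below is constructed
in the same layout as the article's excerpt (with or without the Age column)."""
import re
from collections import defaultdict

SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0a0b.0c0d.0e0f  ARPA   Vlan256
Internet  192.168.1.2             3   0011.2233.4455  ARPA   Vlan256
Internet  192.168.1.4             0   000b.cd85.a193  ARPA   Vlan256
Internet  192.168.1.5             0   000b.cd85.a193  ARPA   Vlan256
Internet  192.168.1.6             0   000b.cd85.a193  ARPA   Vlan256
Internet  192.168.1.7             0   000b.cd85.a193  ARPA   Vlan256
Internet  192.168.1.8             0   000b.cd85.a193  ARPA   Vlan256
Internet  192.168.1.9             0   000b.cd85.a193  ARPA   Vlan256
Internet  192.168.1.20            0   Incomplete      ARPA
"""

ENTRY_RE = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})"      # IP address
    r"\s+(?:\d+|-)?\s*"                          # optional Age column ("-" for the router itself)
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"   # dotted-hex MAC
    r"\s+ARPA\s+(\S+)", re.IGNORECASE)


def parse_show_ip_arp(text):
    """Return [(ip, mac, interface)] for complete entries; 'Incomplete' rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def ip_sort_key(ip):
    return tuple(int(octet) for octet in ip.split("."))


def find_shared_macs(entries, threshold=2, allow=()):
    """Map each MAC that claims at least `threshold` IPs to its sorted IP list.

    `allow` lists MACs known to hold several addresses legitimately (a router
    with secondary addresses, for example); those are never reported.
    """
    by_mac = defaultdict(set)
    for ip, mac, _iface in entries:
        by_mac[mac].add(ip)
    allowed = {m.lower() for m in allow}
    return {mac: sorted(ips, key=ip_sort_key)
            for mac, ips in by_mac.items()
            if len(ips) >= threshold and mac not in allowed}


if __name__ == "__main__":
    for mac, ips in find_shared_macs(parse_show_ip_arp(SAMPLE_SHOW_IP_ARP)).items():
        print(f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}")
```

On a real switch, run this over the output of "show ip arp" (and compare against "show mac address-table" for the flagged MAC) to find the port the spoofing host sits on.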
The main phenomena of an ARP attack
Frequent loss of online-banking credentials and confidential data. When a host on the LAN runs an ARP-spoofing trojan, it deceives every host and router on the segment so that all Internet traffic passes through the infected host. Users who previously reached the Internet directly through the router are now relayed through the infected host, and they lose their connection at the moment of switch-over. Once traffic flows through the infected host, it can repeatedly fake disconnections for users who are logged on to a server; each time the user logs on again, the infected host captures the credentials and everything else the machine sends.
Speed alternates between fast and slow and is extremely unstable, yet tests on a single machine connected directly show everything working normally. Part or all of the LAN drops frequently; rebooting the computer or the network device restores it.
Because the ARP-spoofing trojan generates large numbers of packets, the LAN becomes congested, and since the infected host has limited forwarding capacity, users feel the network getting slower and slower. When the trojan stops running, users return to reaching the Internet through the router and are disconnected once more during the switch-over.
ARP solutions:
At present the common solution is double binding, that is, static ARP bindings on both the client and the gateway. The client-side steps are as follows:
First find the correct gateway IP address and the gateway's physical (MAC) address, then bind that entry statically on the client. The gateway side is bound in the same way with each client's IP and MAC address, which is what makes the binding "double".
Step One:
Find the gateway address for this segment, for example 192.168.1.1, which is used in this example. While the network is working normally, open Start → Run → cmd → OK, type arp -a and press Enter, then note the physical address shown for the gateway.
For example: gateway 192.168.1.1 corresponds to 0a-0b-0c-0d-0e-0f.
Step Two:
Write a batch file named Rarp.bat with the following content:
@echo off
rem Flush the dynamic ARP cache, then pin the gateway IP to its real MAC.
arp -d *
arp -s 192.168.1.1 0a-0b-0c-0d-0e-0f
Save it as Rarp.bat.
Step Three:
Run the batch file, and place a shortcut to it in Windows → Start → Programs → Startup so that it runs at every boot. On Windows Vista and later the batch file must run from an elevated (administrator) prompt for arp -s to succeed, and the equivalent persistent binding there is netsh interface ipv4 add neighbors "<interface name>" 192.168.1.1 0a-0b-0c-0d-0e-0f.
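Because a static entry can be lost (a restart, a different user account, a tool that flushes the cache) and because the MAC you bind must be the gateway's real one, it is worth verifying the binding rather than assuming it. The following added example (not from the article) parses "arp -a" output, classifies the gateway entry, and produces the rebind commands when needed. SAMPLE_ARP_A is a constructed "arp -a" listing; the interface name "Ethernet" and the gateway MAC 0a-0b-0c-0d-0e-0f (the article's example value) are assumptions, and live_arp_a() shows how the same check would read the real table on a Windows host.

```python
"""Check that a Windows client's ARP entry for the gateway is static and correct.

Added example, not from the article. SAMPLE_ARP_A is a constructed 'arp -a'
output; the interface name "Ethernet" and the gateway MAC are assumptions
(the MAC is the one used in the article's example)."""
import re
import subprocess

GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "0a-0b-0c-0d-0e-0f"
INTERFACE = "Ethernet"          # assumed; see 'netsh interface show interface' on the host

SAMPLE_ARP_A = """\
Interface: 192.168.1.2 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           dd-dd-dd-dd-dd-dd     dynamic
  192.168.1.3           cc-cc-cc-cc-cc-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)\s*$",
    re.IGNORECASE)


def parse_arp_a(text):
    """Return {ip: (mac, type)} from 'arp -a' output; header lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def binding_commands(gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC, interface=INTERFACE):
    """Commands that pin the gateway: the classic arp -d / arp -s pair, plus the
    netsh form for Windows Vista and later (all need an elevated prompt)."""
    return [
        f"arp -d {gateway_ip}",
        f"arp -s {gateway_ip} {gateway_mac}",
        f'netsh interface ipv4 add neighbors "{interface}" {gateway_ip} {gateway_mac}',
    ]


def check_gateway_binding(arp_a_output, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Classify the gateway entry: 'ok' (static and correct), 'unbound' (correct
    but dynamic), 'mismatch' (another MAC answers for the gateway) or 'missing'."""
    entry = parse_arp_a(arp_a_output).get(gateway_ip)
    if entry is None:
        return "missing"
    mac, kind = entry
    if mac != gateway_mac.lower():
        return "mismatch"       # do not just rebind: find out who claims the gateway
    return "ok" if kind == "static" else "unbound"


def live_arp_a():
    """Read the real table on a Windows host (not used by the offline example)."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    status = check_gateway_binding(SAMPLE_ARP_A)
    print("gateway entry:", status)
    if status != "ok":
        print("\n".join(binding_commands()))
```

A "mismatch" result is the interesting one: it means the gateway's address is currently resolved to a different MAC, which is exactly the condition the binding is meant to prevent, so investigate that MAC before rebinding.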
Double binding still does not solve the ARP problem completely: it cannot handle IP-address conflicts, and some ARP-attack variants get around it, since the static entry protects only the pinned gateway address on that one client and does nothing for the caches of other hosts or for forged replies the gateway itself receives.
The next option is anti-ARP hardware (routers with built-in ARP protection), but it is expensive and cannot guarantee stable operation under a large volume of attacks. Is there, then, an effective and complete solution? Yes: software that works at the driver level and is deployed across the whole network to guard against ARP problems.
Such software is driven by a kernel-level component, runs as a service together with a user-mode process, starts with the system, and consumes few system resources. It differs from double binding in that it analyzes and judges each packet during communication: only legitimate packets are passed, and illegitimate ones are discarded. Nor do you need to worry that the computer will rebuild its ARP cache from scratch after a restart, because the service and process are installed on the machine and the protection starts automatically with the operating system.
Software that currently meets this requirement and works well: the recommendation here is ARP Guardian, which not only addresses the ARP problem but also provides network-flood protection and peer-to-peer speed limiting.
ARP Guardian installs a kernel driver at the bottom of the system's network stack. The driver filters all ARP packets and judges every ARP reply; only ARP packets that conform to the rules are passed on for further processing, which prevents the computer from being deceived. At the same time, it inspects every outgoing ARP reply and lets only rule-conforming replies leave the machine, so that attacks originating from this machine are intercepted ...
Flood interception: this setting punishes machines in the rules list that carry out SYN-flood, UDP-flood, or ICMP-flood attacks. When a computer on the LAN sends more SYN packets, UDP packets, or ICMP messages than the limit configured here, the ARP Guardian client penalizes it according to the preset values: during the penalty period the computer can no longer send the corresponding kind of message onto the network. The penalty does not affect connections that are already established.
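A minimal model of such flood interception, as an added example that is not the product's code: per host and per packet kind, count new packets in a sliding one-second window, and once the count exceeds the limit block that kind from that host for a penalty period while leaving established connections alone. The limits, window, penalty length and the constructed event stream are assumptions; telling established traffic from new messages is left to the caller here, where a real product would need connection tracking.

```python
"""Per-host flood threshold with a penalty period, as described for SYN/UDP/ICMP
flood interception. Added example, not the product's code; the window, limits,
penalty length and the event stream below are assumptions."""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
PENALTY_SECONDS = 60.0
LIMITS = {"syn": 100, "udp": 500, "icmp": 50}   # packets per window before a penalty


class FloodGuard:
    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, penalty=PENALTY_SECONDS):
        self.limits, self.window, self.penalty = dict(limits), window, penalty
        self.recent = defaultdict(deque)      # (host, kind) -> timestamps inside the window
        self.penalized_until = {}             # (host, kind) -> time the penalty ends
        self.log = []

    def decide(self, now, host, kind, established=False):
        """Return 'pass' or 'drop' for one outgoing packet from `host`.

        established=True marks traffic on an already established connection,
        which the penalty leaves alone; only new SYN/UDP/ICMP messages count."""
        key = (host, kind)
        if established or kind not in self.limits:
            return "pass"
        until = self.penalized_until.get(key)
        if until is not None:
            if now < until:
                return "drop"
            del self.penalized_until[key]       # penalty expired, start counting afresh
        window = self.recent[key]
        window.append(now)
        while window and now - window[0] > self.window:   # slide the window forward
            window.popleft()
        if len(window) > self.limits[kind]:
            self.penalized_until[key] = now + self.penalty
            window.clear()
            self.log.append(f"t={now:.2f} {host} exceeded {kind} limit, blocked for {self.penalty:.0f}s")
            return "drop"
        return "pass"


def simulate_flood():
    """Constructed event stream: host A sends 150 SYNs in one second, keeps
    sending during the penalty and resumes after it; host B behaves normally."""
    guard = FloodGuard()
    counts = defaultdict(lambda: {"pass": 0, "drop": 0})
    for i in range(150):                                   # A's burst: 150 SYN within 1 s
        counts["A-syn"][guard.decide(i / 150, "A", "syn")] += 1
    for i in range(10):                                    # B's normal traffic at the same time
        counts["B-syn"][guard.decide(i / 10, "B", "syn")] += 1
    counts["A-est"][guard.decide(2.0, "A", "syn", established=True)] += 1   # A's existing session
    counts["A-udp"][guard.decide(2.0, "A", "udp")] += 1    # other kinds from A are not penalized
    counts["A-syn-later"][guard.decide(1.0 + PENALTY_SECONDS + 1, "A", "syn")] += 1  # penalty over
    return dict(counts), guard.log


if __name__ == "__main__":
    counts, log = simulate_flood()
    for name, c in counts.items():
        print(f"{name}: {c}")
    print("\n".join(log))
```

The first 100 SYNs from A pass, the 101st trips the limit, and the remaining 49 plus anything else A sends in that kind during the next 60 seconds are dropped, while A's established session, its UDP traffic and host B are untouched.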
Flow control: this setting limits the upload and download traffic of all computers in the rules list, for both WAN and LAN (the so-called network speed limit). Right-click the Exclude Machine List window to edit its contents; IP addresses in that list are not subject to traffic control.
ARP Guardian (ARP Defender) aims to deal with the problems caused by ARP spoofing at their root. It not only protects the computer from ARP spoofing attacks, but also controls a machine infected with an ARP-attack virus or spoofing trojan so that it cannot deceive other computers on the LAN. It keeps normal communication going and prevents an ARP-spoofing machine from attacking the computers in the network, so that web browsing and data transfer are not disrupted by ARP spoofing.
Overall I think this software is the best on the market right now. Its online customer service is also very responsible. But for network management it is sometimes still not very convenient. For example, when the management console changes its IP address, the clients can only be pointed at the new IP manually. There is no software that can support all diskless systems. Linux is also not supported. I hope the developers will pay attention to these points and update the software promptly. Well, I have said a lot; I hope this helps solve the ARP disconnection problem.