How to locate an intranet ARP attack

Source: Internet
Author: User
Tags: system log


The data center room hosts a large number of customer servers. Because many of them had gone unmaintained for a long time, some were compromised and implanted with an ARP virus that attacks the network. With so many servers, accurately locating the machine that is sending the ARP attack is difficult.



The ARP virus exploits the ARP protocol itself: ARP has no authentication, so any host on the segment can announce any IP-to-MAC binding. In practice this is used for two kinds of attack, gateway spoofing and IP conflict (duplicate IP), and for each of these two forms we explain how to pin down the real ARP attacker in the data-center environment.

1. IP conflict



Use HyperTerminal to connect to the console port of the gateway and enter enable mode:


Switcher>enable
Switcher#show logging alarm
ALARM 19712 level 6 occurred at 20:22:48 04/16/2012 UTC sent by NPC 2 %ARP% The hardware address of IP address 192.168.100.15 is changed from aa13.731e.fa23 to 001a.bb24.47b0
ALARM 19712 level 6 occurred at 20:18:54 04/16/2012 UTC sent by NPC 2 %ARP% The hardware address of IP address 192.168.100.15 is changed from aa13.731e.fa23 to 001a.bb24.47b0


From the above alarm log we can see that IP address 192.168.100.15 has now been bound to the server with MAC address 001a.bb24.47b0. If the NIC aa13.731e.fa23 is also still configured with 192.168.100.15, the two hosts have an IP conflict. If aa13.731e.fa23 is the legitimate MAC address of the 192.168.100.15 server and this alarm keeps reappearing, then 001a.bb24.47b0 is very likely the source of the ARP attack. The MAC address involved in the conflict can also be found in the system log of the 192.168.100.15 server itself (the operating system logs an IP address conflict when it sees another host answering for its address).
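As an added example (not part of the original article), the following Python script applies the above reasoning to alarm log lines: it extracts every "hardware address of IP address ... is changed from ... to ..." message, groups the changes by IP, and for every IP whose binding flaps repeatedly reports the MAC addresses other than the one known to be legitimate. The log lines embedded in the script are constructed from the format shown above, not a real capture, and the alarm wording is assumed to be exactly what this gateway prints.

```python
import re
from collections import defaultdict

# Constructed sample alarm log (not a real capture). 192.168.100.15 flaps
# between its legitimate NIC and the attacker; 192.168.100.77 changes once,
# which by itself is not suspicious (e.g. a NIC replacement).
SAMPLE_LOG = """\
ALARM 19712 level 6 occurred at 20:18:54 04/16/2012 UTC sent by NPC 2 %ARP% The hardware address of IP address 192.168.100.15 is changed from aa13.731e.fa23 to 001a.bb24.47b0
ALARM 19712 level 6 occurred at 20:20:31 04/16/2012 UTC sent by NPC 2 %ARP% The hardware address of IP address 192.168.100.15 is changed from 001a.bb24.47b0 to aa13.731e.fa23
ALARM 19712 level 6 occurred at 20:22:48 04/16/2012 UTC sent by NPC 2 %ARP% The hardware address of IP address 192.168.100.15 is changed from aa13.731e.fa23 to 001a.bb24.47b0
ALARM 19712 level 6 occurred at 20:25:02 04/16/2012 UTC sent by NPC 2 %ARP% The hardware address of IP address 192.168.100.77 is changed from 0050.56aa.0001 to 0050.56aa.0002
"""

# Assumed alarm wording, taken from the log excerpt in the article.
CHANGE_RE = re.compile(
    r"The hardware address of IP address (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is changed from (?P<old>[0-9a-fA-F.:-]+) to (?P<new>[0-9a-fA-F.:-]+)",
    re.IGNORECASE,
)


def norm_mac(mac):
    """Normalise 'aa13.731e.fa23' (ZTE/Cisco), 'aa13-731e-fa23' (H3C) and
    'aa-13-73-1e-fa-23' (Windows arp -a) to 'aa:13:73:1e:fa:23'."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_changes(log_text):
    """Return {ip: [(old_mac, new_mac), ...]} in log order."""
    changes = defaultdict(list)
    for line in log_text.splitlines():
        m = CHANGE_RE.search(line)
        if m:
            changes[m.group("ip")].append(
                (norm_mac(m.group("old")), norm_mac(m.group("new"))))
    return changes


def suspect_macs(log_text, legit=None, min_changes=2):
    """For every IP whose binding changed at least `min_changes` times, return
    the MACs seen for it other than the known legitimate one.
    `legit` maps ip -> legitimate MAC (any notation); without it every MAC
    seen for a flapping IP is returned for the operator to sort out."""
    legit = {ip: norm_mac(mac) for ip, mac in (legit or {}).items()}
    result = {}
    for ip, pairs in parse_arp_changes(log_text).items():
        if len(pairs) < min_changes:
            continue
        seen = {mac for pair in pairs for mac in pair}
        seen.discard(legit.get(ip))
        result[ip] = sorted(seen)
    return result


if __name__ == "__main__":
    known_good = {"192.168.100.15": "aa13.731e.fa23"}
    for ip, macs in suspect_macs(SAMPLE_LOG, legit=known_good).items():
        print("%s: binding flapped, suspect MAC(s): %s" % (ip, ", ".join(macs)))
```

The legitimate MAC comes from the server owner or from a pre-built IP-MAC table; without it the script still narrows the search to the handful of MACs competing for one IP, which is what the "show arp" and "display mac-address" steps below then trace to a port.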



Having identified the problematic MAC address, the next step is to locate which server's MAC address is 001a.bb24.47b0.



There are two scenarios:



Scenario one:


Switcher#show arp dynamic | include 001a.bb24.47b0      ### note the spaces before and after "|"
192.168.100.15    0   001a.bb24.47b0   vlan20   fei_2/16


In this case no second IP address bound to MAC 001a.bb24.47b0 can be seen (such an entry may already have aged out or been deleted), but we can see the port the address was learned on (interface fei_2/16). From the intranet topology diagram we know that the link behind that interface goes to another core switch.



Log on to the switch connected to the fei_2/16 interface and check which interface the MAC address was learned on:


<switch>display mac-address 001a.bb24.47b0
MAC ADDR         VLAN ID  STATE    PORT INDEX    AGING TIME(s)
001a.bb24.47b0   1        Learned  Ethernet0/7   AGING


The MAC address was learned on interface Ethernet0/7, but we still do not know which cabinet the layer-2 switch behind Ethernet0/7 is in. Look at the other MAC addresses learned on Ethernet0/7:


<switch>display mac-address interface Ethernet0/7
MAC ADDR         VLAN ID  STATE    PORT INDEX    AGING TIME(s)
ee0f-ea06-37cb   1        Learned  Ethernet0/7   AGING


Then go back to the gateway and look up, in its ARP table as above, the IP address corresponding to ee0f-ea06-37cb; work out which cabinet that IP belongs to (machine numbers are usually derived from the IP address), log on to that cabinet's layer-2 switch, find the interface on which MAC address 001a.bb24.47b0 is learned, and unplug the corresponding network cable. Within about 5 minutes the legitimate 192.168.100.15 will return to normal, once the stale ARP entry has aged out (the ARP aging time on the switch defaults to 300 seconds).

2. Gateway spoofing



Gateway spoofing is the most common form of ARP attack, and locating the ARP source in this case is comparatively simple.



The main symptom of gateway spoofing is that the spoofed server can no longer obtain the correct MAC address for the gateway, so it cannot reach the network at all, or it slows down and drops many packets (its traffic is being sent to the attacker's MAC instead of to the gateway).



View the ARP table on the victim machine:


C:\Documents and Settings\Administrator>arp -a
  Internet Address      Physical Address      Type
  192.168.100.1         cc-ee-8c-16-08-35     dynamic


However, we know that the correct gateway MAC should be 00-ee-8c-16-08-35, so we look up which IP address the MAC cc-ee-8c-16-08-35 actually belongs to.



On the gateway:


Switcher#show arp dynamic | include ccee.8c16.0835
192.168.100.102   0   ccee.8c16.0835   vlan20   fei_2/16
192.168.100.1     0   ccee.8c16.0835   vlan20   fei_2/16


The MAC address ccee.8c16.0835 also appears in the alarm log as conflicting with the MAC address of the gateway itself.



Locate the cabinet where 192.168.100.102 sits, confirm the interface on which its MAC address ccee.8c16.0835 is learned, and unplug it; the network then recovers.

3. Simplifying the procedure



To simplify and speed up locating the ARP source, we can build an IP-to-MAC mapping table in advance and consult it when an incident occurs. Nmap can produce it (on Windows, try a MAC address scanner tool or the Windows build of Nmap).



Nmap Command and Parameters:


[root@test ~]# nmap -sP -PI -PT -oN ipmac.txt 192.168.100.0/24


ipmac.txt then records, for every address in the range, whether the host is up and its MAC address (Nmap can only see MAC addresses when run with root privileges from a host on the same layer-2 segment, which is the case in a data-center room). On current Nmap versions the equivalent options are -sn -PE -PA. Those with shell scripting experience can post-process the file into a plain IP/MAC list that is easier to consult.
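As an added example (not the article's own tooling), the Python script below turns the nmap -oN output into the IP-MAC baseline table suggested here and then compares it with the "show arp dynamic" output from sections 1 and 2: an IP now answering from a MAC other than its baseline one is flagged (the IP-conflict case), and any MAC that is also claiming the gateway's IP is resolved back to its real IP through the baseline (the gateway-spoofing case), which is exactly the lookup done by hand above. Both inputs embedded in the script are constructed from the formats shown on this page, not real captures; the Nmap report layout assumed is that of -oN output, and the switch's column order is assumed to be the one shown above (IP, age, MAC, VLAN, port).

```python
import re

# Constructed baseline: what 'nmap -sP -PI -PT -oN ipmac.txt 192.168.100.0/24'
# writes when run as root from the same segment (only then are MAC lines
# printed). Not a real scan; the three hosts are the ones from the article.
NMAP_BASELINE = """\
# Nmap scan initiated as: nmap -sP -PI -PT -oN ipmac.txt 192.168.100.0/24
Nmap scan report for 192.168.100.1
Host is up (0.00041s latency).
MAC Address: 00:EE:8C:16:08:35 (Unknown)
Nmap scan report for 192.168.100.15
Host is up (0.00080s latency).
MAC Address: AA:13:73:1E:FA:23 (Unknown)
Nmap scan report for 192.168.100.102
Host is up (0.00062s latency).
MAC Address: CC:EE:8C:16:08:35 (Unknown)
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

# Constructed 'show arp dynamic' output from the gateway while the attack is
# running; column order as in the article: IP, age, MAC, VLAN, port.
SHOW_ARP_NOW = """\
192.168.100.1     0   ccee.8c16.0835   vlan20   fei_2/16
192.168.100.15    0   001a.bb24.47b0   vlan20   fei_2/16
192.168.100.102   0   ccee.8c16.0835   vlan20   fei_2/16
"""

GATEWAY_IP = "192.168.100.1"


def norm_mac(mac):
    """Normalise 'aa13.731e.fa23', 'aa13-731e-fa23' or 'AA:13:73:1E:FA:23'
    to 'aa:13:73:1e:fa:23' so switch and Nmap notations compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_nmap_baseline(text):
    """Return {ip: mac} from Nmap -oN output. 'Nmap scan report for' may be
    followed by a bare IP or by 'hostname (IP)'; hosts without a MAC line
    (not on our segment) are left out."""
    baseline, ip = {}, None
    for line in text.splitlines():
        m = re.match(r"Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?", line)
        if m:
            ip = m.group(1)
            continue
        m = re.match(r"MAC Address: ([0-9A-Fa-f:]{17})", line)
        if m and ip:
            baseline[ip] = norm_mac(m.group(1))
    return baseline


def parse_show_arp(text):
    """Return [(ip, mac, port)] from 'show arp dynamic' lines."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and re.match(r"\d+\.\d+\.\d+\.\d+$", f[0]):
            entries.append((f[0], norm_mac(f[2]), f[4]))
    return entries


def find_arp_anomalies(baseline, arp_entries, gateway_ip):
    """Compare the live ARP table against the baseline.
    'changed': (ip, expected_mac, seen_mac, port) for IPs now answering from
               a MAC other than their baseline one (section 1, IP conflict);
    'gateway_spoofer': (real_ip, mac, port) for every MAC claiming the
               gateway's IP, resolved to its own IP via the baseline
               (section 2, gateway spoofing)."""
    mac_to_real_ip = {mac: ip for ip, mac in baseline.items()}
    changed, spoofers = [], []
    for ip, mac, port in arp_entries:
        expected = baseline.get(ip)
        if expected and expected != mac:
            changed.append((ip, expected, mac, port))
            if ip == gateway_ip:
                spoofers.append((mac_to_real_ip.get(mac, "unknown"), mac, port))
    return {"changed": changed, "gateway_spoofer": spoofers}


if __name__ == "__main__":
    base = parse_nmap_baseline(NMAP_BASELINE)
    report = find_arp_anomalies(base, parse_show_arp(SHOW_ARP_NOW), GATEWAY_IP)
    for ip, expected, seen, port in report["changed"]:
        print("%s: expected %s, now %s on %s" % (ip, expected, seen, port))
    for real_ip, mac, port in report["gateway_spoofer"]:
        print("gateway spoofed by %s (%s) behind %s" % (real_ip, mac, port))
```

The baseline must be taken while the network is healthy and refreshed whenever servers are replaced, otherwise legitimate NIC swaps show up as "changed" entries; the port column is what tells you which downstream switch to log on to next.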



Other suggestions:



Customers whose servers cause problems and are left unmaintained for a long time can be penalised;



Labelling the switch interfaces speeds up locating a MAC address;



Maintain an IP-MAC mapping table and update it regularly;



Good network architecture (ARP is broadcast within a layer-2 segment, so smaller VLANs limit how many servers one attacker can affect);



Configure static ARP entries (on the gateway for the servers, and on the servers for the gateway).





Related ARP commands (switch/router command reference):

1. Configure the aging time of ARP entries
Command format: arp timeout <timeout>
Command mode: interface configuration
Function: configures the aging time of entries in the ARP cache, range 1~4294967 seconds. The switch defaults to 300 seconds, the router to 600 seconds; this default is why a legitimate server recovers about 5 minutes after the attacker's cable is unplugged.



2. Bind an IP address to a MAC address
Command format: set arp {static | permanent} <ip-address>
Function: statically binds the IP address to a MAC address.

static: static binding, effective immediately but lost after a reboot

permanent: permanent binding, effective immediately and retained after a reboot



3. Automatically bind dynamic ARP entries
Command format: arp to-static
Command mode: interface configuration, global configuration
Function: converts the dynamic ARP entries into static bindings.

Only the dynamic entries present when the command is executed are bound; new dynamic entries continue to be learned afterwards. The resulting bindings are not shown in show run.



4. Configure ARP protection
Command format: arp protect {interface | mac | whole} limit-num <number>
Command mode: interface configuration, global configuration
Function: configures ARP protection (rate limiting); by default no ARP protection mode is enabled.

interface: ARP protection per interface

mac: ARP protection per MAC address (switch only)

whole: ARP protection for the whole device

Once a protection mode and threshold are enabled, ARP packets exceeding the threshold are discarded and a warning message is printed.



5. Delete dynamic ARP entries
Command format: clear arp-cache [<interface-name>]
Command mode: privileged
Function: deletes all dynamic ARP entries, or only the dynamic entries of the specified interface.



6. Delete specified ARP entries from the ARP cache
Command format: clear arp [interface <interface-name>] [dynamic | static | permanent | <ip-address>]
Command mode: privileged
Function: deletes the specified ARP entries from the ARP cache (optionally limited to one interface).

dynamic: deletes entries with the dynamic attribute

static: deletes statically bound entries with the static or to-static attribute

permanent: deletes statically bound entries with the permanent attribute



7. Configure proxy ARP
Command format: ip proxy-arp
Command mode: interface configuration
Function: enables proxy ARP on the interface.



8. Configure ARP source address filtering
Command format: arp source-filtered
Command mode: interface configuration
Function: enables ARP source address filtering on the interface.

Filtering principle: the route for the ARP packet's source IP address is looked up (longest match); if that route belongs to the receiving interface the packet is accepted, otherwise it is treated as having arrived on the wrong interface and is discarded. Note that this does not stop a host on the same segment from spoofing the gateway's IP, since the gateway's address is routed to that same interface; it only rejects ARP packets whose source IP belongs behind another interface.



9. Enable ARP learning
Command format: arp learn
Command mode: interface configuration
Function: enables dynamic ARP learning on the interface.



10. Configure dynamic ARP inspection
Command format: ip arp inspection
Command mode: port configuration
Function: enables dynamic ARP inspection (validates ARP packets against the known IP-MAC bindings).

Switch only; configured on layer-2 ports.

