A New Method to Cope with ARP Attacks: Using VLANs to Optimize the Network

Source: Internet
Author: User

Recently, ARP viruses have plagued almost every local area network: faults occur frequently, the network suddenly slows down, and connections drop, disrupting normal work. Heavy traffic can paralyze an entire LAN and even cause irreparable losses. Taking effective measures against ARP viruses has therefore become the top priority of network security work.

Here I take the LAN transformation of an office building as an example to show how VLAN technology can be used to optimize a local area network and effectively prevent ARP virus attacks.

Current network status

The office building's LAN is as follows. The building has nine floors. Its broadband network is uplinked over M optical fiber to the China Merchants Department module of Netcom; that module is an S6502 switch. In the central data center on the first floor, an optical transceiver converts the optical signal to an electrical one, which is then connected through the baoguang network to the Internet port of an H3C firewall. The firewall's intranet port feeds a building switch, which in turn feeds a switch on each floor; each floor has a Tsinghua Bay building switch that provides broadband access for the offices on that floor. The firewall's Internet port is configured with the leased-line IP address assigned by China Netcom, and its intranet port with a private IP address. The firewall acts as the NAT device and has two Internet ports and four intranet ports, of which one Internet port (WAN0) and one intranet port (LAN0) are in use. All building switches sit in a single VLAN, and the terminal computers in every office use the private IP address of the firewall's intranet port as their gateway for Internet access.


Currently close to 300 terminals are connected. Because the building switches on every floor and the firewall's intranet port are in the same VLAN, the intranet has only one IP segment. As a result the number of nodes in that VLAN is large and a great many broadcast packets circulate. On the one hand this slows down users' network speed; on the other hand, when some terminals are infected with an ARP virus the outbreak spreads across the whole network, making the entire LAN unstable. Figure 1 shows the network topology before the transformation.

ARP Virus

Recently the building's broadband network has suffered frequent interruptions. A terminal with 360 Security Guard installed and its LAN attack interception enabled suddenly shows an interception dialog, "360 has intercepted an ARP attack", and then drops off the network. Restarting the operating system restores the connection temporarily, but shortly afterwards "360 has intercepted an ARP attack" appears again and the connection drops again, so the operating system has to be restarted over and over, while a full scan for Trojans and viruses finds nothing. A terminal without 360 Security Guard, or with LAN attack interception disabled, simply loses its network connection without warning. At first only a few computers showed this problem, then more and more, until the LAN was almost completely paralyzed. The network administrator can locate the offending terminal by comparing the pre-recorded table of terminal IP addresses and their bound MAC addresses, and deal with it promptly, but because there are so many terminals and all of them are in one VLAN, once a terminal is infected with the ARP virus it spreads quickly across the entire network, which makes completely removing the ARP virus very difficult.

Upgrading and modifying the network

To solve this problem for good, the network administrator decided to upgrade the network. Because the office building has many floors and many terminals and the cabling is complex, the administrator wanted to minimize physical changes to the network while still ensuring security and confidentiality. After analysis and research, the decision was to enable the H3C firewall's LAN0 to LAN3 intranet ports and add an aggregation switch below the firewall. VLANs are divided on that switch, different VLANs are connected to different intranet ports of the firewall, and each intranet port is configured with its own IP segment, so that every floor gets a separate IP segment. VLAN division is also enabled on the ports that connect the aggregation switch to the building switch on each floor, that is, VLAN technology is used to separate the terminals on each floor, so that the VLANs of the floors are relatively independent of each other, the chain reaction caused by ARP is reduced, and network storms are avoided.


Specific Transformation Scheme

Based on the layout of the existing network and the number of terminals on each floor, the network administrator drew up a specific scheme for allocating IP addresses by floor, configured the IP segments on the intranet ports of the H3C firewall (one port can carry multiple IP segments), and defined a NAT translation policy on the firewall so that intranet addresses are translated promptly and the IP segments of terminals on different floors remain relatively independent and do not affect one another. Figure 2 shows the network topology after the transformation.
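As an added example (not code from the article), the following Python sketch shows the binding check the administrator relies on above, run over constructed ARP-reply records tagged with their floor VLAN: a reply whose sender MAC contradicts the pre-recorded IP/MAC binding is flagged, the rogue MAC is traced back to the terminal it belongs to, and the exposure is compared with the pre-upgrade layout in which every floor shared one VLAN. All VLAN numbers, addresses and MACs are constructed; the firewall and switch configuration itself is not shown.

```python
from collections import Counter
# Constructed binding table (not the building's real addresses): the IP/MAC
# pairs recorded in advance, one dict per floor VLAN; x.x.x.1 is the firewall
# LAN port (or secondary address) that serves that floor.
BINDINGS = {
    10: {"192.168.10.1": "00:11:22:33:44:01",
         "192.168.10.21": "00:aa:bb:cc:dd:21",
         "192.168.10.22": "00:aa:bb:cc:dd:22"},
    20: {"192.168.20.1": "00:11:22:33:44:02",
         "192.168.20.35": "00:aa:bb:cc:dd:35"},
}
# Constructed ARP-reply records, "<vlan> <sender_ip> <sender_mac> <target_ip>":
# the terminal with MAC ...:22 on floor 1 claims to be the floor-1 gateway.
ARP_LOG = """
10 192.168.10.21 00:aa:bb:cc:dd:21 192.168.10.1
10 192.168.10.1  00:aa:bb:cc:dd:22 192.168.10.21
10 192.168.10.1  00:aa:bb:cc:dd:22 192.168.10.21
20 192.168.20.1  00:11:22:33:44:02 192.168.20.35
"""

def parse_arp_log(text):
    """Turn the log into (vlan, sender_ip, sender_mac) tuples, skipping junk."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append((int(parts[0]), parts[1], parts[2].lower()))
    return records

def find_spoofers(records, bindings=BINDINGS):
    """Flag replies whose sender MAC contradicts the recorded binding.
    Returns {(vlan, claimed_ip, rogue_mac): (suspect_ip, reply_count)}."""
    counts = Counter()
    for vlan, ip, mac in records:
        expected = bindings.get(vlan, {}).get(ip)
        if expected is not None and mac != expected:
            counts[(vlan, ip, mac)] += 1
    alerts = {}
    for (vlan, ip, mac), n in counts.items():
        mac_to_ip = {m: i for i, m in bindings[vlan].items()}  # who owns the rogue MAC
        alerts[(vlan, ip, mac)] = (mac_to_ip.get(mac), n)
    return alerts

def blast_radius(alerts, bindings=BINDINGS):
    """Exposed hosts (affected floor VLANs only) versus all hosts (one shared VLAN)."""
    affected = {vlan for vlan, _, _ in alerts}
    exposed = sum(len(bindings[v]) for v in affected)
    total = sum(len(b) for b in bindings.values())
    return exposed, total
```

With the segmented layout only the three hosts on floor 1 can receive the forged gateway replies; in the old single-VLAN layout all five would.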


After the transformation, large-scale outbreaks of the ARP virus were effectively prevented. Occasionally a computer was still infected with the ARP virus, but it was quickly located and isolated in time. This article has used the optimization and transformation of an office building as an example to show how VLAN technology can isolate floors from one another, reduce ARP broadcast storms, cope easily with ARP attacks, improve network stability, and raise network operating efficiency.

Sidebar: unveiling the Black Gold ARP virus

The aim of the Black Gold ARP spoofing attack is entirely different from that of earlier pure ARP spoofing viruses, and clearly reveals its Trojan nature. Take the Black Gold ARP virus Backdoor.win32.ARP.g as an example. What is special about this virus is that, on top of the usual ARP spoofing, it bundles the legitimate network analysis software WinPcap in an attempt to fool traditional anti-virus software. Using the packet analysis capability WinPcap provides, it hijacks all HTTP traffic on the network and forcibly inserts a link to a webpage carrying the virus program into the HTTP packets, so that any user on the LAN who visits a normal webpage automatically downloads the Trojan. In other words, as soon as one computer on the LAN is infected with the Trojan, every computer on the LAN may be infected. Black Gold ARP is therefore extremely harmful to a LAN: a single infected computer can take down the whole network. In theory, if only one computer on the network carries Black Gold ARP, the LAN can still keep communicating even though it is affected by ARP spoofing. In practice that assumption does not hold, because once one computer is infected, several others on the LAN are infected soon afterwards; with multiple computers sending ARP spoofing packets at the same time, the computers on the network spoof each other and the LAN goes down completely.

The first thing to do is to eliminate the source of the virus completely. In other words, once the source of the virus is removed at the root, the LAN naturally returns to normal. If a machine carries the Black Gold ARP virus, ordinary anti-virus software is of little use: a scan of the entire system will most likely report no virus at all. So how should the Black Gold ARP virus be dealt with?

In fact it is quite simple. Every Black Gold ARP virus necessarily exhibits one behavioral characteristic, sending ARP spoofing packets, so active defense software based on behavior analysis is well suited to removing it. Relying on behavior analysis, such software detects the ARP spoofing packets immediately and removes the virus.
