Advanced ARP attack prevention

Some time ago, xiaonuo technology gave a brief introduction to the "ARP virus prevention solution", which attracted the attention and praise of many users and the industry. Recently, technical engineers of xiaonuo technology have gained new discoveries in their work. In order to further let everyone know and control

RP, which provides an advanced article on ARP attack prevention, which will be discussed and researched with users.

To understand ARP spoofing attacks, we must first understand the ARP protocol and its working principles to better prevent and eliminate the harm caused by ARP attacks. This article provides you with an advanced ARP attack prevention method.

Introduction to ARP

ARP "Address Resolution Protocol" (Address Resolution Protocol). In the LAN, the actual transmission is "frame", and the frame contains the MAC Address of the target host. The so-called "Address Resolution" refers to the process in which the host converts the target IP address to the target MAC address before sending the frame. The basic function of ARP is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication.
The working principle of ARP Protocol: each computer with TCP/IP protocol installed has an ARP cache table. The IP addresses in the table correspond to the MAC addresses one by one, as shown in the table.
IP address MAC address
192.168.1.1 00-0f-3d-83-74-28
192.168.1.2 00-aa-00-62-c5-03
192.168.1.3 03-aa-01-75-c3-06
...... ......

Let's take host A (192.168.1.5) as an example to send data to host B (192.168.1.1. When sending data, host A searches for the target IP address in its ARP cache table. If you find the target MAC address, you can directly write the target MAC address into the frame and send it. If the corresponding IP address is not found in the ARP cache table, host A sends A broadcast on the network. The target MAC address is "FF. FF. FF. FF. FF. FF ", which means to send such a question to all hosts in the same network segment:" What is the MAC address of 192.168.1.1?" Other hosts on the network do not respond to ARP requests. Only when host B receives the frame, it responds to host A as follows: "The MAC address of 192.168.1.1 is 00-aa-00-62-c6-09 ." In this way, host A knows the MAC address of host B and can send information to host B. It also updates its ARP cache table.

Basic ARP Virus Defense Method
 
According to the working principle of ARP, if the system's ARP cache table is constantly modified to notify the router of a series of incorrect Intranet IP addresses or simply spoofs a fake gateway, there will certainly be a large area of disconnection in the network. This is a typical ARP attack. It is easy to judge the ARP attack, find the problematic computer and start running the DOS operation into the system. Packet Loss of the lan ip address of the ping router. Enter ping 192.168.1.1 (gateway IP address), for example:

 
Image 1

Ping the lan ip address of the vro。 through the Intranet, and then connect it again. This is probably due to ARP attacks. For further confirmation, we can determine by looking for the ARP table. Enter the ARP-a command, as shown in:

Image 2

It can be seen that the MAC addresses of 192.168.1.1 and 192.168.252 are both 00-0f-3d-83-74-28. Obviously, this is caused by ARP spoofing.

After understanding ARP, ARP spoofing attacks and how to judge such attacks, we will briefly introduce how to find effective prevention measures to prevent the harm of such attacks on the network.

The general solution of Qno xiaonuo engineers is completed in three steps.
1. Activate to prevent ARP virus attacks
Go to the basic configuration bar of the router's fire prevention, and click "Activate" in this line to "Prevent ARP virus attacks", and then confirm.
2. Bind the IP address of the gateway and its MAC address to each pc.
Enter the dos operation on each PC, Enter arp-s 192.168.1.1 (gateway IP) 00-0f-3d-83-74-28 (Gateway MAC), and Enter to bind each PC.
For other hosts in the network, enter the corresponding host IP address and MAC address in the same way to bind the IP address to the MAC address. However, if the computer is restarted, the function will disappear. Therefore, you can make this command into a batch processing file and put it in the startup of the operating system. The batch processing file can be written as follows:
@ Echo off
Arp-d
Arp-sro lan ip router LAN MAC
3. Bind the user IP Address/MAC address to the vro:
The IP address/MAC address is bound to the DHCP function. The Qno router provides a function to display the newly added IP address, this function can be used to find the corresponding IP/MAC list of all PCs in the network at a time. We can choose to bind IP/MAC through the "√" function.

 Advanced ARP virus prevention

Such operations alone can basically solve the problem, but Qno's technical engineers suggest further using some means to further control ARP attacks.
1. Virus Source: process the machine at the virus source, and disinfect or reinstall the system. This operation is very important. It solves the problem of the source PC of ARP attacks and can protect the Intranet from attacks.
2. The Internet cafe administrator checks the LAN virus and installs anti-virus software (Kingsoft drug overlord/rising, you must update the virus code) to scan the machine for viruses.
3. Install patches for the system and install the system patches (key updates, security updates, and Service packs) through Windows Update)
4. Set a complex and strong password for the system administrator account, preferably a combination of 12 or more characters, letters, numbers, and symbols. You can also disable/delete unused accounts.
5. the antivirus software (virus database) is updated frequently. The settings that are allowed can be set to automatic updates on a daily basis. Install and use the network firewall software. The network firewall can also play a crucial role in the anti-virus process, effectively blocking attacks and viruses from the self-built network. Some Pirated Windows users cannot install patches normally. You may want to use network firewalls and other methods to protect them.
6. disable unnecessary services. If conditions permit, disable unnecessary sharing, such as C $ and D $. A single-host user can also directly disable the Server service.
7. Do not click the link information sent by QQ, MSN, or other chat tools. Do not open or run unfamiliar or suspicious files or programs, such as attachments or plug-ins in emails.

ARP attack prevention and control is a long and arduous process. We must pay great attention to this issue and cannot be careless. We can take the suggestions from above Qno technical engineers to be vigilant against ARP attacks at any time, to reduce the harm, improve work efficiency, and reduce economic losses.