Contents:
1. Statically bind the gateway MAC
2. ARP firewall
3. VLAN and switch port binding
1. Statically bind the gateway MAC
Method 1: manual binding
(1) Determine which network segment your computer is on.
(2) Find the IP address of the gateway for that segment.
(3) Find the gateway's MAC address from its IP address.
(4) Run the command arp -s <gateway IP> <gateway MAC> to statically bind the gateway IP address to the gateway MAC address.
Example: arp -s 192.168.1.1 AA-AA-AA-AA-AA-AA
Binding IP addresses and MAC addresses in Linux
1. Create a static IP-to-MAC address table file, /etc/ip-mac.
2. Write each IP address and MAC address to be bound into this file, one pair per line, in the format "ip mac".
[root@localhost ~]# echo '192.168.1.1 00:01:B5:38:09:38' > /etc/ip-mac
[root@localhost ~]# more /etc/ip-mac
192.168.1.1 00:01:B5:38:09:38
3. Make the binding happen automatically at startup
[root@localhost ~]# echo 'arp -f /etc/ip-mac' >> /etc/rc.d/rc.local
4. Perform the binding manually
[root@localhost ~]# arp -f /etc/ip-mac
5. Check whether the binding succeeded
[root@localhost ~]# arp -a
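The steps above load the table and then eyeball `arp -a`; the check a defender actually wants is an automatic comparison of the bound table against the live neighbour cache, because a gateway entry whose MAC has changed is the classic symptom of ARP spoofing. The script below is an added example, not code from the original page: it parses the same "ip mac" file format as /etc/ip-mac, parses either `arp -a` (net-tools) or `ip neigh show` (iproute2) output, reports mismatches, and renders the commands that would reapply the bindings, using `ip neigh replace ... nud permanent` as the iproute2 equivalent of `arp -s` for systems that no longer ship net-tools. The file contents, the neighbour-table output and the interface name eth0 are all constructed sample data.

```python
import ipaddress
import re

# Constructed sample of /etc/ip-mac in the "ip mac" format used above.
SAMPLE_IP_MAC = """\
# gateway and a file server
192.168.1.1 00:01:B5:38:09:38
192.168.1.10 00-1A-2B-3C-4D-5E
"""

# Constructed sample output of `ip neigh show`: the gateway entry carries a
# different MAC than the bound one, as it would after an ARP spoof.
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
192.168.1.77 dev eth0 lladdr 00:11:22:33:44:55 DELAY
192.168.1.5 dev eth0 FAILED
"""

# Constructed sample output of `arp -a` (net-tools) for the same state.
SAMPLE_ARP_A = """\
? (192.168.1.1) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.10) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.5) at <incomplete> on eth0
"""

NEIGH_RE = re.compile(r"^(\S+) dev \S+ lladdr (\S+)")   # ip neigh show
ARP_A_RE = re.compile(r"\((\S+)\) at (\S+)")           # arp -a


def normalize_mac(mac):
    """Accept 00:01:B5:... or 00-01-B5-... and return lower-case colon form."""
    parts = re.split(r"[:-]", mac.strip().lower())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", p) for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(parts)


def parse_ip_mac_file(text):
    """Parse the 'ip mac' table into {ip: mac}. Malformed lines raise, so a
    half-broken file is never silently loaded as a partial table."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'ip mac', got {raw!r}")
        ip = str(ipaddress.ip_address(fields[0]))   # validates the address
        table[ip] = normalize_mac(fields[1])
    return table


def parse_neighbour_table(text):
    """Parse `ip neigh show` or `arp -a` output into {ip: mac}.
    Entries without a MAC (FAILED / <incomplete>) are skipped."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line) or ARP_A_RE.search(line)
        if not m:
            continue
        try:
            seen[m.group(1)] = normalize_mac(m.group(2))
        except ValueError:
            continue
    return seen


def check_bindings(bound, seen):
    """Return (ip, expected_mac, observed_mac) for every bound address whose
    live neighbour entry differs from the bound MAC."""
    return [(ip, mac, seen[ip]) for ip, mac in bound.items()
            if ip in seen and seen[ip] != mac]


def binding_commands(bound, dev="eth0", use_iproute2=True):
    """Render the commands that would (re)apply the static bindings, as
    strings. `arp -s` is the net-tools form used on this page; `ip neigh
    replace ... nud permanent` is the iproute2 equivalent."""
    cmds = []
    for ip, mac in sorted(bound.items()):
        if use_iproute2:
            cmds.append(f"ip neigh replace {ip} lladdr {mac} nud permanent dev {dev}")
        else:
            cmds.append(f"arp -s {ip} {mac}")
    return cmds


if __name__ == "__main__":
    bound = parse_ip_mac_file(SAMPLE_IP_MAC)
    live = parse_neighbour_table(SAMPLE_IP_NEIGH)
    for ip, expected, observed in check_bindings(bound, live):
        print(f"ALERT: {ip} bound to {expected}, neighbour table shows {observed}")
    for cmd in binding_commands(bound):
        print(cmd)
```

Run periodically (for example from cron) with the real file and the real `ip neigh show` output piped in, the mismatch list is the alert; the rendered commands are only printed so that an operator decides whether to reapply them.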
2. ARP firewall
There is plenty of free ARP firewall software, which can be found through Baidu; server maintenance software generally includes this function as well.
3. VLAN and switch port binding
Anyone who understands routing and switching will follow this easily.
Dividing VLANs and binding switch ports is another common way to prevent ARP attacks. VLAN division shrinks the broadcast domain, so ARP only operates within a small range and an attack cannot have a large-scale effect. Some managed switches have a MAC address learning function; once learning is complete, disable it so that each learned MAC address stays bound to its port.
Defects:
(1) The gateway itself is not protected. Once the gateway is attacked, the entire network is still disconnected and paralysed.
(2) It is inconvenient for mobile terminals that need to move between ports.
(3) Implementing switch port binding greatly increases the cost of the entire switching network.
Take the Cisco 2950 switch as an example. Log on to the switch, enter the management password to reach privileged mode, and then run the following commands:
Switch# configure terminal                                        ! enter global configuration mode
Switch(config)# interface fastethernet 0/1                        ! enter configuration mode for the specific port
Switch(config-if)# switchport mode access                         ! port security requires a static access port
Switch(config-if)# switchport port-security                       ! enable port security on the port
Switch(config-if)# switchport port-security mac-address <MAC>     ! bind the host's MAC address to the port
Switch(config-if)# no switchport port-security mac-address <MAC>  ! remove the bound host MAC address
Note:
The commands above bind a specific MAC address to one switch port, so that only that host can use the network through it. If the host's NIC is replaced, or another PC is plugged into this port, it will get no network access until the MAC address bound to the port is deleted or changed.
In fact, there is also a dynamic ARP inspection (DAI) technique for preventing ARP attacks, and it is very effective. It validates ARP packets against the DHCP snooping binding table built from DHCP traffic and against the static IP source binding entries of IP Source Guard. If you are interested, search Baidu for more information.
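To make the last paragraph concrete, here is a small model of what a switch does for dynamic ARP inspection, written for this page as an added example; it is not vendor code and it simplifies the real feature. It assumes a binding table keyed by (VLAN, IP) that holds the MAC, a set of trusted ports whose ARP traffic is not inspected (the uplink toward the gateway), a per-port rate limit on untrusted ports after which the port is err-disabled, and an optional consistency check that the Ethernet source MAC matches the ARP sender MAC. The binding table, port names and ARP packets are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One IP-to-MAC binding in a VLAN. A real switch fills this table from
    DHCP snooping and from statically configured IP source bindings."""
    vlan: int
    ip: str
    mac: str


@dataclass(frozen=True)
class ArpPacket:
    ts: float        # arrival time in seconds (constructed)
    vlan: int
    port: str        # ingress switch port
    sender_ip: str   # sender protocol address in the ARP payload
    sender_mac: str  # sender hardware address in the ARP payload
    eth_src: str     # source address of the Ethernet frame


class ArpInspector:
    """Simplified model of dynamic ARP inspection on untrusted ports."""

    def __init__(self, bindings, trusted_ports, rate_limit=15):
        self.bindings = {(b.vlan, b.ip): b.mac.lower() for b in bindings}
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit         # ARP packets per second per port
        self.window = defaultdict(list)      # port -> recent arrival times
        self.err_disabled = set()

    def inspect(self, pkt):
        """Return ('permit', reason) or ('drop', reason) for one ARP packet."""
        if pkt.port in self.trusted:
            return "permit", "trusted port, not inspected"
        if pkt.port in self.err_disabled:
            return "drop", f"{pkt.port} is err-disabled"
        # Rate limiting: more than rate_limit ARP packets within one second
        # on an untrusted port shuts that port down.
        recent = [t for t in self.window[pkt.port] if pkt.ts - t < 1.0]
        recent.append(pkt.ts)
        self.window[pkt.port] = recent
        if len(recent) > self.rate_limit:
            self.err_disabled.add(pkt.port)
            return "drop", f"ARP rate limit exceeded on {pkt.port}; port err-disabled"
        # Optional consistency check: frame source MAC must equal ARP sender MAC.
        if pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "drop", "Ethernet source MAC differs from ARP sender MAC"
        # Core check: the sender IP/MAC pair must exist in the binding table
        # for this VLAN; anything else is dropped.
        expected = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if expected is None:
            return "drop", f"no binding for {pkt.sender_ip} in VLAN {pkt.vlan}"
        if expected != pkt.sender_mac.lower():
            return "drop", f"{pkt.sender_ip} is bound to {expected}, not {pkt.sender_mac}"
        return "permit", "sender IP/MAC matches the binding table"


# Constructed binding table: the gateway as a static binding and one host
# learned through DHCP snooping. The uplink Gi0/24 toward the gateway is trusted.
BINDINGS = [
    Binding(10, "192.168.1.1", "00:01:b5:38:09:38"),
    Binding(10, "192.168.1.20", "00:1a:2b:3c:4d:5e"),
]
TRUSTED_PORTS = {"Gi0/24"}

# Constructed traffic: a legitimate host, a host on Fa0/2 claiming the gateway
# IP with its own MAC, the real gateway on the trusted uplink, then 16 ARP
# packets within one second from the legitimate host, and one more afterwards.
LEGIT = ("192.168.1.20", "00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5e")
SAMPLE_PACKETS = [
    ArpPacket(0.0, 10, "Fa0/1", *LEGIT),
    ArpPacket(0.1, 10, "Fa0/2", "192.168.1.1", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01"),
    ArpPacket(0.2, 10, "Gi0/24", "192.168.1.1", "00:01:b5:38:09:38", "00:01:b5:38:09:38"),
] + [ArpPacket(2.0 + i * 0.01, 10, "Fa0/1", *LEGIT) for i in range(16)] + [
    ArpPacket(5.0, 10, "Fa0/1", *LEGIT),
]


def run_sample():
    """Run the constructed traffic through the inspector; returns the list of
    verdicts and the sorted list of ports that ended up err-disabled."""
    dai = ArpInspector(BINDINGS, TRUSTED_PORTS)
    results = [dai.inspect(p) for p in SAMPLE_PACKETS]
    return [verdict for verdict, _ in results], sorted(dai.err_disabled)


if __name__ == "__main__":
    dai = ArpInspector(BINDINGS, TRUSTED_PORTS)
    for p in SAMPLE_PACKETS:
        verdict, reason = dai.inspect(p)
        print(f"{p.port:7} {p.sender_ip:13} {p.sender_mac}  {verdict:6} ({reason})")
```

The spoofed gateway claim on Fa0/2 is dropped because 192.168.1.1 is bound to a different MAC, the real gateway passes because its uplink is trusted, and the legitimate host is cut off only after it exceeds the per-port rate limit, which is why the defect list above matters less with DAI: the gateway binding is checked on every untrusted port rather than relying on one port's MAC lock.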