ARP network attack solution: how to find attackers

ARP attacks often occur. What should I do if I encounter these problems? Please refer to the solution provided by the author below!

Some time ago, some users often complained that the Internet was interrupted and sometimes even prompted that the connection was limited, and the IP address could not be obtained at all (our Organization uses a dynamic IP address ). The switch cannot be pinged, but the indicator is normal. After the vswitch is restarted, the client can access the Internet, but it is still refreshing soon! This has seriously affected user usage and even caused direct economic losses to users. (many of our companies are stock-selling and stock-selling funds. We are unable to grasp the market conditions in a timely manner .)

According to the situation described by the user and the experience we have processed many times, it is certainly caused by ARP attacks in the network. As for what ARP attacks are, I don't have to talk about them any more. I understand the problem, but how can I solve it?

Although you can use the "Double binding" method to bind a MAC address and port to a vswitch, and bind a gateway IP address and a MAC address to a client, because the network management workload is too large, it is not guaranteed that all users are bound to the gateway IP address and MAC address on their computers. Therefore, we take the following measures to prevent and search for ARP attacks.

We recommend that you install the arpfirewall (formerly Anti ARP Sniffer) developed by ColorSoft on your computer ), the software blocks false ARP packets at the system kernel layer and proactively notifies the gateway of the correct MAC address of the Local Machine. This ensures that the computer where the software is installed can access the Internet normally; intercept external ARP attacks on the local machine and external ARP attacks on the local machine.

If an internal ARP attack is detected, the attacker can directly process the local machine. If an external ARP attack is detected, the attacker's computer can be searched through the attacker's IP address and/or MAC address based on the actual situation.

Let's take action together.

1. Download, install, and run the arpfirewall on a computer in the same network segment. On the first day, everything was normal and no attack was found. The next day, an ARP attack was discovered in less than half an hour after the instance was started.

Figure 1 External ARP Attack Detected by arpfirewall

2. Further identify the attacker's MAC address in order not to blame the good guys. Go to the core switch and view the MAC address table of the CIDR block. Our core switch is Huawei. type the command "Display arp vlan xx" (xx is the VLAN Number of the ARP attack CIDR block to be searched) and press Enter. 2 is displayed.

Figure 2 MAC Address Table displayed on the core switch

For ease of viewing, we copy the data to Word and sort it by MAC address. In Word, select the data and select "sort" from the "table" menu. The "Sort text" window is displayed, select "domain 3" as the "main keyword", that is, the MAC address, and 3.

Figure 3 sorting MAC Address Table

After sorting, you can easily see that four IP addresses correspond to the same MAC address (such as table 1 )! We know that the MAC address is the only one in the world, which is consistent with the results detected by the arpfirewall. Now the computer corresponding to the MAC address 0011-5b2d-5c03 must be faulty. Among these IP addresses, only xxx. xxx. xx.92 is authentic, and the rest are forged. As our computer has been monitoring, the attacker's computer has been detected as soon as it launched an external attack, so there are not many fake IP addresses, I have discovered that I have forged nearly 10 IP addresses, and this CIDR block has more than 20 computers.

Table 1 counterfeit IP addresses

Xxx. xxx. xx.178	0011-5b9d-7246
Xxx. xxx. xx.188	0011-5b9d-7246
Xxx. xxx. xx.197	0011-5b9d-7246
Xxx. xxx. xx.92	0011-5b9d-7246

3. Search for ARP attackers.

If it is a static IP address, find the IP address registration form, and you can easily find the computer that sends ARP attacks. Because we use a dynamic IP address and do not have the MAC address of each computer, although we know the attacker's IP address and MAC address, the long journey has only taken the first step.

The DHCP server is based on Microsoft Windows 2003. Open the DHCP manager and view the computer name corresponding to the IP address xxx. xxx. xx.92 from the address lease. It is random and meaningless. (Sometimes the host of the computer can be inferred based on the computer name .)

Log on to the access layer switch of the VLAN where you want to find the CIDR block, and view the MAC address table on the switch one by one.

We use annett's switch. On the Web interface, we can query the MAC address table by VLAN to see if there is a record with the MAC address 0011-5b9d-7246. The cause of the error was found until 15th vswitches were found. Result 4 shows that the MAC address corresponds to port 16th of the vswitch. Network Management Switches of other manufacturers can also view MAC addresses.

Figure 4 MAC address table on the access layer switch

4. The rest of the work is simple. First, Disable the 16th port of the switch, and then find the user's online registration information to notify the user to process his computer.

I wonder if this article is helpful to you. Finally, we recommend the following measures to prevent ARP attacks:

1. VLAN assignment on a vswitch. In this way, even if an ARP attack exists in the network, only the users of this VLAN are affected, and the affected range and search scope are reduced.

2. You are required to install the arpfirewall. It can not only prevent external ARP attacks, but also prevent external ARP attacks from the local machine. Once an attack is discovered, contact the network administrator in a timely manner.