ARP solution!

Source: Internet
Author: User
This year, ARP spoofing trojans and logo1 have done the most damage to Internet cafes. Early on, the usual answer was two-way binding: static IP-to-MAC entries on both the clients and the gateway.

However, new ARP variants started appearing around October, and even with two-way binding you may still find the gateway going down.

The variants were identified as TrojanDropper.Win32.Juntador.f and TrojanDropper.Win32.Juntador.c.

The current ARP variant is even worse. Let me describe what I ran into. If you are seeing any of these symptoms, I am sorry to say: congratulations,

you have won the grand prize ~~

How the attack works: the current variant no longer spoofs the clients' MAC addresses toward the intranet gateway. It has changed its principle, and I have to admire it.

Can you guess what it attacks directly? Haha ~~ I will not keep you guessing: the new variant spoofs your router's MAC address, that is, it impersonates the Internet gateway itself toward the clients.

As a result, the batch files that bind IP addresses to MAC addresses simply stop working. First every machine drops off the network, then a few machines drop at a time, and

the infected computer, with ARP spoofing running, turns itself into an intranet proxy (a man in the middle) for account theft and further attacks. If you see ARP spoofing in progress but no machine drops, you

have the latest variant. With the latest variants, rebooting the infected machine is enough to disconnect every host that was being spoofed.

Another sign: the intranet gateway itself drops no packets, yet the Internet IP address and DNS go haywire. This too is an ARP variant; watch out for it.

I will give the solutions and the related patches at the end. Please read the whole text; it may help you. Don't skip straight to the bottom ~ Haha ~

The attack is characterized by an infected computer forging the MAC address of another computer. If the forged address is that of the gateway server, the whole Internet cafe is affected, and users experience intermittent disconnections while browsing.

1. At a command prompt (or MS-DOS window) on any client, run arp -a:
C:\WINNT\system32> arp -a

Interface: 192.168.0.193 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-50-00008a-62-2c    dynamic
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic

Two entries share the same MAC address. On checking, 00-50-00008a-62-2c is the real MAC address of 192.168.0.24, while the real MAC address of 192.168.0.1 is 00-02-ba-0b-04-32. So 192.168.0.24 is the infected machine, and it is spoofing the MAC address of 192.168.0.1, the gateway.

2. At a command prompt (or MS-DOS window) on 192.168.0.24 itself, run arp -a:
C:\winnt\system32> arp -a
Interface: 192.168.0.24 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-02-ba-0b-04-32     dynamic
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.193         00-11-2f-b2-9d-17     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic

On the infected machine the MAC addresses shown are all correct, but the machine runs slowly: every other host's traffic is being forwarded through it at layer 2. When this machine is rebooted, no computer in the cafe can reach the Internet until the ARP caches refresh the gateway's MAC address, normally after 2 or 3 minutes.

3. On the gateway (proxy host), if you can still open a DOS window, arp -a shows something like this:
C:\winnt\system32> arp -a
Interface: 192.168.0.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.0.23          00-50-00008a-62-2c    dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-50-00008a-62-2c    dynamic
  192.168.0.193         00-50-00008a-62-2c    dynamic
  192.168.0.200         00-50-00008a-62-2c    dynamic

When no attack is under way, the same proxy server shows:
C:\WINNT\system32> arp -a
Interface: 192.168.0.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.193         00-11-2f-b2-9d-17     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic

During the attack, every IP address in the gateway's table maps to 00-50-00008a-62-2c; normally each host has its own MAC address.
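The two checks done by eye in steps 1 to 3 (one MAC address claimed by several IP addresses, and a known host whose cached MAC differs from the MAC recorded while the network was healthy) can be scripted. The following Python is an added example and not code from the original article; the sample tables and the trusted IP-to-MAC inventory are constructed from the listings above, with the MAC strings copied as printed there.

```python
"""Spot an ARP spoofer from `arp -a` output.

Added example, not code from the original article. It automates the two
checks the article does by eye: one MAC address claimed by several IP
addresses, and a cached MAC for a known host (such as the gateway) that
differs from the MAC recorded when the network was healthy. The sample
tables and the trusted inventory are constructed from the article's
listings; MAC strings are copied as printed there.
"""
import re
from collections import defaultdict

# One entry line of `arp -a`: IP address, MAC address, entry type.
ARP_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\w+)\s*$")

# Trusted IP -> MAC inventory recorded before the attack (constructed from the article).
TRUSTED = {
    "192.168.0.1":   "00-02-ba-0b-04-32",   # gateway / proxy host
    "192.168.0.23":  "00-11-2f-43-81-8b",
    "192.168.0.24":  "00-50-00008a-62-2c",
    "192.168.0.25":  "00-05-5d-ff-a8-87",
    "192.168.0.193": "00-11-2f-b2-9d-17",
    "192.168.0.200": "00-50-ba-fa-59-fe",
}

# Constructed sample: `arp -a` on client 192.168.0.193 during the attack.
CLIENT_DURING_ATTACK = """\
Interface: 192.168.0.193 on Interface 0x1000003
  Internet Address      Physical Address      Type
  192.168.0.1           00-50-00008a-62-2c    dynamic
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic
"""

# Constructed sample: `arp -a` on the gateway 192.168.0.1 during the attack.
GATEWAY_DURING_ATTACK = """\
Interface: 192.168.0.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.0.23          00-50-00008a-62-2c    dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-50-00008a-62-2c    dynamic
  192.168.0.193         00-50-00008a-62-2c    dynamic
  192.168.0.200         00-50-00008a-62-2c    dynamic
"""

# Constructed sample: the same gateway while no attack is under way.
GATEWAY_HEALTHY = """\
Interface: 192.168.0.1 on Interface 0x1000004
  Internet Address      Physical Address      Type
  192.168.0.23          00-11-2f-43-81-8b     dynamic
  192.168.0.24          00-50-00008a-62-2c    dynamic
  192.168.0.25          00-05-5d-ff-a8-87     dynamic
  192.168.0.193         00-11-2f-b2-9d-17     dynamic
  192.168.0.200         00-50-ba-fa-59-fe     dynamic
"""


def norm_mac(mac):
    """Lower-case, dash-separated form so Windows and Unix spellings compare equal."""
    return mac.strip().lower().replace(":", "-")


def ip_key(ip):
    """Sort key that orders dotted-quad addresses numerically."""
    return tuple(int(o) for o in ip.split("."))


def parse_arp_table(text):
    """Return [(ip, mac, type)] for every entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), norm_mac(m.group(2)), m.group(3).lower()))
    return entries


def find_duplicate_macs(entries):
    """MAC -> sorted list of IPs, for every MAC that more than one IP claims."""
    by_mac = defaultdict(list)
    for ip, mac, _ in entries:
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ip_key) for mac, ips in by_mac.items() if len(ips) > 1}


def find_mismatches(entries, trusted):
    """IPs whose cached MAC differs from the trusted inventory: {ip: (cached, expected)}."""
    return {ip: (mac, norm_mac(trusted[ip]))
            for ip, mac, _ in entries
            if ip in trusted and mac != norm_mac(trusted[ip])}


def suspect_spoofers(entries, trusted):
    """Hosts whose own trusted MAC is being advertised for somebody else's IP."""
    owner_of = {norm_mac(mac): ip for ip, mac in trusted.items()}
    spoofers = set()
    for ip, (cached, _expected) in find_mismatches(entries, trusted).items():
        owner = owner_of.get(cached)
        if owner and owner != ip:
            spoofers.add(owner)
    return spoofers


if __name__ == "__main__":
    for label, table in [("client", CLIENT_DURING_ATTACK),
                         ("gateway", GATEWAY_DURING_ATTACK),
                         ("gateway (healthy)", GATEWAY_HEALTHY)]:
        entries = parse_arp_table(table)
        print(label, "duplicates:", find_duplicate_macs(entries),
              "spoofers:", sorted(suspect_spoofers(entries, TRUSTED)))
```

Run on the client table it names 192.168.0.24, because the MAC cached for the gateway is the one the inventory says belongs to .24; run on the gateway table it names the same host from four mismatched entries, and the healthy table yields nothing. The duplicate-MAC check alone is not enough on the gateway side: there every entry is a duplicate, so the inventory is what singles out the culprit.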
 

Step by step

Solution 1:
1. Static ARP binding on the clients and on the gateway server.
(1) Bind the gateway's address statically on every client.
First, on the gateway server (proxy host), look up its own MAC address:
C:\WINNT\system32> ipconfig /all
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix . :
        Description . . . . . . . . . . : Intel(R) PRO/100B PCI Adapter (TX)
        Physical Address. . . . . . . . : 00-02-ba-0b-04-32
        DHCP Enabled. . . . . . . . . . :
        IP Address. . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . : 255.255.255.0
Then, at the command prompt of each client, add the static entry:
C:\winnt\system32> arp -s 192.168.0.1 00-02-ba-0b-04-32
Note: we recommend also binding the IP and MAC addresses of all the other clients on each client.

(2) Bind every client statically on the gateway server (proxy host).
First, collect the IP and MAC address of every client machine with ipconfig /all, as shown above. Then add a static entry for each client on the proxy host, for example:
C:\winnt\system32> arp -s 192.168.0.23 00-11-2f-43-81-8b
C:\winnt\system32> arp -s 192.168.0.24 00-50-00008a-62-2c
C:\winnt\system32> arp -s 192.168.0.25 00-05-5d-ff-a8-87
.........

(3) Finally, put the arp -s commands above into a batch file that Windows runs at startup, so the bindings are recreated on every boot and the configuration is not lost; entries added with arp -s do not survive a restart.

2. Internet cafes whose switches support it can also bind IP addresses to MAC addresses on the switch.

3. After binding, a replaced network adapter has to be bound again, so we also recommend antivirus software on the clients. The virus found in our cafe was carried inside the Speed Gear 2.04b speed-hack tool; the sample can be downloaded from http://www.wgwang.com/list/3007.html
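Generating the startup batch file from steps (1) to (3) by hand for every machine is error-prone, so the following Python generator is given as an added example; it is not the article's own code. The IP-to-MAC inventory is constructed, and the adapter name "Local Area Connection" is an assumption. It also goes one step beyond the article: on Windows Vista and later, arp -s is deprecated and netsh interface ipv4 add neighbors is the supported way to add a static neighbor entry, so the generator can emit either form.

```python
"""Generate the static-binding startup script for one machine.

Added example, not code from the original article. It builds the batch
file the article suggests placing in Windows Startup: a client binds the
gateway (and, optionally, every other host); the gateway binds every
client. The inventory below is constructed and the interface name is an
assumption. On Windows Vista and later `arp -s` is deprecated in favour
of `netsh interface ipv4 add neighbors`, so either form can be emitted.
"""
import re

# Six two-digit hex octets separated by dashes, after normalisation.
MAC_RE = re.compile(r"^([0-9a-f]{2}-){5}[0-9a-f]{2}$")

# Constructed IP -> MAC inventory recorded while the network was healthy.
INVENTORY = {
    "192.168.0.1":   "00-02-ba-0b-04-32",   # gateway / proxy host
    "192.168.0.23":  "00-11-2f-43-81-8b",
    "192.168.0.25":  "00-05-5d-ff-a8-87",
    "192.168.0.193": "00-11-2f-b2-9d-17",
}
GATEWAY = "192.168.0.1"


def check_mac(mac):
    """Normalise to lower-case dashed form; reject anything that is not six octets."""
    mac = mac.strip().lower().replace(":", "-")
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return mac


def is_valid_mac(mac):
    """True if check_mac() accepts the address."""
    try:
        check_mac(mac)
        return True
    except ValueError:
        return False


def binding_script(local_ip, inventory, gateway=GATEWAY, bind_all=False,
                   use_netsh=False, interface="Local Area Connection"):
    """Return the batch-file lines the host at `local_ip` should run at startup.

    The gateway binds every client; a client binds only the gateway, or with
    bind_all=True every other host, as the article recommends.
    """
    if local_ip == gateway or bind_all:
        targets = [ip for ip in inventory if ip != local_ip]
    else:
        targets = [gateway]
    lines = ["@echo off", "rem static ARP bindings, regenerated from inventory"]
    if use_netsh:
        # Vista and later: clear the neighbor cache of this interface first.
        lines.append('netsh interface ipv4 delete neighbors "%s"' % interface)
    else:
        # Clear dynamic entries so a poisoned one cannot linger beside the static one.
        lines.append("arp -d *")
    for ip in sorted(targets, key=lambda a: tuple(int(o) for o in a.split("."))):
        mac = check_mac(inventory[ip])   # a malformed inventory entry aborts the script
        if use_netsh:
            lines.append('netsh interface ipv4 add neighbors "%s" %s %s' % (interface, ip, mac))
        else:
            lines.append("arp -s %s %s" % (ip, mac))
    return lines


if __name__ == "__main__":
    print("\n".join(binding_script("192.168.0.23", INVENTORY)))
    print()
    print("\n".join(binding_script(GATEWAY, INVENTORY)))
```

The MAC check matters more than it looks: the inventory is copied by hand from ipconfig output, and a typo in one octet silently produces a binding that black-holes that host. Validating before emitting the script turns that into an error at generation time rather than a mystery outage at boot.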

Solution 2:
1. Static MAC binding of the clients on the gateway router. Users of RouterOS soft routers can follow the relevant tutorial, or open IP -> ARP, select each entry in the list in turn, right-click and choose "Make Static" to turn it into a static entry.
Use the firewall to block the ports commonly used by viruses: 134-139, 445, 500, 667, 5900, 593, 102, 6129, and P2P downloads.

2. On the clients, bind the gateway's IP address to its MAC address statically, and make the following registry changes (edit and import them):
(A) Ignore ICMP redirect packets
ICMP redirect messages let a network device tell Windows to change its routing table. This is sometimes abused for network attacks, which is a headache for an administrator; disabling the response to ICMP redirects in the registry makes the network more secure.
Method: open the Registry Editor, locate or create the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and in the right-hand pane set the REG_DWORD value EnableICMPRedirect to 0 (0 means ICMP redirects are ignored).

(B) Disable the response to ICMP router advertisement packets
ICMP router discovery can be abused to cause connection failures, eavesdropping, and traffic attacks against other computers, so disable the response to router advertisements.
Method: open the Registry Editor, locate or create the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<adapter GUID>, and in the right-hand pane set the REG_DWORD value PerformRouterDiscovery to 0 (0 = disabled, 1 = enabled, 2 = enabled only if the DHCP server sends the router discovery option). Exit the Registry Editor and restart the computer.

(C) Set the ARP cache aging time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ArpCacheLife              REG_DWORD  0-0xFFFFFFFF (seconds, default 120)
ArpCacheMinReferencedLife REG_DWORD  0-0xFFFFFFFF (seconds, default 600)
Note: if ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, every ARP cache entry, referenced or not, expires ArpCacheLife seconds after it was added. If ArpCacheLife is smaller than ArpCacheMinReferencedLife, unreferenced entries expire after ArpCacheLife seconds and referenced entries after ArpCacheMinReferencedLife seconds. An entry is referenced each time an outbound packet is sent to its IP address. If ArpCacheLife does not exist, the default of 120 seconds applies to unreferenced entries.

Neither value exists by default; to change them you must create them yourself, and the change takes effect after a restart.

I once saw someone argue that as long as the IP-MAC cache is never refreshed, ARP keeps working correctly, so one could set both values very large so the cache is never forced to update, and then lock down the registry so the virus cannot change them back. Be careful with this reasoning: the aging time only decides when an entry expires. A forged ARP reply or request for an address that already has a dynamic entry still overwrites that entry at once, so a long ArpCacheLife does not stop poisoning; only static entries (arp -s) do.

For a small Internet cafe, record the correct IP-MAC pairs of all machines with any IP-MAC viewing tool before an attack happens. When an attack occurs you can then see which machine has the problem and deal with it by brute force, and the problem need not be serious. But when the intranet has a large number of computers, setting every IP-MAC pair on every machine by hand is an enormous amount of work and has to be done with dedicated software.

Solution 3:

Delete system32\npptools.dll. The Internet cafe I maintain has had it deleted for a month without seeing the ARP virus and without any side effects. Without npptools.dll the ARP virus cannot run at all; the samples we detected fail with an npptools.dll error and refuse to start.

No ARP virus that regenerates npptools.dll has been seen yet. The DLL itself is over 40 KB; a virus that had to carry its own copy of that runtime library could not stay at a few dozen KB, and the larger ones are not this kind of virus.

Of course you should still bind with arp -s, even if only the local machine and the router; this limits the damage an ARP program can do.

If the file cannot be deleted, disable Windows File Protection first; the simplest way is to use XPLite to turn it off.

Note that this method only works against ARP viruses that depend on this DLL, which are only a small part of malware.

Note: do not forget to bind the Internet gateway's IP address to its MAC address. An example client configuration:

IP: 10.10.10.10

Subnet Mask: 255.255.255.0

Gateway: 10.10.10.9 [be sure to bind the gateway address to its MAC address]

DNS: 222.222.222.222

Backup DNS: 222.222.221.221

Recommended security tools and patches (my personal picks):

I think the TP-LINK 480T router is very good; see its introduction on this site for details.

Small Internet cafes using a TP-LINK 480T should upgrade to the latest firmware, which this site has for download.

With Cisco and Huawei equipment, bind the gateway's IP address to its MAC address.

From http://hi.baidu.com/zhaofang/blog/item/9d684dc2ec9cca35e4dd3b52.html
