ARP spoofing attacks and Protection

Simply put, the ARP protocol searches for the corresponding MAC address through the IP address. The IP address is only a logical address, while the MAC address is the physical address of the network device. Only the real address (physical address) can be found ), before data transmission (ARP entry in Baidu encyclopedia ). ARP sends an ARP broadcast packet to notify other hosts of who they are (notifying others that an IP address corresponds to a MAC address ), if the sent information contains the correct IP address and MAC address, it will affect the receiver's correctness of network address recognition. This is ARP spoofing, to put it bluntly, the IP address is not associated with the correct MAC address, so that the data is sent to the wrong location. The consequence is that the data is eavesdropped or hijacked (Hijacking means it is not returned to you ), in other words, the Internet cannot be connected or connected to the wrong network, or the Internet can be connected together with others.

In general, when ARP spoofing fails to connect to the network, it will be temporarily normal after restarting the computer or using the command arp-d to clear the ARP cache table, but it will soon be restored to its original state (again under attack ), therefore, it can be used to determine whether ARP spoofing has been encountered, rather than the so-called ARP firewall clamoring for "ARP spoofing attacks ". In addition, if you are a home user and you only have to access the Internet by yourself, rather than accessing the Internet through a LAN like a company organization, there will generally be no ARP spoofing attacks, even if one million miles hits, if you want to solve the problem, you need to contact your broadband provider. Even if he does not admit it, please believe that only one of you will be affected at this time, which will be a considerable network fault. If you have several computers in your home to share the Internet (such as through a router), there is theoretically a possibility of ARP spoofing. However, if you only have a few computers, It is very convenient to check them, A big deal is a single disconnection network cable check, so the fewer computers that share the Internet, the less likely the trick, and the lower the difficulty of the check.

In addition to a large number of related anti-ARP firewalls and anti-virus tools, an easy way is to bind IP addresses and MAC addresses of NICs and gateways, if you use arp-s ip mac command binding (the italic characters must be replaced by actual values, the same below), note that this binding relationship will expire after the computer restarts, unless it is bound again, you can also write this command to process files in batches and add the startup items. The MAC address of the local machine can be found through the ipconfig/all command. For the gateway MAC address, you can ping the gateway before it is poisoned, then run the arp-a command to learn about it (if you can directly find it better ).

But arp-s does not work in vista and win7. Therefore, the netsh command is used in vista and win7 (this command is also available in 2000/xp, but different from that in win7, some of the following commands cannot be run in xp): run the netsh interface ipv4 show interface command (or netsh I show in for short. Note that before running this command in 2000/XP, the system will prompt you to start the Routing and Remote Access Services, but even if you can run the service, you cannot implement the same functions as those in Windows 7/vista. For details, refer ), check the index number (idx) of the local connection ), then you can bind netsh-c "interface ipv4" add neighbors idx "ip" "mac" (This command must be run as an administrator, that is, run cmd as the administrator and then run the command. Note: In XP, this binding command cannot be run.) Similarly, "interface ipv4" can be abbreviated as "I ", this binding is different from arp-s. Bind permanently, even if you restart your computer.

After binding, use arp-a to check that IP and MAC are static instead of dynamic. Generally, you only need to bind a gateway to your computer. If necessary, you can bind the nic ip address and MAC address of each host to the vro, it seems unnecessary to bind the IP address and MAC address of your network card to your computer. After all, we need the real IP address of the other party (such as the gateway.