ARP spoofing principle and innate immunity of routers

ARPAddress Resolution Protocol (Address Resolution Protocol) is a low-level Protocol located in the TCP/IP Protocol stack. It is responsible for parsing an IP address into a corresponding MAC address.
"Why is the network management disconnected ?!" Every time I hear the client's question, the network manager has a big head. As a matter of fact, the sudden disconnection or wide-area network disconnection is mostly caused by ARP spoofing. ARP spoofing attacks have become the culprit in damaging Internet cafe operations, and are the heart of Internet cafe owners and network administrators.
From the perspective of Affecting Network Connection smoothness, there are two types of ARP spoofing: one is spoofing on the ARP table of the router, and the other is spoofing on the gateway of the Intranet PC.
The first principle of ARP spoofing is to intercept gateway data. It notifies the vro of a series of incorrect Intranet MAC addresses and keeps running at a certain frequency, so that the real address information cannot be updated and saved in the vro, as a result, all the data of the router can only be sent to the wrong MAC address, so that the normal PC cannot receive the information. The second principle of ARP spoofing is to forge a gateway. The principle is to establish a false gateway to send data to a spoofed PC, rather than accessing the Internet through a normal router. In the PC's view, the network cannot be connected, and the network is disconnected ".
In general, the consequences of ARP spoofing attacks are very serious. In most cases, large-scale disconnection may occur. Some network administrators do not know much about this. When a fault occurs, they think that the PC is okay and the switch is not capable of being dropped. China Telecom does not recognize the broadband fault. In addition, if the first ARP spoofing occurs, you only need to restart the vro and the network can be fully restored, the problem must be on the vro. To this end, the Broadband Router carries a lot of "black pots ".
As a router manufacturer for Internet cafes, it has to do a lot of work to prevent ARP spoofing. 1. In the Broadband Router, all the IP-MAC of the PC into a static table, this is called the router IP-MAC binding. 2. Advise the network manager to set the static ARP information of the gateway on all the PCs in the Intranet, which is called the PC IP-MAC binding. The general manufacturer requires two jobs to do, called IP-MAC two-way binding.
The method is effective, but the work is complicated and the management is troublesome. Binding each PC is inherently laborious. It is even more miserable to add, maintain, and manage a long list of vrouters. Once you resize or adjust the network card in the future, it is easy to cause confusion due to negligence. If you are worried, you may wish to use the IXP host that Xinxiang Internet cafe routes, which can make you more comfortable. Because Xin to the router does not need to be bound to the IP-MAC, there is no long string of address table. To deal with ARP, you only need to do one-way PC binding. This route can effectively reject ARP spoofing on the gateway. It is inherently immune!
The ARP innate immunity of xinzhi route depends on its two powerful technical measures. One is the unique NAT processing mechanism, and the other is the active defense mechanism of the gateway.
The NAT processing method is different from the common protocol stack method. Based on the original network protocol, the NAT service is enhanced, protected, and expanded. Although NAT is a standard network protocol, its implementation methods can be used separately to ensure the same goal. ARP spoofing only works for public and general systems. It exploits vulnerabilities in the general system's working mode, but does not work on the NAT implementation mechanism, because NAT has designed powerful protection fields. This is the principle that Xin Xiang routes can be immune to ARP.
In addition, in order to combat ARP spoofing of counterfeit gateways, the product designs the ARP broadcast mechanism of the gateway, which declares the correct gateway address to the Intranet at a specified frequency, maintain the legitimate rights and interests of the gateway. At the moment can not timely clear ARP virus, network manager has not been bound to the IP-MAC on the PC, it can maintain the network to a certain extent, to avoid catastrophic consequences, win the system repair time. This is the Active ARP defense mechanism.
However, if you do not bind IP-MAC on the PC, although there is an active defense mechanism, but the network is still running with disease. Because such ARP is an intranet task and does not pass through a router. A vro can only defend against attacks. When ARP is too rampant, it will lead to intermittent failures, which is an active defense mechanism in the fight against ARP spoofing. To this end, the product also provides a dedicated tool software for ARP spoofing detection, locating, and prevention, which is provided to all Internet cafes free of charge to help network administrators discover the existence of ARP spoofing, provides Work Assistance for clearing ARP spoofing sources, and adds the Xinxiang active defense mechanism to effectively deal with ARP spoofing.
Despite this, still remind the majority of Internet cafe Network Administrator, In order to once and for all, or charge points for each PC to do IP-MAC binding, this can completely eradicate the troubles of ARP spoofing. Besides, routing only requires one-way binding, which saves you the trouble of the other half and does not need to restart the router to disconnect the network. Vro itself is not afraid of ARP. You can bind your PC, so that the PC is not afraid of ARP. With a two-pronged approach, you can rest assured that your internet cafe is secure.(