Binding Mac addresses in Linux to prevent arp attacks

 

Impact of arp attacks

 

 

Sometimes, everyone in the LAN suddenly cannot access the Internet. Using packet capture tools, we can find that some machines are constantly sending arp broadcast packets. In this case, an arp virus is detected on a machine on the Intranet, and then the machine continuously sends spoofing packets to all machines to impersonate the gateway, in this way, other machines will send data packets to this computer as a gateway, but it does not forward data packets to the real gateway after receiving data packets, therefore, no one can access the Internet.

 

Generally, arp viruses use spoofing to intercept all communication data in the Intranet for some purpose.

 

The general arp virus modifies its mac address when sending a spoofing packet, which makes it difficult for us to quickly troubleshoot the virus. However, this can be solved by binding mac to ip addresses, that is, the ip addresses of all Intranet machines are allocated by binding to mac, so that all unregistered illegal mac addresses cannot be connected to the Intranet.

 

If the Internet access fails due to Gateway spoofing in the LAN, we can also solve the spoofing problem by binding the mac address and ip address of the gateway to the local machine. However, this step requires you to know the real gateway ip address and mac address. The procedure is as follows:

 

Method 1: (this method applies to both linux and windows)

 

1. List the mac addresses of all machines in the LAN. If the gateway ip address and the gateway mac address in the route table listed in this step do not match the actual mac address, it also proves that you have been cheated by the gateway.

 

Arp-

 

2. Bind the mac address

 

Arp-s 192.168.1.1 00: 07: E9: xx

 

Note: Here 192.168.1.1 may be replaced by hostname, if your gateway has set hostname.

 

Method 2: (applicable to linux)

 

1. Create a/etc/ethers file. For example, if you want to bind a gateway, write the following in/etc/ethers:

 

192.168.1.1 00: 07: E9: xx

 

Then execute

 

Arp-f

 

After the operation is complete, you can use arp-a to view the current arp cache table. If the list is displayed correctly, your binding operation is successful. If there are other machines bound, such as ftp, then add the record.

 

Note: 192.168.1.1 here is your gateway address, 00: 07: E9: xx is your gateway mac address.

 

Note: The MAC address formats on Linux and Widows are different. Linux: AA, Windows: AA-AA.

 

Note: You need to re-bind the mac address after each machine restart. You can write an automatic script and add it to the self-starting project.

 

In addition, binding mac addresses requires two-way binding: machine a is bound to machine B, and machine B is also bound to machine a to prevent arp attacks.

 

There are many ways to prevent arp attacks. This article introduces two more practical methods, mainly for linux and windows, therefore, you must check the system and remedy the problem.