Combination of hardware and software to combat ARP Spoofing

Every time I see arp, I need to say that the server is arp every day.

There are more and more Trojans that use ARP spoofing to spread viruses and steal online banking information. The amount of stolen Trojans is hundreds of millions. It is imperative to prevent ARP spoofing.

498) this. style. width = 498; "border = 0>

Since the second half of last year, many domestic Campus Networks, enterprise networks, and Internet cafes have experienced intermittent network interruptions. Computer installed with antivirus software to open any website will report a virus in the web page, view the web page source code will find a similar <script> http://xxxxx.xxx/xx.js </script> containing virus script code. It seems that the website webpage is hacked, but this is not the case. If you use the network management software for monitoring, you will find that, many IP addresses in the LAN correspond to the same MAC address, which is absolutely impossible under normal circumstances. There must be ARP attacks on the network.

In a LAN, two computers in the same subnet communicate with each other through a MAC address. Therefore, the IP address must be converted to a MAC address before the two computers communicate, this process is completed by the ARP protocol. There are two types of ARP spoofing attacks: one is spoofing the router (GATEWAY) and the other is spoofing the Intranet computer. Of course, two types of attacks may also be carried out at the same time. In any case, packets sent between the computer and the router may be sent to the wrong MAC address after the spoofing broadcast is sent. On the surface, the website cannot be accessed or has a virus. If a computer on the Internet does not promptly update the system patch, the computer will be vulnerable to viruses and the Security Information of network users will be easily stolen. It can be seen that ARP spoofing has a huge impact on LAN computer security and has become the main factor affecting normal network operation.

ARP spoofing is designed based on the principle of establishing network connections. Therefore, the fundamental solution is not estimated, but it is necessary to restore the normal internet access of computers in the LAN, there is still a way to block the impact of spoofing on the network. According to the principle of ARP spoofing, to prevent ARP spoofing, the ARP cache tables of computers and routers must be prevented from being tampered with illegally. Currently, two-way binding of MAC addresses is more effective. That is, binding the client IP-MAC address on the vro against information, binding the router IP-MAC address on the client against information. It is relatively easy to bind the MAC address on the client. You can use the following batch processing and add it to the startup Item of the computer.

ARP-d
ARP-s gateway IP Gateway MAC

However, this method can only be bound to a MAC address once when the computer is started, and the effect may be limited. There are also software dedicated to preventing ARP spoofing on the Internet, such as Ani ARP Sniffer and 360ARP firewall. The defense principle of such software is to automatically detect real-time anti-tampering MAC Address binding.

The MAC Address binding on a vro。 is relatively cumbersome. You need to know the IP address and MAC address information of the client in advance. The operation methods for binding vrouters of different brands are also different. This method is applicable to computer networks that are small in size and have little changes. After the MAC address of the vro。 is bound, the corresponding vro Binding data must be updated after the NIC of the client changes. Otherwise, the Internet cannot be accessed, so maintenance is complicated. Similarly, if you use the routing function of WIN2000/2003, you can use the following batch processing to bind the MAC address.

ARP-d
ARP-s Computer AIP address computer A gateway MAC address
ARP-s Computer BIP address computer B gateway MAC address
......

In view of the popularity of ARP spoofing, many network equipment vendors have known as a security gateway, router products to prevent ARP spoofing, its prevention principle is to regularly broadcast the correct gateway IP-MAC address information to the internal network. This kind of product should be said to have a certain protective effect, but it will also lose its role in many spoofing attacks, and such network devices and MAC Address Spoofing Trojans continuously send broadcast packets to the network together, it takes up a lot of network bandwidth and greatly reduces the network connection speed. Therefore, it is not recommended.

I believe that ARP spoofing is initiated by computers infected with the ARP spoofing virus. Using the methods described above, we can only solve client faults on the surface. The key to the problem is not solved. The key to maintaining the normal operation of the network is to promptly locate the computer that is poisoned, isolate it from the network, clear the ARP spoofing virus, and do a good job of anti-virus.