Comprehensive Solution to ARP spoofing prevention

The problem of ARP virus has been discussed for a long time. We have also summarized a lot of experience in the prevention of ARP virus, and constantly update the prevention methods on the Internet. However, the variants of the new ARP virus are even more rampant. The flood of different corners of our network has not brought much problems to our management work, but also affected the normal operation of the network, therefore, protection against ARP viruses is still a hot issue.

Recently, I have heard many network administrators complain that traditional binding methods sometimes cannot be prevented or cannot solve problems at all. Some problems that often occur in daily processing are listed below:

1. Only the IP address and MAC address of the security gateway are bound on the PC or a batch file is used for binding. When a virus machine spoofs an IP address or MAC address, flooding the wrong data packets with the network may cause a large area of disconnection.

2. configuring MAC binding only on the vro does not fundamentally address ARP protection. In this case, the ARP virus machine spoofs the gateway so that other computers can send data to the forged gateway, which also causes disconnection and other problems.

3. Use some auxiliary tool software, such as some anti-ARP virus attack software, or install the IP/MAC binding software in the PC system, however, no practical anti-ARP attack software can effectively prevent attacks, and some software occupies a large amount of system resources, if an attack occurs, it will occupy a lot of CPU usage and memory, and cause network unavailability and other problems.

4. Using monitoring software, but the attack of ARP virus does not mean that it can be found regularly, and network management cannot always pay attention to such problems.

5. Some software performs a few fake DLL file spoofing detection software, but some new ARP variant viruses can launch ARP attacks without needing to be detected.

6. Insufficient input errors and other operations during client binding.

The above several common methods have limited functions, but there will always be one or more drawbacks. We must seek a better solution, next we will introduce several new and upgraded prevention methods.

Solving customer instances

An Internet cafe in Hefei has been bound with ARP and cannot resist ARP attacks. Engineers of Qno xiaonuo contacted the customer and checked his computer. The batch processing shown below, in addition, the PC side confirms that it is not bound through the Arp-a command. The reason is that the Chinese description behind the echo does not use "" for marking, resulting in the failure to execute the batch processing file, and the user does not have the corresponding binding work on the local machine, 1.

@ Echo OFF
Ping XXX. XXX (to ensure the security of the customer's network, replace X with the IP address number)
If % ~ N0 = arp exit
If % ~ N0 = Arp exit
If % ~ N0 = ARP exit
Echo is obtaining local information .....
: IP
FOR/f "skip = 13 tokens = 15 usebackq" % I in ('ipconfig/all') do Set IP =
% I & GOTO MAC
: MAC
Echo IP: % IP %
FOR/f "skip = 13 tokens = 12 usebackq" % I in ('ipconfig/all') do Set
MAC = % I & GOTO custom IP
: Elastic IP
Echo MAC: % MAC %
Arp-s % IP % MAC %
Echo is obtaining gateway information .....
FOR/f "skip = 17 tokens = 13 usebackq" % I in ('ipconfig/all') do Set
Your IP = % I & GOTO your Mac
: Running Mac
Echo IP: % GateIP %
FOR/f "skip = 3 tokens = 2 usebackq" % I in ('Arp-a % GateIP % ') do Set
Running MAC = % I & GOTO Start
: Start
Echo MAC: % running MAC %
Arp-d
Arp-s % GateIP % GateMAC %
Echo operation completed !!!
Exit

 

Figure 1

After modifying the batch file and checking the binding on the vro, the Internet cafe will not find any disconnection problem. So far, the network has been running normally, therefore, it can be seen that two-way binding can completely prevent ARP viruses. It is indeed an effective way to completely solve the network suspension and IP conflict caused by ARP viruses, make ARP virus powerless. At the same time, we recommend that you use the Arp-a command to check whether the binding is valid and whether there is an error with the binding on the vro, so as to further prevent ARP virus attacks, the following describes several precautions for prevention and control.

1. Run arp-a to check whether the type is static or dynamic.

2. Do not use complicated scripts. The simplest way is to prevent others from being affected. Generally, Internet cafes have recovery cards, and network administrators can use software to monitor and detect ARP attacks, remind the guest to prevent account and password theft.

3. Currently, anti-virus software has no good defense against this issue.

4. ARP is called a virus, but basically it is perfect and enhanced for ARP Protocol (just like a credit card needs to add a password in China and only need a signature in foreign countries, but it is not a problem with the credit mechanism ).

5. Do not expect to be able to broadcast packets, and ultimately the network is affected.

Specific ARP Solution

It is generally necessary to do a good job of Prevention and Control in advance, and at the same time, it is necessary to bind two-way binding on the client and the router, in this way, no matter whether the ARP virus is a forgery of the local IP/MAC or gateway address, there will be no problems such as online disconnection or large-area disconnection.

1. Activate to prevent ARP virus attacks:

Go to the "Basic page" of "firewall configuration" on the "Web management" page of Qno xiaonuo router, and activate "Prevent ARP virus attacks ".

2. Bind the IP address of the gateway and its MAC address to each pc.

Enter the Dos operation on the computer and use arp-s or batch processing to bind the pc (Command Format: arp-s [vro IP address] [vromac MAC address]).

Alternatively, you can enter the corresponding host IP address and MAC address in the same way for other hosts in the network to bind the IP address to the MAC address. However, if the computer is restarted, the function will disappear. Therefore, you can make this command into a batch file and put it in the startup of the operating system:

@ Echo off
Arp-d
Arp-sro lan ip router LAN MAC

After binding on the computer, the system will not receive ARP spoofing attacks and send messages to the IP address/MAC address of the forged gateway.

Find the attack source for the Intranet that has an ARP attack. Method: run the arp-a command in DOS to check whether the MAC address of the gateway is the same as that of the real MAC address of the vro. If not, search for the PC corresponding to the MAC address. This PC is the attack source.

3. Bind the user IP Address/MAC address to the vro

The Qno na router provides the IP/MAC binding function. You can bind the IP address of an Intranet computer to the corresponding MAC address so that the router can block the unbound IP/MAC address, when there is an ARP spoofing attack on the Intranet, the forged IP/MAC sends a message to the router. At this time, the forged IP/MAC is not in the IP/MAC binding list of the router, the router rejects such messages and blocks them.

4. Further prevention

Qno's technical engineers suggest using some measures to further control ARP attacks.

(1) virus source, which processes the machine at the virus source, antivirus, or re-installs the system.

(2) The Internet cafe administrator checks the LAN virus and installs anti-virus software.

(3) Install patches for the system.

(4) set a complex and strong password for the system administrator account.

(5) update anti-virus software frequently and install and use network firewall software.

(6) disable unnecessary services. If conditions permit, disable unnecessary sharing, such as C $ and D $. A single-host user can also directly disable the Server service.

(7) we recommend that you do not click the link information sent from QQ, MSN, or other chat tools to avoid virus spreading.

Summary

It is effective to solve ARP virus attacks through the above comprehensive methods. Although the version of ARP virus is constantly updated and upgraded, it brings new impacts and dangers to enterprise users and Internet cafes. However, if the version can be prevented in advance, I believe that the harm of ARP will be minimized.