Crazy ARP painful router (1)

Source: Internet
Author: User

Internet cafes across the country have recently been hit by a continuing wave of network disconnections. This seemingly crazy incident is caused by ARP attacks. Because there are too many variants and the attack spreads fast, anti-virus vendors at home and abroad have not yet come up with an answer to it.

Over the past two months, Internet cafes in China have experienced a typical pattern of disconnection: the whole network drops for a short time, or part of the network drops. The network is unstable, and most of the problems are caused by viruses. Now that school has started, Internet cafes near many schools will see traffic peaks again, and the owners of Internet cafes large and small are not very happy.

National Internet cafe Problems

Wangwang Internet cafe in Shijiazhuang has been suffering from disconnections, and Zhongshan kangjian Internet cafe in Guangdong has encountered the same problem. According to them, this is a nationwide problem. It exists in Internet cafes in various regions and is mainly caused by ARP attacks. Because there are too many variants and they propagate fast, domestic and foreign anti-virus vendors have not yet come up with an answer to it.

In a short period of time, a small ARP program has disrupted the network environment of Internet cafes nationwide. Over the past few days, Internet cafe owners nationwide, large and small, have been suffering from it. The network goes down, customers gradually drift away, and business gets worse by the day.

Zhao Lei, Technical Manager of Shijiazhuang network Wang Internet cafe, said: We have investigated and found that the main cause of ARP virus attacks is the legend of the game, especially in private server plug-ins. The virus aims to crack the game encryption and decryption algorithm, intercept data packets in the LAN, and then analyze the game communication protocol to intercept user information. By running this virus, you can obtain detailed information about game players in the entire LAN and steal user account information.

According to Yang Xiaoyu, manager of Hongchang Network Technology Co., Ltd., some devices in Internet cafes, such as routers and computers running TCP/IP, keep ARP cache tables to improve communication speed.

Many attack tools with ARP spoofing capability now use ARP to attack network devices. They forge the MAC addresses that correspond to IP addresses in the LAN and modify the ARP cache table of the router or computer, so that the computer with the valid MAC address no longer corresponds to its IP address and therefore cannot access the Internet through the router.

After the router is restarted, the ARP cache table is automatically refreshed and the network returns to normal for a short period of time. Once the ARP attack starts again, the network is disconnected again. The outage is easily mistaken for a "dead" router, which keeps Internet cafe administrators from taking timely action to quickly restore normal operation.

ARP blocks dead routes

According to Zhao Lei, who has ten years of experience in LAN management, another cause is MAC address conflicts. When the MAC of a computer with a virus maps to a NAT device such as a host or router, this causes a disconnection across the whole network. If it maps only to other machines in the network, only those machines have problems.

Yang Xiaoyu said that in this case, to prevent ARP attacks, both the router and the clients must be configured for the problem to be fully solved. Therefore, when selecting a router, it is best to check whether it has an anti-ARP-attack function.

For an intranet with ARP attacks, you need to find the attack source. Check whether the MAC address of the gateway is the same as the real MAC address of the router. If not, search for the PC corresponding to the MAC address. The PC is the attack source.
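
The check described above, as an added example that is not part of the original article: it parses an ARP cache dump in the Linux `ip neigh` layout, compares the gateway entry with the router's real MAC address, and lists the other hosts that carry the same forged MAC. The sample table, all addresses and the function names are constructed for illustration.

```python
import re

# Constructed ARP cache dump in the layout printed by Linux `ip neigh`;
# every address here is made up for this example.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 02:00:5e:00:00:05 REACHABLE
192.168.1.23 dev eth0 lladdr 02:00:5e:00:00:17 STALE
192.168.1.37 dev eth0 lladdr 02:00:5e:00:00:05 REACHABLE
192.168.1.40 dev eth0 FAILED
"""

ENTRY = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s.*?\blladdr\s+([0-9a-fA-F:]{17})\b")


def normalize_mac(mac):
    """Lower-case and use ':' so 02-00-5E... and 02:00:5e... compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_neigh(text):
    """Return {ip: mac} for every entry that has a resolved MAC address."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def check_gateway(table, gateway_ip, real_gateway_mac):
    """Compare the cached gateway MAC with the router's real MAC.

    Returns (status, observed_mac, suspect_ips). suspect_ips are the other
    hosts whose cache entry carries the MAC found in the forged gateway entry,
    i.e. the PC to look for as the attack source.
    """
    observed = table.get(gateway_ip)
    if observed is None:
        return ("no-entry", None, [])
    if observed == normalize_mac(real_gateway_mac):
        return ("ok", observed, [])
    suspects = sorted(ip for ip, mac in table.items()
                      if mac == observed and ip != gateway_ip)
    return ("spoofed", observed, suspects)


if __name__ == "__main__":
    # Real router MAC as read from the device itself (constructed value).
    print(check_gateway(parse_neigh(SAMPLE_NEIGH), "192.168.1.1", "02-00-5E-00-00-01"))
```

An empty suspect list with a "spoofed" status means the forged MAC does not appear under any other IP in this cache, so the search has to continue on the switch's MAC address table instead.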

ARP works by maintaining a table in memory that lets traffic for an IP address reach the target machine on the network. A terminal in the LAN that repeatedly sends forged ARP reply packets to other machines, especially to the gateway, can therefore cause serious network congestion.

Some users also bind IP addresses to MAC addresses on both the router and the PCs to prevent attacks. However, binding IP addresses and MAC addresses on routers and PCs is complicated: you need to find the IP address and MAC address of each PC, which increases the workload and is prone to errors during the operation.

This method can basically solve the problems related to the network caused by ARP attacks. The above methods have also been tested by multiple users and Internet cafes, achieving satisfactory results.

Zhang Jianqing, marketing director of Xiaonuo Technology, believes that some excellent router products need to search for the IP/MAC addresses of the entire network, so that they can be bound on the router side. This method is more convenient, secure and reliable.

Difficult to manage Internet cafes

The management of Internet cafes has always been a problem. Because Internet cafes lack a complete, effective management solution and the corresponding equipment, the technical director has to rely on a variety of complex operations each time to restore normal network operation, and players have long run out of patience with waiting for problems to be solved this way.

Few players now have the patience to sit in front of an interrupted game or movie while the network is adjusted. When the network has problems, finding the fault is even more troublesome: the technical director can only work from the core switch down to the access switches to determine where the problem is. Such manual operations easily miss errors, take a long time, and also carry some security problems.

