The damage that ARP spoofing viruses can do needs no introduction. Many such ARP viruses also have worm features, which makes them even harder to deal with. There are many articles on the Internet that show how to deal with ARP spoofing viruses on an enterprise intranet. In most cases, however, they require filtering or binding MAC addresses on the core switches. What if we do not have management permission on the switch? Today, let's start with local filtering to eradicate ARP spoofing worms.
1. Install the 8 Signs Firewall filter software:
This article focuses on filtering out forged ARP spoofing packets on the local machine. We can use software named 8 Signs Firewall to implement this. It is a simple, easy-to-use software firewall that helps users stop unauthorized network connections from accessing local resources. It can also restrict the local computer's access to undesirable resources on the network.
8 Signs Firewall archive:
Software Version: V3.01a Beta
Software size: 5351 KB
Software language: English
Software category: foreign software / shareware / network security
Application Platform: Win9x/NT/2000/XP/2003
Download: http://cnc.skycn.com/soft/15172.html
Step 1: run the 8 Signs Firewall Installer. We use the V3.01a Beta version. Click "NEXT" to continue. (1)
Step 2: After accepting the license agreement, select the installation directory. The default path is c:\program files\8signs firewall. Click "NEXT" to continue. (2)
Step 3: After the configuration is complete, prepare to install the software and copy the required files to the local hard disk. (3)
Step 4: The installer writes the registry and starts the service and related processes. A dialog box then pops up to initialize 8 Signs Firewall. First, set the user of the software: select the first option, "Make my ruleset for me" (set rules for this account). (4)
Step 5: The software supports remote management. We can remotely control and monitor it by setting a password and the default management port. In most cases we do not need this function, so simply select "NO". (5)
Step 6: Set the startup mode of the software firewall. Choosing YES starts it with the system. (6)
Step 7: The last step is the key one, so choose carefully. It sets whether communication is allowed or blocked by default when the firewall is not running. Decide this based on actual use. I suggest choosing ALLOW; otherwise, if the firewall is not running, it will be difficult to find the root cause of a connectivity problem. (7)
Step 8: After the installation is complete, restart the computer to make the settings take effect. Click "Finish" to complete the installation. (8)
We have now completed the installation of 8 Signs Firewall, which we will use next to eradicate the ARP spoofing worm.
2. Eradicate ARP spoofing worms starting with local Filtering:
The key to an ARP spoofing virus attack is the spoofed ARP mapping table, which points the MAC information for the gateway address to the wrong address. When we run arp -a to view the local ARP cache, we can see different IP addresses mapped to the same MAC address, in particular the gateway address. (9)
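The symptom described above can be checked mechanically. The following is an added example, not part of the original article: it parses Windows-style arp -a output and reports MAC addresses shared by several IPs and a gateway entry that differs from the known real MAC. The sample table, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (all addresses are made up).
SAMPLE = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.23          00-11-22-33-44-55     dynamic
  192.168.1.40          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# One cache entry per line: IPv4 address, MAC address, entry type.
ENTRY = re.compile(
    r"^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+"
    r"((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})[ \t]+(\w+)", re.M)

def norm(mac):
    """Normalize a MAC to lower case with '-' separators."""
    return mac.lower().replace(":", "-")

def parse_arp_table(text):
    return [(ip, norm(mac), kind) for ip, mac, kind in ENTRY.findall(text)]

def audit(text, gateway_ip, gateway_mac=None):
    """Return (finding, mac, ips) tuples for suspicious cache entries."""
    findings, by_mac = [], defaultdict(list)
    for ip, mac, _kind in parse_arp_table(text):
        # Broadcast and IPv4 multicast MACs are legitimately shared.
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac[mac].append(ip)
        if ip == gateway_ip and gateway_mac and mac != norm(gateway_mac):
            findings.append(("gateway-mismatch", mac, [ip]))
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            kind = "shared-mac-with-gateway" if gateway_ip in ips else "shared-mac"
            findings.append((kind, mac, ips))
    return findings

if __name__ == "__main__":
    # The real gateway MAC here is an assumed value, e.g. read from the device label.
    for finding in audit(SAMPLE, "192.168.1.1", "00:11:22:33:44:66"):
        print(finding)
```
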
To deal with this incorrect binding, we can use the rules in 8 Signs Firewall.
Step 1: Restart the computer after installation, then start the 8 Signs Firewall program and disable or delete the firewall's original default ARP rules: right-click the ARP tab and the corresponding rule, and select disable. (10)
Step 2: Create a trusted IP Address Group under the Rule menu and name it. (11)
Step 3: add an IP address to the created address group, that is, the IP address of the gateway. (12)
Step 4: Create a MAC address Group after creating an IP address Group. You can use the Rules menu to create a trusted MAC Group. (13)
Step 5: Set a name for the MAC address group and enter the real MAC address of the gateway device to create a default rule. (14)
Step 6: return to the main interface of the software and create a new ARP rule in the rules under network adapters. Remember to select the ARP tag on the right. (15)
Step 7: In the Add rule window, select the Filtering tab and choose the groups created earlier as the match conditions of the filter rule. (16)
Step 8: In the same window, select "ALLOW" on the Actions tab, so that only ARP packets matching the rule are sent and received; other packets that do not match the rule are discarded. (17)
Step 9: If there is an ARP spoofing worm on the network, we will find the corresponding log records after enabling 8 Signs Firewall.
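The binding that the rule from steps 2 to 8 enforces can be expressed as a check on each ARP frame. The following is an added example, not code from the original article and not 8 Signs Firewall's own matching logic: it assumes the rule's intent is that any ARP packet claiming the trusted gateway IP must carry the trusted gateway MAC. The addresses, the TRUSTED table and the build_arp test helper are constructed for illustration.

```python
import socket
import struct

# Constructed trusted binding: gateway IP -> real gateway MAC (assumed values).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:55"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(src_mac, sender_ip, op=2,
              dst_mac="ff:ff:ff:ff:ff:ff", target_ip="192.168.1.10"):
    """Build a constructed Ethernet+ARP frame in memory, used only as test input."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac_bytes(src_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(dst_mac) + socket.inet_aton(target_ip)
    return eth + arp

def check_frame(frame, trusted=TRUSTED):
    """Return (verdict, reason) for one Ethernet frame."""
    if frame[12:14] != b"\x08\x06":
        return ("IGNORE", "not an ARP frame")
    if len(frame) < 42:
        return ("DROP", "truncated ARP frame")
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ("DROP", "not Ethernet/IPv4 ARP")
    sender_mac = mac_str(frame[22:28])           # ARP sender hardware address
    sender_ip = socket.inet_ntoa(frame[28:32])   # ARP sender protocol address
    expected = trusted.get(sender_ip)
    if expected is not None and sender_mac != expected.lower():
        # This is the event that would show up in the firewall log (step 9).
        return ("DROP", f"{sender_ip} claimed by {sender_mac}, expected {expected}")
    return ("ALLOW", f"{sender_ip} is at {sender_mac}")

if __name__ == "__main__":
    frames = [build_arp("00:11:22:33:44:55", "192.168.1.1"),
              build_arp("00:aa:bb:cc:dd:ee", "192.168.1.1")]
    for frame in frames:
        print(check_frame(frame))
```
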