Experts interpret ARP virus (end)

"Editor's note: We talked about the killing method of ARP virus computer, this is the last article in this series, will tell you how to take measures to immune to ARP virus." 】

The network immunization measures of ARP virus

Because of the various network characteristics of ARP virus, some technical means can be used to cheat the ARP virus in the network. Even if the network has ARP poisoned computers, in the sending of spoofed ARP packets, other computers will not modify their own ARP cache table, packets are always sent to the correct gateway, using a more method is "two-way binding method."

Bidirectional binding method, as the name implies, is to bind the Ip-mac address at both ends, where one end is in the router, the Ip-mac of all PCs into a static table, which is called the router Ip-mac binding. The end is each client in the local area network, and the static ARP information of the gateway is set on the client, which is called PC Ip-mac binding. The setting method on the client is as follows:

Create a new Notepad and enter the following command:

arp -d
arp -s 192.168.0.1　00-e0-4c-8c-9a-47

Where the "arp–d" command empties the current ARP cache table, and the "Arp-s 192.168.0.1 00-e0-4c-8c-9a-47" command binds the IP address and MAC address of the correct gateway to the system's startup directory. Can be implemented every time, this step is called "curing arp table."

"Two-way binding method" in the Internet café in general application of the majority.

In addition, many switch and router manufacturers also launched their own defense of the ARP virus of soft and hard products, such as: Huawei's H3C AR 18-6x series all Gigabit Ethernet routers can be implemented in the LAN ARP virus immunization, the router provides Mac and IP address binding function, according to the user's configuration, Form an association between a particular IP address and a MAC address. For packets claiming to be sent from this IP address, if their MAC address is not an address in the specified relationship pair, the router will discard the IP address as a way to avoid spoofing attacks.

Eight, ARP virus kv solution

In response to the increasingly rampant ARP virus, Jiangmin technology launched the overall solution:

1.KV Antivirus software 7 days a week to upgrade the virus library, stand-alone version of the network version of the synchronous upgrade, real-time interception of various ARP virus from the network.

2. For local area network users, the proposed unified deployment of KV network version of antivirus software, KV network version has a unified network upgrade virus, unified network Antivirus powerful function, can completely kill the ARP virus from the local area network.

3. "KV unknown virus scanning" function can identify the vast majority of ARP virus, KV unknown virus scanning program using a unique behavior determination technology, can thoroughly detect the known and unknown ARP virus in this machine, to help network administrators quickly remove ARP virus.

4. Especially for enterprise users, providing "ARP Virus emergency response service", Jiangmin Technology Network security engineers can door-to-door enterprise users intranet ARP virus, to ensure rapid recovery of the enterprise network data Communications security.

5.KV New Firewall Special added ARP virus defense function, can intercept from the LAN ARP spoofing packets, protect the local network security. The Setup interface is shown in Figure 11.

Figure one KV new firewall added ARP attack protection function

KV New firewall added ARP attack protection function, the use of this function is also very simple, after installing the KV firewall, click the "Settings" button, and then check "Enable attack protection", and then click "Automatic detection of local network Settings", the program will automatically obtain the local and gateway IP address and MAC address, then click OK. The KV Firewall will detect the ARP packets from the network in real time, and find that there is an abnormal packet spoofing, it will intercept and guarantee the security of the local network communication.

Ix. The network security suggestion about ARP virus

1. In the network normal time to save the entire network of IP-MAC Address table, so in the search for ARP poisoning computer is very convenient.

2. All network computers are playing ms06-014 and ms07-017 these two patches, including all the clients and servers, so as not to infect the Web Trojan.

3. Deploy network traffic detection equipment, always monitor the entire network of ARP broadcast packet, check its MAC address is correct.

4. Do a good job of binding the Ip-mac address, for the message sent from this IP address, if its MAC address is not the specified relationship in the address, to be discarded.

5. Deploy the network version of antivirus software, regularly upgrade the virus library, regular full network antivirus.