Nowadays there are many cases of ARP virus infection on LANs, and they are hard to clean up and prevent, causing a lot of trouble for network administrators. What follows is my personal experience in solving this problem, together with a lot of references I have read online.
ARP virus symptoms
Internet access becomes intermittent: sometimes it works, sometimes it does not. Access to Network Neighborhood is affected as well; copying files fails to complete and ends with an error. ARP traffic on the LAN surges. When you query ARP, you find abnormal or incorrect MAC addresses, and a single MAC address corresponds to multiple IP addresses.
Principles of ARP attacks
ARP spoofing packets generally show one of two features, either of which can be treated as an attack alarm. First, the source and destination addresses in the Ethernet frame header do not match the sender and target addresses carried inside the ARP packet. Second, the ARP sender address or target address is not in the network's MAC database, or does not match the IP/MAC pairing recorded there. Any of these should raise an alarm immediately. Check the source address of these Ethernet frames (which may itself be forged) to find out which machine is launching the attack.

Note also that some network management tools, such as Network Law Enforcement Officer and P2P Terminator, impersonate the gateway in exactly the same way: they trick clients into sending gateway-bound traffic to them in order to provide traffic management and monitoring. This creates a real risk for the network, because such a tool can easily capture user passwords and other sensitive information.
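The two alarm conditions above, plus the "one MAC, many IPs" symptom, written out as detection logic. This is an added example, not code from the article: it assumes frames arrive as raw Ethernet+ARP bytes (as a pcap reader or an AF_PACKET socket would deliver them), and the trust table, MAC and IP addresses below are constructed placeholders.

```python
"""Added example: apply the ARP spoofing alarm rules to raw Ethernet frames.

Not the article's code. Frames are raw Ethernet II + ARP bytes; a handful of
sample frames are constructed inline below so the script runs offline.
"""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2

# Constructed trust table: the gateway binding the administrator has verified
# out of band. The addresses are placeholders for this example.
KNOWN_BINDINGS = {"192.168.0.1": "00-00-5e-00-01-01"}


def fmt_mac(raw):
    return "-".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_frame(frame):
    """Split an Ethernet II + ARP (IPv4 over Ethernet) frame into fields.

    Returns None for anything that is not a well-formed ARP frame.
    """
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": fmt_mac(dst), "eth_src": fmt_mac(src), "op": op,
            "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


def check_frame(f, known, claims):
    """Apply the alarm rules to one parsed frame; return a list of alerts.

    `claims` accumulates which IPs each MAC has claimed across frames so the
    'one MAC answering for several IPs' symptom can be spotted.
    """
    alerts = []
    # Rule 1: Ethernet header source does not match the ARP sender address.
    if f["eth_src"] != f["sha"]:
        alerts.append(f"header mismatch: eth src {f['eth_src']} vs arp sha {f['sha']}")
    # Rule 2: sender claims an IP whose MAC is known, but with a different MAC.
    expected = known.get(f["spa"])
    if expected is not None and expected != f["sha"]:
        alerts.append(f"{f['spa']} claimed by {f['sha']}, expected {expected}")
    # Symptom: one MAC answering for more than one IP.
    claims[f["sha"]].add(f["spa"])
    if len(claims[f["sha"]]) > 1:
        alerts.append(f"{f['sha']} claims {sorted(claims[f['sha']])}")
    return alerts


def scan(frames, known=KNOWN_BINDINGS):
    """Return [(sender MAC, [alerts])] for every ARP frame in `frames`."""
    claims = defaultdict(set)
    out = []
    for frame in frames:
        f = parse_arp_frame(frame)
        if f is None:          # not ARP, or truncated: ignore
            continue
        out.append((f["sha"], check_frame(f, known, claims)))
    return out


def build_arp(eth_src, sha, spa, tpa, op=ARP_REPLY, tha="00-00-00-00-00-00",
              eth_dst="ff-ff-ff-ff-ff-ff"):
    """Construct a test frame (sample data, not captured traffic)."""
    mac = lambda s: bytes(int(x, 16) for x in s.replace(":", "-").split("-"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


GW, ATTACKER = "00-00-5e-00-01-01", "aa-bb-cc-dd-ee-ff"
SAMPLE_FRAMES = [
    build_arp(GW, GW, "192.168.0.1", "192.168.0.20"),              # genuine gateway reply
    build_arp(ATTACKER, ATTACKER, "192.168.0.1", "192.168.0.20"),  # gateway impersonation
    build_arp(ATTACKER, GW, "192.168.0.1", "192.168.0.20"),        # ARP body forged to look genuine
    build_arp(ATTACKER, ATTACKER, "192.168.0.30", "192.168.0.20"), # same MAC, another IP
    b"\x00" * 60,                                                  # not ARP: skipped
]

if __name__ == "__main__":
    for mac, alerts in scan(SAMPLE_FRAMES):
        print(mac, alerts or "ok")
```

The first rule catches frames whose ARP body disagrees with the Ethernet header; the second catches a gateway impersonation even when the frame is internally consistent, which is why the trust table has to be built from a known-good state of the network rather than learned from traffic while an attack may already be under way.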
Solution
General Process
1. Ensure the network keeps working
Method 1: create a .bat file (the original names it ***.bat) with the following contents. It binds the real gateway IP address to the real gateway MAC address as a static ARP entry, so forged replies can no longer overwrite it:

@echo off
arp -s <gateway IP address> <gateway MAC address>

Write the MAC address in the dash-separated form that arp -a shows on Windows. Have every user on the network run the file. Two caveats: a static entry added with arp -s is lost at reboot, so the file must be run again after every restart, and on Windows Vista and later arp -s requires administrator rights.
Method 2: create a registry file with the following contents, which re-applies the static entry at every logon (Method 1 on its own does not survive a reboot):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MAC"="arp -s <gateway IP address> <gateway MAC address>"

Save it as a .reg file and import it on each client (double-click it, or use Import in Registry Editor). The key path must contain the backslashes shown and the value must be on a single line; writing under HKEY_LOCAL_MACHINE requires administrator rights.
2. Find the machine infected with ARP Virus
A. On a client, ping the gateway IP address and then run arp -a to check whether the MAC address shown for the gateway matches the gateway's real MAC address. If it does not, the MAC address that does appear belongs to the machine doing the spoofing, and you can locate that machine from it (for example by looking the MAC up in the switch's forwarding table to find the port it is on).
B. Use a packet capture tool and analyze the ARP packets you collect. Some ARP viruses redirect the path to the gateway to themselves; others send forged ARP replies simply to disrupt communication on the network. The first kind is comparatively easy to deal with, the second is harder. If the antivirus software cannot identify the virus correctly, finding the infected computer by hand and cleaning it manually is often difficult.
C. Use a MAC address scanning tool such as Nbtscan to scan the whole network segment and build a table of IP address to MAC address mappings; this helps pin down the MAC address and IP address of the host carrying the ARP virus. (Nbtscan relies on NetBIOS name queries, so hosts that do not answer NetBIOS will not appear in its output.)
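Step A and the "one MAC, many IPs" symptom from the symptom list can be checked from the ARP cache automatically. The following is an added example, not the article's code: it parses text in the layout that arp -a prints on Windows (the regular expression only needs an IPv4 address followed by a six-octet MAC on one line, so it also matches Linux arp -a and ip neigh output), compares the cached gateway MAC with the one you verified on the router itself, and lists unicast MACs that appear against more than one IP. The sample output and all addresses below are constructed placeholders.

```python
"""Added example (not from the article): check a host's ARP cache for a
spoofed gateway entry and for one MAC address bound to several IPs.

Accepts `arp -a` output as text; the sample below is constructed.
"""
import re
import subprocess
import sys

ARP_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s+"                # IPv4 address
    r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})"   # MAC, dash or colon separated
)


def normalize_mac(mac):
    return mac.lower().replace(":", "-")


def parse_arp_table(text):
    """Return {ip: mac} for every cache entry found in `text`."""
    table = {}
    for line in text.splitlines():
        m = ARP_ENTRY.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def is_group_address(mac):
    """Broadcast/multicast MACs (low bit of the first octet set) legitimately
    map to many IPs, so they must not be reported as spoofing."""
    return bool(int(mac.split("-")[0], 16) & 1)


def check_gateway(table, gateway_ip, expected_mac):
    """Step A: compare the cached gateway MAC with the one you know is real.

    Returns ("ok" | "missing" | "mismatch", cached MAC or None). "missing"
    means the gateway has not been resolved yet: ping it first and re-run.
    """
    actual = table.get(gateway_ip)
    if actual is None:
        return ("missing", None)
    if actual != normalize_mac(expected_mac):
        return ("mismatch", actual)
    return ("ok", actual)


def macs_with_multiple_ips(table):
    """Symptom check: unicast MACs that appear against more than one IP."""
    by_mac = {}
    for ip, mac in table.items():
        if is_group_address(mac):
            continue
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample in Windows `arp -a` layout; every address is a placeholder.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.0.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.15          aa-bb-cc-dd-ee-ff     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Gateway MAC the administrator verified on the router itself (placeholder).
REAL_GATEWAY = ("192.168.0.1", "00-00-5e-00-01-01")


def report(text, gateway_ip, expected_mac):
    """Run both checks over one ARP cache dump."""
    table = parse_arp_table(text)
    return {"gateway": check_gateway(table, gateway_ip, expected_mac),
            "shared_macs": macs_with_multiple_ips(table)}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Live check on this host: python arpcheck.py <gateway ip> <gateway mac>
        text = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
        print(report(text, sys.argv[1], sys.argv[2]))
    else:
        print(report(SAMPLE_ARP_OUTPUT, *REAL_GATEWAY))
```

In the sample, the gateway resolves to aa-bb-cc-dd-ee-ff instead of the verified MAC, and that same MAC also answers for 192.168.0.15, so both checks point at the same host; the broadcast and multicast entries are skipped rather than reported as a second offender.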
Preventive actions
1. Promptly apply operating system and application patches on clients.
2. Install anti-virus software and keep it updated.
3. If the network is small, assign IP settings manually instead of using DHCP.
4. If the switch supports it, bind MAC addresses to IP addresses on the switch. (But this is not a good idea.)