Wireshark discovery of ARP virus in LAN

Source: Internet
Author: User


ARP (Address Resolution Protocol) is the underlying protocol in the TCP/IP suite that resolves the address of a network node (an IP address) to its link-layer MAC address. ARP viruses, and other malicious software circulating in a network, abuse the ARP mechanism for address spoofing. The most common ARP problems fall into three types:
1) Gateway or server IP spoofing: using the ARP mechanism, the attacker impersonates the IP address of the network gateway or another server, so that traffic that should go to the gateway or server is redirected to the spoofing computer; the result is interrupted or delayed connectivity, or data loss.
2) Covert misappropriation of an IP: using the ARP mechanism, the attacker takes over someone else's IP address without authorization and carries out malicious network activity under it, which can cover a wide range of infringing operations.
3) Forcible occupation of an IP: using the ARP mechanism, the attacker attacks another host's IP address until it eventually occupies that IP, and then carries out malicious or infringing operations from it.

Network Fault Diagnosis:

According to the users' reports, the network was intermittently dropping out. The engineer captured packets with Wireshark and found that 90% of the packets in the LAN were ARP packets.

A host with MAC address 001F-29DC-F4B1 is sending ARP messages, with itself as the source, to the other computers in this segment, telling them that the gateway's MAC address is 001f-29dc-f4b1. In fact the users' gateway is a Jabil firewall, and its MAC address is not 001f-29dc-f4b1. From this we can determine that the host 001f-29dc-f4b1 is sending spoofed ARP messages, and that the type is gateway spoofing.

Note: x.31.74.254 (this is the default gateway for PC)

But even so, the intranet users' network was still dropping out intermittently. We continued capturing with Wireshark and found the following problem.


From the capture we find that the host with IP address x.31.74.37 and MAC address 5cff.3501.9daf is also sending a large number of ARP packets within the LAN. It uses ARP broadcast requests to scan the IP and MAC addresses of all hosts in the network segment: the capture contains a very large number of ARP request broadcasts, covering almost every host in the segment. Such a volume of ARP request broadcasts consumes network bandwidth, and an ARP scan is generally the prelude to an ARP attack.
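The two findings above (a host answering for the gateway IP with its own MAC, and a host ARP-requesting nearly every address in the segment) can both be checked mechanically over the ARP records of a capture. The following is an added example, not code from the original post: it builds a small constructed capture modelled on the post (spoofer 001F-29DC-F4B1, scanner 5cff.3501.9daf, gateway x.31.74.254) and runs two detectors over it. The real firewall's MAC is not given in the post, so `GATEWAY_MAC` is a placeholder the operator would replace with the known-good value; `normalize_mac` is a helper of this example that accepts the dash, dot and colon MAC notations that appear in the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Known-good gateway binding. The post names the gateway IP; the firewall's
# real MAC is not given, so this value is a placeholder to be replaced.
GATEWAY_IP = "x.31.74.254"
GATEWAY_MAC = "00:00:00:aa:bb:cc"  # placeholder, NOT the real firewall MAC


@dataclass
class Arp:
    """Minimal view of one ARP frame: opcode 1 = request, 2 = reply."""
    opcode: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def normalize_mac(mac):
    """Accept 001F-29DC-F4B1, 5cff.3501.9daf or 00:1f:29:dc:f4:b1 and return aa:bb:cc:dd:ee:ff."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def find_gateway_spoofers(packets, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return the set of MACs that claim the gateway IP with a MAC other than the real one."""
    real = normalize_mac(gateway_mac)
    spoofers = set()
    for p in packets:
        if p.sender_ip == gateway_ip and normalize_mac(p.sender_mac) != real:
            spoofers.add(normalize_mac(p.sender_mac))
    return spoofers


def find_arp_scanners(packets, threshold=20):
    """Return {mac: distinct_targets} for MACs whose ARP requests probe >= threshold distinct IPs."""
    targets = defaultdict(set)
    for p in packets:
        if p.opcode == 1:
            targets[normalize_mac(p.sender_mac)].add(p.target_ip)
    return {mac: len(t) for mac, t in targets.items() if len(t) >= threshold}


def arp_share(arp_count, total_frames):
    """Fraction of captured frames that are ARP; the post saw about 0.9."""
    return arp_count / total_frames if total_frames else 0.0


def sample_capture():
    """Constructed sample modelled on the post: one spoofer, one scanner, some normal traffic."""
    pkts = []
    # Unsolicited replies from 001F-29DC-F4B1 claiming the gateway IP.
    for i in range(1, 6):
        pkts.append(Arp(2, "001F-29DC-F4B1", GATEWAY_IP, f"x.31.74.{i}"))
    # One legitimate reply from the real gateway.
    pkts.append(Arp(2, GATEWAY_MAC, GATEWAY_IP, "x.31.74.10"))
    # Host x.31.74.37 (5cff.3501.9daf) sweeping every address in the /24.
    for i in range(1, 255):
        pkts.append(Arp(1, "5cff.3501.9daf", "x.31.74.37", f"x.31.74.{i}"))
    # An ordinary host resolving the gateway once.
    pkts.append(Arp(1, "00:11:22:33:44:55", "x.31.74.10", GATEWAY_IP))
    return pkts


if __name__ == "__main__":
    capture = sample_capture()
    print("ARP share of frames:", arp_share(len(capture), len(capture) + 29))
    print("gateway spoofers:", find_gateway_spoofers(capture))
    print("ARP scanners:", find_arp_scanners(capture))
```

In Wireshark itself the same two checks map to display filters: `arp.src.proto_ipv4 == x.31.74.254` shows every frame that claims the gateway IP, so any `arp.src.hw_mac` there other than the firewall's is a spoofer, and `arp.duplicate-address-detected` flags IPs that Wireshark has already seen bound to two different MACs; `arp.opcode == 1` followed by Statistics > Conversations (Ethernet) shows which sender MAC is behind the flood of requests.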

Workaround:

The solution is also very simple: shut down the two switch ports through which these two hosts connect upstream, which cuts both the gateway spoofing and the ARP scan off from the rest of the segment.
