ARP virus infections on local area networks are now increasingly common, and cleaning them up and preventing them is difficult, which causes a lot of trouble for network administrators. What follows is my personal experience in dealing with this problem, supplemented by a good deal of reference material found online.
Symptoms of ARP virus
Internet access is intermittent: sometimes it works and sometimes it does not. The same happens when accessing other computers through Network Neighborhood, and file copies fail with errors before they complete. ARP packets flood the LAN. An ARP query shows abnormal MAC addresses or wrong MAC-to-IP mappings, and a single MAC address may appear mapped to multiple IP addresses.
The principle of ARP attack
ARP spoofing packets generally have the following two features, and a packet that meets either one can be treated as an attack packet and should raise an alarm. First, the source and destination addresses in the Ethernet header do not match the address fields of the ARP packet. Second, the sender and target addresses of the ARP packet are not in the host's own NIC MAC database, or they do not match the MAC/IP pairs in that database. Either case should raise an alarm immediately. Checking the source address of the packet (the Ethernet frame), which may itself be forged, generally reveals which machine is launching the attack. Network management tools such as Network Law Enforcement Officer and Peer-to-peer Terminator use the same method: they masquerade as the gateway and deceive clients so that traffic sent to the gateway passes through them, which achieves traffic management and network monitoring. This also brings potential harm to network management, because it makes it easy to obtain users' passwords and other related information.
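The two alarm conditions above can be checked mechanically on captured frames. The following is an added example, not code from the original article; the KNOWN table, all addresses and the function names are constructed for illustration.

```python
import struct

# Constructed IP -> MAC table of known hosts (assumed to be kept by the administrator).
KNOWN = {"192.168.1.1": "00:11:22:33:44:55", "192.168.1.10": "00:aa:bb:cc:dd:10"}
BROADCAST = b"\xff" * 6

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))

def ip_str(b):
    return ".".join(str(x) for x in b)

def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame for testing (MACs as strings, IPs dotted)."""
    ipb = lambda s: bytes(int(p) for p in s.split("."))
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ipb(spa) + mac_bytes(tha) + ipb(tpa))

def check_arp_frame(frame, known=KNOWN):
    """Return alarm strings for one raw Ethernet frame; an empty list means no alarm."""
    if len(frame) < 42:
        return ["truncated frame"]
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return []  # not ARP
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["not IPv4-over-Ethernet ARP"]
    alarms = []
    # Feature 1: Ethernet header addresses disagree with the addresses inside the ARP packet.
    if eth_src != sha:
        alarms.append(f"header source {mac_str(eth_src)} != ARP sender {mac_str(sha)}")
    if op == 2 and eth_dst not in (BROADCAST, tha):
        alarms.append(f"header destination {mac_str(eth_dst)} != ARP target {mac_str(tha)}")
    # Feature 2: an IP/MAC pair in the packet is missing from, or contradicts, the known table.
    pairs = [("sender", spa, sha)] + ([("target", tpa, tha)] if op == 2 else [])
    for role, ipb, hw in pairs:
        expected = known.get(ip_str(ipb))
        if expected is None:
            alarms.append(f"{role} {ip_str(ipb)} not in known table")
        elif expected != mac_str(hw):
            alarms.append(f"{role} {ip_str(ipb)} claims {mac_str(hw)}, table says {expected}")
    return alarms
```

The target pair is checked only for replies (opcode 2), because a request carries an all-zero target MAC by design.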
Treatment methods
General handling procedure
1. First, make sure the network keeps functioning
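Method One: Create a ***.bat file with the following contents, where **.**.**.** is the gateway IP and **-**-**-**-**-** is the gateway MAC address:
rem Add a static ARP entry that binds the gateway IP to the gateway MAC address
arp.exe -s **.**.**.** **-**-**-**-**-**
Have each network user run it.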
Method Two: Create a registry file with the following key values:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MAC"="arp -s <gateway IP address> <gateway MAC address>"
Then save it as a .reg file and import it into the registry on each client.
2. Find the machine infected with the ARP virus
a. Ping the gateway's IP address from a computer, then use the arp -a command to check whether the MAC address listed for the gateway matches the real one. If it does not, the listed MAC address can be used to find the corresponding computer.
b. Use a packet capture tool and analyze the captured ARP packets. Some ARP viruses redirect the path to the gateway to themselves, while others send false ARP reply packets to disrupt network traffic. The first kind is relatively easy to handle; the second is harder. If anti-virus software cannot correctly identify the virus, the infected computers often have to be found and cleaned manually, which is more difficult.
c. Use a MAC address scanning tool such as Nbtscan to scan the IP address and MAC address table of the entire network segment, which helps determine the MAC address and IP address of the machine infected with the ARP virus.
Preventive measures
1. Apply operating system and application patches on clients promptly.
2. Install and update anti-virus software.
3. If the network is small, assign IP addresses manually rather than using DHCP.
4. If the switch supports it, bind MAC addresses to IP addresses on the switch.