Instructions on ARP virus handling:
Fault description: a machine that could previously access the Internet normally suddenly loses Internet access even though it has authenticated on the network (it cannot ping the gateway). After the machine is restarted, or after running the command arp -d in a command window (MS-DOS window), Internet access comes back for a while.
Fault cause: an ARP spoofing attack by the so-called ARP virus.
The cause is usually an ARP Trojan carried by plug-ins for the online game Legend. When such a plug-in is used on the LAN, the virus it carries sends a large number of ARP packets that announce the infected machine's MAC address as the MAC address for the gateway's IP address. Other machines in the same network segment cache this false mapping and send their traffic to the infected machine as if it were the gateway, which is why they can no longer reach the Internet while the intranet still works.
Temporary countermeasures:
Step 1. While you can still access the Internet, open a command window (MS-DOS window) and run arp -a to see the correct MAC address for the gateway IP address, and write it down.
Note: if you cannot access the Internet, run arp -d to clear the ARP cache; the computer can then reach the Internet again temporarily (only briefly, if the attack has not stopped). As soon as you are back online, disconnect from the network immediately (disable the network adapter or unplug the cable) and then run arp -a.
Step 2. Once you have the correct gateway MAC address, bind the gateway IP address to it manually whenever you lose Internet access, so that the computer is no longer affected by the attack. To bind manually, run the following command in the command window: arp -s <gateway IP> <gateway MAC>
For example, if the gateway of the computer's network segment is 218.197.192.254 and the local address is 218.197.192.1, running arp -a on the computer produces output like the following:
C:\Documents and Settings> arp -a
Interface: 218.197.192.1 --- 0x2
  Internet Address      Physical Address      Type
  218.197.192.254       00-01-02-03-04-05     dynamic
Here 00-01-02-03-04-05 is the MAC address cached for the gateway 218.197.192.254. The type is dynamic, which means the entry can be overwritten.
During an attack you can run the same command to check whether the gateway's MAC has been replaced by the attacking machine's MAC. If you intend to find the attacking machine and eradicate the attack completely, record that MAC now; it is what you will search for later.
The manual binding command is:
arp -s 218.197.192.254 00-01-02-03-04-05
After binding, run arp -a again to view the ARP cache:
C:\Documents and Settings> arp -a
Interface: 218.197.192.1 --- 0x2
  Internet Address      Physical Address      Type
  218.197.192.254       00-01-02-03-04-05     static
The type has now changed to static, and the entry will no longer be overwritten by the attack. Two limitations should be noted: the manual binding is lost when the computer is shut down or restarted, so it has to be repeated after every reboot; and it only protects this computer's own mapping of the gateway, not the gateway's mapping of this computer, so the infected machine can still interfere with traffic in the return direction. To eradicate the attack completely, the infected computer in the network segment must be found and cleaned. How to find the infected computer:
If the MAC address of the infected computer is known, use the nbtscan tool to find the IP address in the network segment that corresponds to that MAC address; that is the IP address of the infected computer. Then report it to the school network center so that it can be blocked.
nbtscan usage:
Download nbtscan.rar to the hard drive and extract it. Copy cygwin1.dll and nbtscan.exe into C:\Windows\System32 (or C:\Windows\System). Open a command window and run:
nbtscan -r 218.197.192.0/24
(This assumes the local network segment is 218.197.192.0 with mask 255.255.255.0; replace the network address with your own segment when you run the command.)
Note: nbtscan's output is sometimes incomplete because some computers run firewall software that blocks its NetBIOS name queries, but those computers still appear in this computer's ARP cache. So when using nbtscan, also check the ARP cache (arp -a) to obtain the complete mapping between IP addresses and MAC addresses in the segment.
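The checks in Steps 1 and 2 and the nbtscan cross-reference above can be scripted. The following Python program is an added example, not part of the original instructions and not code from nbtscan: it parses constructed samples of Windows arp -a output and nbtscan output (the gateway 218.197.192.254 and recorded MAC 00-01-02-03-04-05 come from the example above; the other hosts, MACs and NetBIOS names are made up), reports whether the cached gateway MAC still matches the recorded one and whether the entry has become static, lists MACs that appear under more than one IP, and looks up the IPs using a suspect MAC in both sources, since a host hidden from nbtscan by its firewall can still be present in the ARP cache.

```python
"""Added example (not part of the original instructions): parse the text output of
Windows `arp -a` and of nbtscan, compare the gateway entry with the MAC recorded
earlier, and find which IP a suspect MAC is using, cross-referencing both sources
as the note above recommends.  All sample output here is constructed."""
import re

GATEWAY_IP = "218.197.192.254"           # gateway from the example above
KNOWN_GATEWAY_MAC = "00-01-02-03-04-05"  # recorded with arp -a while access still worked

# Constructed `arp -a` output taken during an attack: the gateway IP now resolves
# to the same MAC as another host in the segment, the classic spoofing signature.
ARP_A_OUTPUT = """\
Interface: 218.197.192.1 --- 0x2
  Internet Address      Physical Address      Type
  218.197.192.254       00-0c-29-aa-bb-cc     dynamic
  218.197.192.17        00-0c-29-aa-bb-cc     dynamic
  218.197.192.33        00-50-56-11-22-33     dynamic
"""

# Constructed nbtscan output (names and MACs made up).  MACs are normalised before
# comparison, so it does not matter whether the tool prints dashes or colons.
NBTSCAN_OUTPUT = """\
Doing NBT name scan for addresses from 218.197.192.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
218.197.192.17   LAB-PC17         <server>  <unknown>        00:0c:29:aa:bb:cc
218.197.192.45   LAB-PC45         <server>  <unknown>        00:50:56:44:55:66
"""

MAC_RE = r"[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}"
ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(" + MAC_RE + r")\s+(\w+)\s*$")
NBT_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s.*?(" + MAC_RE + r")\s*$")


def normalize_mac(mac):
    """Return the MAC as lower-case, colon-separated, whatever separator it came with."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp_a(text):
    """Map IP -> (mac, type) from Windows `arp -a` output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (normalize_mac(m.group(2)), m.group(3).lower())
    return table


def parse_nbtscan(text):
    """Map IP -> (netbios_name, mac) from nbtscan output."""
    table = {}
    for line in text.splitlines():
        m = NBT_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2), normalize_mac(m.group(3)))
    return table


def check_gateway(arp_table, gateway_ip=GATEWAY_IP, known_mac=KNOWN_GATEWAY_MAC):
    """Compare the cached gateway MAC with the recorded one.  'type' is 'static'
    once `arp -s` has been applied, 'dynamic' while the entry can still be poisoned."""
    expected = normalize_mac(known_mac)
    entry = arp_table.get(gateway_ip)
    if entry is None:
        return {"status": "missing", "expected": expected, "current": None, "type": None}
    current, kind = entry
    return {"status": "ok" if current == expected else "spoofed",
            "expected": expected, "current": current, "type": kind}


def duplicate_macs(arp_table):
    """MACs claimed by more than one IP in the cache; a spoofed gateway shows up here."""
    by_mac = {}
    for ip, (mac, _) in arp_table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_hosts_by_mac(mac, arp_table, nbt_table, gateway_ip=GATEWAY_IP):
    """IPs (other than the gateway's) that nbtscan or the ARP cache attribute to `mac`.
    The ARP cache fills in hosts whose firewall hides them from nbtscan."""
    wanted = normalize_mac(mac)
    hits = {ip for ip, (m, _) in arp_table.items() if m == wanted}
    hits |= {ip for ip, (_, m) in nbt_table.items() if m == wanted}
    hits.discard(gateway_ip)
    return sorted(hits)


if __name__ == "__main__":
    arp = parse_arp_a(ARP_A_OUTPUT)
    nbt = parse_nbtscan(NBTSCAN_OUTPUT)
    verdict = check_gateway(arp)
    print("gateway:", verdict)
    if verdict["status"] == "spoofed":
        print("suspect hosts:", find_hosts_by_mac(verdict["current"], arp, nbt))
    print("duplicate MACs:", duplicate_macs(arp))
```

To use it on a real machine, save the real output with arp -a > arp.txt and nbtscan -r 218.197.192.0/24 > nbt.txt and read those files into the two strings; a status of "spoofed" together with the same MAC listed under a second IP is the situation described in Step 2, and the IPs returned by find_hosts_by_mac are the candidates to report.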
Addendum:
Anti ARP Sniffer instructions
I. Function description:
Anti ARP Sniffer prevents packet interception by ARP spoofing, and prevents attackers from using ARP to send IP address conflict packets.
II. Instructions for use:
1. ARP spoofing:
Enter the gateway IP address and click [Get gateway MAC address]; the gateway's MAC address is displayed. Click [Automatic protection] to protect communication between the current NIC and the gateway from being intercepted by a third party.
Note: if an ARP spoofing alert appears, an attacker is sending ARP spoofing packets in order to capture this NIC's traffic. To trace the source of the attack, note the attacker's MAC address shown in the alert; a MAC address scanner can then be used to find the IP address that corresponds to it.
2. IP address conflicts
First click [Restore default], then click [Protect address conflict].
If IP address conflicts occur frequently, an attacker is repeatedly sending ARP spoofing packets that trigger the IP address conflict warning. Anti ARP Sniffer can be used to block this type of attack.
First you need to know the conflicting MAC address. Windows records these errors; to look them up:
Right-click [My Computer] --> [Manage] --> [Event Viewer] --> [System] --> look for events with Source: Tcpip --> double-click the event; the address conflict message it shows includes the MAC address. Copy that MAC address into the local MAC address box of Anti ARP Sniffer (converting the "-" separators to the form the box expects), then click [Protect address conflict]. For the MAC address to take effect, disable the local NIC and enable it again. At the command line, run ipconfig /all and check that the current MAC address matches the one in the local MAC address box. If the change fails, contact me. If it succeeds, the address conflict will no longer be reported. (This protection works by changing the local NIC's MAC address to the one named in the conflict report, so that Windows no longer treats those packets as a conflict; it does not stop the attacker from sending them.)
Note: to restore the default MAC address, click [Restore default]; again, disable and then re-enable the local NIC for it to take effect.
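Reading the conflicting MAC out of the Event Viewer entries can also be done with a small script, which is useful when there are many conflict events. The following Python program is an added example, not part of the Anti ARP Sniffer documentation: it extracts the IP and claimant MAC from messages in the wording of the Windows Tcpip address-conflict event (the message texts and MACs below are constructed), counts how many reports each MAC produced, and prints each MAC without separators, which is assumed here to be the form the tool's local MAC address box expects.

```python
"""Added example (not part of the Anti ARP Sniffer documentation): pull the
conflicting MAC addresses out of Windows Tcpip address-conflict event messages,
count how often each appears, and print them in separator-free form for the
tool's local-MAC box (an assumption about that box).  Messages are constructed."""
import re
from collections import Counter

# Constructed sample messages in the wording of the System-log Tcpip conflict event.
# The last one is an unrelated constructed message and must be ignored.
EVENT_MESSAGES = [
    "The system detected an address conflict for IP address 218.197.192.1 with the "
    "system having network hardware address 00-0C-29-AA-BB-CC. Network operations "
    "on this system may be disrupted as a result.",
    "The system detected an address conflict for IP address 218.197.192.1 with the "
    "system having network hardware address 00-0C-29-AA-BB-CC. Network operations "
    "on this system may be disrupted as a result.",
    "The system detected an address conflict for IP address 218.197.192.1 with the "
    "system having network hardware address 00-50-56-44-55-66. Network operations "
    "on this system may be disrupted as a result.",
    "The IP address lease 218.197.192.1 for the Network Card has been denied.",
]

CONFLICT_RE = re.compile(
    r"address conflict for IP address (\d+\.\d+\.\d+\.\d+) with the system having "
    r"network hardware address ([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def parse_conflicts(messages):
    """(ip, mac) for every conflict message; other event messages are skipped."""
    found = []
    for msg in messages:
        m = CONFLICT_RE.search(msg)
        if m:
            found.append((m.group(1), m.group(2).upper()))
    return found


def conflict_counts(messages):
    """How many conflict reports each claimant MAC produced, most frequent first.
    A MAC that keeps reappearing is the attacker the instructions describe."""
    return Counter(mac for _, mac in parse_conflicts(messages)).most_common()


def mac_for_tool(mac):
    """'00-0C-29-AA-BB-CC' -> '000C29AABBCC' (separator-free form, assumed for the box)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


if __name__ == "__main__":
    for mac, n in conflict_counts(EVENT_MESSAGES):
        print("%s reported %d time(s); enter as %s" % (mac, n, mac_for_tool(mac)))
```

The message texts can be copied from the event details in Event Viewer; the MAC with the highest count is the one to enter into the tool, and the IP in each message confirms which local address the conflict packets are targeting.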