With the growth of China's router industry, broadband routers have come into wide use. Here we mainly analyze how to make a Broadband Router immune to ARP attacks. At present, ARP spoofing attacks have become the main culprit in disrupting Internet cafe operations, and they are a big headache for Internet cafe owners and network administrators. Two types of ARP spoofing are currently known: one is spoofing of the Broadband Router's ARP table, and the other is gateway spoofing of the Intranet PCs.
ARP (Address Resolution Protocol) is a low-level protocol in the TCP/IP protocol stack. It is responsible for resolving an IP address into the corresponding MAC address. The first type of ARP spoofing intercepts gateway data: the attacker feeds the Broadband Router a series of incorrect Intranet MAC addresses and keeps repeating them at a certain frequency, so that the real address information can never be updated and saved in the Broadband Router. As a result, all data from the Broadband Router can only be sent to the wrong MAC addresses, and the normal PCs never receive it. The second type of ARP spoofing forges a gateway: a false gateway is set up so that the spoofed PCs send their data to it instead of reaching the Internet through the normal Broadband Router. From the PC's point of view, the network cannot be reached and appears to be disconnected.
In general, the consequences of an ARP spoofing attack are very serious; in most cases a large-scale disconnection occurs. Some network administrators do not know much about this. When a fault occurs, they reason that the PCs are fine, that a switch cannot cause disconnections, and that China Telecom does not acknowledge any broadband fault. In addition, with the first type of ARP spoofing, simply restarting the Broadband Router restores the network completely, so they conclude that the problem must lie in the Broadband Router. For this reason, the Broadband Router takes a great deal of undeserved blame.
As a manufacturer of Broadband Routers for Internet cafes, a vendor has to do a lot of work to prevent ARP spoofing. 1. In the Broadband Router, enter the IP-MAC pairs of all PCs into a static table; this is called Broadband Router IP-MAC binding. 2. Advise the network administrator to set static ARP information for the gateway on every PC in the Intranet; this is called PC IP-MAC binding. Generally, the manufacturer requires both to be done and calls the combination IP-MAC bidirectional binding.
The method is effective, but the work is complicated and the management is troublesome. Binding each PC is inherently laborious, and adding, maintaining, and managing a long list in the Broadband Router is even more painful. Once you resize the network or replace a network card later on, it is easy to cause confusion through an oversight. If this worries you, you may wish to use the IXP host of the Xinxiang Internet cafe router, which can make your life easier. The Xinxiang Broadband Router does not need IP-MAC binding at all, so there is no long list of addresses to maintain. To deal with ARP, you only need to do one-way binding on the PCs. This router can effectively reject ARP spoofing aimed at the gateway; it is inherently immune. The innate ARP immunity of the Xinxiang router depends on two powerful technical measures: one is its unique NAT processing mechanism, and the other is the gateway's active defense mechanism.
Its NAT processing method differs from the common protocol stack approach. Building on the original network protocol, the NAT service is enhanced, protected, and extended. Although NAT is a standard network protocol, it can be implemented in different ways that still achieve the same goal. ARP spoofing only works against public, general-purpose systems: it exploits weaknesses in the general system's working mode, but it has no effect on this NAT implementation, because the NAT design includes strong protective fields. This is the principle by which the Xinxiang router is immune to ARP spoofing.
In addition, to combat ARP spoofing by counterfeit gateways, the product includes a gateway ARP broadcast mechanism, which announces the correct gateway address to the Intranet at a specified frequency and thereby defends the gateway's legitimate role. When the ARP virus cannot be cleared promptly and the network administrator has not yet bound IP-MAC on the PCs, this keeps the network running to a certain extent, avoids catastrophic consequences, and buys time for repairing the systems. This is the active ARP defense mechanism.
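To make the binding check and the gateway announcement described above concrete, here is a small ARP monitor, added as an example and not code from the article or from the Xinxiang product. It builds a few ARP reply frames with constructed addresses (not real ones), parses them as they would arrive on the LAN, and flags a frame that claims a statically bound IP such as the gateway with a different MAC, or an unbound IP that changes MAC after it was first seen.

```python
import ipaddress
import struct

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP request (opcode 1) or reply (opcode 2)."""
    sha, tha = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    spa, tpa = (ipaddress.IPv4Address(a).packed for a in (sender_ip, target_ip))
    eth = tha + sha + b"\x08\x06"  # dst MAC, src MAC, EtherType ARP
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + spa + tha + tpa

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    return opcode, sender_mac, sender_ip

def check_arp(frame, bindings, seen):
    """None if consistent; 'BINDING_VIOLATION' if a statically bound IP (e.g. the gateway)
    is claimed by another MAC; 'MAC_CHANGE' if an unbound IP flips MAC since first sighting."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    _, sender_mac, sender_ip = parsed
    if sender_ip in bindings and bindings[sender_ip] != sender_mac:
        return "BINDING_VIOLATION"
    if seen.setdefault(sender_ip, sender_mac) != sender_mac:
        return "MAC_CHANGE"
    return None

def run_monitor(frames, bindings):
    seen = {}  # dynamic IP->MAC table, the thing ARP spoofing tries to poison
    return [check_arp(f, bindings, seen) for f in frames]

# Constructed sample (not real addresses): one bound gateway, then four ARP replies as seen on the LAN
GATEWAY_IP, GATEWAY_MAC, BCAST = "192.168.1.1", "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff"
BINDINGS = {GATEWAY_IP: GATEWAY_MAC}
SAMPLE_FRAMES = [
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, BCAST, GATEWAY_IP),                    # gateway's periodic announcement
    build_arp(2, "00:11:22:33:44:0a", "192.168.1.10", GATEWAY_MAC, GATEWAY_IP),  # normal PC reply to the gateway
    build_arp(2, "de:ad:be:ef:00:01", GATEWAY_IP, BCAST, GATEWAY_IP),            # forged gateway (second ARP type)
    build_arp(2, "de:ad:be:ef:00:01", "192.168.1.10", GATEWAY_MAC, GATEWAY_IP),  # PC's IP claimed by another MAC
]
ALERTS = run_monitor(SAMPLE_FRAMES, BINDINGS)  # [None, None, 'BINDING_VIOLATION', 'MAC_CHANGE']
```

The static table plays the role of the PC-side IP-MAC binding: an entry in it can never be overwritten by a later reply, which is exactly what a forged gateway announcement relies on.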
However, if you do not bind IP-MAC on the PCs, the network keeps running in an infected state even with the active defense mechanism in place. Such ARP traffic is purely an Intranet matter and does not pass through the Broadband Router, so the Broadband Router can only intervene by countering it from outside. When the spoofing becomes too rampant, intermittent failures will occur, as the active defense mechanism and the ARP spoofing fight each other. For this reason, the product also provides dedicated tool software for detecting, locating, and preventing ARP spoofing, offered free of charge to all Internet cafes. It helps network administrators discover that ARP spoofing exists, assists in clearing the sources of the spoofing, and adds the Xinxiang active defense mechanism to deal with ARP spoofing effectively.
Despite all this, we still remind Internet cafe network administrators that, to settle the matter once and for all, it is worth taking the time to do IP-MAC binding on every PC, which completely eradicates the trouble of ARP spoofing. Moreover, this router requires only one-way binding, which saves you the other half of the work and means you never have to restart the Broadband Router and disconnect the network. The Broadband Router itself is not afraid of ARP; bind your PCs, and the PCs are not afraid of ARP either. With this two-pronged approach, you can rest assured that your Internet cafe is secure.