How to locate ARP attacks?

1. Locate the source of ARP attack

Active locating: because all ARP attack sources have their own features-the NIC is in the hybrid mode. You can use tools like ARPKiller to scan which machine's Nic is in the hybrid mode, this machine may be the culprit ". After locating the machine, collect the virus information and submit it to Trend Micro for analysis.

Note: The NIC can be placed in promiscuous mode. In this mode, the NIC can receive all data through it, regardless of whether the target address of the data is actually the same. This is actually the basic principle of Sniffer: Let the network adapter receive all the data it can receive.

Passive Location: When an ARP attack occurs on the LAN, view the content in the dynamic ARP table of the switch to determine the MAC address of the attack source. You can also deploy the Sniffer tool on the LAN, locate the MAC address of the ARP attack source.

You can also directly Ping the gateway IP address. After completing the Ping, use ARP-a to view the MAC address corresponding to the gateway IP address. This MAC address should be spoofed, you can use NBTSCAN to obtain the real IP address, machine name, and MAC address of the PC. If there is an "ARP attack", you can find the IP address, machine name, and MAC address of the PC with the ARP attack.

Command: "nbtscan-r 192.168.16.0/24" (search for the entire 192.168.16.0/24 network segment, that is, 192.168.16.1-192.168.16.254); or "nbtscan 192.168.16.25-137" search for 192.168.16.25-137 network segment, that is, 192.168.16.25-192.168.16.133. The first column of the output result is the IP address, and the last column is the MAC address. Example of NBTSCAN:

Suppose you want to find a virus host with the MAC address "000d870d585f.

1. Decompress nbtscan.exe and cygwin1.dll In the compressed package to c.

2) Start-run-open in Windows, Enter cmd (enter "command" in windows98), and enter C: btscan-r 192.168.16.1/24 (enter according to the actual network segment), and press Enter.

3) by querying the corresponding table of the IP--MAC, find that the IP address of the virus host of "000d870d585f" is "192.168.16.223 ".

Through the above method, we can quickly find the virus source and confirm its MAC --> machine name and IP address.

2. Defense methods

A. use a three-layer switch that can defend against ARP attacks, bind port-MAC-IP, limit ARP traffic, timely detection and automatic blocking ARP attack Port, reasonable VLAN division, completely prevent the theft of IP, MAC address, eliminate ARP attacks.

B. Implement Internet access control for networks with frequent outbreaks of viruses, and restrict users' access to the network. This type of ARP attack program is generally downloaded from the Internet to the user terminal. If you can enhance the user's access control on the Internet, this problem can be greatly reduced.

C. when an ARP attack occurs, locate the virus attack source and collect the virus information. Use Trend Micro's SIC2.0 to collect suspicious virus sample files and submit them to Trend Micro's TrendLabs for analysis, trendLabs will provide virus pattern files as quickly as possible to defend against ARP viruses.