How to prevent ARP attacks

The following is the OMG small series for everyone to collect and organize the article, hope to help everyone.

ARP Spoofing Trojan Horse program (virus) attack (ARP is "Address resolution Protocol" "addresses Resolution Protocol" abbreviation), the virus occurs when the symptoms of the computer network connection is normal, but open the Web page when the break-through; or due to ARP spoofing trojan program (virus) The outbreak of a large number of packets, resulting in user access to the Internet is not stable, greatly affecting the normal use of users, to the network security brings serious hidden dangers.

Virus principle

When a host computer in the LAN running ARP spoofing trojan program, will deceive all the local area network host and switch, so that all the traffic must go through the virus host. Other users used to go directly to the Internet through the switch now to the Internet through the virus host, switching time users will break a line. Due to ARP spoofing Trojan program occurs when a large number of packets caused by the LAN traffic congestion and its own processing capacity restrictions, users will feel the speed of the Internet more and more slowly. When the ARP cheat Trojan program stops running, the user restores the Internet from the switch (at this point the Switch MAC Address Table is normal) and the user will break the line again during the handover. When the virus occurs, it only affects the normal access to the machine in the same network segment.

The measures taken

First, the user should enhance the network security consciousness, do not easily download, use pirated and security-hidden software, or browse some websites that lack credibility; do not casually open unknown sources of e-mail, especially mail attachments; Do not share files and folders, even if you want to share, you have to set the right, The general designation of specific accounts or specific machines to access, and do not recommend the setting can be written or controlled, so as to prevent the PC by Trojan virus intrusion to the security of the network to bring hidden dangers.

Second, the computer users to timely download and update the operating system patches, install genuine anti-virus software, enhance the ability of PC defense computer virus.

Third, the user examines and handles "ARP deceives" the Trojan Horse method.

1, check whether the machine is "ARP deception" Trojan dye poison

While holding down the CTRL + ALT +del key on the keyboard, select Task Manager and click the Processes tab. See if there is a process named "MIR0.dat". If so, it is poisoned, right click on the process and select "End Process".

2, in the ARP Spoofing Trojan Horse program (virus) attack, users can choose the following methods of processing.

Method One:

Download the anti ARP sniffer software to protect the local computer from running properly. At the same time, the software is set to start automatically, step: first Antiarp.exe to generate desktop shortcuts-> select "Start"-> "program"-> Double-click "Start"-> and then the desktop Antiarp.exe shortcut keys to "boot" to ensure that the next boot automatically run , which plays a protective role.

Method Two:

In the start-Program-Attachment menu, drop the command prompt. Enter and execute the following command: ipconfig

Record the Gateway IP address, the value corresponding to the "default gateway", such as "10.1.4.1". Then enter and execute the following command:

Arp? Ca

Locate the Gateway IP address for the step record below "Internet address", and record its corresponding physical location, that is, the "physical addresses" value, such as "00-e0-fc-0f-8f-4d". When the network is normal, this is the correct physical address of the gateway, in the network by the "ARP spoofing" Trojan impact and not normal, it is the Trojan computer network card Physical address. You can also scan the entire IP address in the Web, and then check the ARP table. If there is an IP corresponding physical address and the same gateway, then this IP address and physical address is poisoned the computer's IP address and network card physical address. This method can reduce the influence of the other computers in the Trojan to some extent. Use the method described above to determine the correct gateway IP address and the physical address of the gateway, and then enter and execute the following command in the command Prompt window:

Arp? Cs Gateway IP Gateway Physical address.

Method III: (Temporary solution only when there is a failure when applicable)

In the start-Program-Attachment menu, drop the command prompt. Enter and execute the following command:

Arp-d

Method Four:

Lan ARP attacks the immune device, there is a network. (1) Copy the 3 DLL files inside the windowssystem32, and copy NPF this file into Windowssystem32drivers. (2) Change the 4 files to read-only in the security attribute. That is, no one is allowed to modify.

Four, the following procedures with this type of ARP virus (legendary killer, etc.), please do not use:

Legend 2 Ice Orange 1.44 Edition

Legend 2 Timely PK version

"Internet café legendary killer" Trojan Horse software for legendary account number and password scan

Network law enforcement officer and other similar procedures

V. Trend technology provides ARP virus removal tool