How to Use Anti ARP Sniffer to find ARP attackers

Recently, users often receive phone complaints, indicating that the connection is restricted and the IP address cannot be obtained at all. The Gateway Switch cannot be pinged, and the indicator is in normal status. After the vswitch is restarted, the client can access the Internet, but it is still refreshing soon! It seriously affects the normal use of the enterprise network and may cause economic losses.

According to the situation described by the user and the experience we have processed many times, it is certainly caused by ARP attacks. I understand the problem, but how can I solve it?

Although you can use the "Double binding" method to bind a MAC address and port to a vswitch, and bind a gateway IP address and a MAC address to a client, because the network management workload is too large, it is not guaranteed that all users are bound to the gateway IP address and MAC address on their computers. Therefore, we take the following measures to prevent and search for ARP attacks.

We recommend that you install the third-party tool software on your computer: arpfirewall developed by ColorSoft (formerly Anti ARP Sniffer ). The biggest feature of the software is that the system kernel layer intercepts false ARP packets and proactively notifies the gateway of the correct MAC address of the Local Machine. This ensures that the computer where the software is installed can access the Internet normally, it also intercepts external ARP attacks on the local machine.

If an internal ARP attack is detected, the attacker can directly process the local machine. If an external ARP attack is detected, the attacker's computer can be searched through the attacker's IP address and/or MAC address based on the actual situation. The following describes how to use the software as an example:

1. Download, install, and run the arpfirewall on a computer in the same network segment. On the first day, everything was normal and no attack was found. The next day, an ARP attack was discovered in less than half an hour after the instance was started.

 

Figure 1 External ARP Attack Detected by arpfirewall

2. Further identify the attacker's MAC address in order not to blame the good guys. Go to the core switch and view the MAC address table of the CIDR block. Our core switch is Huawei. type the command "Display arp vlan xx" (xx is the VLAN Number of the ARP attack CIDR block to be searched) and press Enter. 2 is displayed.

 
Figure 2 MAC Address Table displayed on the core switch

For ease of viewing, we copy the data to Word and sort it by MAC address. In Word, select the data and select "sort" from the "table" menu. The "Sort text" window is displayed, select "domain 3" as the "main keyword", that is, the MAC address, 3

 
Figure 3 sorting MAC Address Table

After sorting, you can easily see that four IP addresses correspond to the same MAC address (such as table 1 )! We know that the MAC address is the only one in the world, which is consistent with the results detected by the arpfirewall. Now the computer corresponding to the MAC address 0011-5b2d-5c03 must be faulty. Among these IP addresses, only xxx. xxx. xx.92 is authentic, and the rest are forged. As our computer has been monitoring, the attacker's computer has been detected as soon as it launched an external attack, so there are not many fake IP addresses, I have discovered that I have forged nearly 10 IP addresses, and this CIDR block has more than 20 computers.

Table 1 counterfeit IP addresses

Xxx. xxx. xx.178
0011-5b9d-7246
 
Xxx. xxx. xx.188
0011-5b9d-7246
 
Xxx. xxx. xx.197
0011-5b9d-7246
 
Xxx. xxx. xx.92
0011-5b9d-7246
 

3. Search for ARP attackers
If it is a static IP address, find the IP address registration form, and you can easily find the computer that sends ARP attacks. Because we use a dynamic IP address and do not have the MAC address of each computer, although we know the attacker's IP address and MAC address, the long journey has only taken the first step.

The DHCP server is based on Microsoft Windows 2003. Open the DHCP manager and view the computer name corresponding to the IP address xxx. xxx. xx.92 from the address lease. It is random and meaningless.

Log on to the access layer switch of the VLAN where you want to find the CIDR block, and view the MAC address table on the switch one by one. We use annett's switch. On the Web interface, we can query the MAC address table by VLAN to see if there is a record with the MAC address 0011-5b9d-7246. The cause of the error was found until 15th vswitches were found. Result 4 shows that the MAC address corresponds to port 16th of the vswitch. Network Management Switches of other manufacturers can also view MAC addresses.

 
Figure 4 MAC address table on the access layer switch

4. The rest of the work is simple. First, Disable the 16th port of the switch, and then find the user's online registration information to notify the user to process his computer.

Finally, we recommend the following measures to prevent ARP attacks:
1. VLAN assignment on a vswitch. In this way, even if an ARP attack exists in the network, only the users of this VLAN are affected, and the affected range and search scope are reduced.
2. You are required to install the arpfirewall. It can not only prevent external ARP attacks, but also prevent external ARP attacks from the local machine. Once an attack is detected, contact the network administrator.