How to Use routers in Internet cafes to prevent ARP attacks

ARP attack: the culprit that causes transient disconnection and large-scale network disconnection. In a LAN, IP addresses (Layer 3) and Layer 2 Physical addresses (MAC addresses) are converted through ARP. Some devices in Internet cafes, such as routers and computers with TCP/IP protocols, provide ARP cache tables to speed up communication. Currently, many attack software with ARP spoofing uses ARP to attack network devices. Forged MAC addresses correspond to IP addresses in the LAN, modify the ARP cache table of the router or computer so that the computer with a valid MAC cannot correspond to the IP address, and thus cannot access the Internet through the router. After the router is restarted, the ARP cache table is refreshed and the network returns to normal within a short period of time. After the ARP attack is started, the network is disconnected, it is easy to be disconnected by mistake as a "dead" router, which makes it impossible for Internet cafe administrators to take timely actions to quickly resume normal operation of Internet cafes.
In this paper, the new generation of TP-LINK TL-R4148 for the special Broadband Router is introduced as an example, how to prevent ARP attacks:
If the "IP and MAC Address binding" function is available on the vro, ARP attacks can be effectively prevented. Enable binding IP and MAC addresses when the internet cafe network is normal (1 ), you can create a one-to-one correspondence between MAC and Intranet IP addresses of each computer in the internet cafe and save them to the ARP cache table (2). After that, even if an internet cafe is attacked by ARP, it cannot modify the ARP cache table. This fundamentally eliminates the impact of ARP attacks on the router and ensures normal operation of the Internet cafe.

498) this. style. width = 498; "border = 0>

Figure 1

498) this. style. width = 498; "border = 0>

Figure 2
In addition, it is easy to bind IP addresses to MAC. You do not need to enter the IP addresses and MAC addresses of your computer one by one, regardless of the size of Internet cafes, you only need to click the "bind all" button in the ARP ing table on the router management interface when the internet cafe works normally (3) to bind the IP address to the MAC address; click "import all" to save the established IP and MAC binding relationship to the system. You do not need to re-bind the IP even if you restart the system.

498) this. style. width = 498; "border = 0>

Figure 3
In addition, there are generally only two types of devices in Internet cafes with ARP caches, one is a router, the other is an Internet computer, and only these two types of devices are most vulnerable to ARP attacks. Just as data packets cannot reach the computer when the router is under ARP attacks, when the Internet computer is under ARP attacks, the data packets will not be sent to the router, but to a wrong place, of course, you cannot access the Internet through the vro. Therefore, Internet cafes must deal with ARP attacks. In addition to binding IP addresses and MAC addresses To routers, binding IP addresses and MAC addresses on computers is also essential.
I have already introduced how to bind an IP address to a MAC address on a computer? In fact, Microsoft's operating system contains the ARP command line program, on the Windows command line interface of your computer, enter "arp-s + vro IP address such as 192.168.1.1 + MAC address of the router LAN port" to bind the router IP address and MAC address to the ARP table of your computer. If you enter the ARP command on the Windows command line interface to bind an IP address to a MAC address, you need to enter the ARP command every time the computer restarts. There is a simpler way to do this, this allows the computer to automatically bind the IP address of the router to the MAC address in the ARP table of the computer each time the computer starts up:
STEP 1 create a batch file such as static_arp.bat. Note that the suffix is bat. Edit it, add the ARP command to it, and save it.

498) this. style. width = 498; "border = 0>

To obtain the MAC address of the LAN port of the router, you can view the "LAN running status" on the router interface ".
STEP 2 copy the established batch processing file static_arp.bat to the startup directory of the system. The file is automatically run every time the computer starts, and the IP address and MAC are automatically bound.

498) this. style. width = 498; "border = 0>

STEP 3 copy the static_arp.bat file to the system startup directory of all computers in the Internet cafe.
At this point, all computers in the internet cafe have bound the IP address of the router to the MAC address in the ARP table, so there is no need to worry about the inability to access the Internet due to ARP attacks.
Note: After ARP protection (IP and MAC binding) is enabled, the computer should use a fixed IP address instead of a dynamic IP address (automatically obtain an IP address through DHCP ), if a dynamic IP address is used, the IP address obtained when the computer starts up may be different, which may cause inconsistency with the IP address saved in the router and the MAC binding entry, so that the computer will not be able to access the Internet.