I helped Internet cafe friends catch hackers

Source: Internet
Author: User

This article is from many years ago, but it still seems to have reference value.

A few weeks ago I helped an Internet cafe solve a problem of frequent disconnections. I have written up my troubleshooting experience here, in the hope that it is useful to you.

The fault the Internet cafe described to me was that the network dropped without any regular pattern: all the clients downstream lost Internet access, while the Internet access server itself could still reach the Internet, which means the ISP line was fine. After each disconnection, restarting the Internet access server restored the network. The problem was therefore located inside the cafe. The cafe's network structure is shown in Figure 1.

[Figure 1: Internet cafe network structure (image: http://img1.51cto.com/attachment/201411/1/9437529_14148552540iXx.jpg)]

After analysis, I thought the cafe's disconnections could be caused by any of the following:

1. A problem on the path from the Internet access server's intranet NIC to the primary switch. For example, the NIC of the Internet access server is faulty, the server itself is faulty (say, the power-supply fan or CPU fan is broken), the cable between the primary switch and the server's NIC is bad, or the primary switch itself is faulty;

2. A client in the cafe has a virus that sends a large number of packets, congesting the network;

3. The NIC of a client or a port on the switch is damaged;

4. There is an attack inside the cafe, such as the common ARP attack.

But which one was it? They had to be excluded one by one, starting with the first. To rule it out, the boss replaced the primary switch with another one he had tested, I replaced the network cable between the primary switch and the server's NIC, and I also reinstalled and reconfigured the Internet access server. If the first cause had been responsible, the problem should now have been solved. One day passed, then a week, and the boss called again to say the network had dropped once more. This was not unexpected: when I had checked the Internet access server I found nothing seriously suspicious that could cause a disconnection. It had some useless protocols installed, but that is not enough to make the internal network drop; at most it affects performance.

So I began to suspect the clients, but I immediately ruled out the second possibility, because the cafe had installed Recovery Genie and similar tools: after a restart every machine is restored, so the clients should not carry viruses. The disconnections were also too irregular in timing to be a bad client NIC or switch port, so I thought of the fourth possibility: was someone attacking? If so, the real cause could only be determined while the attacker was active; if the attacker was not present when I went there, I would find nothing. So the next time the boss called to report a disconnection, I hurried to the site. On arrival I ran arp -a on the Internet access server, and what I saw surprised me: wasn't this exactly the ARP attack I had conjectured? (As shown below.)

C:\Documents and Settings\Administrator>arp -a

Interface: 192.168.0.1 --- 0x10004
  Internet Address      Physical Address      Type
  192.168.0.12          00-11-09-d5-86-4a     dynamic
  192.168.0.13          00-11-09-d5-86-4a     dynamic
  192.168.0.15          00-11-09-d5-86-4a     dynamic
  ...

From the ARP cache table above we can see that the MAC addresses for all the intranet IP addresses have been changed to the same value. That MAC address may be the attacker's; in this way all data sent to the other IP addresses is delivered to the attacker, which serves purposes such as stealing passwords. Which real IP address does this MAC belong to? Because the original MAC addresses had not been recorded, the client could only be found through its IP address, so I installed sniffer software on the Internet access server to see which IP address was sending the aggressive packets. Figure 2 shows the ARP traffic I filtered out after capturing with Ethereal. The first part consists of ARP broadcasts: in essence the attacker is scanning to find which machines are online, because online machines respond to the ARP broadcast. But this immediately exposes the attacker, as Figure 2 shows: the machine doing the scanning is the client with IP address 192.168.0.56 (host 56). Of course, this alone does not prove it is the attacker, so let's look at the following packets (Figure 3).

[Figure 2: ARP broadcasts filtered from the Ethereal capture (image: http://img1.51cto.com/attachment/201411/1/9437529_1414855255sUP0.jpg)]

[Figure 3: ARP reply packets from the attacker (image: http://img1.51cto.com/attachment/201411/1/9437529_1414855256TWcg.jpg)]

Note the highlighted lines in Figure 3. The source MAC is the attacker and the destination MAC is the internal NIC of the Internet access server; here the attacker impersonates 192.168.0.86, telling the gateway that the MAC address of machine 86 is 00-11-09-d5-83-2d (the attacker's MAC address). The result is that data the gateway sends to machine 86 goes to the attacker instead. In the next line the attacker tells another machine (found to be machine 85) that the gateway's MAC address is the attacker's MAC address. So the attack works in both directions: the attacker tells the client that the gateway's address is its own MAC, and tells the gateway that the client's address is its own MAC, so all the traffic passes through the attacker, who can then collect other users' account names and passwords on the network. Of course, it is also quite possible that this was simply a pure attack. Either way the network gets slower and slower until it collapses. If the attacker shuts down at that point, the whole network suddenly fails, because the clients can no longer communicate with the fake "gateway"; of course they cannot reach the Internet, and the network appears to be offline. If the Internet access server is restarted at this point, it broadcasts its own ARP at startup, which makes the clients update their ARP entry for the gateway, and the network returns to normal. But if the attack continues, the network will crash as before.

So how can we prevent such ARP attacks? As long as an attacker cannot change the ARP cache entries of other machines, the attack fails, and static ARP entries achieve exactly that. It is somewhat troublesome, though, because entries must be created on the gateway as well as on the clients: to stop the attacker from modifying ARP entries on the gateway, the gateway needs static ARP entries for all clients; and to stop the attacker from modifying ARP entries on the clients (usually the gateway entry), each client needs at least a static ARP entry for the gateway in its ARP cache. You can do this using the following method:

(1) Create static ARP entries for all clients on the Internet access server (gateway)
1. Run arp -a > c:\arp.txt to redirect all dynamic ARP table entries to the text file c:\arp.txt.

Open the text file and delete the non-ARP header lines at the top. The result is shown in Figure 4:

[Figure 4: arp.txt after the header lines have been removed (image: http://img1.51cto.com/attachment/201411/1/9437529_1414855257wCYM.jpg)]

It is best to run this command during peak hours so that you capture the MAC addresses of as many clients as possible. IP/MAC pairs that were missed can also be added by hand later.

2. Create the script file c:\bind.bat with the following content:

for /f "tokens=1,2" %%i in (c:\arp.txt) do arp -s %%i %%j

This reads each IP/MAC pair from arp.txt and creates a static ARP entry for it. (Inside a .bat file the loop variable is written %%i; typed directly at the command prompt it would be %i.)

3. To have the Internet access server run this script at every startup, put a shortcut to it in the Startup folder.

(2) Client operations
Put arp.txt in a shared folder and repeat steps 2 and 3 on each client, pointing the script at the shared copy.
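As an added example (not code from the original article), the following Python script does on a captured arp -a listing what the article does by eye and with bind.bat: it flags the tell-tale sign of one MAC address claimed by several IPs, compares a current cache against a trusted snapshot like the peak-hour arp.txt, and emits the arp -s bindings. The sample ARP listings inside it are constructed for illustration.

```python
# Added example, not from the original article: parse Windows `arp -a`
# output, flag the indicator the article describes (one MAC claimed by
# several IPs), and emit the `arp -s` bindings that bind.bat applies.
import re
from collections import defaultdict

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+\w+",
    re.IGNORECASE,
)

def parse_arp_a(text):
    """Return {ip: mac} from `arp -a` output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def duplicated_macs(table):
    """MACs that appear for more than one IP -> {mac: [ips]}; this is the
    symptom the article saw in the gateway's ARP cache."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def changed_entries(baseline, current):
    """IPs whose MAC differs from a trusted snapshot (the arp.txt the
    article captures during peak hours) -> {ip: (old_mac, new_mac)}."""
    return {ip: (baseline[ip], current[ip]) for ip in baseline
            if ip in current and baseline[ip] != current[ip]}

def static_bind_commands(table):
    """One `arp -s IP MAC` line per entry, i.e. what bind.bat runs."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(table.items())]

# Constructed sample data: a trusted snapshot and a later, poisoned cache.
BASELINE = """Interface: 192.168.0.1 --- 0x10004
  Internet Address      Physical Address      Type
  192.168.0.12          00-11-09-01-02-03     dynamic
  192.168.0.13          00-11-09-aa-bb-cc     dynamic
  192.168.0.15          00-11-09-dd-ee-ff     dynamic
"""
POISONED = BASELINE  # constructed: every host now resolves to one MAC
for real in ("00-11-09-01-02-03", "00-11-09-aa-bb-cc", "00-11-09-dd-ee-ff"):
    POISONED = POISONED.replace(real, "00-11-09-d5-86-4a")
```

Run it against the real arp -a output of the gateway and write static_bind_commands() to bind.bat; an empty duplicated_macs() result on a healthy cache is the expected baseline.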
