Symptoms of an ARP spoofing attack on the network

Source: Internet
Author: User

At work, someone reported that email was unavailable. I went over: it was a notebook connected to the internet through Wi-Fi, and the symptom was that the web login page opened very slowly. Because I had other things on hand, I simply opened OE and added an account, told them to use that for now, and went to look for the cause.

Then people began reporting, in twos and threes, that the network was not working properly: web browsing, stock quotes and live video all had problems. This was big trouble. Pings from my own machine to external web sites and to DNS were not normal either: results ranged from 30 ms to packet loss, recurring irregularly.

I viewed the source of a page that had opened: the first line contained an IFRAME pointing to a vip.htm page on a bare numeric IP address, but that page could not be opened. This should be one of the reasons every site was slow to open.

I called the ISP and had them ping back toward us. After a few minutes they reported that everything was normal, holding between 1 and 2 ms. The ISP was ruled out as a suspect; continue.

I asked the ISP whether they were pushing advertisements; they confirmed they were not.

I took the notebook to the computer room and connected it directly to the FortiGate: everything was normal, so the fault was located at the downstream switch.

I suspected ARP spoofing (already encountered n times). I looked at the gateway's MAC address on the notebook, then looked at it from other places; sure enough, they were different. Fault confirmed.

I looked in the FortiGate DHCP log for the problem MAC and, to my surprise, it was not there; I could not figure out why.

First I sent a mass BQQ message telling the people with problems to download and install Antiarp, then continued checking.

On an affected machine, I scanned all the IPs in the class C segment, then ran arp -a to see which IP corresponded to the problem machine's MAC.

Opening \\<problem IP>\d$ brought up a login window that showed the problem machine's name; found it.

Take the problem machine off the network, run antivirus, remove the Trojan; fixed.

The whole process was this: the problem machine was infected with a Trojan and began ARP spoofing. The other machines received its ARP broadcasts, took the problem machine to be the gateway, and sent their traffic that way. The problem machine then added the IFRAME to the beginning of the HTTP request, for the purpose of traffic, advertising or redistribution.

To sum up

Nowadays basic network stability is fairly good, so when problems appear over a large area, suspect ARP spoofing first. If conditions allow, do two-way IP-MAC binding, which can solve most of these problems. If not, build a table mapping each machine to its MAC, so that when a problem occurs the problem machine can be found quickly. Try to install anti-virus and Trojan-removal software on every machine; it can save a lot of trouble.
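
The gateway check and the machine-to-MAC lookup described above can be scripted. The following is an added example, not part of the original post: it parses arp -a output from an affected machine, compares the gateway entry with the MAC read at the firewall, and looks the offending MAC up in the table. All addresses, MACs and machine names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output taken on an affected machine.
SAMPLE_ARP_A = """\
Interface: 192.168.1.57 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           02-00-00-00-00-05     dynamic
  192.168.1.23          02-00-00-00-00-05     dynamic
  192.168.1.40          02-00-00-00-00-40     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
GATEWAY_IP = "192.168.1.1"           # assumed gateway address
GATEWAY_MAC = "02:00:00:00:00:01"    # assumed real MAC, read at the firewall itself
# Hypothetical machine-to-MAC table of the kind the summary recommends keeping.
INVENTORY = {"02:00:00:00:00:05": "PC-FINANCE-05", "02:00:00:00:00:40": "PC-SALES-40"}

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})\b", re.I)

def parse_arp(text):
    """Return {ip: mac} from `arp -a` output, skipping broadcast/multicast MACs."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac = m.group(2).lower().replace("-", ":")
            if not int(mac[:2], 16) & 1:   # group bit clear: a unicast address
                table[m.group(1)] = mac
    return table

def find_spoofer(arp_text, gateway_ip, gateway_mac, inventory):
    """Return None if the gateway entry is genuine, else who owns the MAC seen."""
    table = parse_arp(arp_text)
    seen = table.get(gateway_ip)
    if seen is None or seen == gateway_mac.lower():
        return None
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # Other IPs answering with the same MAC: the spoofing machine's own address.
    own_ips = sorted(ip for ip in by_mac[seen] if ip != gateway_ip)
    return {"mac": seen, "own_ips": own_ips, "machine": inventory.get(seen, "unknown")}

if __name__ == "__main__":
    print(find_spoofer(SAMPLE_ARP_A, GATEWAY_IP, GATEWAY_MAC, INVENTORY))
```

A MAC that is missing from the table comes back as "unknown", which is the case where the login-window trick from the walkthrough is still needed to name the machine.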
