Prevention and Handling of ARP attacks

If the network speed is getting slower and slower, and the network may recover after a period of time, or you can access the Internet after restarting the router. When a fault occurs, the gateway cannot be pinged or data is lost, which may be caused by ARP attacks. Next I will talk about some opinions on how to handle this situation.
I. First, diagnose ARP attacks
1. When we find that the Internet access is obviously slow or suddenly dropped, we can use the arp-command to check the ARP table: (click the start button-& gt; choose run-& gt; enter cmd and click OK. Enter the arp-a command in the window.) If the MAC address of the gateway is changed, or many IP addresses point to the same physical address, so it must be caused by ARP spoofing.
2. Use the Anti ARP Sniffer software for details ).
Ii. Identify the ARP virus host
1. The "arp-d" command can only temporarily solve the Internet access problem. To fundamentally solve the problem, you must find the virus host. Through the arp-a command above, you can determine the MAC address of the changed gateway or the physical address pointed by multiple IP addresses, that is, the MAC address of the virus machine. Which host corresponds to the MAC address? In windows, the ipconfig/all command is used to view the information of each host. However, if the number of computers is too large, it is not a way to query one host, therefore, you can download a software called "NBTSCAN", which can obtain the real IP address and MAC address of the PC.
Command: "nbtscan-r 192.168.80.0/24" (search for the entire 192.168.80.0/24 CIDR block, that is, 192.168.80.1-192.168.80.254); or "nbtscan 192.168.80.25-137, that is, 192.168.80.25-192.168.80.htm. The first column of the output result is the IP address, and the last column is the MAC address. In this way, you can find the IP address of the virus host.
2. What if I don't have the software? At this time, you can also run the route tracking command on the client, such as tracert-d www.163.com, and immediately find that the first one is not the Intranet ip address of the gateway machine, but the IP address of another machine in this segment, the next hop is the Intranet IP address of the gateway. Normally, the first output after route tracing is executed should be the default gateway IP address. Therefore, the host with the non-gateway IP address of the first hop is the culprit.
Of course, after finding the IP address, you need to find the machine corresponding to the IP address. If each computer has a serial number and uses a fixed IP address, if the IP address settings are also regular, it will be found soon. However, if this is not the case above, IP settings are not regular, or IP addresses are dynamically obtained, what should we do? Do I still need to check them one by one? None! You can set the IP address of a machine to be the same as the IP address of the machine where the machine is located. In this way, the IP address is conflicted, so that the infected host can report an alarm and find the host.
3. Virus host processing
1. Use anti-virus software to detect and eliminate viruses.
2. We recommend that you reinstall the system. (Of course, you should pay attention to whether there are viruses on other disks except the system disk)
4. How to Prevent ARP attacks
1. From the perspective of Affecting Network Connection smoothness, ARP spoofing can be divided into two types: spoofing on the ARP table of the vro and spoofing on the gateway of the Intranet PC. The first principle of ARP spoofing is to intercept gateway data. It notifies the vro of a series of incorrect Intranet MAC addresses and keeps running at a certain frequency, so that the real address information cannot be updated and saved in the vro, as a result, all the data of the router can only be sent to the wrong MAC address, so that the normal PC cannot receive the information. The second principle of ARP spoofing is to forge a gateway. The principle is to establish a false gateway to send data to a spoofed PC, rather than accessing the Internet through a normal router. In the PC's view, the network cannot be connected, and the network is disconnected ". Therefore, many users are recommended to adopt two-way binding to prevent ARP spoofing. This is indeed the best solution, but if the number of computers is large, it will take a lot of effort to bind a vro. In my opinion, you can bind the IP address and MAC address of the vro to the PC. You can bind a vro to the PC using the following method:
1) First, obtain the MAC address of the vro Intranet (for example, the MAC address of the gateway address 172.16.1.254 is 0022aa0022ee ).
2) Compile a batch file rarp. bat with the following content:
@ Echo off
Arp-d
Arp-s 172.16.1.254 00-22-aa-00-22-ee
Change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address. Drag the batch processing software to "windows -- start -- program -- start.
This reduces the trouble of setting a single server and avoids the need to redo the data because the computer restarts. Of course, it is recommended that the computer have a recovery card and a protection system so that the batch processing will not be deleted at will.
2. As a network administrator, I think we should make full use of some tools and software to prepare some common tools. For ARP, we recommend that you prepare the following software at hand:
① "Anti ARP Sniffer" (using Anti ARP Sniffer can prevent packet interception using ARP technology and prevent Sending address conflict packets using ARP technology, and can find the IP address and MAC address of the attack host ).
② "NBTSCAN" (NBTSCAN can obtain the real IP address and MAC address of the PC and use it to know the MAC address corresponding to each IP address in the LAN)
③ "Network law enforcement officer" (a LAN Management auxiliary software that uses the underlying network protocol to monitor each host, switch, and other network devices with IP addresses in the network through various client firewalls; the network card number (MAC) is used to identify users. The main function is to monitor the entire LAN in real time and automatically manage illegal users based on the permissions assigned to hosts by the Administrator, illegal users can be isolated from some hosts in the network or the entire network. Moreover, no matter what firewall the hosts in the LAN are running, they cannot evade monitoring and do not trigger firewall warnings, which improves network security)
3. Regularly check for LAN viruses, Scan Machines for viruses, and install patches for the system. It is best to ensure that each computer in the LAN has anti-virus software (which can be upgraded)
4. instruct users in the network not to click the link information sent by QQ, MSN and other chat tools, and do not open or run unfamiliar or suspicious files and programs, such as unfamiliar attachments and plug-ins in emails.
5. We recommend that you use a fixed IP address for each computer on the LAN as much as possible. The vrodhcp does not enable DHCP. Each computer in the LAN is assigned an ID, and each number corresponds to a unique IP address, in this way, future fault queries are also easy to manage. The "NBTSCAN" software is used to find the MAC address corresponding to each IP address and create a database with the "computer number-IP address-MAC address" one-to-one correspondence.
--------
How to Prevent ARP attacks!
Routes are shared with the internet, and 5 Users in 2 m! Set the static IP-----IP and MAC correspondence in the route! Set it to only a few!
I just got online after I started it today!
Four of them are suspected. The IP address can be changed, or the MAC address can be changed! Three of the MAC servers that have been attacked are displayed!
I also set up an AntiArp software protection, which is useless!
In the past, if an attack was attempted, a prompt will be displayed! --------------------- (That is to say, you cannot access the Internet using software such as network management.) Today, sometimes there are prompts that you cannot access the Internet. This software is no longer valid!
Route settings are my control ---------- can be excluded from route restrictions!
I can reconnect to the MAC of the network by myself. Sometimes I can't, even if I can!
I want someone to use the software to prohibit me from accessing the internet, and then use my MAC to access the Internet!
This software must be very powerful! If this software is used, it is equal to preemptive action! The data that the gateway and the gateway communicate with may be spoofed! So no matter how I do it, it's useless!
What I don't understand is that it's useless to activate an AntiArp! ------------- It's no wonder that something about the software must have been cracked. In the past, when the software was released, it was possible to limit the speed of other people's network. Later, it was a defense against ARP spoofing, now, my anti-ARP spoofing (AntiArp) does not work-it won't be because the version is too low! Depressed!
E-day experts are coming!
 
------
I think someone in the LAN should use ARP spoofing Trojans (such as World of Warcraft, audition and other hacking software, some plug-ins are also maliciously loaded with this program ).
1. Do not establish your network security trust relationship on the basis of IP or MAC (rarp also has the problem of spoofing). The ideal relationship should be on the basis of IP + MAC.
2. Set a static MAC --> IP address table. Do not refresh the conversion table you set on the host.
3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table.
4. Use the ARP Server. The server looks for its own ARP conversion table to respond to ARP broadcasts from other machines. Make sure that the ARP Server is not hacked.
5. Use the proxy IP address for transmission.
6. Use hardware to shield hosts. Set your route so that the IP address can reach a valid path. (Configure route ARP entries statically). Note that using the exchange hub and bridge cannot prevent ARP spoofing.
7. The Administrator periodically obtains an rarp request from the response IP packet and checks the authenticity of the ARP response.
8. The Administrator regularly polls and checks the ARP cache on the host.
9. Use the firewall to continuously monitor the network. Note that when SNMP is used, ARP spoofing may cause the loss of trap packets.
--
Each host has a temporary storage IP-MAC corresponding table ARP attacks by changing the cache to achieve the purpose of spoofing, using static ARP to bind the correct MAC is an effective method. run arp-a on the command line to view the current ARP cache table. the following is the local ARP table:
C: Events and Settingscnqing> arp-
Interface: 192.168.0.1 on Interface 0x1000003
Internet Address Physical Address Type
192.168.0.1 00-03-6b-7f-ed-02 dynamic
It indicates the dynamic cache, that is, it will be modified when a corresponding ARP packet is received. if it is an invalid ARP packet containing an incorrect gateway, this table will be changed automatically. in this way, we cannot find the correct gateway MAC, and we cannot communicate with other hosts normally. use ARP-s ip mac to create a static table.
Run arp-s 192.168.0.1 00-03-6b-7f-ed-02 to view the ARP cache table again.
C: Events and Settingscnqing> arp-
Interface: 192.168.0.1 on Interface 0x1000003
Internet Address Physical Address Type
192.168.0.1 00-03-6b-7f-ed-02 static
The "TYPE" item changes to "static" and static TYPE. in this status, the local cache is not changed when the ARP packet is received. this effectively prevents ARP attacks. static ARP entries disappear after each restart and need to be reset. in this case, you can write a batch file with the following content:
@ Echo off
Arp-d
Arp-s 192.168.0.1 00-03-6b-7f-ed-02
After writing it, we store it as rarp. bat, and then place the file in the Start Menu-Program-start bar. This will automatically execute this batch of files each time the machine is started. Menu-Program-start column default directory: C: Documents and SettingsAll Users "start" Menu \ Program start.
---
Arp modification and display of "Address Resolution Protocol"
 
 
 
Arp
Displays and modifies the items in the "Address Resolution Protocol (ARP)" cache. The ARP cache contains one or more tables, which are used to store IP addresses and Their resolved physical IP addresses over Ethernet or card rings. Network adaptation of each Ethernet or licensing ring installed on the computer