Principles to applications: solutions to ARP attacks

Source: Internet
Author: User

ARP attacks have become synonymous with dropped connections. Many Internet cafe and enterprise networks are unstable, with connectivity dropping for no apparent reason and causing considerable economic losses. This is clearly a widespread problem, and its main cause is ARP attacks.

Because ARP attack tools exist in many variants and spread quickly, many technical staff and enterprises are left helpless. This article walks through the topic from principle to practice, in the hope of helping you solve such problems and clean up your network environment.

In a LAN, ARP resolves an IP address to a physical (MAC) address at layer 2 so that machines on the same segment can communicate. ARP matters a great deal for network security because it is built entirely on mutual trust: nothing authenticates who answers a request. If ARP spoofing is carried out with forged IP and MAC addresses, the attacker can flood the network with ARP traffic and cause congestion, disconnections, redirection of traffic, and sniffing.

Each host keeps an ARP cache storing its most recent IP-to-MAC mappings. On Windows, each dynamic record generally survives for 60 seconds, counted from the moment the record is created. By default, ARP reads IP-MAC entries from this cache, and the entries change dynamically based on the ARP response packets the host receives.

Consequently, any ARP response that reaches the local machine updates the IP-MAC entry in its ARP cache. For example, X sends a self-built ARP response to Y in which the sender IP address is 192.168.1.3 (the IP address of Z) and the sender MAC address is DD-DD-DD-DD-DD-DD (Z's real MAC address is CC-CC-CC-CC-CC-CC; the one in the response is forged). When Y receives the ARP response sent by X, it updates its local ARP cache with no way of knowing that the response is forged. Now consider what happens when the forged entry is the gateway's.
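To make the cache behaviour concrete, here is an added example (my own code, not from the article) that models a host's ARP cache with the 60-second aging described above, replays the X/Y/Z scenario, and shows how a static entry (the equivalent of the arp -s binding the article uses later) refuses the forged reply. The class and function names are my own, and the addresses are the article's illustrative ones.

```python
# Added example (not from the original article): a minimal model of a host's
# ARP cache showing why an unsolicited reply overwrites a dynamic entry, and
# how a static (bound) entry refuses the update. Names and addresses are
# illustrative only.
import time

AGE_SECONDS = 60  # survival time of a dynamic entry, as stated in the article


class ArpCache:
    """Maps IP -> (MAC, created_at, static). Dynamic entries age out."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so the demo can fast-forward time
        self.entries = {}

    def lookup(self, ip):
        """Return the cached MAC for ip, or None if absent or expired."""
        rec = self.entries.get(ip)
        if rec is None:
            return None
        mac, created, static = rec
        if not static and self.clock() - created >= AGE_SECONDS:
            del self.entries[ip]    # aged out, would be re-learned by a new ARP exchange
            return None
        return mac

    def add_static(self, ip, mac):
        """Equivalent of 'arp -s': a bound entry that replies cannot change."""
        self.entries[ip] = (mac.upper(), self.clock(), True)

    def on_reply(self, sender_ip, sender_mac):
        """Called for every ARP reply the host receives, solicited or not.

        Returns True if the cache changed. A dynamic entry is replaced
        unconditionally, which is exactly the behaviour a spoofer relies on.
        """
        rec = self.entries.get(sender_ip)
        if rec is not None and rec[2]:
            return False            # static entry: the forged reply is ignored
        self.entries[sender_ip] = (sender_mac.upper(), self.clock(), False)
        return True


def poisoning_demo(bind_static=False):
    """Replays the article's scenario: X forges a reply claiming Z's IP.

    Returns the MAC that Y ends up using for Z's IP (192.168.1.3).
    """
    now = [1000.0]
    cache = ArpCache(clock=lambda: now[0])
    z_ip, z_real_mac = "192.168.1.3", "CC-CC-CC-CC-CC-CC"
    if bind_static:
        cache.add_static(z_ip, z_real_mac)        # the binding defence
    else:
        cache.on_reply(z_ip, z_real_mac)          # legitimate reply from Z
    cache.on_reply(z_ip, "DD-DD-DD-DD-DD-DD")     # forged reply sent by X
    return cache.lookup(z_ip)


def aging_demo():
    """Shows a dynamic entry disappearing once AGE_SECONDS have passed."""
    now = [0.0]
    cache = ArpCache(clock=lambda: now[0])
    cache.on_reply("192.168.1.1", "0A-0B-0C-0D-0E-0F")
    before = cache.lookup("192.168.1.1")
    now[0] += AGE_SECONDS
    return before, cache.lookup("192.168.1.1")


if __name__ == "__main__":
    print("dynamic entry after forged reply:", poisoning_demo())
    print("static entry after forged reply: ", poisoning_demo(bind_static=True))
    print("before/after aging:", aging_demo())
```

Without a static entry, Y ends up with DD-DD-DD-DD-DD-DD for Z's address; with the entry bound it keeps CC-CC-CC-CC-CC-CC. Real stacks also learn from ARP requests and from gratuitous ARP, so a host-side model like this understates how many packets can rewrite the mapping.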

The switch likewise maintains a dynamic MAC cache. Each switch keeps a MAC address table that records, for every port (Port n <-> MAC), which MAC addresses have been seen on that port. The table is empty at first; the switch fills it in by learning from the source addresses of the frames passing in and out of each port.

Because the MAC-PORT table is updated dynamically, an attacker can rewrite the whole table by MAC address flooding: continuously sending large numbers of frames with fake source MAC addresses, which the switch learns into its MAC-PORT cache. Once the previously correct MAC-to-port associations are broken in this way, the switch no longer knows which port a frame belongs to and floods it out of every port, effectively degrading the switch into a hub. Sending every packet to every port is exactly what a sniffing attack needs. The switch's MAC-PORT cache can also collapse, as shown in the following switch log:

    Internet  192.168.1.4  255  B.cd85.a193  ARPA  Vlan256
    Internet  192.168.1.5  255  B.cd85.a193  ARPA  Vlan256
    Internet  192.168.1.6  …    B.cd85.a193  ARPA  Vlan256
    Internet  192.168.1.7  …    B.cd85.a193  ARPA  Vlan256
    Internet  192.168.1.8  …    B.cd85.a193  ARPA  Vlan256
    Internet  192.168.1.9  …    B.cd85.a193  ARPA  Vlan256

(The columns are protocol, address, age, hardware address, type and interface; the leading digits of the hardware address and some age values did not survive extraction.) Every address in the table resolves to the same hardware address.

Main phenomena of ARP attacks:

Online banking credentials and confidential data are frequently lost. When a host in the LAN runs an ARP spoofing Trojan, it deceives every host and router on the LAN so that all Internet traffic has to pass through the infected host. Users who previously reached the Internet directly through the router now go through the infected host, and are disconnected once at the moment of the switch. Once traffic has been diverted through the infected host, if a user is logged on to a server, the infected host often simulates a dropped connection so that the user has to log on to the server again; in this way the infected host can steal information from every machine.

Network speed is fast one moment and slow the next, and extremely unstable, yet a single machine tested directly on the fibre link behaves normally. Parts of the LAN, or the whole LAN, are disconnected frequently, and things return to normal after the computer or network device is restarted.

Because the attack sends large numbers of packets, an ARP spoofing Trojan congests LAN communication, and the infected host's limited processing capacity throttles everyone routed through it, so users feel Internet access getting slower and slower. When the ARP spoofing Trojan stops running, users go back to reaching the Internet through the router, and are disconnected once more during the switchover.
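The switch log above shows the pattern a defender can look for on the switch side: many IP addresses all resolving to one hardware address. As an added example (my own code, not from the article), the following scans "show ip arp"-style output for that pattern. The table, the MAC values and the threshold are constructed for the demonstration; the only real-world assumption is the Cisco-style column layout.

```python
# Added example, not from the original article: scan "show ip arp"-style output
# for the pattern in the switch log, many IP addresses all resolving to the
# same hardware address. The table below is constructed; the MACs are made up.
import re
from collections import defaultdict

# Cisco-style columns: Protocol  Address  Age (min)  Hardware Addr  Type  Interface
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)

# Constructed sample: two normal hosts, then six addresses claimed by one MAC.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1              -   00aa.bb00.0001  ARPA   Vlan256
Internet  192.168.1.2               3  00aa.bb00.0002  ARPA   Vlan256
Internet  192.168.1.4             255  00aa.bb00.00ee  ARPA   Vlan256
Internet  192.168.1.5             255  00aa.bb00.00ee  ARPA   Vlan256
Internet  192.168.1.6             255  00aa.bb00.00ee  ARPA   Vlan256
Internet  192.168.1.7             255  00aa.bb00.00ee  ARPA   Vlan256
Internet  192.168.1.8             255  00aa.bb00.00ee  ARPA   Vlan256
Internet  192.168.1.9             255  00aa.bb00.00ee  ARPA   Vlan256
"""


def parse_arp_table(text):
    """Return [(ip, mac, interface)] for every entry line; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            rows.append((m["ip"], m["mac"].lower(), m["iface"]))
    return rows


def _ip_key(ip):
    """Sort key so 192.168.1.9 sorts before 192.168.1.10."""
    return tuple(int(x) for x in ip.split("."))


def find_shared_macs(rows, threshold=3, allow=()):
    """Return {mac: [ips...]} for MACs claimed by at least `threshold` IPs.

    `allow` lists MACs that legitimately answer for many addresses (a router
    doing proxy ARP, for instance); put the gateway's MAC there to avoid
    false alarms. Any other MAC answering for several IPs is suspect.
    """
    allowed = {m.lower() for m in allow}
    by_mac = defaultdict(set)
    for ip, mac, _iface in rows:
        by_mac[mac].add(ip)
    return {mac: sorted(ips, key=_ip_key)
            for mac, ips in by_mac.items()
            if len(ips) >= threshold and mac not in allowed}


def report(text, threshold=3, allow=()):
    """Human-readable lines, one per suspicious MAC."""
    shared = find_shared_macs(parse_arp_table(text), threshold, allow)
    return [f"{mac} answers for {len(ips)} addresses: {', '.join(ips)}"
            for mac, ips in sorted(shared.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_SHOW_IP_ARP):
        print(line)
```

Run against a real table, pass the gateway's MAC in `allow`, since a router legitimately appears as the hardware address for every off-segment destination and would otherwise be reported on every run.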

ARP solution:

Currently the common solution is double binding, that is, binding the gateway's IP-MAC pair on each client and each client's pair on the gateway. The client-side steps are as follows:

First, find the correct physical (MAC) address belonging to the gateway's IP address, then bind that IP-MAC pair as a static entry in the client's ARP table.

Step 1:

Find the gateway address of this segment, for example 192.168.1.1; the rest of this example uses that gateway. While Internet access is working normally, click Start > Run, type cmd, click OK, then enter arp -a and press Enter to view the physical address of the gateway.

For example, the gateway 192.168.1.1 corresponds to 0A-0B-0C-0D-0E-0F.

Step 2:

Create a batch file named rarp.bat with the following content:

    @echo off
    rem clear any existing (possibly poisoned) ARP entries
    arp -d
    rem bind the gateway IP to its real MAC as a static entry
    arp -s 192.168.1.1 0A-0B-0C-0D-0E-0F

Save it as rarp.bat.

Step 3:

Run the batch file once, then drag it into Windows → Start → Programs → Startup so that it runs automatically at every startup.

However, double binding does not completely solve the ARP problem: IP conflicts and some ARP variants remain unsolved.

Another option is anti-ARP hardware routing, but it is expensive and cannot guarantee stable operation under a large volume of attacks. So is there no effective and thorough solution? There is: software that works as a low-level driver, deployed across the whole network to prevent ARP problems.

Such software is driven by the system's underlying core and starts and runs as a service and process that coexist with the system without consuming noticeable system resources. It differs from double binding in that it analyses and judges the packets in transit: only valid packets are let through, and invalid ones are discarded. There is no need to worry about the computer rebuilding its ARP cache after a restart, because the software exists as a combination of service and process; after a restart its protection starts automatically alongside the operating system.

Currently, the recommended software that meets these requirements and works well is arpguard. It not only solves ARP problems but also provides intranet flood protection and P2P speed limiting.

Arpguard installs a core driver at the bottom of the system's network stack. This driver filters all ARP packets and judges every ARP response; only ARP packets that comply with its rules are passed on for further processing, so the computer cannot be deceived. At the same time, arpguard inspects every outgoing ARP response, and only rule-compliant ARP packets are sent out, which intercepts attacks at their source.

Flood interception: this setting penalises machines in the rule list that launch SYN flood, UDP flood or ICMP flood attacks. When the SYN, UDP or ICMP packets sent by a computer in the LAN exceed the upper limit specified in this setting, the arpguard client penalises it according to the preset values; during the penalty period the computer can no longer send packets to the network. The penalty does not affect connections that are already established.
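Arpguard's driver is not shown on this page, so here is an added example of my own, not the product's code, that models in user space the checks the two paragraphs above describe: parsing raw Ethernet/ARP frames, accepting a reply only if its sender MAC matches the frame's source and any binding configured for that IP, and putting a sender that exceeds a per-second reply threshold under a penalty during which its packets are dropped. The frame layout is standard; the bindings, thresholds, penalty length and all frames are constructed for the demonstration.

```python
# Added example, not arpguard's code: a user-space model of rule-based ARP
# reply filtering plus a rate threshold with a penalty period, applied to raw
# Ethernet/ARP frames. Bindings, thresholds and all frames are constructed.
import struct
from collections import defaultdict, deque

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype ptype hlen plen op sha spa tha tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return "-".join(f"{x:02X}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 only
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha),
            "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


def build_reply(eth_src, sha, spa, tha, tpa):
    """Assemble an ARP reply frame (used here only to create constructed input)."""
    eth = ETH_HDR.pack(mac_bytes(tha), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sha), ip_bytes(spa),
                       mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


class ArpFilter:
    """Decides, per inbound ARP reply, whether the cache may learn from it."""

    def __init__(self, bindings, max_per_window, window, penalty):
        self.bindings = {ip: mac.upper() for ip, mac in bindings.items()}
        self.max_per_window, self.window, self.penalty = max_per_window, window, penalty
        self.history = defaultdict(deque)   # sender MAC -> recent reply timestamps
        self.penalised = {}                  # sender MAC -> time the penalty ends

    def decide(self, frame, now):
        """Return ("accept" | "drop", reason) for one frame seen at time `now`."""
        arp = parse_arp(frame)
        if arp is None:
            return "drop", "not a well-formed Ethernet/IPv4 ARP frame"
        if arp["op"] != ARP_REPLY:
            return "accept", "requests are outside this model"
        src = arp["eth_src"]
        if self.penalised.get(src, 0.0) > now:
            return "drop", "sender is under penalty"
        # Rule 1: the frame's source MAC must match the MAC the reply claims.
        if src != arp["sha"]:
            return "drop", "Ethernet source differs from ARP sender address"
        # Rule 2: a bound IP (typically the gateway) may only be claimed by its bound MAC.
        bound = self.bindings.get(arp["spa"])
        if bound is not None and bound != arp["sha"]:
            return "drop", f"{arp['spa']} is bound to {bound}"
        # Rule 3: more replies than allowed per window puts the sender under penalty.
        recent = self.history[src]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.max_per_window:
            self.penalised[src] = now + self.penalty
            recent.clear()
            return "drop", "reply rate exceeded; sender penalised"
        return "accept", "ok"


def demo():
    """Runs three constructed scenarios; returns the list of accept/drop verdicts."""
    gw_ip, gw_mac = "192.168.1.1", "0A-0B-0C-0D-0E-0F"
    me_ip, me_mac = "192.168.1.2", "AA-AA-AA-AA-AA-AA"
    flt = ArpFilter({gw_ip: gw_mac}, max_per_window=5, window=1.0, penalty=30.0)
    verdicts = []
    # 1. genuine reply from the gateway
    verdicts.append(flt.decide(build_reply(gw_mac, gw_mac, gw_ip, me_mac, me_ip), now=0.0)[0])
    # 2. forged reply claiming the gateway IP with another MAC (the article's scenario)
    bad = "DD-DD-DD-DD-DD-DD"
    verdicts.append(flt.decide(build_reply(bad, bad, gw_ip, me_mac, me_ip), now=0.1)[0])
    # 3. a host answering far too often: five pass, the sixth trips the penalty
    host = "CC-CC-CC-CC-CC-CC"
    for i in range(7):
        frame = build_reply(host, host, "192.168.1.3", me_mac, me_ip)
        verdicts.append(flt.decide(frame, now=0.2 + i * 0.05)[0])
    # the same host half a second later is still under penalty
    verdicts.append(flt.decide(build_reply(host, host, "192.168.1.3", me_mac, me_ip), now=1.0)[0])
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The model checks replies only, as the article describes; a real filter would apply rule 2 to ARP requests as well, since hosts also learn sender mappings from requests, and would exempt already established connections from the penalty, which this packet-level model does not track.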

Traffic control: this setting restricts the upload and download traffic (the so-called network speed limit) over the WAN and LAN for all computers in the rule list. Right-click the excluded-machines list window to modify and edit its contents; IP addresses in the "excluded servers" list are not subject to traffic control.

ARP Guard can solve all problems caused by ARP spoofing. It not only protects computers from ARP spoofing attacks, but also controls the source machines infected with the ARP attack virus or spoofing Trojan, preventing them from spoofing other computers on the LAN. It maintains normal network communication and stops hosts running ARP spoofing attacks from eavesdropping on other computers on the network, so that the ARP attacker cannot browse web pages or transmit data.

In general, I think this software is currently the best on the market, and its online customer service is also responsive. However, it is sometimes inconvenient for network administrators: for example, when the management console changes its IP address, each client below it has to be pointed at the new IP address by hand. In addition, not all diskless systems are supported, and Linux is not supported at all. I hope the developers will notice and address these points as soon as possible.

That is all I have to say about ARP; I hope it helps you solve your ARP disconnection problems.
