Router ARP virus prevention Solution

Recently, many Internet cafes in China have been disconnected for a short period of time (full or partial), but will be automatically restored in a short period of time. This is caused by a MAC address conflict. When the MAC address of a computer with a virus maps to a NAT device such as a host or vro, the whole network is disconnected. If it is mapped to only other machines in the network, then there is only a problem with this part of the machine. It is often used in legend games, especially private server plug-ins. This is an obvious manifestation of ARP attacks on the network. The purpose is to crack the game encryption and decryption algorithm by intercepting packets in the LAN, then we analyze the methods of game communication protocols to intercept user information. By running this virus, you can obtain detailed information about game players in the entire LAN and steal user account information. Next we will talk about how to prevent such attacks.
First, let's take a look at what ARP attacks are. These attacks attack the Intranet PC and disrupt the ARP table of the Intranet PC. In the LAN, through ARP, the IP address is converted to the second physical address (MAC address. ARP is of great significance to network security. ARP spoofing is achieved by forging IP addresses and MAC addresses, which can generate a large amount of ARP traffic in the network to block the network. Performs ARP redirection and sniffing attacks. Sends ARP response packets with spoofed source MAC addresses to attack the ARP high-speed cache mechanism. These problems mainly occur in Internet cafe users, which may cause some or all machines in the internet cafe to be temporarily disconnected or unable to access the Internet. After restarting, the problem can be solved, but it may not be long before, when the internet cafe administrator checks the arp table by running the ARP-a command on each machine, the IP address and MAC address of the router are modified. This is a typical symptom of ARP attacks.
Programs with this virus, such as PWSteal. lemir or its variants are Trojans/worms. Windows 95/98/Me/NT/2000/XP/2003 will be affected, there are two ways of virus attacks that affect the smooth connection of the network. The ARP table of the router is spoofed and the PC gateway on the Intranet is spoofed. The former is to first intercept the gateway data, then, a series of incorrect Intranet MAC messages are repeatedly sent to the vro, causing the vro to send a wrong MAC address and the normal PC cannot receive the message. The latter ARP attack is a counterfeit gateway. It first sets up a fake gateway to send data to the spoofed PC, instead of accessing the Internet through a normal router. In the PC's view, the network cannot be connected, and the network is disconnected ".
In both cases, if ARP attacks are prevented, we must set the router and client to ensure the final solution. Therefore, if we select a vro, we 'd better check whether the vro has the function of Preventing ARP virus attacks. Qno's chivalrous product provides such a function, which is easier to learn than other products. Next, let's talk about how to set up the Qno no router product to prevent ARP attacks.

1. Activate to prevent ARP virus attacks:
Enter the vro IP address to log on to the Web management page of The vro and go to the "Basic page" of "firewall configuration ", find "Prevent ARP virus attack" on the right and click "Activate" in this line, and then click "OK" at the bottom of the page, 1.

 

Figure 1 Chinese Router Web Management page

2. Bind the user IP Address/MAC address to the vro:
Go to "DHCP configuration" of "DHCP function", and you can see an "IP and MAC binding" in the lower right corner of this page. You can add IP and MAC binding here and enter relevant parameters, click "√" on "activation", select "add to corresponding list", repeat the operation to add other IP addresses in the Intranet to the MAC binding, and click "OK" at the bottom of the page ". 2

 

Figure 2
After the corresponding list is added, the corresponding information is displayed in the white box below. However, we recommend that you do not use this method. In this way, you need to query the IP addresses/MAC addresses of all hosts in the network. You can also bind an IP address to a MAC address, which is relatively easy to perform, this can reduce the workload and save a lot of time.
Go to "DHCP configuration" of "DHCP function" and find a "show new IP Address" on the right of binding the IP address to the MAC address. Click to enter. 3

 

Figure 3
After you click it, the IP and MAC binding List dialog box is displayed. This dialog box displays the correspondence between the IP addresses of the unbound PCs in the network and the MAC addresses, enter the computer "name" and "activation" and select "√", and click OK in the upper right corner. 4

 

Figure 4
In this case, the options you bind will appear in the IP and MAC binding list box, 5 and then click "OK/Apply" to complete the binding.

 

Figure 5
3. Bind the IP address of the gateway and its MAC address to each pc.
This operation mainly prevents ARP spoofing between the gateway IP address and its MAC address.
First, find the gateway IP address and MAC address on the vro side,

6

Then start/run cmd on each PC to Enter the dos operation, Enter arp-s 192.168.1.1 0-0e-2e-5b-42-03, and Enter to bind pc01. 7

Figure 7
For other hosts in the network, enter the corresponding host IP address and MAC address in the same way to bind the IP address to the MAC address. However, if the computer is restarted, the function will disappear. Therefore, you can make this command into a batch processing file and put it in the startup of the operating system. The batch processing file can be written as follows:
@ Echo off
Arp-d
Arp-sro lan ip router LAN MAC

Find the attack source for the Intranet that has an arp attack. Method: run the arp-a command in DOS to check whether the MAC address of the gateway is the same as that of the real MAC address of the vro. If not, search for the PC corresponding to the MAC address. This PC is the attack source.
Other router users' solutions also require two-way binding of IP addresses and MAC addresses on the vro and PC end to implement corresponding prevention, however, binding IP addresses and MAC addresses on vrouters and PCs is complicated. You need to find the IP addresses and MAC addresses of each PC, which increases the workload and is prone to errors during the operation.
The above methods can basically solve the problems related to the network caused by ARP attacks. The above methods have also been tested by multiple users and Internet cafes, achieving the expected results. The solution of QNO is easy to learn, and it is safe and reliable to bind the IP/MAC address of the entire network on the vro.