Simple route adjustment to prevent malicious attacks on the network

For large and medium-sized enterprise networks, local network management has always been a very complicated and headache. A user may accidentally click a link to a malicious website, the virus will be infected within a few seconds, and then immediately affect the stability and security of the entire LAN. In addition, malicious websites are rampant and virus transmission methods are tricky, LAN security must be valued by network administrators. If it was four years ago, the LAN was still very secure, and many companies were used to directly sharing various common software and materials on the LAN, but now, in order to gain some illegitimate benefits, many virus developers have come up with the idea of local area networks: the ARP virus was first generated due to the heat of online games. This is a spoofing virus. Although it is not intended to damage the LAN, it seriously affects the normal internet access activities of other LAN users in order to achieve the purpose of account theft. ARP attacks disguise a host on the Intranet as a gateway, deceiving other hosts on the Intranet to send all the information sent to the gateway to this host. However, because the data processing and forwarding capabilities of this host are far lower than those of the Gateway, a large amount of information will be blocked, and the network speed will become slower and slower, and even cause network paralysis, in addition, ARP viruses are designed to intercept user information and steal user information such as online game accounts and QQ passwords. Therefore, ARP not only causes LAN congestion, it also threatens the information security of LAN users.

Then, many DDOS attacks against special servers or private online game servers began to use clients in the enterprise network as "zombie" computers to send a large number of packets to the specified server IP address, the more "zombie" computers there are, the more bandwidth the server consumes. Using this principle, the server bandwidth is exhausted, in this way, the target server can be dropped to blackmail the Server Operator. Although this attack is targeted at the internet server, it needs to send a large number of packets to the router during the attack process, which will directly cause the only 100 m lan port of the router to be "full ", therefore, requests from computers on other local networks cannot be submitted to routers for processing. As a result, all LAN computers are "dropped. You only need to adjust the vro correctly to prevent malicious attacks on the network.

1. Disable the DHCP service
DHCP is known as the Dynamic Host Configuration Protocol. The DHCP Service allows the workstation to connect to the network and automatically obtain an IP address. The DHCP service can provide each network customer with an IP address, subnet mask, default gateway, IP address of a WINS server, and IP address of a DNS server. At present, the DHCP service is enabled for routers in the LAN, and static IP addresses are set in the LAN, which is in the same CIDR block as the DHCP service. After a long time, IP address conflicts may occur frequently. The two cannot be used at the same time. The DHCP service is enabled because of the initialization status of the vro. When you set a static address in your LAN, do not enable the DHCP service. I

Ii. set IP address filtering
Plan the corresponding IP addresses based on the different services undertaken by the computer in the LAN. Then, set IP address filtering based on different services. II

IP address filtering Diagram

3. Enable traffic statistics
The purpose of enabling traffic statistics is to observe the data packets of each computer on the LAN through the router, so as to analyze whether the computer is infected with a virus, in a timely manner, it can be isolated from other computers in the LAN.

4. Binding IP addresses to mac addresses
In the face of the increasingly serious Intranet attacks and the whole network disconnection problem, many router developers also added related technology in the product, add IP-MAC binding function can prevent lan arp spoofing. First, you need to use the relevant software to learn the relationship between mac addresses and IP addresses in the LAN, and then gradually add. After the entry is added, it takes effect. It is recommended that the corresponding binding be performed on each client.) 3.

IP mac Address binding Diagram

Note: The network is constantly evolving. Do not mistakenly think that we have a security barrier, so we must be vigilant. In fact, the network security environment is also changing. The new security situation puts forward a new test for LAN security. network administrators also need to update technologies in a timely manner and take appropriate countermeasures, in order to prevent malicious attacks on the network and ensure the stability and smoothness of the network.

Related Articles]

• Technical Analysis on ensuring network layer reliability of man Routers
  

• Learn how to configure the security router for SMEs
  

• Practice of small office networking Based on Wireless routing and broadband