Solution to ARP spoofing attack in LAN-application techniques

The symptoms of this virus attack are:
1 Computer network connection is normal, but can not access the Internet or when the time is broken, often off line;
2 user private information (such as QQ, online games and other accounts) was stolen;
3 network congestion in the LAN, even caused some network equipment when machine;
Basic concepts:

In order to be able to explain the problem, it is necessary to first introduce some basic concepts, the knowledge skipped.
First of all, we should be familiar with IP address, we know, IP address is a 32-bit (binary) unsigned integer, such as: 192.168.110.1, its most basic function is in (IP) network uniquely identify a specific host. On the Internet, we are using IP addresses to locate other hosts or devices and communicate with each other. It should be noted that the IP protocol is located on the third layer of the OSI Reference Model, the network layer, where we normally refer to routers that work at this level.
And then say MAC address, also called the Physical address, which is typically obtained by the network equipment manufacturer to the IEEE application and burned into the EPROM chip of the device (such as the NIC), a 48-bit unsigned integer (binary), which is normally unique globally, for example: 00-e0- FC-28-AF-36, (note: In 2000/xp, by clicking "Start", select "Run", enter "cmd" to bring up the command prompt, and then enter "Ipconfig/all" return, you can view your MAC address). It should be noted that the MAC implementation is on the second layer of the OSI Reference Model, the data link layer, where traditional (two-tier) switches work on this layer.
In Ethernet (Ethernet), a host to communicate directly with another host, in addition to know the target host's IP address, but also must know the target host's MAC address. Because at the bottom of the network transmission process, it is through the physical address to identify the host or device. Therefore, it is necessary to convert the destination IP address into the destination MAC address in order to ensure the smooth communication.
So how does the target MAC address get? This will be achieved through ARP, "ARP" is the full name of "Address resolution Protocol", that is, "Addressing resolution protocol." Specifically, the basic function of the ARP protocol is to query the MAC address of the target device through the IP address of the target device.
How the ARP protocol works

In each computer installed with the TCP/IP protocol, there is an ARP cache table, and the IP address is one by one corresponding to the MAC address. (Note: When the network adapter is installed correctly from Windows 98, the system automatically installs the TCP/IP protocol for it)
1. After starting the computer normally, each host establishes an ARP list in its own ARP buffer to represent the correspondence between the IP address and the MAC address (note: The current list information can be seen through the command Arp–a).
2. When the source host needs to send a packet to the destination host, will first check their own ARP list of the IP address of the corresponding MAC address, if so, the packet sent directly to the MAC address, if not, to the local network segment to initiate an ARP request broadcast packet, Query the MAC address for this destination host. This ARP Request packet includes the IP address of the source host, the hardware address, and the IP address of the destination host.
3. When all hosts on the network receive this ARP request, they check that the destination IP in the packet is consistent with their IP address. Ignore this packet if it is not the same; if the same, the host first adds the sender's MAC address and IP address to its own ARP list, overwriting it if the IP information already exists in the ARP table, and then the destination host sends an ARP response packet to the source host with its own MAC address , telling each other that it is the host it is looking for.
4. When the source host receives this ARP response packet, it adds the IP address and MAC address of the destination host to its own ARP list, and uses this information to encapsulate the data frame and start the data transmission. If the source host has not received an ARP response packet, the ARP query failed.
The principle of ARP spoofing:

External cause: Usually by the legend of plug-in and other procedures, carry and spread the virus into the intranet;
Internal cause: In the enterprise LAN, is generally used through the gateway to achieve access to the Internet; the so-called ARP deception is roughly divided into two kinds: one is to deceive the gateway-the principle is to inform the gateway a series of wrong intranet MAC address, and at a certain frequency to enable the gateway to continue to learn and update, This causes the true address information to not be saved in the ARP list of the gateway. The result gateway sends all the data to the wrong non-existent address. Causes the normal client cannot receive the information, therefore intranet's PC cannot surf the net, another kind is the internal network PC deception--The principle is by publishes the false ARP information to forge the gateway, misleads other PCs to send the data to the false gateway, Instead of using normal routing for extranet Access, all PCs at the same gateway are not able to access the extranet. It seems to be more of the case now.
How to prevent and respond to:

First, on the prevention must fall to implement.
1. Enhance security awareness, and do not browse some sites that lack credibility;
2. Do not easily download and install pirated, untrusted software or programs;
3. Do not open the unknown origin of e-mail, especially the mail attachment;
4. Do not casually click on open QQ, MSN and other chat tools sent on the link information;
5. Do not casually share files, if you do need to set the best permissions, specify access, the recommendation is not writable;
6. Timely repair of system vulnerabilities (for example, the ARP patch KB842168, etc.);

7. Fix unsafe settings (for example, set a strong password for the system, that is, no less than seven digits in length, using uppercase letters,
lowercase letters, Arabic numerals and special symbols more than three combinations);
8. Shut down unnecessary system services;
9. Install genuine anti-virus software network version, often update the virus library
Second, the provisional treatment of countermeasures:

Step one. When you can access the Internet, enter the MS-DOS window, enter the command: Arp–a the correct MAC address IP corresponding to the gateway, record it. Note: If you are already unable to access the Internet, run a command arp–d the contents of the ARP cache, the computer can temporarily restore the Internet (if the attack is not stopped), once you can access the Internet will immediately disconnect (disable network card or unplug network cable), and then run Arp–a.

Step two. If you already have the correct MAC address for the gateway, bind the gateway IP and the correct MAC manually when the Internet is not available to ensure that the computer is no longer affected by the attack.

Manual binding allows you to run the following command under the MS-DOS window: arp–s, gateway IP, Gateway Mac. For example, suppose the network segment of the computer is a gateway of 218.197.192.254, and the native address is 218.197.192.1 running Arp–a on the computer after the output is as follows: C:\Documents and settings>arp-a Interface: 218.197.192.1---0x2 Internet address Physical Address Type 218.197.192.254 00-01-02-03-04-05 dynamic 00-01-02-03-04-0 5 is the gateway 218.197.192.254 the corresponding MAC address type is dynamic and therefore can be changed. After being attacked, then using this command to view, it will be found that the MAC has been replaced by the attack machine Mac, if you want to find the attack machine, completely eradicate the attack, you can record the Mac at this time, to prepare for future lookups. The manually-bound command is Arp–s 218.197.192.254 00-01-02-03-04-05 and can be arp–a to view the ARP cache, C:\Documents and settings>arp-a interface:21 8.197.192.1---0x2 Internet address Physical Address type 218.197.192.254 00-01-02-03-04-05 static at this point, the type becomes static (static) and does not Again affected by the attack.

However, it is important to note that manual binding is invalidated after the computer shuts down and needs to be bound again. Therefore, to eradicate the attack, only to find the network segment of the virus infected computer, so that its anti-virus or from the system can be resolved.

How to find the virus computer:

If you already have a MAC address for a virus computer, you can use the Nbtscan or anti ARP sniffer software to find the IP address of the MAC address in the network segment, which is the IP of the virus computer, and then report it to the Campus Network Center for seizure. Nbtscan use: Download Nbtscan.rar to the hard drive and unzip, then copy cygwin1.dll and nbtscan.exe two files to C:\Windows\System32 (or system). Entering the Msdos window you can enter the command: Nbtscan-r 218.197.192.0/24 (assuming that the network segment is 218.197.192, the mask is 255.255 255.0; When you actually use the command, you should change the italic part to the correct network segment). Note: When using Nbtscan, sometimes because some computers install firewall software, Nbtscan output is not complete, but in the computer's ARP cache can react, so when using Nbtscan, you can also view the ARP cache, The corresponding relationship between computer IP and Mac in the network segment can be obtained comparatively completely.

Anti ARP Sniffer Usage Instructions

Function Description: Using anti ARP sniffer can prevent the use of ARP technology for packet interception and prevent the use of ARP technology to send address conflict packets.

Second, the use of instructions:

1, ARP spoofing: Fill in the access to the IP address, click [Get Gateway MAC address] will display the MAC address of the gateway. Click [Automatic protection] to protect the current network card communication with the gateway will not be monitored by third parties. Note: If an ARP spoofing prompt appears, this indicates that an attacker sent an ARP spoofing packet to obtain the NIC's packet, and if you want to trace the source of the attack, remember the attacker's MAC address, and use the MAC address scanner to find the IP's corresponding MAC address.

2, IP address conflict first click "Restore Defaults" and then click "Protection address conflict." such as frequent IP address conflicts, this means that attackers frequently send ARP spoofing packets, the IP conflict will appear warning, the use of anti ARP sniffer can prevent such attacks. First you need to know the conflicting MAC address, and Windows logs these errors. See the specific method as follows: Right-click [My Computer]-->[admin]--> Click [Event Viewer]--> Click [System]--> View source for [TcpIP]---> Double-click event to see the display address conflict and record the MAC address, Please copy the MAC address and fill in the anti ARP sniffer local MAC address input box (note: Convert to-), enter after completion click [Protection Address conflict], in order to make the MAC address effective, disable the local network card and then enable the network card, in the cmd command line, enter the Ipconfig /ALL, to see if the current MAC address matches the MAC address in the local MAC address entry box. If successful, the address conflict will no longer be displayed. Note: If you want to restore the default MAC address, click [Restore Defaults], disable the local network card and then enable the NIC for the MAC address to take effect.