Solution to ARP spoofing attacks on LAN

Source: Internet
Author: User


[Fault description] When a host in the LAN runs an ARP spoofing Trojan, it deceives all hosts and the security gateway in the LAN so that all Internet traffic must pass through the virus host. Users who previously accessed the Internet directly through the security gateway are switched to accessing it through the virus host. During the switch, each user is disconnected once.
  
After users have been switched to the virus host for Internet access, if they are logged on to the Legend server, the virus host will often fake a disconnection so that they have to log on to the Legend server again. In this way, the virus host can steal the account.
  
While an ARP spoofing Trojan is active, it sends a large number of packets, which congests LAN communication. Together with the limits of the virus host's own processing capability, this makes Internet access feel slower and slower to users. When the ARP spoofing Trojan stops running, users resume accessing the Internet through the security gateway, and during this switchover they are disconnected once more.
  
Quick query: In WebUI → System Status → System Information → System History, a large number of entries like the following are displayed:
  
Mac spoof 192.168.16.200
  
MAC Old 00:01:6c:36:d1:7f
  
MAC New 00:05:5d:60:c7:18
  
This message indicates that the user's MAC address has changed. When the ARP spoofing Trojan starts running, the MAC addresses of all hosts in the LAN are updated to that of the virus host (that is, the MAC New address in every entry is the MAC address of the virus host).
  
At the same time, if you read the ARP table in WebUI → Advanced Configuration → User Management on the security gateway, the MAC address of every user is the same. You can see the same thing in WebUI → System Status → User Statistics.
  
If a large number of entries in WebUI → System Status → System Information → System History show the same MAC Old address, ARP spoofing has occurred in the LAN (when the ARP spoofing Trojan stops running, each host restores its real MAC address on the security gateway).
  
We already know the MAC address of the host running the ARP spoofing Trojan, so we can use the NBTSCAN tool (download: http://www.utt.com.cn/upload/nbtscan.rar) to find it quickly.
  
NBTSCAN can obtain the real IP address and MAC address of a PC. If a "Legend Trojan" is at work, it can find the IP address and MAC address of the PC on which the Trojan is installed.
  
Command: "nbtscan -r 192.168.16.0/24" (searches the entire 192.168.16.0/24 network segment, that is, 192.168.16.1-192.168.16.254), or "nbtscan 192.168.16.25-137" (searches the 192.168.16.25-137 range, that is, 192.168.16.25-192.168.16.137). The first column of the output is the IP address, and the last column is the MAC address.
  
Example of NBTSCAN:
  
Suppose you want to find a virus host with the MAC address "000d870d585f".
  
1) Extract nbtscan.exe and cygwin1.dll from the compressed package to C:\.
  
2) In Windows, choose Start → Run, enter cmd in the Open box (enter "command" on Windows 98), then in the window that appears enter C:\nbtscan -r 192.168.16.1/24 (adjust to the actual network segment) and press Enter.
  
 

3) Look up the resulting IP-to-MAC table: the IP address of the virus host with MAC address "000d870d585f" is "192.168.16.223".
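The check described in this section, as an added example that is not part of the original article: it groups the gateway's "MAC spoof" entries by MAC New (spoofing active) and by MAC Old (spoofing stopped), then looks the shared MAC up in nbtscan-style output. The sample entries and rows are constructed, and the three-host threshold and function names are assumptions.

```python
import re

# Constructed sample: gateway history in the three-line form shown above.
HISTORY = """\
MAC spoof 192.168.16.200
MAC Old 00:01:6c:36:d1:7f
MAC New 00:0d:87:0d:58:5f
MAC spoof 192.168.16.31
MAC Old 00:11:22:33:44:55
MAC New 00:0d:87:0d:58:5f
MAC spoof 192.168.16.47
MAC Old 00:aa:bb:cc:dd:ee
MAC New 00:0d:87:0d:58:5f
"""
# Constructed sample: nbtscan-style rows, IP first and MAC last.
NBTSCAN = """\
192.168.16.31   PC-031  <server>  <unknown>  00-11-22-33-44-55
192.168.16.223  PC-223  <server>  <unknown>  00-0d-87-0d-58-5f
"""
ENTRY = re.compile(
    r"MAC spoof\s+(\S+)\s+MAC Old\s+(\S+)\s+MAC New\s+(\S+)", re.I)

def norm_mac(text):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", text.lower())

def parse_history(text):
    """Return (ip, old_mac, new_mac) for each 'MAC spoof' entry."""
    return [(ip, norm_mac(old), norm_mac(new))
            for ip, old, new in ENTRY.findall(text)]

def suspect_mac(entries, min_hosts=3):
    """MAC shared by >= min_hosts IPs as MAC New, else as MAC Old, else None."""
    for col in (2, 1):                      # 2 = MAC New, 1 = MAC Old
        ips_by_mac = {}
        for entry in entries:
            ips_by_mac.setdefault(entry[col], set()).add(entry[0])
        for mac, ips in ips_by_mac.items():
            if len(ips) >= min_hosts:       # assumed threshold
                return mac
    return None

def locate(mac, nbtscan_text):
    """IPs of nbtscan rows whose last column is the given MAC."""
    rows = (line.split() for line in nbtscan_text.splitlines())
    return [r[0] for r in rows if len(r) >= 2 and norm_mac(r[-1]) == mac]
```
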
  
[Solution]
  
Two-way binding is adopted to prevent ARP spoofing.
  
1. Bind the IP address and MAC address of the security gateway to the PC:
  
1) First, obtain the intranet MAC address of the security gateway (for example, the MAC address of the HiPER gateway at 192.168.16.254 is 0022aa0022aa).
  
2) Write a batch file rarp.bat with the following content:
  
@echo off
rem Clear the current ARP cache
arp -d
rem Add a static entry for the security gateway
arp -s 192.168.16.254 00-22-aa-00-22-aa
  
Change the gateway IP address and MAC address in the file to the actually used gateway IP address and MAC address.
  
Drag the batch file into "Windows → Start → Programs → Startup".
  
3) In an Internet cafe, you can use the server program of the billing software (pubwin or Vientiane both work) to push the batch file rarp.bat to the startup directory of all clients. The default startup directory on Windows 2000 is "C:\Documents and Settings\All Users\Start Menu\Programs\Startup".
  
2. Bind the IP address and MAC address of each user host on the security gateway:
  
In WebUI → Advanced Configuration → User Management, bind each LAN host.
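
A check that the PC-side binding from step 1 took effect, as an added example that is not part of the original article: it parses "arp -a" output and reports whether the gateway entry is static and carries the expected MAC. The sample output is constructed and assumes the column values of English-language Windows; the function names are assumptions.

```python
import re

# Constructed sample of Windows "arp -a" output captured after rarp.bat ran.
ARP_A = """\
Interface: 192.168.16.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.16.254        00-22-aa-00-22-aa     static
  192.168.16.223        00-0d-87-0d-58-5f     dynamic
"""

ROW = re.compile(
    r"\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)", re.I)

def norm_mac(text):
    """Reduce any MAC notation to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", text.lower())

def parse_arp(text):
    """Return (ip, mac, type) for every table row; headers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), norm_mac(m.group(2)), m.group(3).lower()))
    return rows

def check_gateway(arp_text, gw_ip, gw_mac):
    """Classify the gateway entry.

    'missing'  : no entry, rarp.bat did not run or arp -s failed
    'mismatch' : entry points at another MAC (poisoned or wrong binding)
    'dynamic'  : right MAC but learned from the network, so replaceable
    'ok'       : static entry with the expected MAC
    """
    entry = next((r for r in parse_arp(arp_text) if r[0] == gw_ip), None)
    if entry is None:
        return "missing"
    if entry[1] != norm_mac(gw_mac):
        return "mismatch"
    if entry[2] != "static":
        return "dynamic"
    return "ok"
```
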
