Static ARP and ARP protocol diagram 1th/3 Page _ Networking Tutorials

WIN2000 when the arp-s command set static ARP entry or often by people ARP spoofing, the recent experiment WIN2003 Arp-s finally can lock the ARP entry is not afraid of network law enforcement officers of these software.
The virus occurs when the characteristics of the machine will counterfeit a computer MAC address, such as the fake address for the gateway server address, then the entire Internet café will have an impact, users performance for the Internet often instantaneous.

First, enter the command prompt (or MS-DOS mode) on any client, and use the Arp–a command to view:
C:\winnt\system32>arp-a

interface:192.168.0.193 on Interface 0x1000003
Internet Address Physical Address Type
192.168.0.1 00-50-da-8a-62-2c Dynamic
192.168.0.23 00-11-2f-43-81-8b Dynamic
192.168.0.24 00-50-da-8a-62-2c Dynamic
192.168.0.25 00-05-5d-ff-a8-87 Dynamic
192.168.0.200 00-50-ba-fa-59-fe Dynamic

You can see that there are two machines with the same MAC address, so the actual check result is
00-50- DA-8A-62-2C for 192.168.0.24 mac address, 192.168.0.1 's actual MAC address is 00-02-ba-0b-04-32, we can determine 192.168.0.24 is actually a virus machine, it forged the 192.168.0.1 MAC address.

Enter the command prompt (or MS-DOS mode) on the 192.168.0.24 and view with the Arp–a command:
C:\winnt\system32>arp-a
interface:192.168.0.24 on Interface 0x1000003
Internet Address Physical Address Type
192.168.0.1 00-02-ba-0b-04-32 Dynamic
192.168.0.23 00-11-2f-43-81-8b Dynamic
192.168.0.25 00-05-5d-ff-a8-87 Dynamic
192.168.0.193 00-11-2F-B2-9D-17 Dynamic
192.168.0.200 00-50-ba-fa-59-fe Dynamic


You can see the MAC address displayed on the virus-carrying machine is correct, and the speed of the machine is slow, should be for all traffic in the two-layer through the machine for forwarding and caused by the machine after the restart of the Internet café all computers are not available, only after the ARP refresh MAC address is normal, generally in 2, 3 minutes or so.

Third, if the host can enter the DOS window, with the Arp–a command can see similar to the following phenomenon:
C:\winnt\system32>arp-a
interface:192.168.0.1 on Interface 0x1000004
Internet Address Physical Address Type
192.168.0.23 00-50-da-8a-62-2c Dynamic
192.168.0.24 00-50-da-8a-62-2c Dynamic
192.168.0.25 00-50-da-8a-62-2c Dynamic
192.168.0.193 00-50-da-8a-62-2c Dynamic
192.168.0.200 00-50-da-8a-62-2c Dynamic

When the virus does not attack, the address you see on the proxy server is as follows:
C:\winnt\system32>arp-a
interface:192.168.0.1 on Interface 0x1000004
Internet Address Physical Address Type
192.168.0.23 00-11-2f-43-81-8b Dynamic
192.168.0.24 00-50-da-8a-62-2c Dynamic
192.168.0.25 00-05-5d-ff-a8-87 Dynamic
192.168.0.193 00-11-2F-B2-9D-17 Dynamic
192.168.0.200 00-50-ba-fa-59-fe Dynamic


Virus attack, you can see all the IP address of the MAC address was modified to 00-50-da-8a-62-2c, the normal time you can see the MAC address will not be the same.
Solution:
First, the use of client and gatewayServerOn the static ARP binding method to resolve.
1. Gateway on all client machinesServerThe ARP static binding.
First in the GatewayServerView the local MAC address on the computer (proxy host)
C:\winnt\system32>ipconfig/all
Ethernet Adapter Local Connection 2:
Connection-specific DNS Suffix. :
Description ........... : Intel? pro/100b PCI
Adapter (TX)
Physical Address ..... . : 00-02-ba-0b-04-32
Dhcp Enabled ...... : No
IP address. ...........:192.168.0.1
Subnet Mask ........... : 255.255.255.0
And then do the static binding of the ARP under the DOS command of the client machine.
C:\winnt\system32>arp–s 192.168.0.1 00-02-ba-0b-04-32
Note: The IP and MAC address bindings for all other clients are recommended on the client if conditions are available.

2. At the GatewayServer(proxy host) on the computer to do the client machine ARP static binding
First look at the IP and MAC addresses on all client machines, as above.
Then do all the clients on the proxy hostServerThe ARP static binding. Such as:
c:\winnt\system32> arp–s 192.168.0.23 00-11-2f-43-81-8b
c:\winnt\system32> arp–s 192.168.0.24 00-50-da-8a-62-2c
c:\winnt\system32> arp–s 192.168.0.25 00-05-5d-ff-a8-87
。。。。。。。。。

3. The above ARP static binding finally made a Windows self boot file, so that the computer to start on the above operation to ensure that the configuration is not lost.

Two, the conditional Internet café can be in the switch IP address and MAC address binding


Third, IP and Mac binding, replace the NIC needs to be rebind, so it is recommended to install anti-virus software in the client to solve such problems: The Internet café found the virus is a variable speed gear 2.04B belt, the virus program in
http://www.wgwang.com/list/3007.htmlCan be downloaded to:

1,KAV (Kaspersky),Can kill the virus, the virus is named: TROJANDROPPER.WIN32.JUNTADOR.C
Antivirus information: 07.02.2005 10:48:00 C:\Documents and
Settings\Administrator\Local Settings\Temporary Internet
Files\content.ie5\b005z0k9\gear_setup[1].exe infected
Trojandropper.win32.juntador.c

2, rising can be killed in addition to the virus, the virus named: TROJANDROPPER.WIN32.JUNTADOR.F

3,
Another: Other city report Jinshan poison PA and rising named: "Password Assistant"Trojan virus(WIN32.TROJ.MIR2) or win32.troj.zypsw.33952 viruses have a similar situation.

Attached: "Password Assistant" virus and TROJANDROPPER.WIN32.JUNTADOR.C virus introduction address:
http://db.kingsoft.com/c/2004/11/22/152800.shtml

http://www.pestpatrol.com/pest_info/zh/t/t..._juntador_c.asp

Current 1/3 page 123 Next read the full text