In the article "Principles and harms of ARP spoofing in Internet cafes", I introduced the principles and harms of ARP spoofing. I believe that all network administrators hate ARP spoofing and hope that this phenomenon can be completely stamped out. Although I am not an Internet cafe administrator, I am responsible for 200 computers in five data centers. The following describes how to prevent ARP spoofing based on my experience; these methods apply to Internet cafes and to ordinary LANs alike.
An enterprise can issue network management rules that prohibit ARP spoofing and tie compliance to the interests of those concerned, for example through bonuses. An Internet cafe is different: the people using its computers and network are customers, that is, "God". We cannot impose too many constraints on their behaviour, so the only thing that can be done is to constrain and trace the source of ARP spoofing as far as possible by technical means.
I. Sniffer detection method:
A sniffer is a good tool for network management: every packet transmitted on the network can be captured with it, and ARP spoofing packets cannot escape its monitoring either.
Generally, an ARP spoofing packet does not carry the real address of the host sending the false information in its ARP payload, but the Ethernet frame carrying the ARP packet does contain that host's source MAC address. Moreover, the source/destination MAC addresses in the Ethernet frame header should match the ARP information in the frame's data portion; only then is the ARP packet correct, and if they do not match it must be a forged packet. Of course, a match is no reason to relax, since matching alone does not prove the packet is genuine. In addition, the captured packets should be compared with the NIC MAC-address database for the gateway's network segment to find which entries do not match the database. In this way, forged ARP packets can be identified, and the offending machine traced.
You can record the NIC MAC-address database when installing the system for the first time, creating a table of information such as Internet cafe seat number and MAC address. To view a MAC address, go to Start -> Run, open the Command Prompt window, and enter ipconfig /all. The value to the right of Physical Address is the MAC address of the corresponding NIC.
II. DHCP combined with static binding:
To avoid ARP spoofing completely, the MAC address of each computer must be unique and must correspond to a fixed IP address. Although we can manage the network by setting an IP address on each computer, a user who performs an ARP spoofing attack can change the IP address by hand in advance, which makes checking more complicated. Therefore, fixing the MAC address and IP address of each computer is the only prerequisite for avoiding ARP spoofing.
(1) Establish a DHCP server to ensure the uniqueness of MAC address and IP address:
First, enable the DHCP service on Windows 2000 Server or another server operating system to create a DHCP server for the Internet cafe. Generally, we recommend running the DHCP server on the gateway: DHCP does not use much CPU, and ARP spoofing attacks always target the gateway first.
(2) Create a MAC address database:
Record the MAC addresses of all NICs in the Internet cafe, and enter each MAC address together with its IP address and physical location into the database so that records can be looked up promptly. It can be saved as a database file in the form of an Excel table.
(3) Disable dynamic ARP update:
To prevent the gateway from being attacked at will, we also need to disable dynamic ARP refresh on the gateway machine. In this way, even if an illegal user uses ARP to attack the gateway, the attack has no effect on the gateway, which ensures host security. The following describes how to bind static IP/MAC entries on the gateway.
Step 1: Create the /etc/ethers file containing the correct IP/MAC correspondences, one per line, in the format 192.168.2.32 08:00:4E:B0:24:47.
Step 2: Add arp -f at the end of /etc/rc.d/rc.local so that the bindings take effect at startup.
The above method of disabling dynamic ARP update applies to Linux systems.
(4) Gateway monitoring:
Use the tcpdump program on the gateway to capture every ARP packet, and use a script-based analysis tool to analyse the ARP protocol traffic. ARP spoofing attack packets generally have the following two features, either of which can be treated as an attack-packet alarm. First, the source address, target address and protocol address in the Ethernet frame header do not match those in the ARP packet. Second, the sender address in the ARP packet is not in the NIC MAC database, or does not match the MAC/IP pair recorded in the database. The script analysis tool can also be used to raise alarms automatically. Finally, by checking the source address of these packets (the Ethernet frames), we can find out which machine is launching the attack.
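The two alarm features from section I and step (4), and the IP/MAC database in the /etc/ethers format from step (3), as an added example that is not part of the original article. The database entries and the ARP frames are constructed sample input, and build_arp exists only to produce them (a real deployment would feed frames captured by tcpdump into check_arp).

```python
import struct
# Constructed MAC/IP database in /etc/ethers format ("IP MAC"); stands in for the gateway's NIC database.
ETHERS_DB = """\
192.168.2.1 08:00:4E:B0:24:01
192.168.2.32 08:00:4E:B0:24:47
192.168.2.33 08:00:4E:B0:24:48
"""

def load_ethers(text):
    """Return {ip: mac} from 'IP MAC' lines; comments and blank lines are skipped."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ip, mac = line.split()
            db[ip] = mac.lower()
    return db

def parse_arp_frame(frame):
    """Decode an Ethernet frame; return the ARP fields we check, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    sha, spa = struct.unpack("!6s4s", frame[22:32])  # ARP sender hardware / protocol address
    return {"eth_src": mac(frame[6:12]), "sender_mac": mac(sha), "sender_ip": ".".join(str(x) for x in spa)}

def check_arp(frame, db):
    """Return the list of alarms for one frame (an empty list means it looks legitimate)."""
    pkt = parse_arp_frame(frame)
    if pkt is None:
        return []
    alarms = []
    # Feature 1: Ethernet source MAC disagrees with ARP sender MAC; the header MAC is the real source.
    if pkt["eth_src"] != pkt["sender_mac"]:
        alarms.append("header/payload MAC mismatch, frame really came from " + pkt["eth_src"])
    # Feature 2: the claimed sender IP/MAC pair is not in the NIC database.
    expected = db.get(pkt["sender_ip"])
    if expected is None:
        alarms.append("sender IP not in MAC database: " + pkt["sender_ip"])
    elif expected != pkt["sender_mac"]:
        alarms.append("sender MAC does not match database entry for " + pkt["sender_ip"])
    return alarms

def build_arp(eth_src, sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed ARP frame (reply by default); used here only to make sample input."""
    m = lambda s: bytes(int(x, 16) for x in s.split(":"))
    i = lambda s: bytes(int(x) for x in s.split("."))
    eth = b"\xff" * 6 + m(eth_src) + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, m(sender_mac), i(sender_ip), b"\x00" * 6, i(target_ip))
    return eth + arp
```

A frame that claims the gateway's IP with a forged sender MAC still carries the real source MAC in its Ethernet header, which is the address the alarm reports.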
III. Summary:
ARP spoofing is currently the most troublesome attack in network management, especially in LAN management. It requires little technical skill: anyone can complete an ARP spoofing attack with ready-made attack software. At the same time, there is no particularly effective way to prevent ARP spoofing, and currently only passive measures can be taken. The two methods described in this article are aimed at preventing ARP spoofing, and I hope they help readers. Of course, many network management software companies have launched their own products to prevent ARP spoofing. These products are not bad, but you should still choose carefully.
With a monitoring program in place, attack behaviour can be discovered immediately. Of course, to reduce the probability of attack, we can also set the gateway address to the second address of the network segment, for example 192.168.1.2.
In addition, the IP addresses of all clients and their related host information can only be obtained from the gateway. The gateway runs the DHCP service but binds a fixed, unique IP address to each NIC, ensuring that the IP addresses and MAC addresses of the machines on the network correspond one to one. In this way, although a client obtains its IP address through DHCP, it receives the same IP address every time it starts. This binding can be achieved through the DHCP address pool, or by setting the lease for the client's IP address and other network parameters to a very long time, such as one year or unlimited; the IP address obtained by the client then remains unchanged for as long as its MAC address remains unchanged during that period.