Source: People's Network
In the internal networks of many schools and companies, some immoral people often use ARP to spoof software and attack others, dropping many people or even paralyzing the entire network. To address this issue, you can take the following measures.
Describes a Firewall: Outpost Firewall. It can protect LAN software such as "P2P Terminator", with superb performance. It can also find out which machines are in use on the LAN. It is powerful and consumes less resources and can score 5 stars.
Click here to download Outpost Firewall
In fact, software similar to network management uses arp spoofing to achieve the goal. The principle is that the computer cannot find the MAC address of the gateway. So what is ARP spoofing?
First, let's talk about ARP. Address Resolution Protocol (ARP) is an Address Resolution Protocol that converts an IP Address into a physical Address. There are two ways to map IP addresses to physical addresses: Table and non-table.
ARP is to resolve the network layer (IP layer, that is, the third layer of OSI) Address to the MAC address of the Data Connection layer (MAC layer, that is, the second layer of OSI.
ARP principle: when A machine A sends A packet to host B, It queries the local ARP cache table and finds the MAC address corresponding to the IP address of host B, and then transmits data. If not, an ARP request packet (carrying the IP address Ia of host A-physical address Pa) is broadcasted, and host B with the IP address Ib replies to the physical address Pb. All hosts on the Internet, including B, receive ARP requests, but only host B recognizes its own IP address, so it sends an ARP response packet to host. It contains the MAC address of B. After receiving the response from B, A updates the local ARP cache. Then use the MAC address to send data (the MAC address is appended to the NIC ). Therefore, the local high-speed cache ARP table is the basis for local network circulation, and the cache is dynamic.
ARP does not receive ARP responses only when an ARP request is sent. When a computer receives an ARP response packet, it updates the local ARP cache and stores the IP and MAC addresses in the response in the ARP cache. Therefore, when A machine B in the lan sends A self-built ARP response to A, and if the response is forged by B impersonating C, that is, the IP address is the IP address of C, while the MAC address is forged, when A receives B's forged ARP response, it will update the local ARP cache. In this case, the IP address of C does not change in A's opinion, and its MAC address is no longer the original one. Because the lan network flow is not carried out by IP address, but by MAC address. Therefore, the forged MAC address is changed to A non-existent MAC address on A, which will cause network failure and A cannot Ping C! This is a simple ARP spoofing.
The solution can be summarized as follows:
1. Use VLAN
As long as your PC and P2P Terminator are not in the same VLAN, you can't help it.
2. Bind a two-way IP address or MAC address
Bind the MAC address of your egress router on the PC. the P2P Terminator cannot spoof you, and naturally it cannot worry about you. However, the MAC address bound to a route on the PC is not secure yet, because the P2P Terminator software can fool routing, the best solution is to use PC and bind two-way IP/MAC on the routing, that is, bind the MAC address of the outbound route on the PC, bind the IP address and MAC address of the PC on the route. In this way, the route must support IP/MAC binding, such as the HIPER router.
3. Use IP/MAC address theft + IP/MAC binding
Simply change your MAC address and IP address to the same IP address and MAC address as those running the P2P Terminator software, and check how it is managed. This is a two-pronged approach. There must be some tips in the change, otherwise, an IP conflict is reported. you need to change the MAC address first, and then the IP address, so that WINDOWS will not report IP conflicts (windows silly). This step is not complete yet, it is recommended that you bind the MAC address of the route on the PC, so that P2P Terminator spoofing routing is also in vain.
How to block cyber law enforcement officers
Use the Look N Stop firewall to prevent arp Spoofing
1. prevent cyber law enforcement officers from controlling
Cyber law enforcement officers use ARp spoofing to achieve control purposes.
ARP is used to resolve the correspondence between IP addresses and MAC addresses. Therefore, the following methods can be used to resist the control of cyber law enforcement officers. If your machine is not prepared to communicate with machines in the LAN, you can use the following methods:
A. There is an "ARP: Authorize all ARP packets" rule in "Internet filtering", which marks the prohibition before this rule;
B. however, this rule will disable gateway information by default. The solution is to place the gateway's MAC address (usually the gateway is fixed) in the "target" area of this rule, in "Ethernet: Address", select "not equal to" and fill in the MAC address of the gateway at that time. Put your MAC address in the "Source" area and in "Ethernet: select "not equal to" in "Address ".
C. in the last "All other packet", modify the "target" Area of the rule, select "not equal to" in "Ethernet: Address", and enter "FF: FF" in the MAC address: FF: FF; Put your MAC address in the "Source" area and select "not equal" in "Ethernet: Address ". Others are not modified.
In this way, cyber law enforcement officers will be powerless. This method is applicable when the gateway address is fixed and does not communicate with other machines in the LAN.
If your machine needs to communicate with the machine in the LAN, you only need to get rid of the control of the cyber law enforcement officer, then the following method is simpler and more practical (this method has nothing to do with the firewall ):
Go to the command line status and run "ARP-s gateway IP Gateway MAC". To get the gateway MAC, just Ping the gateway and run the Arp-a command to view it, the IP address of the gateway corresponds to the MAC address. This method should be more universal, and it also works well when the gateway address is variable. Just repeat "ARP-s gateway IP Gateway MAC. This command is used to create a static ARP resolution table.
In addition, I heard that the op firewall can also be blocked. I have not tried this.
Prevent P2P Terminator attacks
1: The first method is to modify your MAC address. The following is the modification method:
Enter regedit in "run" in the "Start" menu, open the Registry Editor, and expand the registry to the HKEY_LOCAL_MACHINESystem CurrentControlSetControlClass {4D36E9E} sub-key, at keys, find DriverDesc in branch 0002 (if you have more than one network card, there will be 0001,000 2 ...... the information about your Nic is saved here. The DriverDesc content is the NIC Information Description, for example, my Nic is Intel 210 41 based Ethernet Controller ), assume that your network card has a 0000 sub-key. Add a string named "NetworkAddress" under the 0000 subkey. The key value is the modified MAC address, which must be 12 consecutive hexadecimal numbers. Then, create a new sub-key named NetworkAddress in NDIparams under the "0000" sub-key and add a string named "default" under the sub-key, the key value is the modified MAC address.
Create a string named "ParamDesc" under the sub-Key of NetworkAddress. The function is to specify the Network Address description. The value can be "MAC Address ". In this way, enable the "attribute" of the network neighbor. Double-click the corresponding Nic and you will find a "advanced" setting under which the MACAddress option exists, it is the new "NetworkAddress" that you add to the Registry. You only need to modify the MAC address here. Disable registry and restart. Your NIC address has been changed. Open the properties of the network neighbor. Double-click the corresponding Nic item and you will find an advanced configuration item for MAC Address, which is used to directly modify the MAC Address.
2: The second method is to modify the IP-to-MAC ing so that the ARP spoofing of P2P attacks will become invalid and thus break through its limitations. In cmd, run the ARP-a command to obtain the MAC address of the gateway, finally, use the ARP-s IP Nic MAC address command to map the gateway IP address to its MAC address.
Vista and XP systems: you only need to use arp commands to bind your MAC and route MAC, for example:
Arp-s self-IP MAC
Arp-s Route IP Route MAC
It is best to bind all of them. If you only bind a route, you will not be able to go online after an IP conflict occurs. If you bind yourself to a route, you will be able to access the Internet after an IP conflict occurs.
Windows 9x/2000 requires software. Search for anti arp sniffer and set the IP address and mac address. However, XP and Vista systems can also install this software, so you can clearly see who wants to remove you or want to limit you. Of course, we recommend that you replace this system with Vista or XP. If you set it above, the p2p Terminator will be scrapped.
For Vista and XP systems, enter arp-a in the cmd status.
If the last status of the Route IP address and its own IP address is static, the binding is successful.
Arp-d
Before binding, it is recommended that you enter it to delete the illegal binding.
Everyone understands this. It's actually not hard.