Five simple ways to help you quickly resolve an ARP attack on your network

Absrtact: In the LAN, ARP attacks still occupy a high proportion. As we all know, the basic function of the ARP protocol is to inquire the MAC address of the target device through the IP address of the target device to ensure the smooth communication. The ARP protocol is based on trusting all

In the LAN, ARP attacks still occupy a high proportion. As we all know, the basic function of the ARP protocol is to inquire the MAC address of the target device through the IP address of the target device to ensure the smooth communication. The ARP protocol is based on trusting all the people in the LAN, so it is easy to implement ARP spoofing on Ethernet. What's more, the ARP protocol is working in a protocol layer lower than the IP protocol, so its harm is more covert.

ARP type of attack was first used to steal passwords, the net poisoning computer can be disguised as a router, steal the user's password, and later developed into a hidden in the software, disrupting the normal network of other LAN users communication.

As a network administrator you may have this experience--the internet is often off the line, slow, you can not do it. This could be the manifestation of an ARP attack on your network, and here are five simple ways to help you solve it quickly.

First, the establishment of the MAC database, the Internet Café all the network card MAC address records, each Mac and IP, the location of all loaded into the database, in order to timely inquiries for the record.

Second, the establishment of a DHCP server (recommended to be built in the gateway, because the DHCP does not occupy the number of CPUs, and ARP spoofing attacks are always the first attack gateways, we just want him to attack the Gateway first, because the gateway here has the monitoring program, gateway address recommended to choose 192.168.10.2, Leave the 192.168.10.1 blank, if the criminal procedure stupid words let him attack the empty address bar, in addition all client's IP address and its related host information, only then obtains by the gateway, the gateway here opens the DHCP service, but wants to give each network card, binds the fixed unique IP address. Be sure to keep the machine in the net Ip/mac one by one corresponding relationship. This way, although the client is DHCP to address, but every time the IP address is the same.

Third, the Gateway monitoring network security. The gateway uses the TCPDUMP program to intercept each ARP package and get a script analysis software to analyze these ARP protocols. ARP spoofing attack packets generally have the following two features, one can be considered to meet the attack packet alarm: The first Ethernet packet header source address, Destination address and ARP Packet protocol address does not match. Alternatively, the sending and destination address of the ARP packet is not in its own network card Mac database, or it does not match its own network Mac database MAC/IP. These are all the first time to call the police, check the data packets (Ethernet packets) Source address (also may be forged), it is generally known that the machine is launching an attack.

The Gateway machine closes the ARP dynamic refreshing process, using static route, so that even if the suspect uses ARP spoofing attack Gateway, this is useless to the gateway, to ensure the host security.

The gateway establishes a static IP/MAC bundle by establishing the/etc/ethers file, which contains the correct IP/MAC correspondence, in the following format:

192.168.2.32 08:00:4e:b0:24:47

And then/etc/rc.d/rc.local.

Last added: arp-f

Effective

Five, sneak to the machine, to see whether the person intentionally, or was allowed to put what Trojan program framed. If the latter, quietly find an excuse to get rid of him, unplug the network cable (do not shut down, especially to see the Win98 in the planning task), to see the machine's current use of records and operation, determine whether it is in the attack.

Vi. use of protective software. The ARP firewall uses the System Kernel layer interception technology and the active defense technology, contains six big function modules to be able to solve most cheats, the ARP attack brings the question, thus guarantees the communication security (guarantees the communication data not to be the network management software/The Malicious software monitoring and the control), guarantees the net unimpeded.

Seven, has the ARP protection function network equipment. The network problem caused by the attack of ARP form is the current network management, in particular, LAN management, the most annoying attack, his attack technology is low, any one can attack the software to complete ARP spoofing attacks, while guarding against ARP forms of attack there is no particularly effective way. At present only through the passive form of remedial measures, the method introduced in this article hope to help everyone.

Original address: http://www.sousuo360.com/html/WangzhanSheji/200912/091222151539516.html