At present, there are some softwares with ARP spoofing function, such as QQ Sixth Sense, Network Law Enforcement Officer, P2P Terminator, Internet Cafe Legend Black Boy, etc. Some of these softwares are artificially operated to destroy the network, and some of them appear in the form of viruses or Trojans, which users may not know at all, which further expands the lethality of ARP attacks.
From the way of affecting the smooth network connection, there may be two kinds of ARP spoofing attacks, one is to spoof the router ARP table; The other is to cheat the ARP table of the intranet computer. Of course, both attacks may be carried out at the same time. How about without management? After spoofing, the data sent between the computer and the router may be sent to the wrong MAC address. On the surface, it means "unable to access the network", "unable to access the router" and "router crash", because once the router is restarted, the ARP table will be rebuilt. If ARP attacks don't always exist, it means that the network is normal, so Internet cafe owners will be more sure that the router is "dead" and won't. For this reason, the broadband router has taken a lot of blame, but in fact it should be the ARP protocol itself.
If this problem occurs, it usually has the following characteristics:
1. All (or most) PCs in the LAN can't ping the gateway address and get online; However, the connection indicators of the network card and the switch are normal.
2. Because the default ARP timeout of Windows system is long, even if we immediately find out which PC is making trouble behind the scenes, we can't solve the problem immediately by turning off the PC. We need to clear the ARP table on the client PC [execute ARP/D in CMD mode] to learn again or simply restart the PC.
3. Although these ARP spoofs copy the MAC address of the router's network port, they don't really need to set the ip/ mac of their network card to be the same as the router, so there is generally no alarm prompt for address conflict on the router.
The way to confirm this problem is also very simple. Under the condition of ensuring the normal work of lan switches and the normal connection of network cable, randomly find a PC without Internet access, open the CMD command line interface, and execute arp /a to see if the mac corresponding to the gateway ip address is the mac address of the router network port. If not, ARP cheating can be basically determined. For example:
This is an ARP table entry on the PC side:
C:\ arp /a
Interface:192.168.19.180-0x2.
Internet address physical address type
192.168.0.3 00-90-27-a7-ad-00 dynamic
192.168.0.100-E0-0f-58-cc-1c (router Ethernet port MAC address information) dynamic.
192. 168.0. 10
Look at the MAC address information of the router Ethernet port: 00-E0-0f-58-CC-1c192.168.0.1. If it is not the MAC of the router, it means that someone is deliberately interfering with it.
If it is an ARP problem, it will generally lead to the disconnection of the whole network, which has a great impact and it is easy to find the location. The method of first aid is not difficult, as I have said before. As for the prevention method, you can use the CMD command: ARP-S192.168.1.600-E0-0f-62-C6-09 on each PC to bind the static ARP portal, but it is troublesome to configure, implement and maintain. Static ARP entry will be bounced every time it is started, which is very troublesome. You can create a new batch file, such as static_arp.bat Note that the suffix is bat. Edit it, you can double-click it to execute this command later, or you can put it in the startup directory of the system and execute it yourself at startup. Open the computer Start-> Program, double-click Start to open the startup folder directory, and copy the newly created static_arp.bat into it. In the future, every time the computer is turned on, it will execute the ARP–s command by itself.
There is also an ARP static binding command on the router, but ARP cheats the identity of the fake gateway to deceive the PCs in the LAN, so it is of little significance to bind the mac address of each PC on the router. However, this method can prevent the LAN PC from changing the ip address.
Principle and solution of arp virus
Principle and solution of arp virus
Arp virus invades the network, which makes most Internet cafes and families suffer greatly! ! Caught phenomenon: disconnected ~ ~ ~ ~ `.
Here I got the relevant information online, and the network experts studied it ~ ~
The solution of arp attack
Cause of failure
Someone in the local area network uses arp to cheat Trojan horse programs (such as legendary software that steals numbers, and this program has been maliciously loaded in some legendary plug-ins).
Fault principle
To understand the fault principle, let's first understand the arp protocol.
In local area network, ip address is converted into the second layer physical address (that is, mac address) by arp protocol. Arp protocol is of great significance to network security. By forging ip addresses and mac addresses to achieve arp spoofing, a large amount of arp traffic can be generated in the network to block the network.
Arp is the abbreviation of "Address Resolution Protocol". In a local area network, what is actually transmitted in the network is a "frame", which contains the mac address of the target host. In Ethernet, if a host wants to communicate directly with another host, it must know the mac address of the target host. But how did you get this target mac address? It is obtained through the address resolution protocol. The so-called "address resolution" is the process that the host converts the destination ip address into the destination mac address before sending the frame. The basic function of arp protocol is to query the mac address of the target device through the ip address of the target device to ensure the smooth communication.
Every computer with tcp/ip protocol installed has an arp cache table, and the ip address and mac address in the table are in one-to-one correspondence, as shown in the following table.
Host ip address mac address
a 192. 168. 16. 1 aa-aa-aa-aa-aa-aa
b 192. 168. 16.2 bb-bb-bb-bb-bb-bb
c 192. 168. 16.3
d 192. 168. 16.4
Let's take the example that host A (192.168.16.1) sends data to host B (192./68.16.2). When sending data, Host A will look up the destination ip address in its arp cache table. If it is found, it will know the target mac address, and directly write the target mac address into the frame and send it; If the corresponding ip address cannot be found in the arp cache table, host A will send a broadcast on the network, and the target mac address is "ff.ff.ff.ff.ff.ff", which means asking all hosts in the same network segment: "192.168.16.2 what is the mac address? Other hosts on the network do not respond to arp queries, and only host B responds to host A when it receives this frame: "The mac address of192.168.16.2 is bb-bb-bb". In this way, host A knows the mac address of host B, and it can send information to host B. At the same time, it also updates its own arp cache table, and the next time it sends information to host B, it can directly look it up from the arp cache table. Arp cache table adopts aging mechanism. If it is in the table for a period of time,
ARP virus invades the network In recent days, ARP virus invades the network, causing most Internet cafes and families to appear: network disconnection ~ ~ ~ ~ Here, I got relevant information on the Internet, and network experts studied the solution of ARP attack. Someone in the LAN used a Trojan horse program cheated by ARP (such as maliciously loading the legendary hacker software in some legendary plug-ins). Fault principle To understand the fault principle, let's first understand the ARP protocol. In local area network, IP address is converted into the second layer physical address (that is, MAC address) through ARP protocol. ARP protocol is of great significance to network security. By forging IP addresses and MAC addresses to achieve ARP spoofing, a large amount of ARP traffic can be generated in the network to block the network. ARP is the abbreviation of "Address Resolution Protocol". In a local area network, what is actually transmitted in the network is a "frame", which contains the MAC address of the target host. In Ethernet, if a host wants to communicate directly with another host, it must know the MAC address of the target host. But how did you get this target MAC address? It is obtained through the address resolution protocol. The so-called "address resolution" is the process that the host converts the destination IP address into the destination MAC address before sending the frame. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure the smooth communication. Every computer with TCP/IP protocol installed has an ARP cache table, and the IP address and MAC address in the table are in one-to-one correspondence, as shown in the following table. Host IP address MAC address A192.168.16.1AA-AA-AAB192.168.16.2. 06.3 cc-cc-cc-cc-cc-cc-cc d 192. 168. 16.4 DD-DD-DD-DD-DD。 We use host A (192.5438+068.5438+06.5438). When sending data, Host A will look up the destination IP address in its ARP cache table. If it is found, it will know the target MAC address, and directly write the target MAC address into the frame and send it; If the corresponding IP address cannot be found in the ARP cache table, Host A will send a broadcast on the network with the target MAC address of "FF". FF.FF.FF.FF.FF ",which means asking all hosts in the same network segment:" What is the MAC address of192.168.16.2? " Other hosts on the network do not respond to ARP queries, and only host B responds to host A when it receives this frame: "The MAC address of192.168.16.2 is bb-bb-bb". In this way, host A knows the MAC address of host B, and it can send information to host B. At the same time, it also updates its own ARP cache table, and the next time it sends information to host B, it can directly look it up from the ARP cache table. ARP cache table adopts aging mechanism. If a row in the table is not used for a period of time, it will be deleted, which can greatly reduce the length of ARP cache table and speed up the query. As can be seen from the above, the basis of ARP protocol is to trust everyone in the LAN, so it is easy to realize ARP spoofing on Ethernet. Cheat target A, A Ping host C, but send it to address DD-DD-DD-DD-DD. If you cheat C's MAC address into DD-DD-DD-DD-DD, then all the packets sent by A to C will be sent to D. Isn't this that D can receive the packets sent by A? Sniffing succeeded. A didn't realize the change at all, but what happened next made people doubt it. Because a and c can't connect. D may not forward the received packets sent by A to C .. as a "middleman" and redirect ARP. Turn on the IP forwarding function of D, and the packets sent by A will be forwarded to C, just like a router. However, if D sends ICMP redirection, it will interrupt the whole plan. D directly modifies and forwards the whole packet, captures the data packets sent by A to C, and forwards them to C after all modifications, while the data packets received by C are completely thought to be sent by A ... but the data packets sent by C are directly transmitted to A to prevent ARP from deceiving C again. Now that D has completely become a bridge between A and C, you can know the communication between A and C like the back of your hand. Fault phenomenon When the host in the local area network runs the Trojan horse program cheated by ARP, it will cheat all the hosts and routers in the local area network, so that all internet traffic must pass through the virus host. Other users used to surf the Internet directly through routers, but now they switch to surfing the Internet through virus hosts. When switching, the user will disconnect once. After switching to the virus host, if the user has logged into the legendary server, then the virus host will often fake the illusion of disconnection, and then the user will log into the legendary server again, so that the virus host can steal the number. Due to the attack of ARP spoofing Trojan horse, a large number of data packets will be sent out, which will lead to the congestion of local area network communication and the limitation of its own processing capacity, and users will feel that the internet speed is getting slower and slower. When the Trojan horse program cheated by ARP stops running, the user will resume surfing the Internet from the router, and the user will be disconnected again during the switching process. HiPER users soon found that ARP spoofing Trojan saw a lot of the following information in the router's "system history" (only in the router software version after 440): macchged10.128.103.438+024 macold00: 01 : 6c: 36: D. The message f MAC new 00: 05: 5d: 60: C7:18 indicates that when ARP spoofs Trojan, the MAC addresses of all hosts in the LAN are updated to those of virus hosts (that is, the new MAC addresses of all information are the same as those of virus hosts), and we can see the MAC address information of all users in the "user statistics" of the router. If a large number of old MAC addresses are consistent in the "system history" of the router, it means that ARP spoofing has occurred in the LAN (when the Trojan horse program cheated by ARP stops running, the host recovers its real MAC address on the router). Looking for Virus Host in LAN We already know the MAC address of the host that used ARP to cheat Trojan horse, so we can use NBTSCAN (download address:) tool to find it quickly. NBTSCAN can get the real IP address and MAC address of PC. If there is a "legendary Trojan horse" doing something strange, you can use the Trojan horse to find the IP/ and MAC address of the PC. Command: "nbtscan-r192.168.16.0/24" (search the whole192./68.16.0/24 network segment. Or "nbtscan192.168.16.25-137" search192.16.25-137 network segment. The first column of the output result is the IP address and the last column is the MAC address. Example of using NBTSCAN: suppose a virus host with MAC address "000d870d585f" is found. 1) Decompress the nbtscan.exe and cygwin 1.dll in the compressed package to C: 2) Start-Run-Open in Windows, enter cmd (enter "command" in Windows 98), and enter: C: BTS can-r192./kloc-in the DOS window that appears. C: documents and settings Alan c: btscan -r192.168.16.124 warning:-r option is not supported under Windows. You can run without it. NBT name the address of NetBIOS name server user MAC address-1 92.168.16.192.168.6 5438+06.0 sendto from IP address. Don't build your network security trust relationship on ip or MAC (rarp also has the problem of cheating). The ideal relationship should be based on IP+MAC. 2. Set a static MAC-IP correspondence table, and don't let the host refresh your translation table. 3. Stop using ARP unless necessary, and save ARP as a permanent entry in the corresponding table. 4. Use ARP server. Find your own ARP conversion table through this server to respond to ARP broadcasts from other machines. Make sure this ARP server is not hacked. 5. Use "proxy" to proxy IP transmission. 6. Shield the host with hardware. Set your route and ensure that the IP address can reach the legal path. (Static configuration of routing ARP entries), note that using switching hubs and bridges cannot prevent ARP spoofing. 7. The administrator regularly obtains the rarp request from the responding IP packet, and then checks the authenticity of the arp response. 8. The administrator polls regularly to check the ARP cache on the host. 9. Use a firewall to continuously monitor the network. Please note that ARP spoofing may cause trap packets to be lost when using SNMP. HiPER users' solution suggests that users adopt two-way binding to solve problems and prevent ARP spoofing. 1. Bind the IP and MAC addresses of the router on the PC: 1) First get the MAC address of the router's intranet (for example, the HiPER gateway address192.168.16.254 has a MAC address of 0022aa0022aa LAN port). 2) Write a batch file rarp.bat with the following contents: @ echooffarp-daprp-s192.168.16.25400-22-aa. Just change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address. Drag this batch software to "windows-Start-Program-Start"