What are the symptoms of an ARP disconnection attack?
1. Frequent disconnections, in one area or across the whole LAN, together with IP address conflicts;
2. Internet speed that is sometimes fast and sometimes slow;
3. Extreme instability that seriously disrupts normal network communication;
4. Security software warns that the machine is under ARP attack.
Any of these problems is infuriating when it appears on a user's computer. Is there a way to trace the source of an ARP disconnection attack?
1. First, determine whether it is an ARP virus attack
1. When Internet access becomes noticeably slower or is suddenly cut off, use the arp -a command to check the ARP table:
Click the "Start" button, select "Run", type "cmd", click "OK", and enter the command arp -a in the window that opens.
Check ARP list
If the gateway's MAC address has changed, or many IPs point to the same physical address, it must be ARP spoofing. At this point you can clear the ARP list with arp -d and try accessing the network again.
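As an added example (not from the original article), a small Python script that performs the two checks just described against a constructed sample of Windows arp -a output: it compares the gateway entry with the MAC address you recorded while the network was healthy, and lists any MAC address claimed by more than one unicast IP. The gateway IP, the recorded MAC and the sample table are all constructed values.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output from a Windows client during an incident.
SAMPLE_ARP_A = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.45          00-11-22-33-44-55     dynamic
  192.168.1.77          00-11-22-33-44-55     dynamic
  192.168.1.100         aa-bb-cc-dd-ee-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One table row: IPv4 address, Windows-style dashed MAC, entry type.
ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp_table(text):
    """Return [(ip, mac, type), ...] from `arp -a` output; MACs are lower-cased."""
    rows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return rows

def is_unicast(ip, mac):
    """Broadcast and multicast entries legitimately share MACs, so ignore them."""
    first_octet = int(ip.split(".")[0])
    return (mac != "ff-ff-ff-ff-ff-ff" and not mac.startswith("01-00-5e")
            and not 224 <= first_octet <= 239)

def check_arp_table(text, gateway_ip, known_gateway_mac):
    """Flag the two spoofing signs: a changed gateway MAC, and one MAC behind many IPs."""
    rows = parse_arp_table(text)
    findings = []
    for ip, mac, _ in rows:
        if ip == gateway_ip and mac != known_gateway_mac.lower():
            findings.append(f"gateway {ip} MAC changed: expected {known_gateway_mac.lower()}, table shows {mac}")
    ips_by_mac = defaultdict(list)
    for ip, mac, _ in rows:
        if is_unicast(ip, mac):
            ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by {len(ips)} IPs: {', '.join(ips)}")
    return findings
```

Run it as check_arp_table(SAMPLE_ARP_A, "192.168.1.1", "00-AA-BB-CC-DD-01"), where the third argument is the gateway MAC you noted on a healthy network; an empty list means neither sign is present.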
2. Use ARP firewall software (for example 360 ARP Firewall, Anti ARP Sniffer, etc.).
2. Find the ARP virus host
1. The arp -d command only solves the Internet problem temporarily. To fix it for good, you must find the virus host. From the arp -a output above, the changed gateway MAC address, or the physical address that multiple IPs point to, is the MAC address of the infected machine. Which host has this MAC address? Windows has the ipconfig /all command to check each computer's details, but with many computers it is not practical to check them one at a time. Instead, download a program called "NBTSCAN", which can scan the real IP address and MAC address of every PC.
2. What if you don't have this software at hand? You can also run a route trace on the client computer, for example: tracert -d www.xitongjiazhi.net. You will immediately see that the first hop is not the gateway's intranet IP but the IP of another machine in the same network segment, and that the next hop is the gateway's intranet IP. Normally, the first line output by the route trace should be the default gateway address. From this you can conclude that the host with the non-gateway IP at the first hop is the culprit.
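As an added example (not from the original article), a Python check that applies this rule to constructed tracert -d output: it returns the first-hop IP when that hop is a host on the client's own segment rather than the default gateway, with the real gateway following as hop 2, and None otherwise. The client IP, netmask and gateway values are assumed.

```python
import ipaddress
import re

# Constructed sample of `tracert -d` output taken on a client whose traffic is being relayed.
SAMPLE_TRACERT = """\
Tracing route to 203.0.113.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.1.45
  2     1 ms     1 ms     1 ms  192.168.1.1
  3    12 ms    11 ms    12 ms  203.0.113.1

Trace complete.
"""

# A hop line: hop number first, an IPv4 address last; timed-out hops ('*') carry no address.
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?(\d+\.\d+\.\d+\.\d+)\s*$")

def parse_hops(text):
    """Return [(hop_number, ip), ...] for every hop that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(2)))
    return hops

def find_first_hop_relay(text, client_ip, netmask, default_gateway):
    """Return the IP of a LAN host sitting in front of the gateway, or None.

    The sign described in the text: hop 1 is a machine on our own segment that is
    not the gateway, and the real gateway only appears as hop 2.
    """
    hops = dict(parse_hops(text))
    first = hops.get(1)
    if first is None or first == default_gateway:
        return None  # normal case (or hop 1 timed out): nothing to report
    lan = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    if ipaddress.ip_address(first) not in lan:
        return None  # off-segment first hop: a routing problem, not this ARP symptom
    if hops.get(2) != default_gateway:
        return None  # the real gateway is not the next hop: not the pattern described
    return first
```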
Find the path to access the external network
Of course, once the IP is found, the next step is to find the machine it belongs to. If every computer is numbered, uses a fixed IP, and the IPs follow a regular scheme, it can be found quickly. But what if that is not the case, the IP assignments are irregular, or IPs are obtained dynamically? Do we still have to check them one by one? No! You can do this: set a machine's IP address to the same one as the perpetrator machine, which causes an IP address conflict; the poisoned host then raises an alarm, and you can find it that way.
3. Dealing with the virus host
1. Use anti-virus software to scan for and remove the virus.
2. Reinstalling the system is recommended to solve the problem once and for all. (Of course, also check whether disks other than the system disk contain viruses.)
4. How to prevent ARP disconnection attacks?
1. Two-way IP/MAC binding
Because of the way ARP viruses behave on the network, some technical measures can immunize the network against ARP spoofing packets. Even if a computer on the network is infected with an ARP virus and sends spoofed ARP packets, the other computers will not modify their own ARP cache tables, and packets will always be sent to the correct gateway. A commonly used method is the "two-way binding method". As the name suggests, it binds IP and MAC addresses at both ends. One end is the router, which binds the IP and MAC addresses of the computers in the LAN below it.
2. As a network administrator, make full use of tool software and keep some commonly used tools ready. For ARP, it is recommended to have the following software on hand:
(1) Feiyuxing gateway intelligent binding wizard, with one-click binding.
(2) "Anti ARP Sniffer" (Anti ARP Sniffer can prevent ARP techniques from being used to intercept data packets or to send address-conflict packets, and can find the IP and MAC addresses of the attacking hosts).
(3) "NBTSCAN" (NBTSCAN can obtain the real IP address and MAC address of each PC, and so tells you the MAC address corresponding to each IP in the LAN).
(4) "Network Law Enforcement Officer" (a LAN management auxiliary tool that works at the underlying network protocol level and can get past each client's firewall to monitor every host, switch and other IP-equipped device on the network; using the network card, its main function is to monitor the whole LAN in real time according to the permissions the administrator defines for each host and to manage unauthorized users automatically. It can isolate unauthorized users from certain hosts or from the entire network, and no matter what firewall a LAN host runs, it cannot escape monitoring and no firewall warning is triggered, which improves network security).
3. Regularly check the LAN for viruses, run virus scans on each machine, and keep systems patched. It is best to ensure that every computer in the LAN has anti-virus software that can be updated.
4. Instruct users on the network not to click or open links sent via QQ, MSN and other chat tools, and not to open or run unfamiliar or suspicious files and programs, such as strange email attachments, plug-ins, etc.
5. It is recommended to give each computer in the LAN a fixed IP and not to enable DHCP on the router. Number each computer, with each number corresponding to a unique IP; this helps troubleshoot future failures and makes management easier. Also use "NBTSCAN" to find the MAC address corresponding to each IP, and build a one-to-one "computer number-IP address-MAC address" database.
The best defense against ARP disconnection attacks is actually to leave the LAN and connect through a separate network cable, which settles it once and for all. However, that is rarely an option. In that case, use the methods above to catch the culprit and make an example of them.