【 Weak current College 】 on LAN ARP attack damage and preparedness tips

You can not have LAN frequently of regional or overall drop off, restart the computer or network device and restore normal? your network speed will not slow, when the fast is extremely unstable, but stand-alone implementation of optical fiber data test everything works? you can not always hear staff of Internet banking, games and QQ account frequently lost message? ...
The emergence of these questions have in large part thanks to ARP attack, my school LAN since last may ARP attack frequently appears, the current campus network has found that "ARP attack" series, the virus has got dozens of variants. According to detect data display, APR attack never stopped, effective protection against ARP forms of network attack has become necessary to ensure network and smooth.
First, the basics of ARP
1. What is ARP?
The ARP protocol is "AddressResolutionProtocol" (address of agreement). In the local area network, the network is the actual transmission of a "frame", frame there is the MAC address of the target host. In Ethernet, one host to another host and direct communication, you must know the MAC address of the target host. But the destination MAC address is how to achieve it? it is through the analysis of the agreements made with the address.
Analysis of the so-called "address" is the host to send the frame before the destination IP address is converted to the destination MAC address. The basic functionality of the ARP protocol is through the IP address of the target device, query the target device's MAC address, in order to ensure the smooth implementation of the communication.
In the local area network, the ARP protocol to complete the IP address to a physical address of the second layer (i.e. the MAC address) of the ARP protocol for network security has a major significance.
2, the working principle of the ARP protocol
Normally, each host will own ARP buffer a ARP list to represent the IP address and MAC address of the corresponding contact. When a source host to a packet to be sent to the destination host, first check your ARP list can not exist in the IP address of the corresponding MAC address, if any, will directly send the packet to the MAC address;
If not, the local network segment launched a broadcast ARP request packet, query the host corresponding MAC address. This ARP request packets with source IP address of the host, the hardware address, as well as the IP address of the destination host. All of the host receives the ARP request and checks the packet destination IP can not and its own IP address.
If you are not the same would ignore this packet, and if different, the host will first send-end MAC address and IP address to add to your ARP list, if the ARP table already exists in the IP information, it will be overwritten, and then to the source host sends an ARP response packet, tell someone he is it necessary to find the MAC address of the source host receives the ARP response packets to get to the host's IP address and MAC address to add to your ARP list, and use this information to start data transfer.
Figure:
1. to send a network packet to 192.168.1.1, but don't know the MAC address?
2. in the LAN send broadcast packets "MAC address 192.168.1.1?"
3. other machine does not respond, only the "192.168.1.1 in response to the MAC address is 192.168.1.1 00-aa-00-62-c6-09"
You can see from the above, the foundation of the ARP protocol is to trust all the people in local network, so it is easy to achieve in Ethernet ARP Spoofing. What's more, the ARP protocol is working in more than IP protocol a protocol layer, so its hazards are more subtle.
Second, the principle of ARP Spoofing
ARP type attack wall to steal passwords, network poisoning can masquerade as routers, computers, steal users ' passwords, and later developed into a contained in the software, the disruption of other network users the normal network traffic, here we briefly describe the principle of ARP Spoofing: the assumption that such a network, a switch to connect the 3 machines, followed by computer A, B, C
A IP address is:: 192.168.1.1MAC: AA-AA-AA-AA-AA-AA
B of the address is: IP: 192.168.1.2MAC: BB-BB-BB-BB-BB-BB
C the address is: IP: 192.168.1.3MAC: CC-CC-CC-CC-CC-CC
Step two: under normal circumstances in A computer running the ARP cache table ARP-A query should appear as follows.

Interface:192.168.1.1onInterface0x1000003
InternetAddressPhysicalAddressType
192.168.1.3CC-CC-CC-CC-CC-CCdynamic
Step 3: run on computer b, ARP Spoofing ARP Spoofing packets to be sent.
B to A send a spoofed ARP replies, but the data in the response to the sender IP address is 192.168.10.3 (C IP address), MAC address is DD-DD-DD-DD-DD-DD (C MAC address should be CC-CC-CC-CC-CC-CC, here was forged). When A receives the ARP reply B forged, updates local ARP cache (A may not know that was forged). But A knowledge is actually come from B send, A here only 192.168.10.3 (C IP address) and invalid DD-DD-DD-DD-DD-DDMAC address.
Step four: spoofing is complete we run on a computer in A ARP-A to query the ARP cache information. You will find that the correct information is incorrect.
Interface:192.168.1.1onInterface0x1000003
InternetAddressPhysicalAddressType
192.168.1.3DD-DD-DD-DD-DD-DDdynamic
The above example on computer a C on your computer's MAC address is not correct, so even if later from A computer to access C computer the 192.168.1.3 this address is incorrect for the ARP protocol analysis into Mac address as DD-DD-DD-DD-DD-DD.
When a machine in the local area network, to other machines over and over, especially to the gateway, send such invalid fake ARP reply packets, severe network congestion begins. As gateway MAC address is not correct, so the computer from the network sent data does to gateway, nature does not go online.
This created a do not have access to the extranet of doubt, because very often the gateway also control our LAN LAN Internet access, so now our LAN access or there is doubt. The following figure shows a more intuitive ARP spoofing attacks:
Third, ARP Spoofing Hazard
ARP type of attack in the campus first appeared in the last 5 months, current campus network of computers infected by the "ARP Spoofing" series, the virus has got dozens of variants. On the basis of these variants of working characteristics and the external characteristics perhaps it can be divided into three broad categories, including "ARP Spoofing" and "malicious eavesdropping" two types of school local network uptime and network user's information security at risk.
ARP attack as long as the first cause LAN computer cannot communicate with other computers and networks on the virus have no tolerance, as long as the LAN one infection "ARP Spoofing" virus computer will cause the entire LAN traffic outages.
"Malicious eavesdropping" virus "ARP Spoofing" series of viruses and harmful to the worst. It will not cause the interruption of local area network, the network have a greater delay, but poisoning host will intercept all the communications in local network and to specific external network users to send the captured data on LAN user network application resulted in very serious effects directly threaten the LAN user's own information security.
Fourth, an ARP attack of causes and characteristics
A normal operation of the LAN is not expected ARP attack, after a long period of observation, I found that the emergence of ARP attacks mainly consists of multiple reasons:
1, the sabotage
Mainly it was installed in the network monitoring software, such as P2P P2P terminator, network enforcement officer, QQ of has network management, sixth sense, malicious monitoring other machines, qualified traffic, or perform DDOS attacks within the network.
2. viruses
Legend, run karting, îèíåðâîè²½ëùóðîè²½ etc game hangs, such as: timely PK Edition, run the oxcart, dancing apprentice, he included some Trojans that will stir up ARP Spoofing.
In fact, real someone abusive is seldom, once two trouble, the number itself is also tired, not to mention later network management are sure to find the trouble of host, so the sabotage is the comparison of the advantages. The trouble is to use the game hangs with Trojans and read Web pages with malicious code.

When an ARP attack after the most obvious features is a network of frequent disconnects and slow, view the process you will find added down.exe1.execmd.exe9sy.exe any one or more, serious also automatically also download Viking logo_1.exe.rundl132.exe, infection, the virus executable file, the icon gets flowers also.
5. commonly used essentials of preparedness
Current ARP series forms of attack and a variety of means, not an absolute and complete the essentials of effective preparedness. From practical experience at the most effective preparedness tips that make the whole Windows patches, proper configuration and use of network firewalls, install antivirus software and update the virus database.
For Windows patch not only hit the SP2 (xp) or SP4 (2000), then all of the security update appears must also play full time in order to maximize the protection against viruses and Trojans attacks. In addition, correctly use u disk, removable storage devices, preventing the adoption of external computers deliver viruses and Trojans.
The following describes the preparedness ARP attack of several key points:
1, static binding
Static IP and MAC-bound, in the net to host and gateway is the IP and MAC-bound.
ARP Spoofing is through dynamic real-time criteria spoofing intranet machines, so we put the entire configuration for static ARP can handle intranet PC cheats, while at the gateway to perform static IP and MAC, so two-way binding is bound to compare insurance. The disadvantage is that each computer needs binding and restarted after you bind the workload is large, although the binding can be achieved through a batch file, but it is too much trouble.
2. use protection software
Current ARP classes of protection software out of many, our popular software applications is ARP artifact software firewall.
ARP firewall using system kernel layer blocking skills and active defensive skills, contains six powerCan module can handle most of the deception, ARP attack brings questions, thus ensuring communications security (guaranteed traffic data from network management software/malware monitoring and control), ensure that network flow.
3. have the ARP protection of network devices
Since ARP forms of attack caused by the network of doubt is the network management, particularly the most LAN management headache attacks, his attack skills content is low, a private can attack software to complete ARP spoofing attacks, while preparedness ARP forms of attack are nothing special valid points.