How to prevent ARP spoofing in Vista

ARP spoofing can paralyze a network and is the biggest security risk on a LAN. There is now plenty of anti-ARP software, but some basic defensive knowledge is still necessary. This article describes how to prevent ARP spoofing in Vista.
On many school and company internal networks there are unethical people who use ARP spoofing software to attack others, knocking many users offline and even paralyzing the whole network. The following approaches address this problem.
Recommended firewall: Outpost Firewall. It protects against LAN-control software such as "P2P Terminator" very effectively, can also identify which machine is running such software, is powerful and light on resources, and earns five stars.
In fact, network-management software of this kind works by ARP spoofing: it makes the victim's computer unable to find the MAC address of the gateway. So what is ARP spoofing?
First, what is ARP? ARP (Address Resolution Protocol) converts an IP address into a physical (MAC) address. There are two ways to map an IP address to a physical address: table-driven and non-table-driven.
Specifically, ARP resolves a network-layer address (the IP layer, OSI layer 3) into a data-link-layer address (the MAC layer, OSI layer 2).
How ARP works: when host A wants to send to host B, it first looks up its local ARP cache table; if it finds the MAC address for B's IP address, it transmits the data directly. If not, A broadcasts an ARP request carrying its own IP address Ia and physical address Pa, asking the host with IP address Ib to answer with its physical address Pb. Every host on the network, including B, receives the request, but only B recognizes its own IP address and sends an ARP reply, containing B's MAC address, back to host A. A updates its local ARP cache with the reply and then sends data using that MAC address (the MAC address is fixed in the network card). The locally cached ARP table is therefore the basis of all traffic on the local network, and this cache is dynamic.
ARP does not accept replies only after it has sent a request. Whenever a computer receives an ARP reply packet, it updates its local ARP cache with the IP and MAC addresses carried in the reply. So if machine B on the LAN sends A a forged ARP reply that pairs C's IP address with a fake MAC address, A updates its cache on receiving it: C's IP address is unchanged, but the MAC address stored for it is no longer the real one. Because traffic on the LAN is delivered by MAC address rather than by IP address, the fake entry now points C's IP at a MAC address that does not exist on the segment, so the destination becomes unreachable and A can no longer ping C. This is a simple ARP spoof.
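The cache behaviour just described, as an added example that is not part of the original article: a toy model of a host's ARP cache with no real networking. It shows why an unsolicited forged reply overwrites a dynamic entry and makes the gateway unreachable, and why a static entry (what the "arp -s" command later in this article creates) is not overwritten. The IP and MAC addresses are constructed sample values.

```python
# Added example (not from the original article): a toy model of the ARP cache
# behaviour the text describes. Nothing here touches a real network; it only
# shows why an unsolicited, forged ARP reply poisons a dynamic cache entry and
# why a static entry (what "arp -s" creates) is immune to it.


class ArpCache:
    """Per-host ARP cache: ip -> (mac, is_static)."""

    def __init__(self):
        self.entries = {}

    def add_static(self, ip, mac):
        # Equivalent of "arp -s <ip> <mac>": a static entry that replies never overwrite.
        self.entries[ip] = (mac.lower(), True)

    def receive_reply(self, sender_ip, sender_mac):
        # Classic ARP behaviour: any reply updates the cache, even one that was
        # never requested. Only a static entry is protected.
        current = self.entries.get(sender_ip)
        if current is not None and current[1]:
            return False  # static entry kept, reply ignored
        self.entries[sender_ip] = (sender_mac.lower(), False)
        return True

    def resolve(self, ip):
        entry = self.entries.get(ip)
        return entry[0] if entry else None


def can_reach(cache, dst_ip, segment_macs):
    """Frames are delivered by MAC address: if the cached MAC belongs to no real
    NIC on the segment, the destination is unreachable (the 'cannot ping' symptom)."""
    mac = cache.resolve(dst_ip)
    return mac is not None and mac in segment_macs


# Constructed sample segment: gateway C, victim A, and one other host B.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00-11-22-33-44-55"
SEGMENT_MACS = {GATEWAY_MAC, "00-aa-bb-cc-dd-01", "00-aa-bb-cc-dd-02"}
BOGUS_MAC = "00-de-ad-be-ef-00"  # constructed: exists on no NIC of the segment


def demo(bind_static):
    """Return (reachable before, forged reply accepted, reachable after)."""
    cache = ArpCache()
    # A learns the gateway normally, via the reply to its own request.
    cache.receive_reply(GATEWAY_IP, GATEWAY_MAC)
    if bind_static:
        cache.add_static(GATEWAY_IP, GATEWAY_MAC)
    before = can_reach(cache, GATEWAY_IP, SEGMENT_MACS)
    # An unsolicited reply arrives claiming the gateway IP with a bogus MAC.
    accepted = cache.receive_reply(GATEWAY_IP, BOGUS_MAC)
    after = can_reach(cache, GATEWAY_IP, SEGMENT_MACS)
    return before, accepted, after


if __name__ == "__main__":
    print("dynamic cache :", demo(bind_static=False))  # (True, True, False)
    print("static binding:", demo(bind_static=True))   # (True, False, True)
```

With a dynamic entry the forged reply is accepted and the gateway becomes unreachable; with the static binding the reply is discarded and connectivity survives, which is exactly the effect the binding methods below rely on.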
The solution is summarized as follows:
1. Use VLAN
As long as your PC and the machine running P2P Terminator are not in the same VLAN, it cannot touch you.
2. Use two-way IP/Mac Binding
Bind the MAC address of your egress router on the PC; then P2P Terminator cannot spoof ARP to you and naturally cannot control you. But the MAC address of the PC itself is still not secure, because P2P Terminator can spoof ARP toward the router. The best solution is therefore bidirectional IP/MAC binding on both the PC and the router: bind the egress router's MAC address on the PC, and bind the PC's IP and MAC address on the router. This requires a router that supports IP/MAC binding, such as a HIPER router.
3. Use IP/MAC address cloning plus IP/MAC binding
Simply change your own MAC address and IP address to be the same as those of the machine running P2P Terminator, and see how it manages. This is a two-pronged approach. There is a trick to making the change, otherwise Windows reports an IP conflict: change the MAC address first, then the IP; done in that order, Windows does not report a conflict (Windows is stupid). The job is still not finished: it is best to also bind the router's MAC address on the PC, so that P2P Terminator's spoofing of the router is also in vain.
Blocking Network Law Enforcement Officer
Using Look N Stop Firewall to prevent ARP spoofing
1. Preventing control by Network Law Enforcement Officer
Network Law Enforcement Officer uses ARP spoofing to achieve its control.
The ARP protocol resolves the correspondence between IP and MAC addresses, so the following methods can be used to resist control by Network Law Enforcement Officer. If your machine does not need to communicate with other machines on the LAN, use this method:
A. In "Internet Filtering" there is a rule "ARP: Authorize all ARP packets"; set the prohibit flag in front of this rule.
B. By default this rule now also blocks the gateway's traffic. To handle that, put the gateway's MAC address (the gateway is usually fixed) in the "Target" area of the rule: under "Ethernet: Address" select "Not equal to" and fill in the gateway's current MAC address. Put your own MAC address in the "Source" area and likewise select "Not equal to" under "Ethernet: Address".
C. In the final "All other packets" rule, modify the "Target" area: under "Ethernet: Address" select "Not equal to" and fill in the MAC address FF:FF:FF:FF:FF:FF; put your own MAC address in the "Source" area and select "Not equal to" under "Ethernet: Address". Leave everything else unchanged.
With this, Network Law Enforcement Officer can do nothing to you. This method is suitable when you do not communicate with other machines on the LAN and the gateway address is fixed.
If your machine does need to communicate with machines on the LAN and you only want to escape Network Law Enforcement Officer's control, the following method is simpler and more practical (and does not depend on the firewall):
Open a command prompt and run "arp -s <gateway IP> <gateway MAC>". To obtain the gateway's MAC, just ping the gateway and then run "arp -a" to view the gateway's IP and MAC. This method is more generally applicable and also works when the gateway address changes: simply run "arp -s <gateway IP> <gateway MAC>" again. The command creates a static entry in the ARP resolution table.
In addition, I have heard that the op firewall can also block this, but I have not tried it.
Preventing P2P Terminator attacks
1. The first method is to modify your MAC address. Here is how:
Type regedit in the "Run" box of the "Start" menu to open the Registry Editor. Expand the registry to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E9E} subkey and look for DriverDesc in its 0000, 0001, 0002 ... branches (if you have more than one network card there are 0001, 0002 and so on). This is the information about your network card; the DriverDesc value is the card's description, for example my card is an "Intel 21041 based Ethernet Controller". Assume here that your network card is under the 0000 subkey. Under the 0000 subkey add a string value named "NetworkAddress" whose data is the new MAC address, which must be 12 consecutive hexadecimal digits. Then under NDI\params beneath the "0000" subkey create a new subkey named NetworkAddress, and under it add a string value named "default" whose data is the new MAC address.
Continue by creating a string value named "ParamDesc" under the NetworkAddress subkey; it specifies the description shown for NetworkAddress, and its data can be "MAC Address". After this, open the "Properties" of My Network Places, double-click the corresponding network card and you will find an "Advanced" tab with a MAC Address option: this is the "NetworkAddress" item you added in the registry. Change the MAC address there, close the registry, reboot, and your network card's address has been changed. From then on, opening the properties of My Network Places and double-clicking the corresponding NIC shows a MAC Address advanced setting for changing the MAC address directly.
2. The second method is to modify the IP-to-MAC mapping so that the ARP spoofing used by P2P attacks is invalidated and its restrictions are broken. At a cmd prompt, use "arp -a" to obtain the gateway's MAC address, then use "arp -s <gateway IP> <gateway MAC>" to map the gateway's IP address to its MAC address.
Vista and XP: just use the arp command to bind your own IP/MAC and the router's IP/MAC, for example:
arp -s <your IP> <your MAC>
arp -s <router IP> <router MAC>
Bind both. If you bind only the router, you cannot get online when an IP conflict is forced and others can still kick you offline; if you also bind your own entry, you can get online even during an IP conflict.
Windows 9x/2000 needs extra software: search for Anti ARP Sniffer and set the router's IP and MAC in it. XP and Vista can also run this software, and it lets you see clearly who wants to knock you offline or throttle you. Of course, on such old systems it is also recommended to upgrade to Vista or XP; with the settings above, P2P Terminator is finished.
On Vista and XP, type at the cmd prompt: arp -a
If the router's IP and your own IP are listed with the type "static", the binding succeeded.
arp -d
It is best to run this first to clear any illegitimate bindings.
Having read this far, you should see that none of this is difficult.
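The manual check above ("arp -a", then confirm the router entry shows static) can be automated. The following is an added example, not code from the original article: it parses the output of the Windows "arp -a" command (pasted in or read from a file), confirms that the gateway entry is static and carries the expected MAC, and flags any two IP addresses that share one unicast MAC, which is a classic sign that some host is answering for an address that is not its own. The sample output and the expected gateway IP/MAC are constructed values.

```python
# Added example (not from the original article): check "arp -a" output the way
# the text describes doing by hand. SAMPLE_ARP_A is a constructed sample of the
# command's output on a Vista/XP host; EXPECTED_GW_IP / EXPECTED_GW_MAC are
# assumed values for the network the check runs on.
import re

SAMPLE_ARP_A = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     static
  192.168.1.20          00-aa-bb-cc-dd-02     dynamic
  192.168.1.21          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

EXPECTED_GW_IP = "192.168.1.1"            # assumed gateway address
EXPECTED_GW_MAC = "00-11-22-33-44-55"     # assumed gateway MAC (from "arp -a" on a clean network)

# One table row: dotted-quad IP, 17-char dashed MAC, and the Type column.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(static|dynamic)\s*$",
    re.M,
)


def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples from "arp -a" output, MACs lower-cased."""
    return [(ip, mac.lower(), kind) for ip, mac, kind in ENTRY_RE.findall(text)]


def gateway_binding_ok(entries, gateway_ip, gateway_mac):
    """The article's success criterion: the gateway entry exists, is marked
    static, and still carries the MAC you bound with "arp -s"."""
    for ip, mac, kind in entries:
        if ip == gateway_ip:
            return kind == "static" and mac == gateway_mac.lower()
    return False


def duplicate_macs(entries):
    """Map each unicast MAC that appears under more than one IP to those IPs.
    Broadcast and multicast MACs (group bit set in the first octet) are skipped
    because they are legitimately shared."""
    by_mac = {}
    for ip, mac, _ in entries:
        first_octet = int(mac.split("-")[0], 16)
        if first_octet & 1:
            continue
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_A)
    print("gateway binding ok:", gateway_binding_ok(table, EXPECTED_GW_IP, EXPECTED_GW_MAC))
    for mac, ips in duplicate_macs(table).items():
        print("MAC %s claimed by several IPs: %s" % (mac, ", ".join(ips)))
```

A shared MAC is a reason to investigate rather than proof of spoofing: a router with several addresses or proxy ARP will also produce one. Note that Windows shows the Type column as "static" for the entries created with "arp -s", which is what the binding check keys on.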


Copyright © Windows knowledge All Rights Reserved