Responding to Network Law Enforcement Officer and ARP spoofing attacks


Computer store news: In many school and company internal networks there are often unethical people who use ARP spoofing software to attack others, knocking many users offline and sometimes paralysing the whole network. The following approaches deal with this problem.

First, a firewall: Outpost Firewall. It protects against LAN control software such as "P2P Terminator" and works very well; it can also find out which machine is running the tool, is powerful, and uses few resources. Five stars.

Software such as these network management tools actually uses ARP to achieve its purpose: it makes the computer unable to find the gateway's MAC address. So what is ARP spoofing? First, what ARP is. ARP (Address Resolution Protocol) converts an IP address into a physical address. There are two ways to map an IP address to a physical address: table-based and non-table-based. Specifically, ARP resolves a network-layer address (the IP layer, OSI layer 3) to a data-link-layer MAC address (the MAC layer, OSI layer 2).

How ARP works: host A wants to send a packet to host B. It looks in its local ARP cache table for the MAC address corresponding to B's IP address. If no entry is found, A broadcasts an ARP request (carrying host A's IP address Ia and physical address Pa) asking the host with IP address Ib to answer with its physical address Pb. Every host on the network, including B, receives the request, but only host B recognises its own IP address and sends an ARP reply back to host A containing B's MAC address. After receiving B's reply, A updates its local ARP cache and then sends the data to that MAC address (the network card attaches the MAC address to the frame).
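The ARP exchange just described, and the cache-update behaviour that a forged reply abuses, as an added example (not code from the original article): a minimal parser for ARP-over-Ethernet frames and a passive monitor that keeps an IP-to-MAC cache the way host A does and logs an alert whenever a known IP suddenly arrives from a different MAC. All addresses and frames are constructed sample data; `ArpMonitor`, `build_arp` and `demo` are names chosen here.

```python
"""Added example (not from the original article): ARP frame parser plus a small
ARP-cache model that records IP-to-MAC bindings and flags binding changes.
Every packet below is constructed sample data, not a capture."""
import struct

ARP_REQUEST = 1
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying ARP (EtherType 0x0806).
    Returns operation plus sender/target hardware and protocol addresses."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_type = struct.unpack("!H", frame[12:14])[0]
    if eth_type != 0x0806:
        raise ValueError(f"not ARP, EtherType 0x{eth_type:04x}")
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {
        "oper": oper,
        "sha": mac_str(arp[8:14]),   # sender hardware address (Pa in the text)
        "spa": ip_str(arp[14:18]),   # sender protocol address (Ia)
        "tha": mac_str(arp[18:24]),  # target hardware address (Pb)
        "tpa": ip_str(arp[24:28]),   # target protocol address (Ib)
    }


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Construct a sample ARP frame (used only to build example input here)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))

    dst = mac("ff:ff:ff:ff:ff:ff") if oper == ARP_REQUEST else mac(tha)
    eth = dst + mac(sha) + struct.pack("!H", 0x0806)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
           + mac(sha) + ip(spa) + mac(tha) + ip(tpa))
    return eth + arp


class ArpMonitor:
    """Model of a host's dynamic ARP cache that also reports suspicious changes.
    Like the host in the article it accepts any reply and updates the cache;
    unlike a plain host it records an alert when a known IP switches MAC."""

    def __init__(self) -> None:
        self.cache = {}   # ip -> mac, learned from requests and replies alike
        self.alerts = []  # (ip, previous_mac, new_mac)

    def observe(self, frame: bytes) -> dict:
        pkt = parse_arp(frame)
        ip, mac = pkt["spa"], pkt["sha"]
        old = self.cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ip, old, mac))
        self.cache[ip] = mac
        return pkt


def demo() -> list:
    """Replay the article's scenario: host A resolves the gateway, then a forged
    reply claiming the gateway's IP arrives from a different (constructed) MAC."""
    host_mac, host_ip = "00:11:22:33:44:55", "192.168.1.10"
    gw_mac, gw_ip = "aa:bb:cc:dd:ee:01", "192.168.1.1"
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REQUEST, host_mac, host_ip, "00:00:00:00:00:00", gw_ip))
    mon.observe(build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip))
    mon.observe(build_arp(ARP_REPLY, "de:ad:be:ef:00:66", gw_ip, host_mac, host_ip))
    return mon.alerts


if __name__ == "__main__":
    for ip, old, new in demo():
        print(f"ALERT: {ip} moved from {old} to {new}")
```

The monitor deliberately mirrors the weakness the article goes on to describe: it overwrites the cache on any reply, so after the forged frame the gateway resolves to the wrong MAC. The alert list is what a defender adds on top; in a real deployment the same check would run over frames from a packet capture library rather than constructed bytes.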
So the locally cached ARP table is the basis for traffic on the local network, and this cache is dynamic. The ARP protocol does not only accept an ARP reply after it has sent an ARP request: whenever the computer receives an ARP reply packet it updates its local ARP cache, storing the IP and MAC address carried in the reply. Therefore, if a machine B on the LAN sends a forged ARP reply to A, claiming the IP address of C together with a made-up MAC address, A updates its local ARP cache on receipt, so that on A the IP address of C is unchanged but its MAC address is no longer the real one. Because traffic on a LAN is delivered by MAC address, not by IP address, the MAC address for C on A has been changed to one that does not exist, the traffic cannot be delivered, and A can no longer ping C! This is a simple ARP spoof.

The solutions can be summarised as follows:

1. Use VLANs. As long as your PC and the P2P Terminator software are not in the same VLAN, it cannot touch you.

2. Use two-way IP/MAC binding. Bind the MAC address of the egress router on your PC; then P2P Terminator cannot spoof ARP towards you and naturally cannot control you. But binding the router's MAC only on the PC is not safe, because P2P Terminator can still spoof the router, so the best solution is bidirectional IP/MAC binding between the PC and the router: the MAC address of the egress router is bound on the PC, and the PC's IP and MAC address are bound on the router. This requires a router that supports IP/MAC binding, for example a HIPER router.

3. Use IP/MAC address stealing plus IP/MAC binding. Simply change your MAC address and IP address to the same IP and MAC as the machine running P2P Terminator, and see how it manages.
This is a method where both sides lose, and there is a trick to making the change, otherwise an IP conflict is reported: change the MAC address first and the IP afterwards, and Windows will not report an IP conflict (Windows is silly). That is not quite the end of it: it is best that you also bind the router's MAC address on the PC, so that P2P Terminator's spoofing of the router is also in vain.

Blocking Network Law Enforcement Officer

Using the Look 'n' Stop firewall to prevent ARP spoofing

1. Blocking Network Law Enforcement Officer's control. Network Law Enforcement Officer uses ARP deception to achieve control; the ARP protocol resolves the correspondence between IP and MAC, so the following methods can be used to resist its control. If your machine does not need to communicate with other machines on the LAN, you can use the following method:

A. In "Internet filtering" there is an "ARP: Authorize all ARP packets" rule. Precede this rule with a prohibit flag.

B. But this rule will by default also block the gateway's information. The solution is to put the gateway's MAC address (the gateway is usually fixed) in the "Target" area of this rule: in the "Ethernet: Address" option select "Not equal to" and fill in the gateway's MAC address; put your own MAC address in the "Source" area, and in "Ethernet: Address" select "Not equal to".

C. In the last rule, "All other packets", modify the "Target" area: in "Ethernet: Address" select "Not equal to" and fill in the MAC address FF:FF:FF:FF:FF:FF; put your own MAC address in the "Source" area and select "Not equal to" in "Ethernet: Address". Leave everything else unchanged.

After this, Network Law Enforcement Officer can do nothing. This method is suitable when you are not communicating with other machines on the LAN and the gateway address is fixed.

If your machine needs to communicate with machines on the LAN and you only need to get out from under Network Law Enforcement Officer's control, the following method is simpler and more practical (and independent of the firewall): open a command prompt and run "arp -s <gateway IP> <gateway MAC>". To find the gateway's MAC, ping the gateway and then run "arp -a"; the output shows the gateway's IP-to-MAC correspondence. This method should be more versatile, and it also works when the gateway address changes: just repeat "arp -s <gateway IP> <gateway MAC>". The command creates a static entry in the ARP resolution table. I have also heard that the OP firewall can block this, but I have not tried it.

Preventing P2P Terminator's attacks

1. The first method is to modify your own MAC address.
Here is how: choose "Run" from the "Start" menu, enter regedit, and open the Registry Editor. Expand the registry to the subkey HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E9E}. Under it, look for DriverDesc in the 0000, 0001, 0002... branches (if you have more than one network card there will be 0001, 0002 and so on). The information about your network card is saved here; the DriverDesc value is the description of the card, for example my card is "Intel 21041 based Ethernet Controller". Assume your network card is under the 0000 subkey. Add a string value under the 0000 subkey named "NetworkAddress" whose data is the new MAC address, which must be 12 consecutive hexadecimal digits. Then create a new subkey named NetworkAddress under NDI\params beneath the "0000" subkey. Under that subkey add a string named "default" whose data is the new MAC address. Under the NetworkAddress subkey also create a string named "ParamDesc", which serves as the description of the NetworkAddress parameter; its data can be "MAC Address". After this, open the properties of Network Neighborhood, double-click the corresponding network card and find the "Advanced" settings; there you will see a MAC Address option, which is the "NetworkAddress" item you added in the registry. In future you only need to modify the MAC address here. Close the registry and reboot, and your network card's address has been changed. Open the properties of Network Neighborhood and double-click the corresponding NIC item, and you will find a MAC Address advanced setting item for directly modifying the MAC address.

2. The second method is to modify the IP-to-MAC mapping so that the P2P attacker's ARP spoofing is invalidated and its restriction is broken.
The method is to use the arp -a command at a cmd prompt to get the gateway's MAC address, and then use the command arp -s <IP> <network card MAC> to map the gateway's IP address to its MAC address.

Vista and XP: just use the arp command to bind your own MAC and the router's MAC, for example arp -s <own IP> <own MAC> and arp -s <router IP> <router MAC>. It is best to bind both. If you bind only the router, you cannot get online when an IP conflict occurs and others can still knock you offline; if you bind yourself as well, you can still get online despite an IP conflict. Windows 9x/2000 needs software: search for Anti ARP Sniffer and set the router's IP and MAC in it. XP and Vista can also install this software, and it lets you see clearly who wants to knock you offline or restrict you. Of course, such an older system is better replaced with Vista or XP; with the settings above, P2P Terminator is scrapped. On Vista and XP, type arp -a at the cmd prompt: if the router's IP and your own IP appear with the state "static", the binding succeeded. It is also best to run arp -d before binding, to delete any illegitimate entries. Having read this far, everyone should understand it; it is not difficult.
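The "arp -a, then check that the router entry is static" verification step above, as an added example that is not from the original article: a checker that parses the output of the Windows arp -a command, confirms the gateway row is static and still carries the MAC learned earlier, and builds the arp -d / arp -s command lines the article prescribes. The arp -a text below is constructed sample output, not from a real machine; `check_binding`, `binding_commands` and the sample constants are names chosen here.

```python
"""Added example (not from the original article): verify the static ARP
binding of the gateway from "arp -a" output and build the binding commands.
Both sample outputs are constructed, not taken from a real machine."""
import re
import subprocess
from typing import List, Tuple

# One table row: IP, MAC (dash or colon separated), type word.
ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\S+)\s*$"
)
STATIC_WORDS = {"static", "静态"}  # English and Chinese Windows spellings

# Constructed sample: bindings applied, gateway and own entry both static.
SAMPLE_OK = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     static
  192.168.1.10          00-11-22-33-44-55     static
  192.168.1.20          00-50-56-c0-00-08     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample: no binding, and the gateway now resolves to a foreign MAC.
SAMPLE_SPOOFED = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-66     dynamic
  192.168.1.20          00-50-56-c0-00-08     dynamic
"""


def norm_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so aa-bb-.. and AA:BB:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_arp_table(text: str) -> List[dict]:
    """Extract ip/mac/type rows from arp -a output; header and interface lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"ip": m.group(1), "mac": norm_mac(m.group(2)), "type": m.group(3).lower()})
    return rows


def check_binding(arp_output: str, gateway_ip: str, expected_mac: str) -> Tuple[bool, str]:
    """True only when the gateway row exists, matches the expected MAC, and is static."""
    want = norm_mac(expected_mac)
    for row in parse_arp_table(arp_output):
        if row["ip"] != gateway_ip:
            continue
        if row["mac"] != want:
            return False, (f"gateway {gateway_ip} resolves to {row['mac']}, expected {want}: "
                           "possible ARP spoofing")
        if row["type"] not in STATIC_WORDS:
            return False, f"gateway entry is {row['type']}, not static: binding not applied"
        return True, "gateway binding is static and matches"
    return False, f"no ARP entry for gateway {gateway_ip}"


def binding_commands(own_ip: str, own_mac: str, gw_ip: str, gw_mac: str) -> List[List[str]]:
    """The sequence from the article: clear the table, then bind own and router entries.
    Windows arp -s expects dash-separated MACs."""
    return [
        ["arp", "-d"],
        ["arp", "-s", own_ip, norm_mac(own_mac).replace(":", "-")],
        ["arp", "-s", gw_ip, norm_mac(gw_mac).replace(":", "-")],
    ]


def live_arp_table() -> str:
    """Read the real table on a Windows machine (not used by the offline demo)."""
    return subprocess.run(["arp", "-a"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    gw_ip, gw_mac = "192.168.1.1", "aa:bb:cc:dd:ee:01"
    for name, sample in (("ok", SAMPLE_OK), ("spoofed", SAMPLE_SPOOFED)):
        ok, why = check_binding(sample, gw_ip, gw_mac)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {why}")
    for cmd in binding_commands("192.168.1.10", "00:11:22:33:44:55", gw_ip, gw_mac):
        print(" ".join(cmd))
```

The expected MAC should be the one recorded from arp -a before any trouble started (or read from the router's label or admin page), since the point of the check is to catch the table changing underneath you; on a live machine, feed `live_arp_table()` to `check_binding` after running the commands from `binding_commands` with subprocess.run from an administrator prompt.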

Copyright © Windows knowledge All Rights Reserved