At present, there are many cases of ARP virus infection in the local area network, and it is difficult to clean up and prevent, which has caused a lot of trouble for many network administrators. The following is some personal experience in dealing with this problem, and also read a lot of reference materials online.

Symptoms of ARP virus

Sometimes the Internet cannot be accessed normally, sometimes it is better, including access to the Internet Neighborhood, the copy file cannot be completed, an error occurs; ARP packets in the local area network explode, when using ARP query will find abnormal MAC address The wrong MAC address corresponds, and there is also a case where one MAC address corresponds to multiple IPs.

The principle of ARP attack

An ARP spoofing attack packet generally has the following two characteristics, one of which can be regarded as an attack packet alarm: the source address and destination address of the first Ethernet packet header do not match the protocol address of the ARP packet. Or, the sending and destination addresses of ARP packets are not in the MAC database of your own network card, or do not match the MAC / IP of your own network MAC database. These are the first time to alarm, check the source address of these data packets (Ethernet data packets) (it may also be forged), you can roughly know that the machine is launching an attack. Now there are network management tools such as network law enforcement officers and P2P terminators that also use the same method to disguise as a gateway and deceive clients to access the gateway, that is, they will obtain the traffic sent to the gateway, thereby achieving network traffic management and network monitoring Other functions will also bring potential harm to the network management, that is, the user's password and other related information can be easily obtained.

Treatment

General processing flow

1. Make sure the network is up and running

Method 1: Edit the content of a ***. Bat file as follows:
arp.exe s
**. **. **. ** (gateway ip) ****
**
**
**
** (gateway MAC address)
end

Just let web users click!

Method 2: Edit a registry problem, the key values ​​are as follows:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE / SOFTWARE / Microsoft / Windows / CurrentVersion / Run]
"MAC" = "arp s
Gateway IP address Gateway MAC address "

Then save it as a Reg file and click Import Registry on each client.

2. Find the machine infected with ARP virus

a. Ping the IP address of the gateway on the computer, and then use the ARP -a command to see whether the MAC address corresponding to the gateway matches the actual situation. If it does not match, you can find the computer corresponding to the MAC address.

b. Use the packet capture tool to analyze the obtained ARP datagram. Some ARP viruses point the path to the gateway to themselves, and some send out false ARP response packets to confuse network communication. The first kind of treatment is easier, and the second kind of treatment is more difficult. If the antivirus software can not correctly identify the virus, it is often difficult to manually find the infected computer and deal with the virus manually.

c. Using the MAC address scanning tool, Nbtscan scans the IP address and MAC address correspondence table of the entire network segment, which is helpful to determine the corresponding MAC address and IP address of the infected ARP virus.

Precaution

1. Upgrade the client's operating system and application patch in time;

2. Install and update anti-virus software.

3. If the network size is small, try to manually specify the IP settings instead of using DHCP to assign IP addresses.

4. If the switch supports it, bind the MAC address and IP address to the switch. (But this is really not a good idea)