What do I do if the OA system in the LAN caused by an ARP attack cannot be used normally?

Your network architecture is a medium-sized network, don't use class C IP, change to class B, divide several VLANs, divide the office building into a VLAN, each office is divided into VLAN, and then put the OA and business system server separately into a VLAN, the default VLAN can be, easy to manage, but also can prevent ARP attacks, and then there are ARP attacks can only attack in this VLAN, will not affect the server, you can enable the routing function on the main switch, Support cross-VLAN data exchange, control the direction of data exchange through ACL, how do you usually manage the external network, you can see if you need to change it again, as for ARP detection, your VLAN should be attacked in a certain VLAN after it is divided, you can know which switch under the computer issued the ARP attack, you can then go to the corresponding switch web page through the MAC detection function to detect the attacker's MAC and IP, Even if someone manually changes the MAC and IP, the above will also be recorded, as for what you said can not find the attacker's MAC, it may be manually modified, you can find the attacker's real MAC address and IP through the MAC detection function on the web page, you can easily find out which computer is attacking, in this way, the network is safe, viruses, and human aspects are all eliminated After reading your information above, I feel that your network is a little messy, and you can apply to move the network once, Let's make a rectification and re-plan.

Macs are like camouflage sources, and the solution is to find the faulty machine.

It's easy to identify the problem with the router in the arp table + mac table + pc arp table.

If it's a camouflage source, go to the swap and take a look at the Mac table to see at a glance.

It is not easy to find the source of the attack, in order to completely solve the problem, the source of the attack is not easy, one is to look at the switch, the probability of the light flashing is the fastest, after unplugging it, see if the network returns to normal, if you really can't see it, you have to pull it out one by one, try to see, if there is a unplugging, the network returns to normal, this is the source of the attack, and then slowly do it, in the early stage of this virus, I have encountered this attack many times, all solved, and software can be used, you can quickly find out the source of the attack, now they are all variants, so the previous software is not good either.

Bind the MAC address to the port of the switch. Even if you set up MAC-based authentication, you must also bind it to the MAC address.

Either detect the virus in the computer, or, bind all the computer IP mac on the switch

Perhaps, you need an intranet management system to help you solve this problem.

Elimination method, directly use the computer to connect to C, see if it is intermittent, and there is a way to bind IP and MAC on the switch!

ARP (Address Interpretation Protocol) is an indispensable key protocol in network communication protocols, which is responsible for translating IP addresses into corresponding MAC addresses. In this process, if there is a fake IP-MAC correspondence, ARP attacks and ARP spoofing occur.

ARP attacks are initiated from the data link layer, ARP is not a virus, but a "protocol attack", because there is no obvious signature word and the important position of ARP in network communication, OfficeScan and firewall are helpless to deal with ARP viruses. Therefore, blocking the outflow of problematic data from the source and allowing legitimate ARP data packets at the same time is the ultimate solution to completely get rid of ARP trouble. This is caused by the vulnerability of the Ethernet protocol, which is why ARP firewall, anti-virus software, IP-MAC binding and other traditional methods have appeared for so long, ARP attacks have not been able to prevent ARP attacks, ARP firewalls, antivirus software, IP-MAC binding, etc.

To sum up, if you want to completely solve ARP attacks, the only way to completely get rid of ARP troubles is to fill the Ethernet vulnerabilities and strengthen the underlying security of the network. It is recommended that you go online to find products that can protect the security of the intranet and the underlying security of the network. The better solution I used was the "immunity wall technology", which works well and is the only solution to solve the root cause of ARP attacks, you can try.

In this case, you can do batch binding to the gateway or install an ARP firewall.

If you want to solve the problem completely, upgrade your network to become an immune network.

Under the immune network, if someone uses the ARP tool, it will directly intercept and alarm, so that you can directly monitor and accurately locate it, and there will be no accidental killing. It's easy for you to track. And under the immune network, the DOS DDoS generated by viruses and other viruses will be effectively intercepted.

Fundamentally ensure the stability of your network security.

I still recommend upgrading your network to become an immune network.