How many types of ARP attacks are there? Seek a complete solution

Updated on healthy 2024-02-13
3 answers
  1. Anonymous users, 2024-02-06

    ARP can be divided into as many as 7 types at the moment.

    1. ARP spoofing (gateway, PC).

    2. ARP attacks.

    3. ARP is incomplete.

    4. Massive ARP

    5. Second-generation ARP (fake IP, fake MAC).

    The most thorough way.

    ARP is a "two-headed monster", and in order to completely solve it, it must be "both the beginning and the end", and there are two ways to achieve it.

    First, the method of "caretaker binding" is used to monitor the ARP cache of the computer in real time to ensure that the MAC and IP of the gateway in the cache correspond exactly. There will be a static binding in the ARP cache table; if it is attacked by ARP, or as long as there is a request from the Internet, the static binding will automatically pop out, so it does not affect the correct access to the network. This way is safe. A manifestation of integration with the NIC function is also called "terminal suppression".

    The second is to have "integration of security and network functions" in the network access architecture; that is, when the access gateway does NAT, instead of mapping data against the "MAC IP" table as with traditional routing, the data is determined based on its MAC in the NAT table (so that as long as the data can go out, it will definitely be able to come back). Even if there is a large-scale ARP outbreak and the ARP table is messed up, it doesn't have any impact on our network (the IP MAC mapping table is not looked at). This method is at present also the most thorough control of ARP.

  2. Anonymous users, 2024-02-05

    MAC address and port binding on the switch can completely solve ARP attacks.

  3. Anonymous users, 2024-02-04

    A large number of ARP broadcasts. Whether it is an ARP attack or not depends on the content of the broadcast: is it a spoofing packet?

    If it's a spoofing packet, and it's broadcast, then look at the source MAC address. Note that the ARP packet has two source MAC addresses, and you also need to see if they are the same. Then take a look at the source IP address of the packet. Who is it?

    If it is determined that it is a spoofing packet, then it will cause 2 phenomena.

    1. The whole network can't ping the gateway or the latency is large.

    2. One host in the network loses contact with all hosts. Or maybe it's a huge delay.

    If the delay is large, it means that the datagram has passed through the attacker's machine, and the attacker will capture the packet and limit the rate.

    You can look at it in combination with the ARP cache table of the faulty PC, the ARP cache table of the router, and the CAM table of the switch.

    If your router also does ARP binding, then you can do two-way binding.

    Batch processing on PC is also possible.

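        @echo off
        rem The temporary file names (ipconfig.txt, gateip.txt, gatemac.txt) are
        rem placeholders; the names in the original post were lost.
        if exist ipconfig.txt del ipconfig.txt
        ipconfig /all > ipconfig.txt
        if exist gateip.txt del gateip.txt
        rem Extract the default gateway IP from the ipconfig output.
        find /i "default gateway" ipconfig.txt > gateip.txt
        for /f "skip=2 tokens=13" %%g in (gateip.txt) do set gateip=%%g
        rem Ping once so the gateway's MAC is in the ARP cache, then read it back.
        ping %gateip% -n 1
        if exist gatemac.txt del gatemac.txt
        arp -a %gateip% > gatemac.txt
        for /f "skip=3 tokens=2" %%h in (gatemac.txt) do set gatemac=%%h
        rem Bind the gateway IP to that MAC as a static ARP entry.
        arp -s %gateip% %gatemac%
        del ipconfig.txt
        del gateip.txt
        del gatemac.txt
        exit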
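
The two checks described in the last answer (the Ethernet source MAC against the sender MAC inside the ARP payload, and the claimed source IP against a known gateway binding), as an added example that is not part of any answer above. The frames, addresses and the `GATEWAY_BINDINGS` table are constructed for illustration, and the function names are hypothetical.

```python
import struct

GATEWAY_BINDINGS = {"192.0.2.1": "02:00:00:00:00:01"}  # constructed trusted IP -> MAC pair

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None if it is not one."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(eth_src), "sender_mac": _mac(sha), "op": op,
            "sender_ip": ".".join(map(str, spa)), "target_ip": ".".join(map(str, tpa))}

def check_frame(frame, bindings=GATEWAY_BINDINGS):
    """Apply the two checks from the answer; return a list of finding names."""
    arp = parse_arp(frame)
    if arp is None:
        return []
    findings = []
    # Check 1: the two source MACs (Ethernet header vs. ARP payload) should agree.
    if arp["eth_src"] != arp["sender_mac"]:
        findings.append("mac-mismatch")
    # Check 2: the claimed source IP must map to the MAC we have bound for it.
    expected = bindings.get(arp["sender_ip"])
    if expected is not None and expected != arp["sender_mac"]:
        findings.append("binding-violation")
    return findings

def sample_frame(eth_src, sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed broadcast ARP frame as bytes, for offline testing only."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    return (b"\xff" * 6 + h(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + h(sender_mac) + a(sender_ip) + b"\x00" * 6 + a(target_ip))

SAMPLES = [  # constructed: genuine gateway, wrong MAC for gateway IP, both checks failing
    sample_frame("02:00:00:00:00:01", "02:00:00:00:00:01", "192.0.2.1", "192.0.2.20"),
    sample_frame("02:00:00:00:00:66", "02:00:00:00:00:66", "192.0.2.1", "192.0.2.20"),
    sample_frame("02:00:00:00:00:66", "02:00:00:00:00:77", "192.0.2.1", "192.0.2.20"),
]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLES):
        print(i, parse_arp(f)["sender_ip"], check_frame(f) or "ok")
```

A frame that fails either check is a candidate to correlate with the PC's ARP cache, the router's ARP cache and the switch CAM table, as the answer suggests.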
