In terms of how it disrupts network connectivity, ARP spoofing falls into two types: one poisons the router's ARP table; the other spoofs the gateway to PCs on the intranet.
The first type of ARP spoofing works by intercepting gateway data. It feeds the router a series of wrong intranet MAC addresses and keeps repeating this at a certain frequency, so that the real address information cannot be kept in the router through updates. As a result, the router can only send its data to the wrong MAC addresses, and normal PCs do not receive it. The second type of ARP spoofing uses a fake gateway.
It works by setting up a fake gateway so that the deceived PC sends its data to the fake gateway instead of reaching the Internet through the normal router. From the PC's point of view, it simply cannot get online: "the network is disconnected".
Recently, a new type of "ARP spoofing" Trojan has been spreading on the campus network and has seriously affected its normal operation. Computers infected with this Trojan attempt to intercept the communications of other computers on the network through "ARP spoofing", causing communication failures for those computers. The symptoms of an ARP spoofing Trojan infection are:
When using the campus network, the connection suddenly drops and returns to normal after a period of time. For example, the client status frequently turns red, users are frequently disconnected from the network, the IE browser frequently reports errors, and some commonly used software malfunctions. If the campus network connects to the Internet through identity authentication, users suddenly find that authentication succeeds but Internet access does not work (the gateway cannot be pinged); access can be restored by restarting the machine or by running the command arp -d in the MS-DOS window.
ARP spoofing Trojans are rampant and especially harmful. Local area networks such as university campus networks, community networks, company networks and Internet cafes have been affected to varying degrees, with large-scale network paralysis as the serious consequence. The Trojan only needs to infect one computer successfully to possibly leave the entire LAN unable to access the Internet, and in serious cases it may even bring the entire network down. In addition to causing other users on the same LAN to have intermittent Internet access, the Trojan also steals users' passwords.
Examples include stealing QQ passwords, stealing passwords for various online games to trade for money, and stealing online banking details to carry out illegal transactions. This is the usual trick of Trojans, and it has caused great inconvenience and huge economic losses to users.
How to check for and deal with "ARP spoofing" Trojans.
-
If someone else is attacking you, install an ARP firewall to find the attacker, and then let it kill the virus and install the firewall.
ARP attacks are launched from the data link layer, and ARP firewall and 360 are all application-layer software, which cannot be prevented. In addition, ARP and other network attacks have always existed, and network attacks are sometimes not deliberate sabotage, because the Ethernet protocol has inherent vulnerabilities and difficult-to-manage defects, resulting in various intranet problems. In order to completely solve intranet attacks, the only way to prevent and control the network card of each terminal is to prevent ARP attacks from being issued.
I think there should be someone in the LAN who uses ARP to spoof Trojan programs (such as: World of Warcraft, Audition and other number-stealing software, and some plug-ins have also maliciously loaded this program).
In general, there are generally three ways to prevent ARP spoofing:
Your network architecture is a medium-sized network. Don't use class C IP; change to class B and divide it into several VLANs: divide the office building into a VLAN, give each office its own VLAN, and then put the OA and business system servers separately into a VLAN (the default VLAN will do). This is easy to manage and can also prevent ARP attacks: any ARP attack can then only attack within its own VLAN and will not affect the servers. You can enable the routing function on the main switch to support cross-VLAN data exchange, and control the direction of data exchange through ACLs. How do you usually manage the external network? You can see whether you need to change it again. As for ARP detection, once the VLANs are divided, an attack will be within a certain VLAN, so you can know which switch the computer that issued the ARP attack is under. You can then go to the corresponding switch's web page and use the MAC detection function to detect the attacker's MAC and IP. Even if someone manually changes the MAC and IP, that will also be recorded. As for what you said about not being able to find the attacker's MAC, it may have been manually modified; you can find the attacker's real MAC address and IP through the MAC detection function on the web page, and easily find out which computer is attacking. In this way the network is safe, and the virus and human aspects are all eliminated. After reading your information above, I feel that your network is a little messy; you can apply to move the network once, make a rectification and re-plan.
Before there was any ARP spoofing, the data flow was from the "gateway" to the "local" machine. After an ARP spoofing attack, the data flows from the "gateway" to the "attacker" to the "local" machine, and all communication data between the "local" machine and the "gateway" will flow through the attacker ("NMS"), resulting in the failure to access the Internet normally.
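The fake-gateway case and the redirected data flow described above leave a visible trace in a PC's own ARP cache: the gateway's IP starts resolving to another host's MAC. The following is an added example, not part of the original page, that compares two snapshots in the Windows `arp -a` layout; the addresses and the function names `parse_arp_table` and `check_gateway` are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed snapshots in the Windows `arp -a` layout (all addresses are invented).
BEFORE = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.42          00-1c-aa-bb-cc-dd     dynamic
"""
AFTER = """\
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1c-aa-bb-cc-dd     dynamic
  192.168.1.42          00-1c-aa-bb-cc-dd     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(dynamic|static)\s*$", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for unicast entries; broadcast/multicast MACs are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and not int(m.group(2)[:2], 16) & 1:  # group bit set = not a single host
            table[m.group(1)] = m.group(2).lower()
    return table

def check_gateway(before, after, gateway_ip):
    """Compare two snapshots and list signs that the gateway entry was poisoned."""
    findings = []
    old, new = before.get(gateway_ip), after.get(gateway_ip)
    if old and new and old != new:
        findings.append(f"gateway {gateway_ip} moved from {old} to {new}")
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    shared = sorted(ip for ip in owners.get(new, []) if ip != gateway_ip)
    if shared:
        findings.append(f"gateway MAC {new} is also claimed by {', '.join(shared)}")
    return findings

if __name__ == "__main__":
    for finding in check_gateway(parse_arp_table(BEFORE), parse_arp_table(AFTER), "192.168.1.1"):
        print(finding)
```

A changed gateway MAC on its own can also mean the router was replaced; the second finding, the gateway sharing a MAC with another intranet host, is the stronger indicator and names the IP of the machine to inspect.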