LAN ARP virus observation and obstruction methods

network maintenance work, I encountered three types of ARP virus:
first: the virus is only posing as the gateway IP address of the host. Three switches in the core we can see the virus host and gateway address conflict logging, we can find via the MAC address of the host where the virus switches, then the port shutdown, to eliminate the impact of the virus host on the network, then you can go to site anti-virus. If the other user's computer prior to the gateway's MAC address for the ARP binding, then the impact of the virus to the host in fact see it. AntiARP like installed software can also have a preventive effect.
second: the virus host all mad with the entire network IP address conflict. Our essence switch IP can penetrate a lot of conflicting information, and conflict-of IP address is a circular circle, but all of the conflicts they are all the same source MAC address, namely is, the virus host. Subjected to IP conflicts tend to attack the computer network of a few seconds suddenly blocked, and then returned to natural behind a few minutes, the afterward round of conflict began, will net a few minutes off, more annoying. Similarly, we can find the MAC address on the host where the virus switches,GHD Straighteners, then the port shutdown, the host on the network to eliminate the impact of the virus, then anti-virus can work family. For this a virus, even now the installed software like AntiARP, the achieve is not massive, even in the switch do not use MAC address fastening is only source of early observation of the virus as presently as possible Caixing.
third: This is the maximum mighty ARP virus, it can be two-way ARP spoofing. Virus host some randomly selected host within the network of online fraud, tell them the virus host is a firewall, the firewall and then it cheating, mentioning that cheated the MAC address of the host is the host of the MAC address of my virus. As a result, the firewall does not know who the host cheated, and deceived the host file packet will be sent forward through the virus host, the firewall will also return the packet forwarded by the virus hosts, the virus host can from the data package crawl game account password and other information. When the network in such a ARP virus, the core switch I simply can not find any relevant log information for virus detection brings a great handle of trouble. And this virus is cheating a number of randomly selected host, preferably than the whole network cheating, so some user rejoinder times suddenly can not access, but after a when like, and allows upkeep personnel to decide the mistake is not good. The virus can be very severe, nearly impossible to prevent, because even now the computer software or upload a pre-bound AntiARP the MAC address of the firewall is entirely needless, because the firewall has been cheated of its own, you know the firewall, the firewall can not recognize you. If you do not bind the MAC address of the firewall, virus host deceive you, you actually can still access, but the virus host data packets have been forwarded in advance if you bind the MAC address of the firewall that hosts both the virus and firewall to cheat you When you can not get online.

my LAN IP address in order to prevent indiscriminate use, have made such a setting. I am in the LAN aggregation layer switches (3 devices) on the ACL rules do provide for aggregation layer switch connected to those under the access layer switch which allows the use of their IP address only,GHD Green Straighteners, if a user with the other IP, it will mesh barrier . This can absolutely serve to prevent IP address with the role of muddle, but it solve the IP address for the role of conflict is not large,GHD Purple Butterfly 2011, because the other users on the switch with the wrong IP address, however he will use the wrong IP network barrier However, this IP address is the main information will still receive the IP conflict, and his impact on the Internet. To prevent IP address conflicts in fact the best solution would be to make the switch IP address and port-based MAC address binding,GHD Midnight Gift Set 2011, but also to bind up layer by layer, has been jump to the core switches. But to do also much go, and the maintenance is trouble, if some computers change positions, it is estimated will network crazy.
precisely because I did such a setting, so when the network appears in the 1st type of ARP virus, the virus host posing as the doorway IP address is not successful because the IP address of the doorway host does not allow the virus where the use of the access layer switch. But as I said before I do the ACL rules can not stop the impact of IP conflict, so the firewall host to the impact of the virus, guiding to all network users can not access. But the avail is that I can instantly find the network anomalies, and then the log to find the virus host. Without the ACL rules, the virus can successfully impersonate the host firewall, and then along the parcel to all users, grasp username and password, and it is estimated that there will not be reported to failure that the consumer can not access, so that network treatment can not know the network as soon as possible ARP has this virus. But installing a AntiARP software or viruses can be found in this host.
ARP for the second type of virus, I do not really understand it and the whole network IP address conflicts of intention, perhaps to make the whole network off every now and then almost the host bars.
ARP for the third type of virus, when the virus host computer randomly select some way cheating, because I set the ACL rules allow the virus to the host can not impersonate the firewall IP, ping the host it is deception IP firewall will ping barrier, even now the host's MAC address to bind the firewall is useless because the virus has also been the host firewall cheated, it does not know these deceived the real MAC address of the host, the virus only know the MAC address of the host. This is why I also have several companies that constantly reflect their users suddenly can not access the computer, but also unreasonable firewall ping IP, but it can ping through other people's computer, and then changed their computer IP addresses but also other Internet reason. This happens, restart the firewall, no use, it is depressing.
now know the reason to solve the problem very well, and this third ARP virus so cunning, how do we destroy it to find it? On the one hand we can not see the switch in the core log information narrated to the other hand, if we do not restrict the IP addresses on the switch to use ACL rules,GHD Benefit Straighteners, it is difficult to detect within the network have this virus in the host. In order to find the virus host,GHD NZ, we will do so. Or school me to set restrictions on the switch in the IP address using ACL rules, so that a virus attack can allow the user to call the attack reported failure. Or in many computer using arp-s command to bind the MAC address of the firewall, or a large digit of AntiARP software installed, so a virus, these do AntiARP ARP binding and installed software, the computer will not access, accordingly finding of the virus as soon as possible will help the host network.
know the web has a third type of virus, how to speedily nail the virus host it? If AntiARP software installed, the software may report the virus host MAC address, merely just possibly Oh, is not utter. Also, if, like me, who set the ACL rule, then cheated can not get the virus above the host MAC address of the host, for they host ping ping the firewall address is assorted from the host and the virus was restricted ACL rules, can not simulate to firewall, Therefore, the host is unable to get deceived virus host MAC address. Having said entire this cluster, in the end how to immediately find the virus host MAC address? The response is to find from the firewall.
Telnet to TOPSEC firewall, escape the arp command will show all of the ARP information. As follows:
System> arp
? (192.168.64.98) at 00:0 F: 1F: 54:00: E6 [ether] on eth5
? (192.168.64.185) at 00:14: 78:58: B8: 7F [ether] on eth5
? (192.168.64.213) at 00:0 A: EB: 92: D8: D3 [ether] on eth5
? (192.168.64.186) at 00: 00: C8: 75:99: ED [ether] on eth5
? (192.168.64.68) at 00:15:58: E1: 14: F9 [ether] on eth5
? (192.168.64.67) at 50:78:4 C: 6B: 57:42 [ether] on eth5
? (192.168.64.208) at 00:10: DC: 36: DE: AA [ether] on eth5
? (192.168.64.47 ) at 00:0 D: 87: E8: E3: AA [ether] on eth5
? (192.168.64.211) at 00:15:58: E1: 18:42 [ether] on eth5
? (192.168 .64.148) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.221) at 00:15:58: D1: 0F: DA [ether] on eth5
? (192.168.64.251) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.151) at 00:0 D: 56:53: C7: AC [ether] on eth5
? (192.168.64.105) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.181) at 00:0 D: 60: A4: CF: CD [ether] on eth5
? (192.168.64.217) at 00: E0: 4C: 39:8 E: BB [ether] on eth5
? (192.168.64.37) at 00:11:25:38:20: B7 [ether] on eth5
? (192.168.64.1) at 00:00:5 E: 00:01:03 [ether] on eth5
? (192.168.64.182) at 00: E0: 4C: E7: 9D: 88 [ ,],[3F [ether] on eth5
? (192.168.64.143) at 00:0 D: 60: E4: 65: A6 [ether] on eth5
? (192.168.64.141) at 00: E0: 4C: 5A: 1F: EC [ether] on eth5
? (192.168.64.58) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.59) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.86) at 00: E0: 4C: 5E: CE: 89 [ether] on eth5
? (192.168.64.61) at 00:14: 2A: 88: ED: FE [ether] on eth5
? (192.168.64.63) at 00:11:5 B: 9A: DC: DC [ether] on eth5
? (192.168.64.192) at 00: 15:58: D6: FE: 15 [ether] on eth5
? (192.168.64.136) at 00:08:74: AC: BF: E9 [ether] on eth5
? (192.168.64.92) at 00:0 B: CD: 65:2 C: 5F [ether] on eth5
? (192.168.64.50) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.239 ) at 00: E0: 4C: 74:1 A: 32 [ether] on eth5
? (192.168.64.238) at 00:10:5 C: B6: 13:98 [ether] on eth5
? (192.168 .64.203) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.124) at 00:50: BA: 45: A9: 42 [ether] on eth5
? (192.168.66.17) at 00:03:0 D: 2F: E6: 7E [ether] on eth4
? (192.168.64.54) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.201) at 00:0 D: 60:9 E: 5B: CD [ether] on eth5
? (192.168.64.55) at 00:15:58: E1: 15:0 B [ether] on eth5
ARP information table to copy the upon down, saved to a txt file. Then open it with Excel, choose the breakdown according to the space character, and then sorted according to MAC address, we will accessible find many of the same IP address, MAC address, then the MAC address is the host of the virus.
example, I list here the ARP sorted according to MAC address, see this section:
? (192.168.64.148) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.251) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.105) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.58) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.59) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.50) at 00:0 D: 87: D6: BC: 09 [ether] on eth5
? (192.168.64.203) at 00:0 D: 87: D6: BC: 09 [ ,],[corresponds to which IP address? If the network IP address of the management in area, there ought be a detailed IP address and MAC address charting chart, and characteristic to every IP address corresponds to which user, which ministry, in which switch port on which so A check will be remove. Of course, the implementation of the switch in the core layer, then show arp command, and then search for the MAC address, the virus can quickly find the host IP. I soon found the MAC address corresponding to the IP address is 192.168.64.105.
know the MAC address to find the corresponding switch port, and then to near the port to eliminate shock. Know the IP address of the calculator ambition be capable to know who, and then anti-virus site. However, for the firewall as the ARP menu update TOPSEC no so fast, even if we host the web off the virus, and those who have been cheated for a time host still tin no way the Internet, for the firewall ARP list Topsec store or wrong MAC address. This is simple to knob, use arp-d directive line. UltraEdit editor with a few batch commands:
arp-d 192.168.64.148
arp-d 192.168.64.251
arp-d 192.168.64.58
arp-d 192.168.64.59
arp - d 192.168.64.50
arp-d 192.168.64.203
arp-d 192.168.64.54
run the commands, the host can immediately cheated online. Of course, reset the firewall is also a straight line.
detect the virus before the host said a lot of ways, and that a third type of ARP for the virus, there is not direction to prevent it? Of course, there is not a firewall ARP Topsec binding traits it? If we had used in the TOPSEC firewall arp-s command to bind all IP-MAC address of the Internet, then the third type of ARP virus can not fool the firewall, and the user host arp-s command is likewise used to bind the firewall the MAC address, then, the virus also can not deceive the host of the other hosts, so that way the virus is not illusive in anyone 1 way successfully, certainly, can not affect your online. However, the downside is that this network may be complicated to find the virus host, too made a MAC address binding, if many users want to change the IP address, estimated network will be crazy.