Shulou(Shulou.com)06/01 Report--

Recently, I have seen a lot of friends' help company network suffering from ARP***. Let me share with you how I prevent ARP*** on the Internet.

First of all, ARP***: is the culprit that leads to instant disconnection and large-scale network outage. In the local area network, the translation between the IP address (layer 3) and the layer 2 physical address (MAC address) is carried out through the ARP protocol. Some devices in the company, such as routers and computers equipped with TCP/IP protocol, provide ARP cache tables to improve the speed of communication. At present, many software with ARP spoofing function make use of this feature of ARP protocol to carry out network equipment *. Through the fake MAC corresponding to the IP address in the local area network, and modifying the ARP cache table of the router or computer, the computer with legal MAC can not correspond to the IP, so that it cannot surf the Internet through the router. After the router is disconnected and restarted, the ARP cache table will be refreshed, and the network will return to normal in a short time, and after ARP*** starts, the network will be cut off again, so repeatedly, it is easy to be mistaken as a router "crash", so that the company network administrator can not take timely action to quickly restore the normal operation of the company.

Since our company uses TP-LINK 's dedicated broadband router TL-R4148, I will take this as an example to introduce how to prevent ARP***:.

If the router has a "IP and MAC address binding" function (ordinary routers have this function), it can generally effectively prevent ARP***. When the corporate network is normal, enable the IP and MAC address binding function (figure 1), which can save the one-to-one corresponding relationship between the MAC of each computer in the company and the intranet IP to the ARP cache table (figure 2). If the corporate network cannot modify the ARP cache table even if it is affected by ARP***, it fundamentally excludes the impact of ARP*** on the router and ensures the normal operation of other users' networks.

Figure 1

Figure 2

Moreover, it is very easy to set up the binding function between IP and MAC. There is no need to enter the IP and MAC of the computer one by one. Regardless of the size of the company, you only need to click the "bind all" button in the ARP mapping table of the router management interface when the company is working normally (figure 3) to complete the binding between IP and MAC. Click the "Import all" button to save the established binding relationship between IP and MAC to the system without rebinding even if you restart it.

Figure 3

In addition, in the company's devices, there are generally only two types of devices with ARP cache, one is the router, the other is the user's Internet computer, and only these two types of devices are the most vulnerable to ARP***. Just as the packet cannot reach the computer when the router is subjected to ARP***, when the Internet computer receives ARP***, the packet will not be sent to the router, but to the wrong place, and of course it will not be able to surf the Internet through the router. Therefore, in order to deal with ARP***, in addition to binding IP and MAC to the router, it is also necessary to bind IP and MAC on the computer.

The binding of IP and MAC to the router has been described above, how to bind IP and MAC on the computer? In fact, Microsoft's operating system has the command line program ARP, run cmd in the computer's Windows command line interface, enter "arp-s return router IP such as 192.168.1.1 + router LAN port MAC address" can bind the router IP and MAC to the computer's ARP table. If you enter the ARP command in the Windows command line interface to bind IP and MAC, the computer needs to enter the ARP command after every restart. There is a simpler way to automatically bind the router's IP and MAC to the computer's ARP table each time the computer starts:

First: create a new batch file such as static_arp.bat, with the suffix bat. Edit it, add the ARP command to it, and save it.

To get the MAC address of the router's LAN port, you can view the "LAN running status" in the router's interface.

Second:

Copy the established batch file static_arp.bat to the startup directory of the system. The computer will run the file automatically every time it starts, and automatically bind IP and MAC.

Third: copy the static_arp.bat file to the system boot directory of all computers in the company. (if the company has a domain environment, you can run the script directly, otherwise you can share it.)

At this point, all the computers in the company bind the router's IP and MAC to the ARP table, so there is no need to worry about being unable to access the Internet because of ARP***.

Special note: when using the ARP prevention function (IP and MAC binding function), the computer should use fixed IP instead of dynamic IP (obtaining IP automatically through DHCP), because if dynamic IP is used, the computer may get different IP each time it starts, which may cause inconsistency with the binding entries of IP and MAC saved in the router, so that the computer will not be able to access the Internet.

In addition to the above two methods, you can also use third-party software, I will briefly introduce a few here. Such as Color Shadow ARP Firewall (this tool is small and convenient, it can judge and block ordinary ARP tools, and can help find * host troubleshooting), Jusheng Network Management (there are green version 1000 users here. You can reply if you need it. I'll send it to the mailbox. I used to use it a lot. If the network is down, the uploads and downloads of that one are very large. I guess this is the ARP in this station. Directly give him the network cable to return to normal), the network post tool is also very good (cracking programs and video tutorials are available), and you can also use some package grabbing software for analysis (you can also leave an email if you need the package grabbing tool). Depending on the degree of mastery of human technology.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.