Shulou(Shulou.com)06/01 Report--

First, diagnose whether it is ARP virus *

1, when we find that the Internet has obviously slowed down, or suddenly dropped, we can use the arp-a command to check the ARP table: (click the "start" button-select "run"-enter "cmd" click the "OK" button, enter the "arp-a" command in the window) if you find that the MAC address of the gateway has changed, or that there are many IP pointing to the same physical address, then it must be the result of ARP deception.

2. Use AntiARPSniffer software or 360 arp firewall to check.

Second, find out the host of ARP virus

1. Using the "arp-d" command, you can only temporarily solve the problem of surfing the Internet. If you want to solve the problem fundamentally, you have to find the host of the virus. Through the arp-a command above, you can determine that the changed gateway MAC address or the physical address pointed to by multiple IP is the MAC address of the virus machine. Which host corresponds to this MAC address? there are ipconfig/all commands in windows to check the information of each one, but if there are too many computers, it is not a way to check them one by one, so you can download a software called "NBTSCAN", which can get the real IP address and MAC address of PC.

Command: "nbtscan-r 192.168.80.0 nbtscan 24" (search the entire 192.168.80.0amp 24 segment, that is, 192.168.80.1-192.168.80.254), or "nbtscan 192.168.80.25-137" search for 192.168.80.25-192.168.80.137. The first column of the output is the IP address, and the last column is the MAC address. This allows you to find the IP address of the virus host.

2. What if I don't have this software on hand? At this time, you can also run routing tracking commands on the client, such as: tracert-d 114.114.114.114, and immediately find that the first is not the private network ip of the gateway machine, but the IP of another machine in this network segment, and the next hop is the private network IP; of the gateway. normally, the first output after route tracking should be the default gateway address, which determines that the host of the non-gateway IP address of the first hop is the culprit. 3, of course, after finding the IP, the next step is to find the specific machine corresponding to the IP. If you have numbered each computer and have regular settings for using a fixed IP,IP, then you will find it quickly. But what if this is not the case, the IP setting is irregular, or the IP is obtained dynamically? Do we still have to check it out one by one? No! You can do this: set the IP address of a machine to the same as the machine, and then cause the IP address conflict, cause the poisoned host to call the police and find the host.

Third, deal with virus hosts

1. Use antivirus software to check and kill virus.

2. It is recommended to reinstall the system, and it is over. (of course, you should pay attention to whether there are viruses on other disks except the system disk.)

Fourth, how to prevent ARP virus

1. From the point of view of the ways that affect the smooth connection of the network, there are two kinds of ARP spoofing, one is to deceive the router ARP table, and the other is to cheat the gateway of the intranet PC. The first principle of ARP spoofing is to intercept gateway data. It notifies the router of a series of wrong intranet MAC addresses and continues according to a certain frequency, so that the real address information can not be updated and saved in the router. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information. The second principle of ARP spoofing is to forge gateways. Its principle is to set up a fake gateway and let the deceived PC send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it is not online, "the network is offline." Therefore, many people suggest that users should use two-way binding to solve and prevent ARP spoofing, which is indeed the best solution, but if there are a large number of computers, it will be a lot of work to bind on the router. I personally think it is mainly necessary to bind the router's IP and MAC addresses on PC. Binding on PC can be done as follows:

1) first, obtain the MAC address of the router's intranet (for example, the MAC address of the gateway address 172.16.1.254 is 0022aa0022ee).

2) write a batch file rarp.bat as follows:

@ echooffbr/ > 3. Of course, after finding the IP, the next step is to find the specific machine corresponding to the IP. If you have numbered each computer and have a regular setting for using a fixed IP,IP, then you will find it quickly. But what if this is not the case, the IP setting is irregular, or the IP is obtained dynamically? Do we still have to check it out one by one? No! You can do this: set the IP address of a machine to the same as the machine, and then cause the IP address conflict, cause the poisoned host to call the police and find the host.

Third, deal with virus hosts

1. Use antivirus software to check and kill virus.

2. It is recommended to reinstall the system, and it is over. (of course, you should pay attention to whether there are viruses on other disks except the system disk.)

Fourth, how to prevent ARP virus

1. From the point of view of the ways that affect the smooth connection of the network, there are two kinds of ARP spoofing, one is to deceive the router ARP table, and the other is to cheat the gateway of the intranet PC. The first principle of ARP spoofing is to intercept gateway data. It notifies the router of a series of wrong intranet MAC addresses and continues according to a certain frequency, so that the real address information can not be updated and saved in the router. As a result, all the data of the router can only be sent to the wrong MAC address, resulting in the normal PC can not receive the information. The second principle of ARP spoofing is to forge gateways. Its principle is to set up a fake gateway and let the deceived PC send data to the fake gateway instead of surfing the Internet through a normal router. In PC's view, it is not online, "the network is offline." Therefore, many people suggest that users should use two-way binding to solve and prevent ARP spoofing, which is indeed the best solution, but if there are a large number of computers, it will be a lot of work to bind on the router. I personally think it is mainly necessary to bind the router's IP and MAC addresses on PC. Binding on PC can be done as follows:

1) first, obtain the MAC address of the router's intranet (for example, the MAC address of the gateway address 172.16.1.254 is 0022aa0022ee).

2) write a batch file rarp.bat as follows:

@ echooff

Arp-s 172.16.1.254 00-22-aa-00-22-ee

Just change the gateway IP address and MAC address in the file to your own gateway IP address and MAC address. Drag the batch software to "windows-- start-Program-start".

This not only reduces the trouble of setting up one by one, but also avoids the trouble of having to redo the data because the computer is rebooted. Of course, it is better for the computer to have a restore card and a protection system, so that the batch will not be deleted at will.

2. As a network administrator, I think we should make full use of some tools and software and prepare some commonly used tools. As far as ARP is concerned, it is recommended to prepare the following software on hand:

① "AntiARPSniffer" (use AntiARPSniffer to prevent the use of ARP technology for packet interception and to prevent the use of ARP technology to send address conflict packets, and to find the IP and MAC addresses of * hosts).

② "NBTSCAN" (NBTSCAN can get the real IP address and MAC address of PC, which can be used to know the corresponding MAC address of each IP in the LAN)

③ "Network Marshal" (a LAN management assistant software, using the underlying network protocol, can penetrate each client firewall to monitor every host, switch and other network devices equipped with IP in the network. Using the network card number (MAC) to identify users, the main function is to monitor the whole local area network in real time according to the permissions limited by the administrator for each host, and automatically manage the illegal users, which can isolate the illegal users from some hosts or the whole network in the network, and no matter what kind of firewall the hosts in the local area network are running, they can not evade monitoring, nor cause firewall warnings, thus improving the security of the network.

3. Check the local area network virus regularly, scan the machine for virus, usually install patches for the system, it is best to ensure that every computer in the local area network has antivirus software (upgradable)

4. Instruct the users in the network not to click to open the link information sent by QQ, MSN and other chat tools, and not to open or run strange or suspicious files and programs, such as strange attachments in email, plug-in programs, etc.

5. It is recommended that each computer in the local area network should be fixed IP as far as possible. Routers do not enable DHCP, and assign a number to each computer in the network, and each number corresponds to a unique IP, so that it is convenient to manage future fault queries. And use "NBTSCAN" software to find out the corresponding MAC address of each IP, and establish an one-to-one corresponding database of "computer number-IP address-MAC address".

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.