Shulou(Shulou.com)06/01 Report--

background

In every company, ARP virus protection must be done, and with the expansion of the company's scale, the increase in the number of computers, the degree of protection will become more and more difficult, once ARP*** appears, there may be a large-scale client network disconnection situation, affecting the normal progress of the company's business, and serious may bring the company confidential information leakage, causing irreparable consequences!

Our company also has dozens of computers now, so it is necessary to pay attention to ARP prevention!

noun explanation

ARP (Address Resolution Protocol), also known as the Address Resolution Protocol. The basic function of ARP protocol is to query the MAC address of the target device through the IP address of the target device to ensure smooth communication. It was an essential protocol for the network layer in IPv4, but it is no longer applicable in IPv6 and has been replaced by ICMPv6.

presenting symptoms

Slow Internet access, or slow file sharing within the network

- --Performance for the use of network capture tools, capture a large number of ARP messages in the local area network

Under the same configuration of the whole network, only one computer cannot access the Internet.

- --After the performance is dropped, restart the computer or disable the network card and then enable it to return to normal, but it will be dropped again for a while.

Large area of simultaneous disconnection, or intermittent connection (usually called "card")

- --Performance for a certain area, a network device under the suspension of all PCs appear abnormal Internet access.

Computers are disconnected one by one, or on and off (commonly known as "cards")

- --

When viewing ARP information, multiple IP addresses may correspond to the same MAC address.

Enter arp -a on the command line.

Restart the computer or run "arp -d" under DOS window, and you can resume Internet access.

……

ARP virus detection method and processing method in the company's practical application

Our company's employees should have anti-virus awareness at ordinary times, combined with the specific situation of our company, we have done the binding of client IP and MAC on the router.

By default, none of our computers are bound.

After binding,

Settings on client computers

When one of the above situations occurs, it is possible that your computer has been infected with ARP virus or has been ARP***.

1. Click Start--Run, enter CMD Enter, enter command window, enter command: arp -d Enter

Open the browser and try to access the Internet again. If you can access it normally for a short time, it means that you have been infected with ARP virus. At this time, open the Task Manager to check whether there is a MIR0.dat process. If there is this process, you can directly end the process.

2. Static ARP binding gateway, first enter the command window with the above method, enter the command: arp -a, check the correct MAC address 58-66-ba-2e-a8-1c corresponding to the gateway IP192.168.188.1, and record this address!

At this time, if you cannot access the Internet, run the command arp -d first, empty the contents of the arp cache, immediately disconnect the network (disable the network card or unplug the network cable), and then use ARP-a to check the correct gateway address.

After finding the correct gateway IP and MAC address, bind with the following command:

arp -s gateway IP gateway mac

For example: Gateway IP: 192.168.188.1 Gateway MAC: 58-66-ba-2e-a8-1c

arp -s 192.168.188.1 58-66-ba-2e-a8-1c

3. Making batch files

When binding gateway in the above way, binding will disappear after computer restart, so you can make a batch file, automatic binding after restart.

Open Notepad and write the following:

@echo off

arp -d

arp -s 192.168.188.1 58-66-ba-2e-a8-1c

Another save as arp.bat, drag this file to "Start---Program--Start", the next time the computer will automatically execute this file binding gateway, the IP and MAC above are the IP and MAC of the gateway, and at the same time, IP and MAC binding should be done for each client on the switch or router or firewall. This is the so-called bidirectional binding.

Of course, the normal computer will directly bind it, no judgment is needed

These are computer settings for XP employees

Other employees of the company who use win7 to perform operations with modification actions such as arp -d must run as administrators

Otherwise, ARP item addition fails: the requested operation needs to be upgraded

And arp -s will not work, although the command explanation will also prompt ARP item added failed: access denied

Instead, you have to use another command, netsh, which is very powerful, but it's a lot more complicated.

The following command looks at the network card number Idx

netsh interface ipv4 show interfaces can of course be abbreviated to netsh i sh in

netsh interface ipv4 show neighbors

Write down the Idx of the network card. I have 21 here.

The following command binds IP and MAC

netsh i i set neighbors 21 "192.168.188.1" "58-66-ba-2e-a8-1c" store=persistent

This is a permanent binding. It will not fail after restarting the computer.

netsh -c i i add neighbors 21 gateway IP gateway mac

netsh i i set neighbors 21 "192.168.188.1" "58-66-ba-2e-a8-1c" store=active

This is a temporary binding. It will expire after restarting the computer.

Let's look at the situation before binding

execution command

After binding, it became static.

Here becomes permanent, static will temporarily be considered permanent

Delete binding information

netsh i i delete neigh 21

Or netsh i i reset

However, this command is quite ruthless. Direct IP will also reset and restart to take effect.

4. In addition, we should check the virus of the local area network regularly, scan the virus of the machine, install the patch program to the system at ordinary times, use the update function of the system itself or use 360 security guard or Jinshan guard, QQ computer housekeeper, etc., preferably, each computer in the local area network is guaranteed to have antivirus software (which can be upgraded).

5, do not click to open QQ, MSN and other chat tools sent link information, do not open or run strange, suspicious files and programs, such as strange attachments in the mail, plug-in programs, etc.

6. Of course, I can also prevent ARP*** by setting up a virtual gateway

After carrying out the above operations, it is basically possible to ensure that the company PC will not easily be infected with ARP virus.

This article does not cover technologies such as VLANs

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.