WireShark discovers ARP virus in LAN

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

ARP (Address Resolution Protocol) is the low-level protocol in the TCP/IP suite that resolves the IP address of a network node to its MAC address. ARP viruses and other malware that spread across a network abuse the ARP mechanism to spoof addresses. The most common ARP problems fall into the following three types:

1) Gateway or server IP spoofing: using the ARP mechanism, the attacker claims the IP address of the gateway or another server on the local area network, so that traffic that should be sent to the gateway or server is directed to the computer carrying out the ARP spoofing. The result is interrupted or intermittent connectivity, or data loss.

2) Covert IP theft: using the ARP mechanism to take over someone else's IP address without their knowledge and carry out malicious network activity, from which various infringing operations can follow.

3) Forcible IP occupation: using the ARP mechanism to attack someone else's IP address and finally occupy it, in order to carry out all kinds of malicious or infringing operations.

Network troubleshooting:

Users reported that the network was intermittent. Engineers captured packets with WireShark and found that 90% of the packets on the LAN were ARP messages.

A host with MAC address 001F-29DC-F4B1 continuously sends ARP messages, with itself as the source address, to the other computers in this network segment, telling them that the MAC address of the gateway is 001F-29DC-F4B1. In fact, the user's gateway is a Jiaotong University firewall, and its MAC address is not 001F-29DC-F4B1. From this we can conclude that host 001F-29DC-F4B1 is carrying out ARP address spoofing, and that the type is gateway spoofing.

Note: X.31.74.254 is the default gateway for the PCs.

But the network of the intranet users was still intermittent. We continued capturing packets with WireShark and found the following problem:

After capturing and examining the packets, we found that the host with IP address X.31.74.37 and MAC address 5CFF.3501.9DAF was also sending a large number of ARP packets on the local area network. It scans the IP and MAC addresses of all hosts in the network segment using ARP broadcast packets. A large number of ARP request broadcasts that cover almost every host in the segment indicates an ARP scan. Such a volume of ARP request broadcasts may consume network bandwidth, and ARP scanning is generally a prelude to an ARP attack.
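The two checks the engineers made by eye (a host binding the gateway IP to its own MAC, and a host sending ARP requests for almost every address in the segment) can be run over an exported capture. The following is an added example, not code from the original article. It assumes the ARP packets were exported as tab-separated fields with tshark; the 10.31.74.x addresses stand in for the article's redacted X.31.74.x, and the gateway MAC, the ordinary host and the threshold are constructed values.

```python
from collections import defaultdict

# Assumed input: tab-separated lines as exported by
#   tshark -r capture.pcap -Y arp -T fields -e arp.opcode \
#          -e arp.src.hw_mac -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4
GATEWAY_IP = "10.31.74.254"        # constructed stand-in for the article's X.31.74.254
GATEWAY_MAC = "02:00:00:00:00:fe"  # constructed; the article does not give the real gateway MAC
SCAN_THRESHOLD = 50                # assumed: distinct IPs queried by one sender

def analyze(lines):
    """Return (MACs falsely claiming the gateway IP, MACs sweeping the segment)."""
    spoofers = set()
    queried = defaultdict(set)      # sender MAC -> target IPs it asked about
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue                # skip malformed or incomplete rows
        opcode, src_mac, src_ip, dst_ip = fields
        src_mac = src_mac.lower()
        # Gateway spoofing: any ARP packet binding the gateway IP to another MAC.
        if src_ip == GATEWAY_IP and src_mac != GATEWAY_MAC:
            spoofers.add(src_mac)
        # ARP scan: one sender issuing requests (opcode 1) for many different IPs.
        # The real gateway is exempt because it legitimately resolves many hosts.
        if opcode == "1" and src_mac != GATEWAY_MAC:
            queried[src_mac].add(dst_ip)
    scanners = {m for m, ips in queried.items() if len(ips) >= SCAN_THRESHOLD}
    return spoofers, scanners

def sample_capture():
    """Constructed rows modelled on the two hosts described in the article."""
    rows = ["2\t02:00:00:00:00:fe\t10.31.74.254\t10.31.74.10"]   # genuine gateway reply
    rows += ["1\t02:00:00:00:00:10\t10.31.74.10\t10.31.74.254"]  # ordinary host asking for the gateway
    # Host 001F-29DC-F4B1 telling other hosts that it is the gateway.
    rows += [f"2\t00:1f:29:dc:f4:b1\t10.31.74.254\t10.31.74.{h}" for h in range(10, 20)]
    # Host 5CFF.3501.9DAF (X.31.74.37) sweeping the segment with requests.
    rows += [f"1\t5c:ff:35:01:9d:af\t10.31.74.37\t10.31.74.{h}" for h in range(1, 254)]
    return rows

if __name__ == "__main__":
    spoofers, scanners = analyze(sample_capture())
    print("gateway spoofers:", sorted(spoofers))
    print("ARP scanners:", sorted(scanners))
```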

Solution:

The solution is also very simple: shut down the uplink ports of these two machines.
