Or you can change the ip address and mac address.
Analysis of four common ARP prevention measures
First, double restraint measures.
Double binding is a measure of IP-MAC binding between router and terminal, which can suppress ARP spoofing, forge gateway and intercept data. This is a preventive measure based on ARP deception principle, and it is also the most commonly used method. It is effective against the most common ARP spoofing.
However, the defects of the double constraint lie in three points:
The static binding on the 1. terminal is easily destroyed by the upgraded ARP attack. A virus ARP–D command can completely invalidate the static binding.
2. Binding the IP-MAC table on the router is time-consuming and laborious, which is a tedious maintenance work. Changing the network card or changing the IP requires reconfiguring the route. For mobile computers, this kind of binding work that needs to be done at any time is a huge burden for network maintenance, and network administrators can hardly complete it.
3. Double binding only prevents computers and routers at both ends of the network from receiving related ARP information, but a large number of ARP attack data can still be sent out and transmitted in the intranet, which greatly reduces the transmission efficiency of the intranet and still causes problems.
Therefore, although double binding was once the basic measure to prevent ARP, it is too troublesome to manage because of its limited preventive ability and limited effect.
Second, ARP personal firewall
Adding the function of ARP personal firewall to some antivirus software is a measure to protect its own data from being stolen by binding the gateway to the terminal computer to ensure that it is not affected by the fake gateway in the network. ARP firewall is widely used. Many people think that ARP attacks will not pose a threat with firewalls, but this is not the case at all.
ARP personal firewall also has great defects:
1. It cannot guarantee that the bound gateway must be correct. If ARP spoofing occurs in the network and someone is forging a gateway, then the ARP personal firewall will bind the wrong gateway, which is extremely risky. Even if there is no default prompt for configuration, users who lack network knowledge may be at a loss.
2.ARP is a problem in the network. ARP can not only forge gateways, but also intercept data. It's a two-headed monster. It is not a complete method to do ARP prevention on personal terminal, regardless of gateway. The function of ARP personal firewall is to prevent its own data from being stolen, but it can't do anything about the whole network problems such as dropped calls and cards.
Therefore, ARP personal firewall does not provide reliable guarantee. Most importantly, this is a measure that has nothing to do with network stability. It's personal, not online.
Third, VLAN and switch port binding.
Binding by dividing VLAN and switch port is also a common method to prevent ARP. The practice is to divide VLAN carefully, narrow the scope of broadcast domain, and let ARP work in a small scope without causing a large-scale impact. At the same time, some network management switches have the function of learning MAC addresses. After learning, turn off this function, and the corresponding MAC can bind the port to prevent the virus from tampering with its address through ARP attack. In other words, the risk of data interception in ARP attack is relieved. This method can really play a certain role.
However, the problem with VLAN and switch port binding is that:
1, without the protection of the gateway, no matter how to subdivide the VLAN, once the gateway is attacked, it will still cause the whole network to be disconnected and paralyzed.
2, each computer is firmly fixed on a switch port, this management is too rigid. This is not suitable for mobile terminals at all. From the office to the conference room, I'm afraid this computer can't access the Internet. What should I do under the wireless application? Still need other ways.
3. To realize switch port binding, all advanced network management switches and three-layer switches must be used, which greatly increases the cost of the whole switching network.
Because the switching network itself unconditionally supports ARP operation, the possibility of ARP attack is its own vulnerability, and its management means are not aimed at ARP. Therefore, the implementation of ARP preventive measures on the existing switching network belongs to the shield of attacking with a spear. And the operation and maintenance is complicated, which is basically a thankless thing.
Fourth, PPPoE
Each user is assigned an account and password under the network, and must pass PPPoE authentication when surfing the Internet. This method is also one of measures to prevent ARP. PPPoE dial mode encapsulates the data packet twice, so that it is not affected by ARP spoofing. Many people think that the ultimate solution to ARP problem has been found.
The problem mainly focuses on efficiency and practicality:
1, PPPoE needs to encapsulate the data packet for the second time, and then decapsulate it on the access device, which will inevitably reduce the network transmission efficiency and waste bandwidth resources. You should know that the processing efficiency of PPPoE server and routing equipment is not an order of magnitude.
2. In PPPoE mode, LANs cannot access each other. In many networks, there are domain control servers, DNS servers, mail servers, OA systems, data sharing, print sharing and so on. In a local area network, this requires communication between local areas. However, the PPPoE mode makes all this unusable and unacceptable.
3. Without PPPoE, when accessing the intranet, the ARP problem still exists, nothing is solved, and the stability of the network is still not good.
Therefore, PPPoE is technically to avoid the underlying protocol connection, out of sight, out of mind, and exchange network stability by sacrificing network efficiency. The most unacceptable thing is that the network can only be used online, and other internal enjoyment cannot be carried out under PPPoE.
Through the analysis of the above four common ARP prevention methods, we can see that there are problems in the existing ARP prevention measures. This is why ARP can't be completely solved in practice even though it has been studied for a long time.
Immune network is the most fundamental method to solve ARP.
As the saying goes, the magic height is one foot and the road height is one foot, and the network problem must be solved by network method. At present, the omni-directional immune network is the most practical method to completely solve the ARP problem.
From the technical principle, there are three technical points to completely solve ARP deception and attack.
1. The binding between the terminal and the gateway should be firm and reliable, and this binding can resist virus damage.
2. The access router or gateway should always ensure the unique and accurate identification of the IP-MAC of the subsequent terminal.
3. There should be a most reliable organization in the network to provide the strongest protection for the gateway IP-MAC. It can not only distribute the correct gateway information, but also block the wrong gateway information immediately.
Immune network has special technical solutions to these three problems, and these technologies are the technical patents of manufacturers. We will explain it in detail below. Now, we will briefly introduce the structure and implementation of immune network.
Immune network is a set of security and management solutions based on the existing common switching network composed of routers, switches, network cards and network cables. In this way, in ordinary network communication, security and management mechanism are integrated, which ensures the security management and control ability in the process of network communication and plugs the innate vulnerability that ordinary networks are never unprepared for security.
Realizing an immune network is not a very complicated matter, and the cost is not very large. All it has to do is to replace the existing broadband access equipment with an immune wall router or an immune gateway. Under the immune wall router, you need to bring your own server to run the immune operation center 24 hours a day. You don't need an immune gateway, you have your own server. This is the hardware adjustment measure required by this scheme. The hardware price ranges from 1 ten thousand yuan to 1 ten thousand yuan. According to the needs of different enterprises, large, medium and small enterprises can have their own needs and have a wide range of choices.
Soft network adjustment is the configuration and installation work such as IP planning, grouping strategy, automatic installation of internet drivers for terminals, etc., to ensure the effective operation of the whole security management function. In fact, this part of the work is not much different from the daily management of the network by the network administrator.
Immune network has powerful network basic security and management functions, and its ability to prevent ARP is less than one tenth. But this paper is about ARP, so we need to go back and explain the mechanism of ARP deception and the anti-attack of immune network. As for the immune network, it is more powerful and can be further studied.
The three technical points of ARP governance mentioned above, terminal binding, gateway and organization, and immune network, adopt special technical means respectively.
1, terminal binding adopts guard binding technology. The immune network requires each terminal to automatically install the driver, and it can't surf the Internet without installing or uninstalling. The guardian binding in the driver is to store the correct gateway information in a non-public location to protect it. Due to the close monitoring of the gatekeeper program, it is impossible to change the gateway information successfully, which completes the requirement of firm and reliable terminal binding.
2. ARP innate immune technology of immune wall router or immune gateway. In the process of NAT forwarding, due to the special mechanism, the immune wall router simply ignores any ARP statement to the terminal IP-MAC, that is, no one can cheat the gateway. Unlike other routers, the Immune Wall router does not use the list of IP-Macs to work, and certainly does not need complicated router IP-MAC table binding and maintenance operations. Innate immunity has this ability even if it doesn't care.
3. Ensuring that the IP-MAC of the gateway is always organized correctly is a set of security mechanisms in the immune network. First of all, it can distribute the real gateway information obtained from the router to every terminal in the network, while the driven terminal only accepts this information, and other information cannot be accepted, thus ensuring the uniqueness and correctness of the gateway. Secondly, in each terminal, the immune driver will intercept the transmission of the wrong gateway sent by the virus, prevent it from escaping into the network, and cut off ARP deception and attack from the root.
From the above three measures, the immune network has really solved the long-standing ARP problem, with rigorous technology, feasible application and relatively low cost. Therefore, compared with the four common ARP prevention methods, immune network is the most fundamental method to solve ARP.