securitysofts
Most readers of this site work in enterprise network management or are network security enthusiasts, and I believe the biggest headache for all of us recently has been the ARP spoofing type of worm. This kind of virus is very troublesome to deal with: a single infected machine can disrupt or cut off Internet access for every machine on the LAN. I have also been troubled by ARP spoofing worms, so below I share, from my own experience, some ideas for bringing ARP spoofing viruses under control.
1. Overview of the ARP spoofing virus:
Space does not allow a full treatment of how the ARP spoofing virus works and spreads, so only a brief introduction is given here. A so-called ARP spoofing virus is a computer infected with the virus that continuously impersonates the gateway's IP address, repeatedly telling every computer on the network that the MAC address corresponding to the gateway is the infected machine's own MAC, and it sends these ARP messages far more frequently than the real gateway does.
As a result, the correct ARP packets are drowned out by the forged ones. When other computers go online, their data is sent to the "gateway" whose MAC address is now actually that of the poisoned machine. Traffic then flows between the poisoned machine and the otherwise healthy machines while the real gateway is bypassed entirely, producing network access problems: forged content injected into pages, slow or no Internet access on other computers, or even redirection of addresses to fake pages, and so on.
2. The key to controlling the ARP spoofing virus:
The key to the birth, spread and outbreak of the ARP spoofing virus is the large number of forged packets it sends onto the network. The content of a forged packet tells the other computers that the gateway's MAC address is the infected machine's MAC. For example, if the infected machine's MAC address is 1111-1111-1111, its IP address is 192.168.1.5, and the real gateway address on the network is 192.168.1.254, then the forged packets falsely tell the other computers that the MAC address corresponding to 192.168.1.254 is 1111-1111-1111.
Because TCP/IP transmission starts at the low-level data link layer and works up to the network layer, computers must be identified by MAC address. Once the other computers on the network have received the claim that the MAC address corresponding to 192.168.1.254 is 1111-1111-1111, they will use that MAC, via the entries in their ARP caches, to decide which computer is the gateway.
From the above analysis we can be more specific: the key to preventing the ARP spoofing virus is handling these illegal packets, namely packets whose IP address is the gateway's but whose MAC address is that of the computer infected with the virus.
3. Ideas for preventing the ARP virus:
This article discusses ideas for controlling the ARP spoofing worm; it is about prevention, not about putting out a fire that has already started. If an ARP spoofing virus outbreak has already occurred, what the network administrator needs to do is locate the infected computer with a sniffer. I introduced the specific method in the earlier article on the "close-Downloader virus", so it is not described in detail here.
Here is the line of thinking behind the control measures. We concentrate the control on handling the ARP spoofing packets themselves. Since we know that the content of a spoofed packet is "IP address is the gateway's, MAC address is the infected computer's", we only need to filter out packets matching that pattern. While the network is free of the virus we can learn the real gateway's correct MAC address, either by querying on the switch or directly with arp -a. Assume here that the real gateway's MAC address is 2222-2222-2222.
Then we set up a filtering access control list policy on the switch: on every port of the switch, in the outbound direction, packets whose source address is 192.168.1.254 but whose source MAC address is not 2222-2222-2222, or whose destination address is 192.168.1.254 but whose destination MAC address is not 2222-2222-2222, are discarded (sent to a black-hole loopback), and the corresponding switch port is shut down automatically.
4. Simulating the ARP spoofing virus control process:
Because the ARP spoofing virus spreads by broadcasting forged information through the switch, and that forged information must contain 192.168.1.254 as the source or destination IP address while the corresponding MAC address is not the correct 2222-2222-2222, the forged information is blocked by the access control list or filtering policy we set up on the switch beforehand. Combined with automatically shutting down the corresponding port, this completely prevents the ARP spoofing worm from spreading. Since the infected computer will then be unable to access the network, its user will contact the network administrator, which helps us quickly locate that computer and solve the problem the first time.
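The filtering rule from sections 3 and 4, carried out on raw ARP frames as an added example (this is not code from the original post): it parses an Ethernet/ARP frame, flags any frame that pairs the gateway IP 192.168.1.254 with a MAC other than the real gateway's 2222-2222-2222 (written 22:22:22:22:22:22 here), and records which switch port should be shut. The port names and sample frames are constructed for the example.

```python
import struct
import ipaddress

# Values from the post's example; MACs written colon-separated (2222-2222-2222 -> 22:22:...).
GATEWAY_IP = "192.168.1.254"
GATEWAY_MAC = "22:22:22:22:22:22"
ETHERTYPE_ARP = 0x0806

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp_frame(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4 ARP; return a dict, or None if it is not one."""
    if len(frame) < 42:
        return None
    _dst, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src_mac": _mac_str(src_mac), "oper": oper,
            "sha": _mac_str(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": _mac_str(tha), "tpa": str(ipaddress.IPv4Address(tpa))}

def is_spoofed(arp: dict) -> bool:
    """The post's rule: the gateway IP paired with any MAC other than the real gateway's."""
    if arp["spa"] == GATEWAY_IP and (arp["sha"] != GATEWAY_MAC or arp["src_mac"] != GATEWAY_MAC):
        return True
    # An ARP reply "to" the gateway IP but addressed to some other MAC is the second illegal form.
    return arp["oper"] == 2 and arp["tpa"] == GATEWAY_IP and arp["tha"] != GATEWAY_MAC

def make_sample_frame(src_mac, oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed sample frame for exercising the filter (test data, never transmitted)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    eth = struct.pack("!6s6sH", mac("ff:ff:ff:ff:ff:ff"), mac(src_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp

def ports_to_shut(frames_by_port) -> set:
    """Apply the rule to (port, frame) pairs; return the ports that carried spoofed ARP."""
    shut = set()
    for port, frame in frames_by_port:
        arp = parse_arp_frame(frame)
        if arp is not None and is_spoofed(arp):
            shut.add(port)
    return shut
```

An ordinary ARP request for the gateway (opcode 1, target MAC all zeros) is deliberately not flagged, which is the "do not filter out correct packets" caveat from the summary.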
Tip:
However, if the enterprise network topology has a switch port that connects to a device such as a hub, and a computer below that hub becomes infected with the ARP spoofing virus, the switch port will still be shut down automatically, and every computer under that hub will lose network access. It is therefore recommended to connect every corporate computer directly to a switch wherever possible.
5. Summary:
Preventive measures of this kind require switching and routing equipment that supports ACL access control lists and routing policies, so we must first ensure that the switching and routing equipment supports these functions, and the rules must be built carefully so that correct packets are not filtered out. Of course, this is only the preventive idea I arrived at over several fights against the ARP spoofing virus; I hope more friends will explore it and offer suggestions, so that together we can make progress toward stamping out the ARP spoofing virus completely.