When the virus attacks, the symptoms are:
1) The computer's network connection shows as normal, but it cannot access the Internet, or it loses the connection intermittently and frequently;
2) Users' private information (such as QQ, online game and other account credentials) is stolen;
3) Congestion occurs on the LAN, and in some cases network equipment crashes.
Basic concepts:
To explain the problem, some basic concepts need to be introduced first; readers who already know them can skip this part.
First, IP addresses. Everyone should be familiar with them. An IP address is a 32-bit unsigned integer, usually written in dotted decimal, such as 192.168.110.1. Its most basic function is to uniquely identify a specific host on an IP network. On the Internet we use IP addresses to locate other hosts or devices and communicate with them. Note that the IP protocol sits at the third layer of the OSI reference model, the network layer, which is the layer at which routers operate.
Next, the MAC address, also called the physical address. It is normally assigned to the network equipment manufacturer by the IEEE and burned into an EPROM chip on the device (such as a network card). It is a 48-bit unsigned integer that is normally globally unique, for example 00-E0-FC-28-AF-36. (Note: on Windows 2000/XP, click "Start", select "Run", enter "cmd" to open the command prompt, then enter "ipconfig /all" to see your MAC address.) Note that MAC addressing is implemented at the second layer of the OSI reference model, the data link layer, which is where traditional (layer 2) switches operate.
In Ethernet, for one host to communicate directly with another, it must know not only the target host's IP address but also its MAC address, because at the bottom of the network stack frames are delivered to hosts and devices by physical address. The destination IP address must therefore be resolved to the destination MAC address before communication can proceed.
So how is the target MAC address obtained? Through ARP. ARP stands for Address Resolution Protocol, and its basic function is to look up the MAC address of a target device given that device's IP address.
How the ARP protocol works
Every computer with the TCP/IP protocol installed keeps an ARP cache table in which IP addresses correspond one-to-one to MAC addresses. (Note: starting from Windows 98, the system installs the TCP/IP protocol automatically once a network adapter is installed correctly.)
1. After the computer starts normally, each host builds an ARP list in its ARP cache representing the correspondence between IP addresses and MAC addresses. (Note: the current list can be displayed with the command arp -a.)
2. When the source host needs to send a packet to the destination host, it first checks whether the ARP list already holds a MAC address for the destination IP. If it does, the packet is sent directly to that MAC address; if not, the host broadcasts an ARP request on the local network segment asking for the MAC address of the destination host. This ARP request carries the source host's IP address and hardware (MAC) address and the destination host's IP address.
3. Every host on the network that receives the ARP request compares the destination IP in the packet with its own IP address. If it does not match, the host ignores the packet; if it matches, the host first adds the sender's MAC and IP address to its ARP list (overwriting any existing entry for that IP), and then sends an ARP reply to the source host containing its own MAC address, telling the sender that it is the host being looked for.
4. When the source host receives the ARP reply, it adds the destination host's IP and MAC address to its ARP list and uses that information to encapsulate the data frame and begin transmission. If no ARP reply arrives, the ARP query has failed.
The principle of ARP spoofing:
External causes: typically, game cheat plug-ins (such as those for Legend) and similar programs carry the virus into the enterprise intranet and spread it there;
Internal causes: in an enterprise LAN, hosts generally reach the Internet through a gateway, and so-called ARP spoofing comes in roughly two forms. The first deceives the gateway: the attacker feeds the gateway a stream of wrong intranet MAC addresses, and because the gateway keeps learning and updating its ARP table at a fixed rate, the real address information cannot stay in the gateway's ARP list. The gateway then sends all data to wrong, non-existent addresses, normal clients receive nothing, and the intranet PCs cannot access the Internet. The second deceives the intranet PCs: the attacker impersonates the gateway by publishing fake ARP information, misleading other PCs into sending their data to the fake gateway instead of out through the normal route, so that every PC behind that gateway loses external access. This second situation appears to be the more common one.
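As an added illustration (not part of the original text) of the ARP steps 1 to 4 above and of the overwrite that the spoofing section relies on, the following Python models a host's ARP list, decodes constructed Ethernet/ARP frames, and raises an alert whenever a known IP suddenly claims a different MAC; the addresses are the page's sample values plus constructed ones, and bind() stands in for arp -s.

```python
import struct

# Wire layout (RFC 826): 14-byte Ethernet header, then a 28-byte ARP body for
# hardware type 1 (Ethernet) and protocol type 0x0800 (IPv4).
ETH = struct.Struct("!6s6sH")
ARP = struct.Struct("!HHBBH6s4s6s4s")
ETHERTYPE_ARP, REQUEST, REPLY = 0x0806, 1, 2

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split("-"))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def parse_arp(frame: bytes) -> dict:
    """Decode one frame into op/sender/target fields; ValueError if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        raise ValueError("frame too short for Ethernet+ARP")
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"ethertype 0x{ethertype:04x} is not ARP")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (REQUEST, REPLY):
        raise ValueError("unsupported ARP header")
    mac = lambda b: "-".join(f"{x:02X}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": mac(sha), "sender_ip": ip(spa),
            "target_mac": mac(tha), "target_ip": ip(tpa)}

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Constructed test frame (requests are broadcast); used only as offline input below."""
    dst = mac_bytes(tha) if op == REPLY else b"\xff" * 6
    return ETH.pack(dst, mac_bytes(sha), ETHERTYPE_ARP) + ARP.pack(
        1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))

class ArpCache:
    """Per-host ARP list as described in steps 1-4: learn the sender's IP->MAC
    from a request addressed to us or from any reply (overwriting an existing
    entry), ignore requests for other hosts, and never overwrite an entry
    pinned with bind(), which models `arp -s`."""
    def __init__(self, my_ip: str):
        self.my_ip, self.table, self.static, self.alerts = my_ip, {}, set(), []

    def bind(self, ip: str, mac: str) -> None:
        self.table[ip] = mac
        self.static.add(ip)

    def process(self, frame: bytes) -> None:
        p = parse_arp(frame)
        if p["op"] == REQUEST and p["target_ip"] != self.my_ip:
            return  # step 3: not addressed to us, ignored
        old = self.table.get(p["sender_ip"])
        if old is not None and old != p["sender_mac"]:
            # A known IP suddenly claiming a new MAC is the overwrite spoofing relies on.
            self.alerts.append(f"{p['sender_ip']}: {old} -> {p['sender_mac']}")
            if p["sender_ip"] in self.static:
                return  # static binding wins, as after `arp -s`
        self.table[p["sender_ip"]] = p["sender_mac"]

GW_IP, GW_MAC, ME, ME_MAC = "218.197.192.254", "00-01-02-03-04-05", "218.197.192.1", "00-E0-FC-28-AF-36"
ZERO = "00-00-00-00-00-00"

def replay(bind_first: bool) -> tuple:
    """Feed constructed frames to a cache and return (table, alerts)."""
    c = ArpCache(ME)
    if bind_first:
        c.bind(GW_IP, GW_MAC)
    c.process(build_arp(REPLY, GW_MAC, GW_IP, ME_MAC, ME))               # genuine gateway reply
    c.process(build_arp(REQUEST, "00-AA-BB-CC-DD-EE", "218.197.192.7", ZERO, GW_IP))  # someone else's query
    c.process(build_arp(REPLY, "00-11-22-33-44-55", GW_IP, ME_MAC, ME))  # gateway IP now claims another MAC
    return dict(c.table), list(c.alerts)
```

replay(False) ends with the gateway entry overwritten and one alert; replay(True) keeps the bound MAC and still records the alert, which is the detection signal Anti ARP Sniffer reports.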
How to prevent and respond:
1. Prevention is essential:
1. Raise security awareness and do not browse websites of doubtful credibility;
2. Do not casually download and install pirated or untrusted software or programs;
3. Do not casually open e-mails of unknown origin, especially their attachments;
4. Do not click on links sent through chat tools such as QQ or MSN;
5. Do not share files casually. If you really need to, set permissions and specify who may access them; it is recommended not to grant write access;
6. Patch system vulnerabilities promptly (for example, apply the ARP patch KB842168);
7. Fix unsafe settings (for example, set a strong system password: at least seven characters, combining three or more of upper-case letters, lower-case letters, Arabic numerals and special symbols);
8. Disable unnecessary system services;
9. Install a genuine antivirus product (online-updating edition) and update its virus database frequently.
2. Temporary countermeasures:
Step 1. While you can still access the Internet, open the MS-DOS (command prompt) window and run arp -a to view the correct MAC address for the gateway IP, and write it down. Note: if you can no longer access the Internet, run arp -d to clear the ARP cache; the computer will then temporarily regain Internet access (until the attack resumes). As soon as access returns, disconnect the network immediately (disable the network card or unplug the cable) and then run arp -a.
Step 2. Once you have the correct gateway MAC address, manually bind the gateway IP to that MAC when you cannot access the Internet, so that the computer is no longer affected by the attack.
Manual binding is done in the MS-DOS window with the command arp -s <gateway IP> <gateway MAC>. For example, suppose the gateway of the computer's network segment is 218.197.192.254 and the local address is 218.197.192.1. Running arp -a on the computer gives:
    C:\Documents and Settings>arp -a
    Interface: 218.197.192.1 -- 0x2
      Internet Address      Physical Address      Type
      218.197.192.254       00-01-02-03-04-05     dynamic
The type of the entry for the gateway 218.197.192.254 is dynamic, so it can be changed. After an attack, running this command will show that the MAC has been replaced by the attacking machine's MAC. If you hope to locate the attacking machine and eradicate the attack completely, record that MAC now for the later search. The manual binding command is:
    arp -s 218.197.192.254 00-01-02-03-04-05
After binding, view the ARP cache again with arp -a:
    C:\Documents and Settings>arp -a
    Interface: 218.197.192.1 -- 0x2
      Internet Address      Physical Address      Type
      218.197.192.254       00-01-02-03-04-05     static
The type is now static and is no longer affected by the attack.
Note, however, that a manual binding is lost when the computer is shut down and restarted, and must be redone. To eradicate the attack completely, the only solution is to find the virus-infected computers on the network segment and have them disinfected or their systems reinstalled.
How to find out a virus computer:
If you already have the MAC address of the virus computer, use NBTSCAN or the Anti ARP Sniffer software to find the IP address on the network segment that corresponds to that MAC, that is, the virus computer's IP address, and then report it to the school network center so it can be blocked. Using NBTSCAN: download it to the hard disk, extract it, copy the two files into c:\windows\system32 (or system), open the MS-DOS window and run: nbtscan -r 218.197.192.0/24 (this assumes the machine's network segment is 218.197.192 with mask 255.255.255.0; replace the address range with your own segment). Note: because some computers run firewall software, nbtscan's output is sometimes incomplete, but the scan still populates this computer's ARP cache. So while using nbtscan, also look at the ARP cache to obtain a fairly complete IP-to-MAC mapping for the segment.
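As an added example (not part of the original guide) of the checks in Steps 1 and 2 and of the MAC-to-IP search just described, this Python script parses Windows arp -a output, compares the gateway row against the MAC recorded while the network was healthy, and lists every IP the cache maps to a given MAC. The sample output is constructed from the page's example with extra rows added.

```python
import re

# Constructed sample modelled on the arp -a output quoted above, with extra rows
# added so that a MAC-to-IP search has something to find.
SAMPLE_ARP_A = """\
Interface: 218.197.192.1 --- 0x2
  Internet Address      Physical Address      Type
  218.197.192.254       00-01-02-03-04-05     dynamic
  218.197.192.7         00-11-22-33-44-55     dynamic
  218.197.192.9         00-11-22-33-44-55     dynamic
  218.197.192.255       ff-ff-ff-ff-ff-ff     static
"""

IFACE_RE = re.compile(r"^Interface:\s*(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)")

def norm_mac(mac: str) -> str:
    """Upper-case, hyphen-separated form, as arp -s and the tools above expect."""
    return mac.strip().upper().replace(":", "-")

def parse_arp_a(text: str) -> list:
    """One dict per cache row: interface, ip, mac, type ('dynamic' or 'static')."""
    rows, iface = [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            rows.append({"iface": iface, "ip": m.group(1),
                         "mac": norm_mac(m.group(2)), "type": m.group(3).lower()})
    return rows

def check_gateway(rows: list, gw_ip: str, known_mac: str) -> tuple:
    """Compare the gateway row with the MAC recorded while the network was healthy.

    Returns (status, cached_mac): 'missing' (no row yet), 'changed' (the Step 2
    symptom; cached_mac is the MAC to record for the later search), 'unbound'
    (correct but still dynamic, so run arp -s) or 'bound' (static)."""
    row = next((r for r in rows if r["ip"] == gw_ip), None)
    if row is None:
        return "missing", None
    if row["mac"] != norm_mac(known_mac):
        return "changed", row["mac"]
    return ("bound" if row["type"] == "static" else "unbound"), row["mac"]

def ips_for_mac(rows: list, mac: str) -> list:
    """Every IP the cache maps to this MAC; several IPs on one MAC is itself a warning sign."""
    hits = (r["ip"] for r in rows if r["mac"] == norm_mac(mac))
    return sorted(hits, key=lambda ip: tuple(int(x) for x in ip.split(".")))

def bind_command(gw_ip: str, known_mac: str) -> str:
    """The arp -s line from Step 2 (remember it does not survive a reboot)."""
    return f"arp -s {gw_ip} {norm_mac(known_mac)}"
```

Feed it the real output of arp -a (for example via subprocess) and the MAC noted in Step 1; a 'changed' result gives the MAC to hand to nbtscan or ips_for_mac().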
Anti ARP Sniffer Instructions
1. Function description: Anti ARP Sniffer prevents packet interception carried out with ARP techniques and prevents address-conflict packets from being sent with ARP techniques.
2. Instructions for use:
1. ARP spoofing: enter the gateway IP address and click [Get Gateway Mac Address]; the gateway's MAC address is displayed. Click [Auto Protection] to protect the communication between the current network card and the gateway from being eavesdropped on by third parties. Note: if an ARP spoofing prompt appears, an attacker has sent an ARP spoofing packet in order to capture the network card's traffic. If you want to trace the source of the attack, note down the attacker's MAC address and use the MAC address scanner to find the IP address that corresponds to that MAC.
2. IP address conflict: first click [Restore Default], then click [Protect Address Conflict]. If IP address conflicts occur frequently, an attacker is frequently sending ARP spoofing packets, which triggers the IP conflict warning; Anti ARP Sniffer can prevent such attacks. First you need to know the conflicting MAC address, and Windows records these errors. Right-click [My Computer] --> [Manage] --> [Event Viewer] --> [System] --> look for events whose source is [TcpIP] --> double-click the event to see the reported address conflict and record the MAC address. Copy the MAC address into the local MAC address input box of Anti ARP Sniffer (note that the separators are converted to -). After entering it, click [Protect Address Conflict]. For the MAC address to take effect, disable and then re-enable the local network card. Run ipconfig /all in the CMD window to check that the current MAC address matches the one in the local MAC address input box. If it does, the address conflict will no longer appear. Note: to restore the default MAC address, click [Restore Default]; again disable and re-enable the network card for the change to take effect.