SoFunction
Updated on 2025-04-09

Static ARP and the ARP protocol illustrated (page 2/3)


Recently there has been a crazy problem of LAN machines being disconnected in Internet cafes across the country!
The Internet cafe I maintain has had two ARP spoofing viruses before. However, since I switched to the PF-2.8 OEM server system and bound the gateway IP and MAC, there has basically been no ARP spoofing problem!
This time, when we were disconnected, I also suspected a virus, but on checking it was actually not a virus!
Summary of the experience:

Solution 1: Power off all switches in the LAN for 5 minutes, then power them back on and see whether the network returns to normal. (Reason: a switch that has run for a long time without a restart may have exhausted its memory, so frame forwarding slows down or stalls under a broadcast storm. Alternatively, one or more interface modules of the switch are damaged, or a faulty switch is causing a network storm; the fix is to replace the switch.)
Solution 2: Take one machine, install CommView on it, set its IP address to the router's IP (unplug the router so it is off the network), and watch what packets the intranet machines send outward: which machine sends the most packets, and to which IPs. If one machine is sending a continuous, very fast stream of packets to a large number of destination IPs, repair that machine.
(Likely cause: one or more machines in the LAN are infected with a worm and are sending packets frantically, filling the router's NAT connection table quickly.)
Solution 3: If the above two causes are excluded or do not solve the problem, your router may simply have poor performance and limited processing capacity. You can use a software router such as RouterOS, or buy a hardware router costing about 3,000 to 5,000 yuan, swap it in, and observe the situation.
Solution 4: The network card of one or more computers in the LAN is damaged and floods the network by continuously sending large numbers of * packets. (This problem is common with integrated network cards, and is hard to track down when there are many machines on the network; try disconnecting one switch at a time to narrow it down.) Once you know which switch the problem machine is behind, open those machines one by one, enter the desktop, exit all management software, open Network Connections, and see which machine is sending or receiving packets in large quantities while idle.
Solution 5: (This case is special: someone in the LAN is using illegal software to maliciously attack the Internet cafe, or an ARP virus is attacking the network.) When technicians build the master disk image, they should block software known to attack Internet cafes and, where possible, perform static ARP binding of the gateway MAC. Many hardware routers now have dedicated anti-disconnection functions; our Internet cafe's Feiyuxing router can be set to broadcast correct ARP packets periodically. With a software router, you can use software to protect it.
Below we also draw on the experiences of others.



Some suggestions on the recent disconnection of Internet cafe clients across the country
Conditions and symptoms when the disconnection occurs:

1: The client can PING other clients on the LAN, but cannot PING the router and cannot access the Internet.
2: The client can PING other clients on the LAN and cannot PING the router, but can still access the Internet.


When this happens, any of the following operations restores the connection: 1: Disable and then re-enable the network card; 2: Restart the client; 3: Restart the router; 4: Delete the ARP entry for the disconnected machine on the router.

Possible causes: an ARP virus, or other recent virus variants and vulnerability attacks.

Analysing the above, we can draw the following conclusions:
When the virus infects a machine, it may modify the client's MAC address, or the MAC stored in the ARP cache.
When the virus infects a machine, it may modify the MAC that corresponds to the gateway IP in the client's ARP cache.


A: When the infected machine sends a request to the gateway router, the router's ARP cache has not yet reached its refresh time and still holds the client's MAC address from before the infection. This MAC is inconsistent with the MAC the client is now using (modified by the virus), so the gateway rejects the client's connection request. This is the disconnection that occurs at the gateway.


B: When the infected source machine broadcasts fake MAC addresses to the LAN, the gateway router also receives these messages, maps the fake MACs to their IPs and builds new ARP cache entries. This causes clients to lose their connection to the server.


Solution:
1: Use static MAC binding for the clients on the gateway router. Users of PF-2.8 OEM soft routing can refer to the relevant tutorials, or select the corresponding entries one by one in the IP ---> ARP list, right-click and choose the "MAKE STATIC" command to create a static entry.

Use a firewall to block common virus ports: 134-139, 445, 500, 6677, 5800, 5900, 593, 1025, 1026, 2745, 3127, 6129, as well as P2P downloads.

2: Statically bind the gateway IP and its MAC on the client, and make the following registry changes (or import them as a .reg file):
(A) Disable ICMP redirect packets

The ICMP redirect setting controls whether Windows will change its routing table in response to ICMP redirect messages sent to it by a network device. Although this is convenient for users, it can be used by others to carry out network attacks, which is very troublesome for a network administrator. By modifying the registry, responses to ICMP redirect messages can be disabled, making the network more secure.

The modification is: open the Registry Editor, find or create the branch "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", and set the value "EnableICMPRedirects" (REG_DWORD) to 0 (0 disables ICMP redirect messages).

(B) Disable responses to ICMP router advertisement messages

The "ICMP router discovery" function can cause abnormal network connections on other people's computers, data eavesdropping, computers being used for traffic attacks, and so on. It is therefore recommended to turn off responses to ICMP router advertisement messages.

The modification is: open the Registry Editor, find or create the branch "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces", and in the right-hand pane set the REG_DWORD value "PerformRouterDiscovery" to 0 (0 disables responses to ICMP router advertisement messages, 2 allows them). After the change, exit the Registry Editor and restart the computer.
(C) Set the aging time of the ARP cache

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

ArpCacheLife REG_DWORD 0-0xFFFFFFFF (seconds, default 120)
ArpCacheMinReferencedLife REG_DWORD 0-0xFFFFFFFF (seconds, default 600)

Note: If ArpCacheLife is greater than or equal to ArpCacheMinReferencedLife, then both referenced and unreferenced ARP cache entries expire after ArpCacheLife seconds. If ArpCacheLife is less than ArpCacheMinReferencedLife, unreferenced entries expire after ArpCacheLife seconds, while referenced entries expire after ArpCacheMinReferencedLife seconds. An ARP cache entry is referenced each time an outbound packet is sent to its IP address.


I once saw someone say that as long as the IP-MAC cache is kept from being updated, the correct ARP mapping can be maintained. On this point, I think it can be achieved by modifying the registry key values:

By default, the ARP cache timeout is two minutes, which you can modify in the registry. There are two values that can be modified, both located in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Values to modify:

Value 1: ArpCacheLife, type DWORD, in seconds, default 120

Value 2: ArpCacheMinReferencedLife, type DWORD, in seconds, default 600

Note: These values do not exist by default. If you want to modify them, you must create them yourself; the change takes effect after the computer is restarted.

If ArpCacheLife is larger than ArpCacheMinReferencedLife, the ARP cache timeout is set to ArpCacheLife; if ArpCacheLife does not exist or is smaller than ArpCacheMinReferencedLife, the timeout for unused ARP cache entries is set to 120 seconds, and for ARP cache entries in use the timeout is set to ArpCacheMinReferencedLife.


We may be able to set the above values very large so that the ARP cache is not forced to refresh. To prevent viruses from modifying the registry themselves, access to the registry can be restricted.


For a small Internet cafe, just use any IP-MAC viewing tool to record the correct IP-MAC addresses of all machines before an ARP attack is encountered. When an attack happens, look up which machine has the problem and deal with it directly; the problem is usually not very serious. For a large number of intranet computers, however, determining the IP-MAC address of every machine by hand is a huge workload and must be done with special software.
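As an added example that is not part of the original article: a small Python checker that does what the last paragraph describes, comparing a client's live `arp -a` table against an IP-MAC baseline recorded while the LAN was healthy, and flagging a changed gateway MAC, changed host MACs, a gateway entry that is still dynamic, and one MAC claimed by several IPs (the poisoning cases A and B above). The baseline, the `arp -a` output and every address in it are constructed.

```python
import re
from collections import defaultdict

# One entry line of Windows "arp -a" output: IP, dash-separated MAC, type (dynamic/static).
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(static|dynamic)",
    re.IGNORECASE)

def parse_arp_table(text):
    """Return {ip: (mac, type)} from raw 'arp -a' output, MACs lowercased."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table

def check_arp_table(current, baseline, gateway_ip):
    """Compare the live table with the recorded baseline; return (severity, message) findings."""
    findings = []
    by_mac = defaultdict(list)
    for ip, (mac, kind) in current.items():
        by_mac[mac].append(ip)
        if ip == gateway_ip:
            # Cases A/B in the text: the gateway entry no longer carries the real gateway MAC.
            if mac != baseline.get(ip):
                findings.append(("critical", f"gateway {ip} resolves to {mac}, expected {baseline.get(ip)}"))
            if kind != "static":
                findings.append(("warning", f"gateway {ip} entry is dynamic; static binding not applied"))
        elif ip in baseline and baseline[ip] != mac:
            findings.append(("high", f"{ip} changed from {baseline[ip]} to {mac}"))
    # One MAC answering for several IPs is the signature of a host replying on others' behalf.
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("high", f"MAC {mac} is claimed by {', '.join(sorted(ips))}"))
    return findings

# Constructed baseline recorded while the LAN was healthy (all addresses are made up).
BASELINE = {"192.168.1.1": "00-11-22-33-44-55",   # gateway
            "192.168.1.20": "00-aa-bb-cc-dd-01",
            "192.168.1.21": "00-aa-bb-cc-dd-02"}

# Constructed "arp -a" output from a client whose gateway entry has been poisoned.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-02     dynamic
  192.168.1.20          00-aa-bb-cc-dd-01     dynamic
  192.168.1.21          00-aa-bb-cc-dd-02     dynamic
"""
```

On a real client, feed `check_arp_table` the output of `arp -a` and a baseline file; the function reports nothing when the gateway entry is static and every IP-MAC pair matches the baseline.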