Avert the ARP attack availably by bonding gateway IP address and MAC address

Publication Date:  2012-09-26 Views:  476 Downloads:  0
Issue Description
Client reflect the internal network computer has ARP virus ,it will masquerading gateway and lead internal network computer cannot access internet the latent problem of information security .At this time the firewall cannot do anything.
Alarm Information
None.
Handling Process
None.
Root Cause
None.
Suggestions
We suggest cilent to bond gateway IP address and MAC address on the computer .operation steps as follows:
check the local process of Trojan infecting virus of”ARP spoofing”
press the “CTRL”and “ALT” and “DEL” at the same time,choosing “task manager”,click “process” label.check if there has virus process.
Check the computer which has infected process of Trojan infecting virus of”ARP spoofing”
Under “start”-“process”-“accessory” menu move out “command prompt”.input and execute the command as follows
arp-a
Find the gateway IP address under “Internet Address”,register corresponding physics address,”Physical Address” cost,such as”00-01-e8-1f-35-54”.This is right physical address og gateway when the network is normal,it will trun to abnormality after the network being affecter by “ARP spoofing”,it is the netword card address which is the trojan at.
We can scan all the IP address which is in the subnet and check ARP list.If there has IP corresponding physical address is the same with gateway,the IP address and physical address is the IP address and network card address which has virus been in.
The method of set ARP list to avert the affect of “ARP spoofing” trojan 
    This method can abate the other computer which has trojan affect local computer.Ensure the right gateway IP address and gateway physical address by using the method above,then input and execute the command in the “command prompt”window :
    Arp-s gateway IP  gateway physical address
Static ARP bonding gateway
Step 1:
When we can access Internet normally,enter MS-DOS window,input command:arp-a,check the gateway IP corresponding the right MAC address and register it.
    Notice :If we cannot access Internet,we need use the command of arp-d to delete the content in the apr cache,the computer can come back to access Internet(if the attack doesn’t stop).The network will disconnect once that we can access Internet(forbid using network card or pull out reticle)and run arp-a again.
    Step 2:
    If computer has the right MAC address of gateway,wwhen we cannot access Internet ,we just need bond gateway IP and the right MAC address by handwork,it can ensure the computer isn’t attacked by spoofing.If we want to bond by handwork,we can execte the command at the MS-DOS window:
    Arp-s gateway IP  gateway MAC
    For example:we suppose the gateway of the computer being the network segment is 192.168.1.1,local address is 192.168.1.5,after executing the command of arp-a on the computer and export ad follows:
    Cocuments and Settings>arp -a
Interface:192.168.1.5 --- 0x2
Internet Address Physical Address Type
192.168.1.1 00-01-02-03-04-05 dynamic
Thereinto ,00-01-02-03-04-05 is the gateway 192.168.1.1 corresponding MAC address,the style is dynamic ,so it can be changed.after being attacked,use the command to check,we can find this MAC has been replace attack  machine MAC.If we hope to find  the attacking machine,deracinate the attack,we can register the MAC ,prepare for checking the attacking machine  later.
Handwork command is
arp -s 192.168.1.1 00-01-02-03-04-05
After bonding ,we can use arp-a to check arp cache:
Cocuments and Settings>arp -a
Interface: 192.168.1.5 --- 0x2
Internet Address Physical Address Type
192.168.1.1 00-01-02-03-04-05 static
At this time,the style truns to static,it won’t be affected by attack.
But we need to account that the handwork bonding will be invalidation after restarting computer,it need bond again.But then we can write batch processing and put it to startup.The script as follows:
@echo off
arp -s192.168.1.1 00-01-02-03-04-05
end
Save it to be *.bat file and put it in boot-strap startup.
If we want to deracinate the attack drastically,only find the computer which has virus in the network segment and kill the virus,the problem can be solved .

END