Thursday, July 15, 2010

What is the ARP protocol? How to guard against ARP cheating Trojan?

What is ARP?

ARP (Address Resolution Protocol, Address Resolution Protocol) is the one in the TCP / IP protocol stack in the low-level protocol, responsible for IP address resolution into a corresponding MAC address.

What is ARP cheating?

00000000 from the smooth way affect the view of the network connection, ARP deception into two species, one is cheating the router ARP table; the other is the internal network of PC's gateway to deceive.

The first principle of ARP cheating is - the data intercepted by the gateway. It informs a series of wrong router MAC address within the network, and in accordance with a certain constant frequency, so that the real can not update the address information stored in the router, the results of all the data router can only send to the wrong MAC address, causing the normal PC can not receive the information. The second principle is that ARP deception - fake gateway. Its principle is to establish false gateway, so is it cheating gateway PC to send bogus data, rather than through the normal means of access routers. It seems the PC is unable to get online, "the network is down."

Recently, a new type of "ARP cheating" Trojan virus is spread campus network, has seriously affected the normal operation of the campus network. Infected with this Trojan computer trying to "ARP deception," where the means of interception of communications from other computers within the network information, and other computers within the network thus causing a breakdown in communications. ARP cheating Trojan toxicity as follows: use the campus network will suddenly dropped, after a period of time will return to normal. Example, client state frequently red, the user frequently broken network, IE browser, frequent errors, and some common software failure, etc.. If the campus network through the Internet authentication would suddenly be certified, but not the phenomenon of the Internet (can not ping through the gateway), reboot the machine or run under MS-DOS window after the command arp-d, but also to restore the Internet. ARP cheating is very rampant horse, harm is particularly large, the university campus, community networks, corporate networks and Internet cafes and other local area networks have suffered different degrees of disaster, bringing the network paralysis of the serious consequences of a large area. ARP cheating successfully infected with trojans just one computer, it could cause the entire LAN can not access, serious or even possible paralysis of the entire network. In addition to the Trojan attack will lead to other users within the same LAN Internet access appears intermittent phenomenon, but also to steal user passwords. Such as the theft of QQ passwords, steal passwords and account numbers of various online games to do money transactions, theft, online bank account to do illegal trade activities, this is horse's trick, to the user caused great inconvenience and huge economic loss.

How to check and deal with "ARP cheating" Trojan horse approach

1. Check the machine's "ARP deception," Trojan exposure process

On the keyboard while holding down the "CTRL" and "ALT" key then press "DEL" key, select "Task Manager", click on the "process" tab. This one is a called "MIR0.dat" process. If yes, description has been poisoned. Right click this process and select "End Process."

2. Check network infection "ARP cheating" Trojan Infected Computer

In the "Start" - "Programs" - "Accessories" menu down the "Command Prompt." Enter and execute the following command:


Record gateway IP address, that "Default Gateway" corresponds to the value of, for example, "". Enter and execute the following command:


In the "Internet Address" on the next step to find the gateway IP address of record, record the corresponding physical address, or "Physical Address" value, such as "00-01-e8-1f-35-54". This is normal in the network gateway correct physical address of the network by "ARP cheating" without affecting the normal horse, it is the Trojan physical address where the computer's network card.

Can also scan the entire IP address within the subnet, and then check ARP table. If there is a corresponding physical IP address and gateway the same, then the IP address and physical address of the computer's IP address is poisoning and physical address of network card.

3. Set ARP table to avoid the "ARP cheating" Trojan negative impact on

This method can reduce to some extent in the other computer Trojans the impact of the machine. Introduced the method used on top to determine the correct gateway IP address and gateway physical address, and then in the "Command Prompt" window, enter and execute the following command:

arp-s physical address of the gateway IP Gateway

4, dynamic ARP binding Gateway

Step 1:

To normal when the Internet into the MS-DOS window, type the command: arp-a, view the IP gateway corresponding MAC address correct and it is recorded.

NOTE: If you have no Internet access, you start to run a command arp arp-d to delete the contents of the cache space, the computer can temporarily restore the Internet (attack if you do not stop it). Once you can access the network immediately broken (disable network card or unplug the network cable), then run the arp-a.

Step 2:

If the computer has the correct gateway MAC address, the Internet simply can not manually correct the gateway IP and MAC address binding, you can ensure that the computer no longer be deceived attack.

To hand-bound, can be run under MS-DOS window the following command:

arp-s IP Gateway Gateway MAC

For example: if the computer segment in which gateway is, the machine address of, the computer after running arp-a output is as follows:

Cocuments and Settings> arp-a

Interface: --- 0x2

Internet Address Physical Address Type dynamic

One ,00-01-02-03-04-05 is the gateway corresponding MAC address, type dynamic (dynamic), and therefore can be changed.

After the attack, then the command view, you will find that the MAC has been replaced by attacks on the machine MAC. If you want to find the attack machine, the complete eradication of attacks, the MAC can be recorded at this time, look for the future preparation of the attack machine.

Hand-bound command is:


Binding complete, reusable arp-a view arp cache:

Cocuments and Settings> arp-a

Interface: --- 0x2

Internet Address Physical Address Type static

Then, type into a static (static), the impact will not be further attacks.

However, a description is bound by hand after the restart the computer will shutdown failure, need to bind again. Therefore, to eradicate attacks, only to find the virus infected the computer network segment, to kill the virus, which is the real problem.

5. Make a batch file

The client to do on the gateway arp binding, specific steps are as follows:

Step 1:

Find Ben Wang segment gateway address, such as, the following example in this gateway. In the normal Internet, the "Start 鈫?Run 鈫?cmd 鈫?OK", enter: arp-a, point enter, view the gateway corresponding Physical Address.

For example: gateway corresponds to 00-01-02-03-04-05.

Step 2:

Write a batch file rarp.bat, reads as follows:

@ Echo off



Save: rarp.bat.

Step 3:

This batch file will run the batch file to "Windows 鈫?Start 鈫?Programs 鈫?start", if you need immediate effect, run the file.

Note: The above configuration requires the network to conduct normal

6. To use security tools

Download Anti ARP Sniffer software in a timely manner to protect the local computer running. Specific use in online search.

If you already have the MAC address of the computer viruses, such software can be used to identify network segment NBTSCAN with the MAC address corresponding to IP, which infected computers IP address, and then report to their units were sealed hub.

Or use the unit to provide centralized network anti-virus systems to unified killing Trojans. Trojans can also be used to kill off killing other security tools.

7. Emergency plan

Managers use network management described above ARP Trojan detection methods found in the LAN switch ports infected with the virus after the virus immediately shut down the port, the port identified by the corresponding user and inform the complete killing virus. Then, do a good job against stand-alone, completely killing the virus before its opening the corresponding switch port, re-open Internet.

Tsinghua University Campus Network Security Response Team, a small program


Tsinghua University Campus Network Security Response Team, a small program that can protect your computer in the same internal LAN computer Trojan ARP cheating attack, maintaining a normal Internet access. Specific use:

1, Please select the card after the program runs, select the network card and click "select" button.

2, the selected card after the program automatically obtain a gateway address of your machine.

3, access to the gateway address for MAC address, click the button to obtain the correct MAC address of the gateway.

4, confirm that the gateway MAC address, please click the link protection, the program to start protecting your machine.

5, click on the upper right corner of the fork process, the program automatically hide the system tray.

6, to completely exit the program in your system tray in the right-click the program icon choose EXIT.


1, this procedure is only a ARP attack protection program, that Trojan horse attack by ARP to maintain the computer's MAC address is not their own malicious tampering, and thus the network will not be interrupted during the attack. This procedure does not clear the ARP have been infected with the Trojan, to prevent infection or death than genuine horse you install anti-virus software!

Anti Arp Sniffer usage


Double-click Antiarp file dialog box appears as shown in Figure 2.

Figure 2

Enter the gateway address (the gateway address access method: [Start] -> [Programs] -> [Accessories] menu down the "Command Prompt", type ipconfig, which shall be the gateway address Default Gateway); Click for the gateway MAC address, click Auto-Protect to ensure the current card and gateway communication is not a third party monitor.

Click Restore Default, and then click to prevent address conflicts such as IP address conflicts occur frequently, indicating frequent attacker to send ARP packets to deceive.

Right-click [My Computer ]-->[ Management] -> click [Event Viewer] -> Click [System] -> view source [TcpIP ]---> double-click events can see the display address conflicts, and record the MAC address, please copy the MAC address and fill in the Anti ARP Sniffer local MAC address input box (Please note: converted to -), input is complete click [Protective address conflicts ], in order to disable the MAC address of entry into force of the local network card and then enable the network card, the CMD command line, type Ipconfig / all, see the current MAC address is MAC address with the local MAC address input box in line, if successful, will no longer be displayed address conflict.

Note: 1, if you want to restore the default MAC address, click [Restore Defaults], in order to disable the MAC address of entry into force of the local network card and then enable the network card; this software does not support multiple network cards, some cards may change the MAC will be invalid.


Adventure And Roleplay Wizard

Compare Browser Tools

Mr. Ma's reply To Bill Gates


.dvd File

how to CONVERT flv to 3gp

Lenogo Video to iPhone Converter pro

youtube video formats

Christmas-Idea MPEG 3GPP to FLV

Digital CD AMR Audio to Midi Burner


converting AVI to wmv

From The "advertised" To "point And To Announce"

No comments:

Post a Comment