At present ARP attacks can be divided into as many as seven categories. The main ones are:
1. ARP spoofing (of the gateway or of a PC)
2. ARP attack
3. Incomplete ARP
4. Massive ARP (ARP flooding)
5. Second-generation ARP (forged IP, forged MAC)
Because second-generation ARP is the hardest to deal with, I will now analyse the problems of second-generation ARP.
Phenomenon: ARP has a new variant. The second-generation ARP attack can spread automatically, the existing static binding method has been defeated, and the network faces a new round of disconnections and freezes.
Principle: second-generation ARP spreads mainly as a virus, carried from host to host over the network or through direct access between hosts. Because the virus has already infected the host, it can easily remove the static ARP binding on the client computer: it first executes arp -d to delete the entry, then arp -s to write a new one. Once the binding is cancelled, a wrong gateway IP/MAC pair can be written into the client's ARP cache without obstruction, and the ARP attack is unimpeded again.
Solutions: (1) Some users adopt "double binding" or "single binding", and ARP attacks have been controlled to some extent.
Problem faced: both double binding and single binding need a binding on the client. The second-generation ARP attack clears the binding on the computer, so the static binding on the client becomes invalid.
(2) Some users adopt a method called "cyclic binding": the client automatically re-binds the gateway IP/MAC pair at a fixed interval.
Problem faced: if the interval is long (longer than the time the virus takes to clear the ARP cache), the entry is cleared before the next binding is applied, so the protection against ARP is still ineffective. If the interval is too short (shorter than the clearing time), the repeated binding consumes extra system resources, which is "not worth the loss".
(3) Some users adopt a method called "ARP protection": the gateway broadcasts the correct IP/MAC pair into the intranet at a certain frequency.
Problem faced: if the frequency is too high (many ARP packets per second), it seriously consumes intranet resources and easily leads to congestion. If the frequency is too low (lower than the rate at which the attacker sends spoofed ARP), it has no effect on ARP prevention.
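As an added illustration (not code from the original article), the block below shows what the gateway's periodic "correct IP/MAC" announcement of method (3) looks like on the wire, using only Python's standard library. The gateway's gratuitous ARP reply and an attacker's spoofed reply are produced by the same function because they are structurally identical frames; only the claimed sender MAC differs. That is why a host with no pinned gateway entry cannot tell them apart and the contest becomes a question of who sends last and most often, while a host that has pinned the mapping can reject the spoofed one. The addresses are constructed examples, and announcement_bandwidth_bps uses the standard Ethernet accounting (frame padded to 60 bytes, 4-byte FCS, 8-byte preamble/SFD, 12-byte inter-frame gap) to put a number on the "more packets per second" cost.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_gratuitous_arp(sender_mac: str, sender_ip: str) -> bytes:
    """Ethernet frame carrying a broadcast ARP reply that announces
    sender_ip -> sender_mac to every host on the segment. A gateway's
    'ARP protection' announcement and an attacker's spoofed reply are
    both built exactly this way; only the MAC they claim differs."""
    eth_header = (mac_to_bytes(BROADCAST) + mac_to_bytes(sender_mac)
                  + struct.pack("!H", ETHERTYPE_ARP))
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode=2 (reply)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    # Gratuitous reply: target IP is the sender's own IP.
    arp_body = (mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
                + mac_to_bytes(BROADCAST) + ip_to_bytes(sender_ip))
    return eth_header + arp_header + arp_body


def parse_arp(frame: bytes) -> dict:
    """Decode the fields a receiver uses to update its ARP cache."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    return {
        "opcode": opcode,
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": bytes_to_ip(frame[28:32]),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": bytes_to_ip(frame[38:42]),
    }


def cache_would_accept(frame: bytes, pinned: dict) -> bool:
    """A host that has pinned gateway IP -> MAC rejects any reply whose sender
    MAC disagrees with the pin. A host without a pin has nothing to compare
    against and simply believes the most recent reply, spoofed or not."""
    fields = parse_arp(frame)
    expected = pinned.get(fields["sender_ip"])
    return expected is None or expected.lower() == fields["sender_mac"]


def announcement_bandwidth_bps(announcements_per_second: int) -> int:
    """Broadcast load of method (3) at a given rate. The 42-byte ARP frame is
    padded to the 60-byte Ethernet minimum; on the wire it also carries a
    4-byte FCS, an 8-byte preamble/SFD and a 12-byte inter-frame gap, so each
    announcement occupies 84 byte-times that every host on the segment sees."""
    return announcements_per_second * 84 * 8


if __name__ == "__main__":
    # Constructed example addresses; not taken from any real network.
    gateway = build_gratuitous_arp("00:11:22:33:44:55", "192.168.1.1")
    spoofed = build_gratuitous_arp("de:ad:be:ef:00:01", "192.168.1.1")
    pinned = {"192.168.1.1": "00:11:22:33:44:55"}
    for name, frame in (("gateway", gateway), ("spoofed", spoofed)):
        print(name, parse_arp(frame),
              "accepted with pin:", cache_would_accept(frame, pinned),
              "accepted without pin:", cache_would_accept(frame, {}))
    print("1000 announcements/s cost", announcement_bandwidth_bps(1000),
          "bit/s of broadcast that every host must process")
```

Running the block prints that both frames decode to the same sender IP and that only the pinned host rejects the spoofed one; it also shows that 1000 announcements per second already cost 672 kbit/s of broadcast, which is the congestion the text warns about.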
The most thorough solution
(4) ARP is a "two-headed monster": to solve it completely, both ends must be taken into account. Two things are needed.
First, on the client, the "guard binding" method: the computer's ARP cache is monitored in real time to ensure that the gateway IP and MAC in the cache always correspond correctly. A static binding is kept in the ARP cache table; if it is attacked by ARP, or whenever a request goes out to the public network, this static binding is automatically re-applied, so correct network access is not affected. This is one manifestation of integrating security with the network card's functions, also called "terminal suppression".
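The following is an added example, not the article's own code and not the product it describes, of the client-side check behind "guard binding" (first method above); it also shows what the cyclic binding of method (2) is actually doing, since a single pass is exactly one re-binding. It parses the ARP cache as printed by Windows arp -a (the command family the article itself uses), compares the gateway entry with a pinned MAC, and re-pins it whenever the entry is missing, wrong, or has been downgraded from static to dynamic, which is what the arp -d / arp -s sequence of the virus leaves behind. The gateway address, MAC and the arp -a sample are constructed; the pass is written so the cache reader and the command runner are injected, so the logic can be exercised without touching a real machine.

```python
import re
import subprocess
import time

# Matches one data row of Windows `arp -a` output: IP, MAC (dashed), type.
ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F-]{17})\s+(\w+)\s*$")

# Constructed sample of `arp -a` output after the virus has run arp -d / arp -s:
# the gateway row now carries the attacker's MAC and is back to "dynamic".
SAMPLE_ARP_A = """
Interface: 192.168.1.23 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           de-ad-be-ef-00-01     dynamic
  192.168.1.77          aa-bb-cc-dd-ee-ff     dynamic
"""

GATEWAY_IP = "192.168.1.1"            # constructed
GATEWAY_MAC = "00-11-22-33-44-55"     # constructed pinned value


def normalize_mac(mac: str) -> str:
    return mac.lower().replace(":", "-")


def parse_arp_table(text: str) -> dict:
    """Return {ip: (mac, type)} from `arp -a` text; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (normalize_mac(mac), kind.lower())
    return table


def check_gateway(table: dict, gateway_ip: str, pinned_mac: str) -> str:
    """Classify the gateway entry: ok / missing / spoofed / dynamic."""
    entry = table.get(gateway_ip)
    if entry is None:
        return "missing"
    mac, kind = entry
    if mac != normalize_mac(pinned_mac):
        return "spoofed"
    if kind != "static":
        return "dynamic"      # correct MAC but no longer pinned: re-pin it
    return "ok"


def repair_commands(gateway_ip: str, pinned_mac: str) -> list:
    """The same arp -d / arp -s pair the virus uses, applied in our favour."""
    return [["arp", "-d", gateway_ip],
            ["arp", "-s", gateway_ip, normalize_mac(pinned_mac)]]


def guard_once(read_table, run, gateway_ip: str, pinned_mac: str) -> str:
    """One monitoring pass: read the cache and re-pin the gateway unless the
    entry is already correct and static. Returns the status that was seen."""
    status = check_gateway(parse_arp_table(read_table()), gateway_ip, pinned_mac)
    if status != "ok":
        for cmd in repair_commands(gateway_ip, pinned_mac):
            run(cmd)
    return status


def guard_forever(gateway_ip: str, pinned_mac: str, interval: float = 1.0):
    """Real-time variant: poll the live cache and repair it as needed."""
    def read_live():
        return subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout

    def run_live(cmd):
        subprocess.run(cmd, check=False)

    while True:
        guard_once(read_live, run_live, gateway_ip, pinned_mac)
        time.sleep(interval)


if __name__ == "__main__":
    issued = []
    status = guard_once(lambda: SAMPLE_ARP_A, issued.append, GATEWAY_IP, GATEWAY_MAC)
    print("gateway entry status:", status)
    for cmd in issued:
        print("would run:", " ".join(cmd))
```

On Windows Vista and later, arp -s is often refused for an active interface and the supported way to add a static neighbour is netsh interface ipv4 add neighbors; the repair step would then be swapped for that command. The check itself also shows the weakness the article points to: it runs with the same privileges the virus already has on the infected host, so a poll interval longer than the time the virus needs to rewrite the entry leaves a window, which is why the article pairs it with enforcement on the gateway side.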
Second, the network access architecture should also "integrate security with network functions": when the access gateway performs NAT, it does not forward data according to an IP/MAC mapping table as traditional routing does, but decides according to the MAC recorded in the NAT table (so that as long as data can be forwarded out, the reply can certainly come back). Even if ARP breaks out on a large scale, the gateway never consults the IP/MAC mapping table. Among existing ways of controlling ARP this is the most thorough, and it is also an important feature of the "immune network". At present only the patrol immune network has this special function.