The LAN is normal, but cannot access the Internet

Someone may have used some restrictive software. Such as P2P Terminator

P2P Terminator is normally a good network management software, but many people use it to maliciously restrict other people's traffic and prevent others from accessing the Internet normally. Let's talk about it below. A detailed introduction to the functions, principles and breakthrough methods!

Let’s first take a look at the information from the online PSP: P2P Terminator is a set of software developed by Net.Soft Studio specifically for Network management software that controls P2P download traffic on corporate networks. The software provides a very simple solution to the current problem of P2P software occupying too much bandwidth. The software is implemented based on underlying protocol analysis and processing and has good transparency. The software can adapt to most network environments, including proxy servers, ADSL routers, Internet access, Lan dedicated lines and other network access environments.

P2P Terminator completely solves the problem of switch connection network environment. It only needs to be installed on any host to control the P2P traffic of the entire network. It is very good for hosts in the network. Controlling transparency effectively solves this problem that is currently a headache for many network administrators and has good application value.

The function can be said to be relatively powerful. The author developed it for use by network managers. However, since the cracked version of P2P Terminator is now very popular on the Internet (P2P is a paid software), if It may be used legitimately by network administrators, but there are many people who download it to maliciously control other people’s network speeds, causing problems in our normal use! Its P2P terminator has many more functions than some other network management software. The most prominent one is to control a variety of popular P2P protocols, such as Bittorrent protocol, Baidu protocol, Poco protocol, Kamun protocol, etc. The software can Controls most client software based on the above protocols, such as BitComet, Bit Elf, Greedy BT, Card Alliance, Baidu Xiaba, Poco, PP Diandiantong and other software! It also has HTTP download custom file suffix control function and FTP download limit Functions, QQ, MSN, PoPo, UC chat tool control functions and more!

Now that the function is finished, how is it implemented? If you want to break through it, you must have a clear understanding of its principles!

The most basic principle of restricting the download of these software is the same as that of some other network management software, such as Network Law Enforcement Officer, which all use the ARP spoofing principle! Take a look at this picture first:

|------------》Computer A

|------------》 Computer B

Internet-------->Gateway------->Router (switch is acceptable)------->|------- -----》Computer C (P2P Terminator can be used on any of these five computers)

|------------》Computer D < /p>

|------------》Computer E

Let me first explain the principle of ARP spoofing from this picture! First, let me tell you what ARP is. ARP (Address Resolution Protocol) is an address resolution protocol. It is a protocol that converts IP addresses into physical addresses. There are two ways to map from IP addresses to physical addresses: tabular and non-tabular.

To be specific, ARP resolves the address of the network layer (IP layer, which is equivalent to the third layer of OSI) into the data connection layer (MAC layer, which is equivalent to the second layer of OSI). MAC address.

Anyone who has studied the basics of the Internet knows this!

Under normal circumstances, when A wants to send data to B, it will first query the local ARP cache table, and after finding the MAC address corresponding to B's IP address, the data will be transmitted. Then broadcast A an ARP request message (carrying host A's IP address Ia - physical address Pa), requesting host B with IP address Ib to reply with physical address Pb. All hosts on the network, including B, receive the ARP request, but only host B recognizes its own IP address, so it sends an ARP response message back to host A. It contains B's MAC address. After A receives B's response, it will update the local ARP cache. Then use this MAC address to send data (the MAC address is appended by the network card). Therefore, the ARP table of the local cache is the basis for local network circulation, and this cache is dynamic.

The ARP protocol does not only receive ARP replies after sending ARP requests. When the computer receives an ARP reply packet, it updates the local ARP cache and stores the IP and MAC addresses in the reply in the ARP cache. Therefore, when a machine B in the local network sends a forged ARP response to A, and if this response is forged by B pretending to be C, that is, the IP address is C's IP and the MAC address is forged, then when A After receiving B's forged ARP reply, the local ARP cache will be updated, so that in A's view, C's IP address has not changed, but its MAC address is no longer the original one. Because network traffic on the LAN is not based on IP addresses, but is transmitted based on MAC addresses. Therefore, the forged MAC address is changed to a non-existent MAC address on A, which will cause network failure and prevent A from pinging C! This is a simple ARP spoofing.

After seeing these contents, you will probably understand why P2P can control the flow of computers in the network. In fact, it acts as a gateway here. Spoof the data of all computers in a network segment and then forward it out again. All data from the controlled computer will first pass through this P2P host and then be transferred to the gateway!

The basic principle is this. Let’s break through the working principle of it!

First, it is widely circulated on the Internet to bind the machine IP address and MAC address

Second, it is to modify your own MAC address to deceive P2P into scanning your machine. The method is Modify the HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/Class/{4D36E972-E325-11CE-BFC1-08002BE10318} subkey, but the effect is not ideal.

3. Use two-way IP/MAC binding

Bind the MAC address of your egress router on your PC. The P2P terminator software cannot ARP spoof you, and naturally it cannot I don’t mind you, but just binding the router’s MAC on the PC is not safe, because the P2P terminator software can spoof the router, so the best solution is to use a PC with two-way IP/MAC binding on the router, that is, on the PC

Bind the MAC address of the outgoing route on the route, and bind the IP and MAC address of the PC on the route. This requires the route to support IP/MAC binding, such as a HIPER router.

4. I saw a firewall on the Internet, which is the Look N Stop firewall. I saw some prawns on the Internet saying that it can prevent arp spoofing, so I downloaded it and gave it a try! The method is as follows: But the premise is that your machine does not communicate with the machines in the LAN and connects to your own network! And the gateway is fixed!

A. There is an "ARP: Authorize all ARP packets" rule in "Internet Filtering". Put a prohibition mark in front of this rule;

B. But this rule will by default The gateway information is also prohibited. The solution is to put the MAC address of the gateway (usually the gateway is fixed) in the "Target" area of ??this rule, select "Not equal to" in "Ethernet: Address", and put The MAC address of the gateway is filled in at that time; put your MAC address in the "Source" area and select "Not Equal to" in "Ethernet: Address".

C. In the last "Allotherpacket", modify the "Destination" area of ??this rule, select "Not equal to" in "Ethernet: Address", and fill in FF:FF:FF in the MAC address. :FF:FF:FF; put your MAC address in the "Source" area, and select "Not equal to" in "Ethernet: Address". No other changes will be made.

Fifth, it is to detect whose network card in a network segment is in promiscuous mode. Generally, normal hosts will not be in promiscuous mode! Unless you set it up deliberately, there are many tools online that can detect it!