mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request.

4)Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.

5)After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.

Usually ARP dynamically implements and automatically seeks mappings from IP addresses to MAC addresses, without manual intervention.

Introduction to ARP Attack Detection

Man-in-the-middle attack

According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.

In Figure 1-3, Host A communicates with Host C through Switch. To intercept the traffic between Host A and Host C, the hacker (Host B) forwards invalid ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. Then, the traffic between Host A and C will pass through Host B which acts like a “man-in-the-middle” that may intercept and modify the communication information. Such attack is called man-in-the-middle attack.

Figure 1-3Network diagram for ARP man-in-the-middle attack

Switch

Host A

Host C

IP_A

IP_ C

MAC_A

MAC_C

Invalid

Invalid

ARP reply

ARP reply

 

Host B

 

IP _B

 

MAC_B

ARP attack detection

To guard against the man-in-the-middle attacks launched by hackers or attackers, the device supports the ARP attack detection function. All ARP (both request and response) packets passing through the device are redirected to the CPU, which checks the validity of all the ARP packets by using the DHCP snooping table or the manually configured IP binding table. For description of DHCP snooping table and the manually configured IP binding table, refer to the DHCP snooping section in the part discussing DHCP in this manual.

1-4

Page 419
Image 419
3Com WX3000 operation manual Introduction to ARP Attack Detection, Man-in-the-middle attack, ARP attack detection