DGS-3700-12/DGS-3700-12G Series Layer 2 Gigabit Ethernet Switch User Manual

Appendix A

Mitigating ARP Spoofing Attacks Using Packet Content ACL

Address Resolution Protocol (ARP) is the standard method for finding a host's hardware address (MAC address) when only its IP address is known. The protocol is vulnerable because an attacker can spoof the IP and MAC information carried in ARP packets to attack a LAN (known as ARP spoofing). This document introduces the ARP protocol, ARP spoofing attacks, and the countermeasure provided by D-Link's switches to counter ARP spoofing.

How Address Resolution Protocol works

In the ARP process, PC A first issues an ARP request to query PC B's MAC address. The network structure is shown in Figure-1.

Figure-1

At the same time, PC A's MAC address is written into the "Sender H/W Address" field and its IP address into the "Sender Protocol Address" field of the ARP payload. As PC B's MAC address is unknown, the "Target H/W Address" is "00-00-00-00-00-00", while PC B's IP address is written into the "Target Protocol Address" field, as shown in Table-1.

| H/W type | Protocol type | H/W address length | Protocol address length | Operation   | Sender H/W address | Sender protocol address | Target H/W address | Target protocol address |
|----------|---------------|--------------------|-------------------------|-------------|--------------------|-------------------------|--------------------|-------------------------|
|          |               |                    |                         | ARP request | 00-20-5C-01-11-11  | 10.10.10.1              | 00-00-00-00-00-00  | 10.10.10.2              |

Table-1 (ARP Payload)

The ARP request is encapsulated in an Ethernet frame and sent out. As can be seen in Table-2, the "Source Address" of the Ethernet frame is PC A's MAC address. Since an ARP request is sent as a broadcast, the "Destination Address" is the Ethernet broadcast address (FF-FF-FF-FF-FF-FF).

| Destination address | Source address | Ether-type | ARP | FCS |
|---------------------|----------------|------------|-----|-----|
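As an added example (not from the manual or D-Link's switch firmware), the ARP request of Table-1 inside the Ethernet frame of Table-2, built and parsed in Python with the addresses the tables give. The H/W type, protocol type and address lengths are blank in the table and are taken from the standard encoding (Ethernet = 1, IPv4 = 0x0800, lengths 6 and 4); `arp_matches_binding` is an assumed illustration of the kind of field-by-field consistency check (ARP sender IP/MAC against a known binding, and against the Ethernet source address) that a packet content ACL can express.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_FORMAT = "!HHBBH6s4s6s4s"  # H/W type, proto type, H/W len, proto len, op, SHA, SPA, THA, TPA
BROADCAST_MAC = "FF-FF-FF-FF-FF-FF"
ZERO_MAC = "00-00-00-00-00-00"

def mac_to_bytes(mac):
    # "00-20-5C-01-11-11" (the manual's notation) -> 6 raw bytes
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))

def bytes_to_mac(raw):
    return "-".join(f"{b:02X}" for b in raw)

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Ethernet frame (FCS omitted) carrying the ARP request of Table-1 and Table-2."""
    # Standard field values not shown on the page: Ethernet = 1, IPv4 = 0x0800,
    # address lengths 6 and 4, operation 1 = request.
    arp = struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, 1,
                      mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_to_bytes(ZERO_MAC), ipaddress.IPv4Address(target_ip).packed)
    # Ethernet header: broadcast destination, PC A as source, Ether-type ARP
    eth = mac_to_bytes(BROADCAST_MAC) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    return eth + arp

def parse_arp_frame(frame):
    """Return the Ethernet and ARP fields as a dict, or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    _hw, _proto, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, frame[14:42])
    return {
        "eth_dst": bytes_to_mac(frame[0:6]), "eth_src": bytes_to_mac(frame[6:12]),
        "operation": op,
        "sender_hw": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_hw": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }

def arp_matches_binding(frame, bindings):
    """Hypothetical defender check: the ARP sender IP/MAC pair must match the known
    binding table, and the Ethernet source must agree with the ARP sender H/W address."""
    fields = parse_arp_frame(frame)
    if fields is None:
        return False
    expected = bindings.get(fields["sender_ip"])
    return expected is not None and expected == fields["sender_hw"] == fields["eth_src"]
```

A frame whose ARP sender address disagrees with the binding table, or with its own Ethernet source address, fails the check and is the case a packet content ACL would be written to drop.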
