Introduction To ARP Attack Detection - H3C S3100 8C SI Operation Manual

S3100 series Ethernet switches
Operation Manual – ARP
H3C S3100 Series Ethernet Switches
To prevent such attacks, you can configure ARP source MAC address consistency check on S3100 series Ethernet switches (operating as gateways). With this function, the device can verify whether an ARP packet is valid by checking the sender MAC address of the ARP packet against the source MAC address in the Ethernet header.

If they are consistent, the packet passes the check and the switch learns the ARP entry. If they are not consistent, the ARP packet is considered invalid and the corresponding ARP entry is not learned.
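The consistency check described above, written out as an added example (this is not the switch's own code): a small Python parser that extracts the Ethernet source MAC and the ARP sender hardware address from a frame and learns an entry only when the two match. All frames, MAC addresses and IP addresses are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp_frame(eth_src: bytes, sha: bytes, spa: bytes, tha: bytes, tpa: bytes,
                    oper: int = 2, eth_dst: bytes = BROADCAST) -> bytes:
    """Construct an Ethernet II frame carrying an IPv4 ARP packet (sample data only)."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa
    return eth + arp

def parse_arp_frame(frame: bytes):
    """Return the fields the check needs, or None if this is not a well-formed Ethernet/IPv4 ARP frame."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": mac_str(src), "oper": oper,
            "sha": mac_str(frame[22:28]), "spa": ".".join(map(str, frame[28:32]))}

def source_mac_consistent(frame: bytes) -> bool:
    """The gateway's check: the ARP sender hardware address must equal the Ethernet source MAC."""
    p = parse_arp_frame(frame)
    return p is not None and p["eth_src"] == p["sha"]

def learn_entries(frames):
    """Apply the check to each frame: consistent packets update the ARP table, the rest are dropped."""
    table, dropped = {}, 0
    for frame in frames:
        p = parse_arp_frame(frame)
        if p is None or p["eth_src"] != p["sha"]:
            dropped += 1
            continue
        table[p["spa"]] = p["sha"]
    return table, dropped

# Constructed sample traffic: Host C answers Host A; a second reply carries Host C's
# address in the ARP body but arrives in a frame whose Ethernet source MAC is different.
MAC_A, MAC_B, MAC_C = bytes.fromhex("0a" * 6), bytes.fromhex("0b" * 6), bytes.fromhex("0c" * 6)
IP_A, IP_C = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 30])
SAMPLE_FRAMES = [
    build_arp_frame(MAC_C, MAC_C, IP_C, MAC_A, IP_A, eth_dst=MAC_A),  # consistent: learned
    build_arp_frame(MAC_B, MAC_C, IP_C, MAC_A, IP_A, eth_dst=MAC_A),  # inconsistent: dropped
    b"\x00" * 20,                                                    # not an ARP frame: dropped
]

if __name__ == "__main__":
    print(learn_entries(SAMPLE_FRAMES))  # ({'192.168.1.30': '0c:0c:0c:0c:0c:0c'}, 2)
```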

1.1.6 Introduction to ARP Attack Detection

I. Man-in-the-middle attack
According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This reduces the ARP traffic in the network, but it also makes ARP spoofing possible.

In Figure 1-3, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the hacker (Host B) forwards invalid ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. Then, the traffic between Host A and Host C passes through Host B, which acts like a "man-in-the-middle" that may intercept and modify the communication. Such an attack is called a man-in-the-middle attack.

Figure 1-3 Network diagram for ARP man-in-the-middle attack
Chapter 1 ARP Configuration