Table of Contents
Advertisement
Chapter 23 Prevent ARP, ND Spoofing
Configuration
23.1 Overview
23.1.1 ARP (Address Resolution Protocol)
Generally speaking, ARP (RFC-826) protocol is mainly responsible of mapping IP address to relevant 48-bit
physical address, that is MAC address, for instance, IP address is 192.168.0.1, network card Mac address is
00-30-4f-FD-1D-2B. What the whole mapping process is that a host computer s end broadc ast data packet
involving IP address information of destination host computer, ARP request, and then the destination host
computer send a data packet involving its IP address and Mac address to the host, so two host computers can
exchange data by MAC address.
23.1.2 ARP Spoofing
In terms of ARP Protocol design, to reduce redundant ARP data communication on net works, even though a
host computer receives an ARP reply which is not requested by itself, it will also insert an entry to its ARP
cache table, so it creates a possibility of "A RP spoofing". If the hacker wants to snoop t he communication
between two host computers in the same network (even if are connected by the switches), it sends an ARP
reply packet to two hosts separately, and make them misunderstand MA C address of the ot her side as the
hacker host MAC address. In this way, the direct communication is actually communicated indirectly among
the hacker host computer. The hackers not only obtain communication information they need, but also only
need to modify some information in data packet and forward successfully. In this sniff way, the hacker host
computer doesn't need t o configure intermix mode of network card, that is because the data packet bet ween
two communication sides are sent to hacker host computer on physical layer, which works as a relay.
23.1.3 How to prevent void ARP/ND Spoofing
There are many sniff, monitor and attack behaviors based on ARP protocol in networks, and most of attack
behaviors are bas ed on A RP spoofing, so it is very important to prevent ARP spoofing. ARP spoofing
accesses normal network environment by counterfeiting legal IP address firstly, and sends a great deal of
counterfeited ARP application packets to switches, after switches learn these packets, they will cover
previously corrected IP, mapping of MA C address, and then some corrected IP, MAC address mapping are
modified to correspondence relationship configured by attack packets so that the switch makes mistake on
transfer packets, and takes an effect on the whole network. Or the switches are made used of by vicious
attackers, and they intercept and capture packets transferred by switches or attack other switches, host
computers or net work equipment.
What the essential method on preventing attack and spoofing s witches based on ARP in net works is to
disable switch automatic update function; the cheater can't modify corrected MAC address in order to avoid
wrong packets transfer and c an't obtain other information. At one time, it doesn't interrupt the automatic
learning function of ARP. Thus it prevents ARP spoofing and attack to a great extent.
ND is neighbor discovering protocol in IP v6 protocol, and it's similar to ARP on operation principle, therefore
23-1
Advertisement
Table of Contents
Troubleshooting
