Table of Contents
Advertisement
Chapter 28 Prevent ARP Spoofing
28.1 Overview
28.1.1 ARP (Address Resolution Protocol)
Generally speaking, ARP (RFC-826) protocol is mainly responsible of mapping IP address to
relevant 48-bit physical address, that is MAC address, for instance, IP address is 192.168.0.1,
network card Mac address is 00-30-4F-FD-1D-2B. What the whole mapping process is that a
host computer send broadcast data packet involving IP address information of destination host
computer, ARP request, and then the destination host computer send a data packet involving
its IP address and Mac address to the host, so two host computers can exchange data by
MAC address.
28.1.2 ARP Spoofing
In terms of ARP Protocol design, to reduce redundant ARP data communication on networks,
even though a host computer receives an ARP reply which is not requested by itself, it will also
insert an entry to its ARP cache table, so it creates a possibility of "ARP spoofing". If the hacker
wants to snoop the communication between two host computers in the same network (even if
are connected by the switches), it sends an ARP reply packet to two hosts separately, and
make them misunderstand MAC address of the other side as the hacker host MAC address. In
this way, the direct communication is actually communicated indirectly among the hacker host
computer. The hackers not only obtain communication information they need, but also only
need to modify some information in data packet and forward successfully. In this sniff way, the
hacker host computer doesn't need to configure intermix mode of network card, that is
because the data packet between two communication sides are sent to hacker host computer
on physical layer, which works as a relay.
28.1.3 How to prevent void ARP Spoofing
There are many sniff, monitor and attack behaviors based on ARP protocol in networks, and
most of attack behaviors are based on ARP spoofing, so it is very important to prevent ARP
Configuration
28-23
Advertisement
Table of Contents
Troubleshooting
