Table of Contents
Advertisement
Configuring Security
Configuring Dynamic ARP Inspection
Cisco 220 Series Smart Plus Switches Administration Guide Release 1.0.0.x
ARP Cache Poisoning
A malicious user can attack hosts, switches, and routers connected to a Layer 2
network by poisoning the ARP caches of systems connected to the subnet and by
intercepting traffic intended for other hosts on the subnet. This can happen
because ARP allows a gratuitous reply from a host even if an ARP request was not
received. After the attack, all traffic from the device under attack flows through the
attacker's computer and then to the router, switch, or host.
The following shows an example of ARP cache poisoning:
Figure 1 ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which
are on the same subnet. Their IP, MAC addresses are shown in parentheses; for
example, Host A uses IP address IA and MAC address MA. When Host A needs to
communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC
address associated with IP address IB. Host B responds with an ARP reply. The
switch and Host A update their ARP cache with the MAC and IP of Host B.
Host C can poison the ARP caches of the switch, Host A, and Host B by
broadcasting forged ARP responses with bindings for a host with an IP address of
IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the
MAC address MC as the destination MAC address for traffic intended for IA or IB,
which enables Host C intercepts that traffic. Because Host C knows the true MAC
addresses associated with IA and IB, it can forward the intercepted traffic to those
hosts by using the correct MAC address as the destination. Host C has inserted
itself into the traffic stream from Host A to Host B, the classic man-in-the-middle
attack.
16
218
Advertisement
Table of Contents
