H3C S3100-52P Operation Manual page 476

Operation Manual – ARP
H3C S3100-52P Ethernet Switch
ARP spoofing possible.
In Figure 1-3, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the hacker (Host B) forwards invalid ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. The traffic between Host A and Host C then passes through Host B, which acts as a "man-in-the-middle" that may intercept and modify the communication. Such an attack is called a man-in-the-middle attack.
Figure 1-3 Network diagram for ARP man-in-the-middle attack
II. ARP attack detection
To guard against man-in-the-middle attacks launched by hackers or attackers, an S3100-52P Ethernet switch supports the ARP attack detection function. All ARP packets (both requests and responses) passing through the switch are redirected to the CPU, which checks the validity of each ARP packet against the DHCP snooping table or the manually configured IP binding table. For a description of the DHCP snooping table and the manually configured IP binding table, refer to the DHCP snooping section in the part discussing DHCP in this manual.
After you enable the ARP attack detection function, the switch checks the following items of an ARP packet: the source MAC address, the source IP address, the port number of the port receiving the ARP packet, and the ID of the VLAN to which the port belongs. If these items match an entry in the DHCP snooping table or the manually configured IP binding table, the switch forwards the ARP packet; if not, the switch discards the ARP packet.
With trusted ports configured, ARP packets coming from the trusted ports are not checked, while those from other ports are checked against the DHCP snooping table or the manually configured IP binding table.
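The check described above can be modelled in a few lines. This is an added example, not H3C code: it assumes the "source MAC" and "source IP" are the ARP sender fields and that malformed packets are discarded, and the addresses and port names for Hosts A, B and C are constructed.

```python
import socket
import struct
from typing import NamedTuple

class Binding(NamedTuple):
    """One DHCP snooping or manually configured IP binding entry."""
    mac: str
    ip: str
    port: str
    vlan: int

def parse_arp_sender(payload):
    """Return (sender MAC, sender IP) of an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _op, sha, spa = struct.unpack("!HHBBH6s4s", payload[:18])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return sha.hex(":"), socket.inet_ntoa(spa)

def arp_verdict(payload, port, vlan, bindings, trusted_ports=frozenset()):
    """Decide 'forward' or 'discard' for an ARP request or reply."""
    if port in trusted_ports:
        return "forward"  # ARP from trusted ports is not checked
    try:
        mac, ip = parse_arp_sender(payload)
    except ValueError:
        return "discard"  # assumption: malformed ARP is dropped
    # All four items must match a single binding entry.
    return "forward" if Binding(mac, ip, port, vlan) in bindings else "discard"

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload (sample data only, nothing is sent)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha)
            + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa))

# Constructed bindings for Hosts A, B and C (addresses and port names are assumptions).
BINDINGS = {
    Binding("00:00:00:00:00:0a", "10.0.0.1", "Ethernet1/0/1", 1),
    Binding("00:00:00:00:00:0b", "10.0.0.2", "Ethernet1/0/2", 1),
    Binding("00:00:00:00:00:0c", "10.0.0.3", "Ethernet1/0/3", 1),
}
# Reply pairing Host C's IP with Host B's MAC, and Host C's genuine reply.
SPOOFED = build_arp(2, "00:00:00:00:00:0b", "10.0.0.3", "00:00:00:00:00:0a", "10.0.0.1")
LEGIT = build_arp(2, "00:00:00:00:00:0c", "10.0.0.3", "00:00:00:00:00:0a", "10.0.0.1")

if __name__ == "__main__":
    print(arp_verdict(SPOOFED, "Ethernet1/0/2", 1, BINDINGS))
    print(arp_verdict(LEGIT, "Ethernet1/0/3", 1, BINDINGS))
```

Because trusted ports bypass the check, the same spoofed payload is forwarded when its ingress port is passed in `trusted_ports`.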
Chapter 1 ARP Configuration
