Configuring Arp Detection; Introduction To Arp Detection - H3C S5810 Series Operation Manual

Configuring ARP Detection

For information about DHCP snooping, refer to DHCP Configuration in the IP Services Volume.

Introduction to ARP Detection

The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, hence
preventing man-in-the-middle attacks.
Man-in-the-middle attack
According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the
sender to its ARP mapping table even if the MAC address is not the requested one. This design reduces
the ARP traffic on the network, but also makes ARP spoofing possible.
As shown in Figure
between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C
respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to
the peer IP address in their ARP tables with the MAC address of Host B (MAC_B). After that, Host B
establishes independent connections with Host A and Host C and relays messages between them,
deceiving them into believing that they are talking directly to each other over a private connection, while
the entire conversation is actually controlled by Host B. Host B may intercept and modify the
communication data. Such an attack is called a man-in-the-middle attack.
Figure 2-1 Man-in-the-middle attack
Host A
IP_ A
MAC_ A
Forged
ARP reply
2-1, Host A communicates with Host C through a switch. After intercepting the traffic
Switch
Forged
ARP reply
Host B
IP_B
MAC_B
Host C
IP_C
MAC_C
2-5