Chapter 18 prevent arp, nd spoofing configuration, 1 overview, 1 arp (address resolution protocol) – QTECH QSW-8300 Инструкция по настройке User Manual
Page 147: 2 arp spoofing, 3 how to prevent void arp/nd spoofing, Verview
+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1
146
Chapter 18 Prevent ARP, ND Spoofing
Configuration
18.1 Overview
18.1.1 ARP (Address Resolution Protocol)
Generally speaking, ARP (RFC-826) protocol is mainly responsible of mapping IP address to
relevant 48-bit physical address, that is MAC address, for instance, IP address is 192.168.0.1,
network card Mac address is 00-1F-CE-FD-1D-2B. What the whole mapping process is that a
host computer send broadcast data packet involving IP address information of destination host
computer, ARP request, and then the destination host computer send a data packet involving
its IP address and Mac address to the host, so two host computers can exchange data by
MAC address.
18.1.2 ARP Spoofing
In terms of ARP Protocol design, to reduce redundant ARP data communication on networks,
even though a host computer receives an ARP reply which is not requested by itself, it will also
insert an entry to its ARP cache table, so it creates a possibility of “ARP spoofing”. If the
hacker wants to snoop the communication between two host computers in the same network
(even if are connected by the switches), it sends an ARP reply packet to two hosts separately,
and make them misunderstand MAC address of the other side as the hacker host MAC
address. In this way, the direct communication is actually communicated indirectly among the
hacker host computer. The hackers not only obtain communication information they need, but
also only need to modify some information in data packet and forward successfully. In this sniff
way, the hacker host computer doesn’t need to configure intermix mode of network card, that
is because the data packet between two communication sides are sent to hacker host
computer on physical layer, which works as a relay.
18.1.3 How to prevent void ARP/ND Spoofing
There are many sniff, monitor and attack behaviors based on ARP protocol in networks, and
most of attack behaviors are based on ARP spoofing, so it is very important to prevent ARP
spoofing. ARP spoofing accesses normal network environment by counterfeiting legal IP
address firstly, and sends a great deal of counterfeited ARP application packets to switches,
after switches learn these packets, they will cover previously corrected IP, mapping of MAC
address, and then some corrected IP, MAC address mapping are modified to correspondence
relationship configured by attack packets so that the switch makes mistake on transfer packets,
and takes an effect on the whole network. Or the switches are made used of by vicious
attackers, and they intercept and capture packets transferred by switches or attack other