Man-in-the-middle attack, Arp detection mechanism, Ip-to-mac bindings – H3C Technologies H3C S5120 Series Switches User Manual

Page 232

Advertising
background image

2-4

Man-in-the-middle attack

According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the

sender to its ARP mapping table. This design reduces the ARP traffic on the network, but also makes

ARP spoofing possible.

As shown in

Figure 2-1

, Host A communicates with Host C through a switch. After intercepting the traffic

between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C

respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to

the peer IP address in their ARP tables with the MAC address of Host B (MAC_B). After that, Host B

establishes independent connections with Host A and Host C and relays messages between them,

deceiving them into believing that they are talking directly to each other over a private connection, while

the entire conversation is actually controlled by Host B. Host B may intercept and modify the

communication data. Such an attack is called a man-in-the-middle attack.

Figure 2-1 Man-in-the-middle attack

Switch

Host A

Host B

IP_ A

MAC_ A

IP_B

MAC_B

IP_C

MAC_C

Host C

Forged

ARP reply

Forged

ARP reply

ARP detection mechanism

With ARP detection enabled for a specific VLAN, ARP messages arrived on any interface in the VLAN

are redirected to the CPU to have their MAC and IP addresses checked. ARP messages that pass the

check are forwarded, and other ARP messages are discarded.

Enabling ARP Detection Based on DHCP Snooping Entries/802.1X Security
Entries/Static IP-to-MAC Bindings

With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet

received from the VLAN against the DHCP snooping entries, 802.1X security entries, or static

IP-to-MAC binding entries. You can specify a detection type or types as needed.

1) After you enable ARP detection based on DHCP snooping entries for a VLAN,

z

Upon receiving an ARP packet from an ARP untrusted port, the device compares the ARP packet

against the DHCP snooping entries. If a match is found, that is, the parameters (such as IP address,

Advertising