Chapter 18 prevent arp, nd spoofing configuration, 1 overview, 1 arp (address resolution protocol) – QTECH QSW-8300 Инструкция по настройке User Manual

+7(495) 797-3311 www.qtech.ru

Москва, Новозаводская ул., 18, стр. 1

146

Chapter 18 Prevent ARP, ND Spoofing

Configuration

18.1 Overview

18.1.1 ARP (Address Resolution Protocol)

Generally speaking, ARP (RFC-826) protocol is mainly responsible of mapping IP address to

relevant 48-bit physical address, that is MAC address, for instance, IP address is 192.168.0.1,

network card Mac address is 00-1F-CE-FD-1D-2B. What the whole mapping process is that a

host computer send broadcast data packet involving IP address information of destination host

computer, ARP request, and then the destination host computer send a data packet involving

its IP address and Mac address to the host, so two host computers can exchange data by

MAC address.

18.1.2 ARP Spoofing

In terms of ARP Protocol design, to reduce redundant ARP data communication on networks,

even though a host computer receives an ARP reply which is not requested by itself, it will also
insert an entry to its ARP cache table, so it creates a possibility of “ARP spoofing”. If the

hacker wants to snoop the communication between two host computers in the same network

(even if are connected by the switches), it sends an ARP reply packet to two hosts separately,

and make them misunderstand MAC address of the other side as the hacker host MAC

address. In this way, the direct communication is actually communicated indirectly among the

hacker host computer. The hackers not only obtain communication information they need, but

also only need to modify some information in data packet and forward successfully. In this sniff
way, the hacker host computer doesn’t need to configure intermix mode of network card, that

is because the data packet between two communication sides are sent to hacker host

computer on physical layer, which works as a relay.

18.1.3 How to prevent void ARP/ND Spoofing

There are many sniff, monitor and attack behaviors based on ARP protocol in networks, and

most of attack behaviors are based on ARP spoofing, so it is very important to prevent ARP

spoofing. ARP spoofing accesses normal network environment by counterfeiting legal IP

address firstly, and sends a great deal of counterfeited ARP application packets to switches,

after switches learn these packets, they will cover previously corrected IP, mapping of MAC

address, and then some corrected IP, MAC address mapping are modified to correspondence

relationship configured by attack packets so that the switch makes mistake on transfer packets,

and takes an effect on the whole network. Or the switches are made used of by vicious

attackers, and they intercept and capture packets transferred by switches or attack other