Chapter 23 prevent arp, nd spoofing configuration, 1 overview, 1 arp (address resolution protocol) – PLANET XGS3-24040 User Manual

Chapter 23 Prevent ARP, ND Spoofing Configuration

23-1

Chapter 23 Prevent ARP, ND Spoofing

Configuration

23.1 Overview

23.1.1 ARP (Address Resolution Protocol)

Generally speaking, ARP (RFC-826) protocol is mainly responsible of mapping IP address to relevant 48-bit

physical address, that is MAC address, for instance, IP address is 192.168.0.1, network card Mac address is

00-30-4f-FD-1D-2B. What the whole mapping process is that a host computer send broadcast data packet

involving IP address information of destination host computer, ARP request, and then the destination host

computer send a data packet involving its IP address and Mac address to the host, so two host computers can

exchange data by MAC address.

23.1.2 ARP Spoofing

In terms of ARP Protocol design, to reduce redundant ARP data communication on networks, even though a

host computer receives an ARP reply which is not requested by itself, it will also insert an entry to its ARP

cache table, so it creates a possibility of “ARP spoofing”. If the hacker wants to snoop the communication

between two host computers in the same network (even if are connected by the switches), it sends an ARP

reply packet to two hosts separately, and make them misunderstand MAC address of the other side as the

hacker host MAC address. In this way, the direct communication is actually communicated indirectly among

the hacker host computer. The hackers not only obtain communication information they need, but also only

need to modify some information in data packet and forward successfully. In this sniff way, the hacker host

computer doesn’t need to configure intermix mode of network card, that is because the data packet between

two communication sides are sent to hacker host computer on physical layer, which works as a relay.

23.1.3 How to prevent void ARP/ND Spoofing

There are many sniff, monitor and attack behaviors based on ARP protocol in networks, and most of attack

behaviors are based on ARP spoofing, so it is very important to prevent ARP spoofing. ARP spoofing

accesses normal network environment by counterfeiting legal IP address firstly, and sends a great deal of

counterfeited ARP application packets to switches, after switches learn these packets, they will cover

previously corrected IP, mapping of MAC address, and then some corrected IP, MAC address mapping are

modified to correspondence relationship configured by attack packets so that the switch makes mistake on

transfer packets, and takes an effect on the whole network. Or the switches are made used of by vicious

attackers, and they intercept and capture packets transferred by switches or attack other switches, host

computers or network equipment.

What the essential method on preventing attack and spoofing switches based on ARP in networks is to

disable switch automatic update function; the cheater can’t modify corrected MAC address in order to avoid

wrong packets transfer and can’t obtain other information. At one time, it doesn’t interrupt the automatic

learning function of ARP. Thus it prevents ARP spoofing and attack to a great extent.