+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1
180
Chapter 24 Prevent ARP Spoofing
Configuration
24.1 Overview
24.1.1 ARP (Address Resolution Protocol)
Generally speaking, ARP (RFC-826) protocol is mainly responsible of mapping IP address to
relevant 48-bit physical address, that is MAC address, for instance, IP address is 192.168.0.1,
network card Mac address is 00-1F-CE-FD-1D-2B. What the whole mapping process is that a
host computer send broadcast data packet involving IP address information of destination host
computer, ARP request, and then the destination host computer send a data packet involving
its IP address and Mac address to the host, so two host computers can exchange data by
MAC address.
24.1.2 ARP Spoofing
In terms of ARP Protocol design, to reduce redundant ARP data communication on networks,
even though a host computer receives an ARP reply which is not requested by itself, it will also
insert an entry to its ARP cache table, so it creates a possibility of “ARP spoofing”. If the
hacker wants to snoop the communication between two host computers in the same network
(even if are connected by the switches), it sends an ARP reply packet to two hosts separately,
and make them misunderstand MAC address of the other side as the hacker host MAC
address. In this way, the direct communication is actually communicated indirectly among the
hacker host computer. The hackers not only obtain communication information they need, but
also only need to modify some information in data packet and forward successfully. In this sniff
way, the hacker host computer doesn’t need to configure intermix mode of network card, that
is because the data packet between two communication sides are sent to hacker host
computer on physical layer, which works as a relay.
24.1.3 How to prevent void ARP Spoofing
There are many sniff, monitor and attack behaviors based on ARP protocol in networks, and
most of attack behaviors are based on ARP spoofing, so it is very important to prevent ARP
spoofing. ARP spoofing accesses normal network environment by counterfeiting legal IP
address firstly, and sends a great deal of counterfeited ARP application packets to switches,
after switches learn these packets, they will cover previously corrected IP, mapping of MAC
Содержание QSW-2800 series
Страница 189: ...7 495 797 3311 www qtech ru 18 1 175...
Страница 414: ...7 495 797 3311 www qtech ru 18 1 400...