TP-LINK TL-SG3210 User Manual

Figure 11-12 Man-In-The-Middle Attack 
Suppose there are three Hosts in LAN connected with one another through a switch. 
Host A: IP address is 192.168.0.101; MAC address is 00-00-00-11-11-11. 
Host B: IP address is 192.168.0.102; MAC address is 00-00-00-22-22-22. 
Attacker: IP address is 192.168.0.103; MAC address is 00-00-00-33-33-33. 
1.  First, the attacker sends false ARP response packets. 
2.  Upon receiving the ARP response packets, Host A and Host B update their own ARP 
tables. 
3.  When Host A communicates with Host B, it sends the packets to the false destination 
MAC address, i.e. to the attacker, according to the updated ARP table. 
4.  After receiving the packets exchanged between Host A and Host B, the attacker 
processes them and forwards them to the correct destination MAC address, so the 
communication between Host A and Host B appears normal. 
5.  The attacker continuously sends false ARP packets to Host A and Host B so that 
the Hosts always maintain the wrong ARP table. 
From the point of view of Host A and Host B, their packets are sent directly to each other. In fact, 
a Man-In-The-Middle steals the packet information during the communication. This kind of ARP 
attack is called a Man-In-The-Middle attack. 
 
ARP Flooding Attack 
The attacker broadcasts a large number of fake ARP packets in a network segment to maliciously 
consume network bandwidth, which dramatically slows down the network. Meanwhile, the Gateway 
learns the false IP address-to-MAC address mapping entries from these ARP packets and updates 
its ARP table. As a result, the ARP table is fully occupied by false entries and cannot learn the 
ARP entries of legal Hosts, so the legal Hosts cannot access the external network. 
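
The following detection sketch is an added example, not part of the manual and not the switch's own logic: it checks observed ARP packets against a trusted IP-to-MAC binding table to catch the false mappings of the Man-In-The-Middle scenario, and counts ARP packets per port per second to catch the flooding pattern. The tuple layout, the port numbers, the sample packets and the rate threshold of 15 are assumptions.

```python
from collections import Counter

# Trusted IP-to-MAC bindings: Host A and Host B from the scenario above.
BINDINGS = {
    "192.168.0.101": "00-00-00-11-11-11",
    "192.168.0.102": "00-00-00-22-22-22",
}
RATE_LIMIT = 15  # assumed threshold: ARP packets per port per second

# Constructed observations: (second, switch port, sender IP, sender MAC).
SAMPLE = (
    [
        (1, 1, "192.168.0.101", "00-00-00-11-11-11"),  # Host A, genuine
        (1, 2, "192.168.0.102", "00-00-00-22-22-22"),  # Host B, genuine
        (2, 3, "192.168.0.102", "00-00-00-33-33-33"),  # false reply for B's IP
        (2, 3, "192.168.0.101", "00-00-00-33-33-33"),  # false reply for A's IP
    ]
    # A burst of 40 varied fake entries from port 3 within one second.
    + [(5, 3, f"192.168.0.{150 + i}", f"00-00-00-aa-00-{i:02x}") for i in range(40)]
)


def inspect(packets, bindings=BINDINGS, rate_limit=RATE_LIMIT):
    """Return (binding_violations, flooding_ports) for ARP observations."""
    violations = []
    per_port_second = Counter()
    for second, port, ip, mac in packets:
        per_port_second[(port, second)] += 1
        expected = bindings.get(ip)
        # A bound IP announced with a different MAC is the false mapping
        # that the man-in-the-middle attack depends on.
        if expected is not None and expected.lower() != mac.lower():
            violations.append((port, ip, mac, expected))
    # Ports exceeding the per-second budget match the flooding pattern.
    flooding = sorted(
        {port for (port, _), count in per_port_second.items() if count > rate_limit}
    )
    return violations, flooding


if __name__ == "__main__":
    violations, flooding = inspect(SAMPLE)
    for port, ip, mac, expected in violations:
        print(f"port {port}: {ip} claimed by {mac}, bound to {expected}")
    print("ports over ARP rate limit:", flooding)
```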