3com 2928 User Guide

2 ARP Attack Defense Configuration
Although ARP is easy to implement, it provides no security mechanism and is therefore prone to network attacks. ARP attacks and ARP-based viruses currently threaten LAN security. The device provides multiple features to detect and prevent such attacks; this chapter introduces these features.
ARP Detection 
Introduction to ARP Detection 
The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, thereby preventing man-in-the-middle attacks.
Man-in-the-middle attack 
According to the ARP design, after receiving an ARP reply, a host adds the sender's IP-to-MAC mapping to its ARP mapping table. This design reduces the ARP traffic on the network, but it also makes ARP spoofing possible.
As shown in the figure, Host A communicates with Host C through a switch. After intercepting the traffic between Host A and Host C, a hacker (Host B) sends forged ARP replies to Host A and Host C respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B (MAC_B). After that, Host B establishes independent connections with Host A and Host C and relays messages between them, deceiving them into believing that they are talking directly to each other over a private connection, while the entire conversation is actually controlled by Host B. Host B may intercept and modify the communication data. Such an attack is called a man-in-the-middle attack.