3Com WX3000 User Manual

mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request.
4) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
5) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.
Usually, ARP discovers and maintains the mappings from IP addresses to MAC addresses dynamically and automatically, without manual intervention.
Introduction to ARP Attack Detection 
Man-in-the-middle attack 
According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This reduces ARP traffic in the network, but it also makes ARP spoofing possible.
As shown in Figure 1-3, Host A communicates with Host C through Switch. To intercept the traffic between Host A and Host C, the hacker (Host B) sends invalid ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. The traffic between Host A and Host C then passes through Host B, which acts as a "man-in-the-middle" that may intercept and modify the communication. Such an attack is called a man-in-the-middle attack.
Figure 1-3 Network diagram for ARP man-in-the-middle attack
[Figure: Host A (IP_A, MAC_A), Host B (IP_B, MAC_B) and Host C (IP_C, MAC_C) are connected to Switch; Host B sends an invalid ARP reply to Host A and another to Host C.]
ARP attack detection
To guard against the man-in-the-middle attacks launched by hackers or attackers, the device supports the ARP attack detection function. All ARP packets (both requests and responses) passing through the device are redirected to the CPU, which checks the validity of every ARP packet against the DHCP snooping table or the manually configured IP binding table. For a description of the DHCP snooping table and the manually configured IP binding table, refer to the DHCP snooping section in the part of this manual discussing DHCP.
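The binding-table check described above, as an added example in Python that is not the WX3000's own code: it decodes an Ethernet/ARP frame and validates the sender IP, sender MAC and ingress port against a binding table, dropping a reply in which Host B answers for Host C's IP. The host addresses, port names, and the assumption that each binding entry also records the ingress port (as a DHCP snooping entry would) are constructed for this example.

```python
import struct
from collections import namedtuple

ETH_P_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
ArpPacket = namedtuple("ArpPacket", "opcode sender_mac sender_ip target_mac target_ip")

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)
def _mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def _ip_bytes(s): return bytes(int(x) for x in s.split("."))

def build_arp_frame(opcode, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP frame (used here only to construct sample input)."""
    dst = b"\xff" * 6 if opcode == ARP_REQUEST else _mac_bytes(tha)
    eth = dst + _mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + arp + _mac_bytes(sha) + _ip_bytes(spa) + _mac_bytes(tha) + _ip_bytes(tpa)

def parse_arp_frame(frame):
    """Decode the ARP header (IPv4 over Ethernet) from an Ethernet II frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpPacket(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

def check_arp(frame, ingress_port, bindings):
    """Apply the binding-table check: 'valid' or the reason the frame is dropped."""
    pkt = parse_arp_frame(frame)
    entry = bindings.get(pkt.sender_ip)
    if entry is None:
        return f"drop: no binding for sender IP {pkt.sender_ip}"
    mac, port = entry
    if mac != pkt.sender_mac:
        return f"drop: sender MAC {pkt.sender_mac} is not the bound MAC {mac} for {pkt.sender_ip}"
    if port != ingress_port:
        return f"drop: {pkt.sender_ip} is bound to {port} but arrived on {ingress_port}"
    return "valid"

# Constructed binding table, as DHCP snooping would fill it: IP -> (MAC, ingress port).
BINDINGS = {"10.0.0.1": ("00:00:00:00:00:0a", "port1"),   # Host A
            "10.0.0.2": ("00:00:00:00:00:0b", "port2"),   # Host B
            "10.0.0.3": ("00:00:00:00:00:0c", "port3")}   # Host C
# Constructed sample frames: Host B's genuine reply to Host A, and Host B answering for Host C's IP.
GENUINE = build_arp_frame(ARP_REPLY, "00:00:00:00:00:0b", "10.0.0.2", "00:00:00:00:00:0a", "10.0.0.1")
SPOOFED = build_arp_frame(ARP_REPLY, "00:00:00:00:00:0b", "10.0.0.3", "00:00:00:00:00:0a", "10.0.0.1")
```

Running `check_arp(GENUINE, "port2", BINDINGS)` returns "valid", while the same call on `SPOOFED` is dropped because the sender MAC does not match the binding for 10.0.0.3.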