Security Basics mailing list archives
RE: ARP Spoof Question
From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 Jul 2003 11:30:25 -0700
In a live network, you might (a) replace the NIC in a machine (perhaps later installing the removed NIC in a different machine), and (b) move a machine from one switch port to another. So the way node A, and the switch, handle this is to just keep the last information they saw.

Node B can reply more than once to the ARP request from A, and could even send out a gratuitous ARP (broadcast ARP reply for which no request was received) periodically. The windows during which a sender has the real address of C can be made quite small.

(Note that if B wants to remain undetected, he needs to forward those packets to C. So in fact, any time B sees an ARP request for C, it should issue its own ARP for C as well. It's pretty safe to assume that when it gets an answer from C, C has already sent its answer to A and so B can send a reply to A without fear that it will arrive before C's.

Here's some good logic for B:

    when you see a broadcast ARP request for C
        send a broadcast ARP response advertising your MAC address as C's
        if the ARP request didn't come from us
            send a broadcast ARP request for C

Note that the sent request (last line) will be seen and trigger an additional response (first two lines) but the "if" prevents it from looping infinitely.)

David Gillett
-----Original Message-----
From: Vineet Mehta [mailto:vineet () linux com kw]
Sent: July 22, 2003 22:22
To: security-basics () securityfocus com
Subject: ARP Spoof Question

Hi all members,

I have a small question. I was reading about ARP Spoofing and here is my question.

When Node A wants to send some packets to Node C, it sends an ARP Broadcast to find out the MAC address of Node C. This broadcast reaches all nodes in a network in a switched or Hub network. So when Node B is an attacker he catches the ARP Request and sends his MAC address in reply to Node A. This way Node B gets the packets destined for Node C.

Q1. My Question is, Node C will also reply to that request of Node A. So now Node A has 2 different MACs for the same IP. How is Node A handling this situation???

Q2. The switch also updates its table of IP/MAC address bindings, so how is the switch handling this situation???

Is it "first-come-first-serve" methodology which Node A/Switch takes???

Thanks in advance

Regards,
--
Vineet Mehta
Network Security Consultant
Kuwait Linux Company
Kuwait
Ph-2412552/2463633
<vineet [at] linux [dot] com [dot] kw>
www.linux.com.kw
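The behaviour David describes (a host and the switch simply keep the last binding they saw, so a second reply or a periodic gratuitous ARP quietly moves the IP-to-MAC binding) is exactly what a passive ARP monitor such as arpwatch keys on. The detector below is an added example, not code from the list or from either poster: it parses raw Ethernet/IPv4 ARP frames, keeps its own binding table, and flags a changed binding, a reply that no recent request explains, and a sender MAC that disagrees with the Ethernet source address. All hosts, addresses, timestamps and frames are constructed sample data.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def build_arp(op, sha, spa, tha, tpa, eth_dst=BROADCAST, eth_src=None):
    """Build a 42-byte Ethernet II + IPv4 ARP frame (constructed test input only).
    eth_src normally equals the ARP sender MAC; it is a separate parameter so a
    frame whose Ethernet source disagrees with the ARP body can be built for tests."""
    eth_src = sha if eth_src is None else eth_src
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP packet, or None if the frame is not one."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_src": mac_str(src), "eth_dst": mac_str(dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Passive ARP watcher: remembers the last sender MAC seen for each IP and the
    time of the last request for each target IP, and reports anomalies per frame."""

    def __init__(self, request_window=2.0):
        self.bindings = {}   # sender IP -> sender MAC last seen
        self.requests = {}   # target IP -> timestamp of the last request for it
        self.window = request_window

    def observe(self, frame, ts):
        alerts = []
        pkt = parse_arp(frame)
        if pkt is None or pkt["spa"] == "0.0.0.0":   # ignore non-ARP frames and ARP probes
            return alerts
        # The ARP body claims one sender MAC; the Ethernet header should agree.
        if pkt["sha"] != pkt["eth_src"]:
            alerts.append(("sha-mismatch", pkt["spa"], pkt["eth_src"], pkt["sha"]))
        if pkt["op"] == ARP_REQUEST:
            self.requests[pkt["tpa"]] = ts
        elif pkt["op"] == ARP_REPLY:
            # A reply that no recent request explains is gratuitous or unsolicited.
            asked = self.requests.get(pkt["spa"])
            if asked is None or ts - asked > self.window:
                alerts.append(("unsolicited-reply", pkt["spa"], pkt["sha"]))
        # Hosts and switches keep only the last binding they saw; the monitor keeps
        # the previous one as well, so a second MAC claiming the same IP is visible.
        old = self.bindings.get(pkt["spa"])
        if old is not None and old != pkt["sha"]:
            alerts.append(("binding-change", pkt["spa"], old, pkt["sha"]))
        self.bindings[pkt["spa"]] = pkt["sha"]
        return alerts


def demo():
    """Replay the thread's A/B/C scenario with constructed addresses and frames."""
    a_mac, a_ip = "aa:aa:aa:aa:aa:01", "10.0.0.1"
    c_mac, c_ip = "cc:cc:cc:cc:cc:03", "10.0.0.3"
    b_mac = "bb:bb:bb:bb:bb:02"
    mon = ArpMonitor()
    frames = [
        (0.0, build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", c_ip)),  # A asks for C
        (0.1, build_arp(ARP_REPLY, c_mac, c_ip, a_mac, a_ip, eth_dst=a_mac)),  # C's real answer
        (0.2, build_arp(ARP_REPLY, b_mac, c_ip, a_mac, a_ip, eth_dst=a_mac)),  # second MAC for C's IP
        (30.0, build_arp(ARP_REPLY, b_mac, c_ip, BROADCAST, c_ip)),            # reply nobody asked for
    ]
    return [(ts, mon.observe(frame, ts)) for ts, frame in frames]


if __name__ == "__main__":
    for ts, alerts in demo():
        print(f"t={ts:5.1f}s", alerts or "ok")
```

On a real segment the frames would come from a raw socket or a pcap rather than `build_arp`, and a binding-change alert needs correlation before anyone acts on it: as the message above points out, a replaced NIC or a machine moved to another port produces the same change legitimately, so the useful signal is a change that is unsolicited, repeats, or flips back and forth between two MACs.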