Security Basics mailing list archives
Re: ARP Spoof Question
From: Stephane Nasdrovisky <stephane.nasdrovisky () uniway be>
Date: Wed, 23 Jul 2003 21:05:13 +0200
I have a small question. I was reading about ARP Spoofing and here is my question.
So when Node B is a attacker he catches the ARP Request and sends his MAC address in reply to Node A.
Node B can also send "gratuitous arp". Basically these are broadcasted arp replies without any request. Most hosts send gratuitous arp when they boot so that the neibourhood knows about them.
Q1.My Question is, Node C will also reply to that request of Node A. SO now Node A has 2 different MAC for the same IP. How is Node A handling this situation???
Usually, the last arp reply override the existing one. Some ip stack may decide to make arp replies to their own queries more reliable than gratuitous arps, I'm not sure wether a required behaviour is described in the rfcs.
Q2.The switch also updates its table of IP/MAC address bindings, so how is switch handling this situation???
Switches are layer 2 devices, IP begins at layer 3. A -switch- usually doesn't understand a single ip bit. The management side of the switch (snmp, http, telnet, whatever) are to be considered as any other networked host. --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: ARP Spoof Question David J. Bianco (Jul 23)
- <Possible follow-ups>
- RE: ARP Spoof Question David Gillett (Jul 23)
- Re: ARP Spoof Question Simon Gray (Jul 23)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question The Fueley (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- Re: ARP Spoof Question Martin Brecher (Jul 28)