Security Basics mailing list archives

Re: ARP Spoof Question


From: "David J. Bianco" <bianco () jlab org>
Date: 23 Jul 2003 14:04:12 -0400

On Wed, 2003-07-23 at 01:22, Vineet Mehta wrote:

> Q1. My question is, Node C will also reply to that request of Node A. So
> now Node A has 2 different MACs for the same IP. How is Node A handling
> this situation???
>
> Q2. The switch also updates its table of IP/MAC address bindings, so how
> is the switch handling this situation???


The answers to these are both the same.  In general, ARP only remembers
the *last* ARP update, so if the attacker responded first, and then the
legitimate host responded, both the origin host and the switch would
end up keeping the legitimate host's MAC address in their table, and 
discarding the attacker's address.  Of course, there may be a small 
window of time between when the attacker's reply is received and the 
legitimate host's reply arrives.  During this time, the attacker might
very well get some packets, but the time is so small that this probably
isn't much of an issue for most LANs.

Of course, the basic idea behind your attack model isn't quite what 
you'd expect to see in the wild.  Because the hosts only remember the
last ARP response, an attacker who wants to perform an ARP spoofing 
attack usually just sends out a forged ARP reply *without* waiting 
for a host to send an ARP request.  This doesn't seem to make sense,
but ARP is a stateless protocol so most implementations just believe
all ARP responses they see, without trying to match them up with legit
requests.  

        David



> Is it "first-come-first-serve" methodology which Node A/Switch takes???
>
> Thanks in advance
> Regards,
-- 
David J. Bianco, GSEC GCUX              <bianco () jlab org>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint:  516A B80D AAB3 1617 A340  227A 723B BFBE B395 33BA 

     The views expressed herein are solely those of the author and
            not those of SURA/Jefferson Lab or the US DOE.


