Security Basics mailing list archives

RE: ARP Spoof Question


From: "David Gillett" <gillettdavid () fhda edu>
Date: Wed, 23 Jul 2003 11:30:25 -0700

  In a live network, you might (a) replace the NIC in a machine
(perhaps later installing the removed NIC in a different machine),
and (b) move a machine from one switch port to another.
  So the way node A, and the switch, handle this is to just keep
the last information they saw.  Node B can reply more than once
to the ARP request from A, and could even send out a gratuitous
ARP (broadcast ARP reply for which no request was received)
periodically.  The windows during which a sender has the real
address of C can be made quite small.

  (Note that if B wants to remain undetected, he needs to forward
those packets to C.  So in fact, any time B sees an ARP request 
for C, it should issue its own ARP for C as well.  It's pretty 
safe to assume that when it gets an answer from C, C has already 
sent its answer to A and so B can send a reply to A without fear
that it will arrive before C's.
  Here's some good logic for B:

when you see a broadcast ARP request for C
  send a broadcast ARP response advertising your MAC address as C's
  if the ARP request didn't come from us
    send a broadcast ARP request for C

Note that the sent request (last line) will be seen and trigger
an additional response (first two lines) but the "if" prevents it
from looping infinitely.)

David Gillett

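The "last reply wins" behaviour described above is exactly what a defender can watch for: node A (and the switch) keep whatever binding arrived most recently, so a monitor that replays ARP replies through the same rule and flags every change of MAC for an IP, plus every unsolicited broadcast reply, catches the situation in the thread. The following is an added example, not code from the original thread; the frames are constructed sample input with made-up MACs and documentation-range IPs.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY, BROADCAST = 0x0806, 2, b"\xff" * 6

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def arp_reply(dst_mac, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/ARP reply frame (constructed sample input, not a capture)."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = ETH_HDR.pack(dst_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, ip(sender_ip), target_mac, ip(target_ip))
    return eth + arp

def detect_conflicts(frames):
    """Replay ARP replies with 'last reply wins' (what node A and the switch do)
    and report every binding change and every gratuitous reply."""
    table, alerts = {}, []
    for frame in frames:
        dst, _src, etype = ETH_HDR.unpack_from(frame)
        if etype != ETHERTYPE_ARP:
            continue
        _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
        if op != ARP_REPLY:
            continue
        ip, mac = ".".join(map(str, spa)), mac_str(sha)
        if dst == BROADCAST or spa == tpa:       # unsolicited reply: nobody asked for it
            alerts.append(("gratuitous", ip, mac))
        old = table.get(ip)
        if old is not None and old != mac:       # two MACs claimed for one IP
            alerts.append(("conflict", ip, old, mac))
        table[ip] = mac                          # keep the last binding seen
    return table, alerts

# Constructed sample: A asked for C; C answers, then B answers claiming C's IP,
# then B keeps the binding fresh with a broadcast (gratuitous) reply.
MAC_A, MAC_B, MAC_C = b"\x02\x00\x00\x00\x00\x0a", b"\x02\x00\x00\x00\x00\x0b", b"\x02\x00\x00\x00\x00\x0c"
IP_A, IP_C = "192.0.2.10", "192.0.2.12"
SAMPLE = [
    arp_reply(MAC_A, MAC_C, IP_C, MAC_A, IP_A),          # genuine reply from C
    arp_reply(MAC_A, MAC_B, IP_C, MAC_A, IP_A),          # B's reply arrives later and wins
    arp_reply(BROADCAST, MAC_B, IP_C, BROADCAST, IP_C),  # B's periodic gratuitous reply
]

if __name__ == "__main__":
    table, alerts = detect_conflicts(SAMPLE)
    print(table)
    for alert in alerts:
        print(*alert)
```

In a real deployment the frames would come from a raw socket or pcap on the monitored segment, and a change of MAC for a known IP is the event to alert on (this is the check tools such as arpwatch perform).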

-----Original Message-----
From: Vineet Mehta [mailto:vineet () linux com kw]
Sent: July 22, 2003 22:22
To: security-basics () securityfocus com
Subject: ARP Spoof Question


Hi all members,

I have a small question. I was reading about ARP Spoofing and
here is my question.

When Node A wants to send some packets to Node C, it sends an ARP
Broadcast to find out the MAC address of Node C. This broadcast reaches
all nodes in a network in a switched or Hub network. So when Node B is an
attacker he catches the ARP Request and sends his MAC address in reply
to Node A. This way Node B gets the packets destined for Node C.

Q1. My Question is, Node C will also reply to that request of Node A. So
now Node A has 2 different MACs for the same IP. How is Node A handling
this situation???

Q2. The switch also updates its table of IP/MAC address bindings, so how
is the switch handling this situation???

Is it a "first-come-first-serve" methodology which Node A/Switch takes???

Thanks in advance
Regards,

-- 
Vineet Mehta
Network Security Consultant
Kuwait Linux Company
Kuwait
Ph-2412552/2463633
<vineet [at] linux [dot] com [dot] kw>
www.linux.com.kw

