Security Basics mailing list archives
RE: ARP Spoof Question
From: "The Fueley" <TheFueley () satx rr com>
Date: Wed, 23 Jul 2003 19:09:48 -0500
-----Original Message----- From: Stephane Nasdrovisky [mailto:stephane.nasdrovisky () uniway be] Sent: Wednesday, July 23, 2003 2:05 PM To: vineet () linux com kw Cc: security-basics () securityfocus com Subject: Re: ARP Spoof Question
I have a small question. I was reading about ARP Spoofing and here is my
question.
So when Node B is a attacker he catches the ARP Request and sends his MAC address in reply to Node A.
Node B can also send "gratuitous arp". Basically these are broadcasted arp
replies without any request. Most hosts send gratuitous arp when they boot so that the neibourhood knows about them.
Q1.My Question is, Node C will also reply to that request of Node A. SO now Node A has 2 different MAC for the same IP. How is Node A handling this situation???
Usually, the last arp reply override the existing one. Some ip stack may
decide to make arp replies to their own queries more reliable than gratuitous arps, I'm not sure wether a required behaviour is described in the rfcs.
Q2.The switch also updates its table of IP/MAC address bindings, so how is switch handling this situation???
Switches are layer 2 devices, IP begins at layer 3. A -switch- usually
doesn't understand a single ip bit. The management side of the switch (snmp, http, telnet, whatever) are to be considered as any other networked host. ------------------------ How would that apply to a layer 3 switch/router? Actually the packaging says that I have a Residential Gateway/Router/Firewall. Aren't gateways layer 7 devices? While switches are layer 2 devices, they deal with MAC addresses right? Maybe a "smart" switch knows which MAC addresses are allowed on the network? Or am I missing it all here? --Rivera-- --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: ARP Spoof Question David J. Bianco (Jul 23)
- <Possible follow-ups>
- RE: ARP Spoof Question David Gillett (Jul 23)
- Re: ARP Spoof Question Simon Gray (Jul 23)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- RE: ARP Spoof Question Stuart (Jul 24)
- RE: ARP Spoof Question The Fueley (Jul 24)
- RE: ARP Spoof Question David Gillett (Jul 24)
- Re: ARP Spoof Question Martin Brecher (Jul 28)