In a live network, you might (a) replace the NIC in a machine (perhaps later installing the removed NIC in a different machine), and (b) move a machine from one switch port to another. So the way node A, and the switch, handle this is to just keep the last information they saw. Node B can reply more than once to the ARP request from A, and could even send out a gratuitous ARP (broadcast ARP reply for which no request was received) periodically. The windows during which a sender has the real address of C can be made quite small.
(Note that if B wants to remain undetected, he needs to forward those packets to C. So in fact, any time B sees an ARP request for C, it should issue its own ARP for C as well. It's pretty safe to assume that when it gets an answer from C, C has already sent its answer to A and so B can send a reply to A without fear that it will arrive before C's. Here's some good logic for B:

  when you see a broadcast ARP request for C
    send a broadcast ARP response advertising your MAC address as C's
    if the ARP request didn't come from us
      send a broadcast ARP request for C

Note that the sent request (last line) will be seen and trigger an additional response (first two lines) but the "if" prevents it from looping infinitely.)

David Gillett

> -----Original Message-----
> From: Vineet Mehta [mailto:[EMAIL PROTECTED]
> Sent: July 22, 2003 22:22
> To: [EMAIL PROTECTED]
> Subject: ARP Spoof Question
>
> Hi all members,
>
> I have a small question. I was reading about ARP Spoofing and here is my
> question.
>
> When Node A wants to send some packets to Node C, it sends an ARP
> Broadcast to find out the MAC address of Node C. This broadcast reaches
> all nodes in a network in a switched or Hub network. So when Node B is an
> attacker he catches the ARP Request and sends his MAC address in reply
> to Node A. This way Node B gets the packets destined for Node C.
>
> Q1. My question is, Node C will also reply to that request of Node A. So
> now Node A has 2 different MACs for the same IP. How is Node A handling
> this situation???
>
> Q2. The switch also updates its table of IP/MAC address bindings, so how
> is the switch handling this situation???
>
> Is it a "first-come-first-serve" methodology which Node A/Switch takes???
>
> Thanks in advance
> Regards,
>
> --
> Vineet Mehta
> Network Security Consultant
> Kuwait Linux Company
> Kuwait
> Ph-2412552/2463633
> <vineet [at] linux [dot] com [dot] kw>
> www.linux.com.kw
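
The last-seen-wins behaviour discussed in this thread is also what a monitoring host can key on. The following is an added example, not part of either message: a small Python monitor that mirrors such a cache and flags a changed IP/MAC binding or a reply for which no request was seen. The class and function names, addresses and packets are constructed for illustration.

```python
import struct
from socket import inet_aton, inet_ntoa

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body (28 bytes)

def make_arp(oper, sha, spa, tpa):
    """Build a constructed ARP body; oper 1 = request, 2 = reply."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha.replace(":", "")), inet_aton(spa),
                       b"\x00" * 6, inet_aton(tpa))

def parse_arp(body):
    """Return (oper, sender MAC, sender IP, target IP) from an ARP body."""
    f = struct.unpack(ARP_FMT, body[:28])
    return f[4], ":".join(f"{b:02x}" for b in f[5]), inet_ntoa(f[6]), inet_ntoa(f[8])

class ArpWatch:
    """Mirrors a last-seen-wins ARP cache and records suspicious updates."""
    def __init__(self):
        self.cache = {}         # IP -> MAC, overwritten by the newest packet
        self.requested = set()  # IPs some host has asked about (never expired here)
        self.alerts = []

    def feed(self, body):
        oper, mac, sender_ip, target_ip = parse_arp(body)
        if oper == 1:
            self.requested.add(target_ip)
        elif oper == 2 and sender_ip not in self.requested:
            # Reply with no matching request: gratuitous or forged.
            self.alerts.append(("unsolicited-reply", sender_ip, mac))
        old = self.cache.get(sender_ip)
        if old is not None and old != mac:
            # Same IP now claimed by a different MAC: new NIC or spoofing.
            self.alerts.append(("binding-changed", sender_ip, old, mac))
        self.cache[sender_ip] = mac

def demo():
    """Replay constructed traffic for hosts A, B and C on 10.0.0.0/24."""
    A, B, C = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
    watch = ArpWatch()
    for pkt in (make_arp(1, A, "10.0.0.1", "10.0.0.3"),   # A asks for C
                make_arp(2, C, "10.0.0.3", "10.0.0.1"),   # C answers
                make_arp(2, B, "10.0.0.3", "10.0.0.1"),   # B also claims C's IP
                make_arp(2, B, "10.0.0.4", "10.0.0.1")):  # reply nobody asked for
        watch.feed(pkt)
    return watch

if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

A binding change is a prompt to investigate rather than proof of spoofing, since a replaced NIC produces the same signal.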