TP-Link TL-SL3428 Switch User Manual


 
Figure 11-12 Man-In-The-Middle Attack
Suppose there are three Hosts in LAN connected with one another through a switch.
Host A: IP address is 192.168.0.101; MAC address is 00-00-00-11-11-11.
Host B: IP address is 192.168.0.102; MAC address is 00-00-00-22-22-22.
Attacker: IP address is 192.168.0.103; MAC address is 00-00-00-33-33-33.
1. First, the attacker sends the false ARP response packets.
2. Upon receiving the ARP response packets, Host A and Host B updates the ARP table of
their own.
3. When Host A communicates with Host B, it will send the packets to the false destination
MAC address, i.e. to the attacker, according to the updated ARP table.
4. After receiving the communication packets between Host A and Host B, the attacker
processes and forwards the packets to the correct destination MAC address, which
makes Host A and Host B keep a normal-appearing communication.
5. The attacker continuously sends the false ARP packets to the Host A and Host B so as to
make the Hosts always maintain the wrong ARP table.
In the view of Host A and Host B, their packets are directly sent to each other. But in fact, there is a
Man-In-The-Middle stolen the packets information during the communication procedure. This kind
of ARP attack is called Man-In-The-Middle attack.
ARP Flooding Attack
The attacker broadcasts a mass of various fake ARP packets in a network segment to occupy the
network bandwidth viciously, which results in a dramatic slowdown of network speed. Meantime,
the Gateway learns the false IP address-to-MAC address mapping entries from these ARP
packets and updates its ARP table. As a result, the ARP table is fully occupied by the false entries
and unable to learn the ARP entries of legal Hosts, which causes that the legal Hosts can not
access the external network.
151