
ARP Part 3 | ARP Hardening: Dynamic ARP Inspection

  • Writer: David Dawson
  • Dec 9, 2018
  • 2 min read

Posts in this series:

  • ARP Defined
  • ARP Threat Exposure: ARP Spoofing
  • ARP Hardening: Dynamic ARP Inspection


Dynamic ARP Inspection

DAI is designed to prevent the layer 2 abuse of ARP that leads to the denial-of-service and man-in-the-middle attacks demonstrated in the previous ARP post. On a VLAN where DAI is enabled, the switch intercepts every ARP request and reply arriving on an untrusted port and discards any whose sender IP-to-MAC binding is invalid, using the switch's DHCP snooping binding database as the source of truth. ARP arriving on a port configured as trusted for DAI is forwarded without inspection, so DAI trust should only be given to ports facing other DAI-protected switches or devices you control.


DAI therefore depends on DHCP snooping, which tracks the DHCP exchanges that pass through the switch and builds a binding table recording, for each lease:

  • the client's MAC address
  • the leased IP address
  • the VLAN
  • the remaining DHCP lease time
  • the switch port on which the request originated

Hosts with static IP addresses never go through DHCP, so they never appear in this table. Their bindings must be added to the DHCP snooping database manually (as is done for the default gateway below), otherwise their ARP messages will be discarded.


Each intercepted ARP is vetted by looking up its sender MAC address and sender IP address, on the VLAN it arrived on, in the DHCP snooping database. If there is no entry for that MAC and IP, or the entry was learned on a different switch port from the one the ARP arrived on, the ARP is discarded. Only an ARP whose sender addresses match a binding on the receiving port is forwarded and allowed to update other hosts' ARP caches.


To enable DHCP snooping we can use the following commands on the switch:

Switch(config)#ip dhcp snooping                 ! Enable DHCP snooping globally
Switch(config)#ip dhcp snooping vlan 3          ! Activate it only on VLAN 3
Switch(config)#interface g0/1                   ! g0/1 is the port attached to the DHCP server
Switch(config-if)#ip dhcp snooping trust        ! Allow this port to transit DHCP server traffic

Two things to check after enabling snooping: DHCP server messages (OFFER, ACK) arriving on an untrusted port are dropped, so every port that can carry traffic from a DHCP server or relay, including uplinks to other switches, must be marked trusted; and by default the switch inserts DHCP option 82 into the requests it forwards, which some DHCP servers reject, so confirm that clients still obtain leases once snooping is on.


Now that the database is listening, I've triggered a DHCP lease request from the administrator computer, and you can see it show up in the snooping database here.

Here are the commands used to enable Dynamic ARP Inspection on VLAN 3 and to add a static binding for the default gateway. The gateway has a static IP address and therefore never appears in the DHCP snooping database, so without this entry its ARP replies would be discarded. Note that trust for DHCP snooping and trust for DAI are configured separately: marking G0/1 as DHCP snooping trusted above does not exempt the ARP traffic on that port from inspection, which is why the static binding is added here.

Switch(config)#ip arp inspection vlan 3                                              ! Enable DAI on VLAN 3
Switch(config)#ip source binding fa16.3ef0.1914 vlan 3 172.17.4.1 interface G0/1     ! Static binding: gateway MAC and IP on G0/1
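To make the decision described above concrete, here is an added example (not code from the post or from the switch) that models the DAI check: a binding table populated the way DHCP snooping and ip source binding populate it, then ARP frames checked the way DAI checks them on untrusted ports. The gateway MAC, IP and port are the ones from the post; the administrator and attacker MACs, IPs and ports, and the port names G0/2 and G0/3, are constructed for the example. It also models the optional source MAC validation (ip arp inspection validate src-mac), which the post does not enable.

```python
"""Model of the Dynamic ARP Inspection decision on untrusted ports.

Constructed example, not the switch's own code: bindings are entered the way
DHCP snooping (learned leases) and 'ip source binding' (static entries) enter
them, and ARP frames are judged the way DAI judges them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def norm_mac(mac: str) -> str:
    """Accept aabb.ccdd.eeff (Cisco), aa:bb:cc:dd:ee:ff or aa-bb-... and return 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    mac: str          # normalised MAC
    ip: str
    vlan: int
    interface: str    # port the binding belongs to
    source: str       # "dhcp-snooping" or "static"


@dataclass(frozen=True)
class ArpFrame:
    vlan: int
    in_interface: str
    eth_src: str      # Ethernet source MAC of the frame
    sender_mac: str   # ARP sender hardware address (the claim DAI checks)
    sender_ip: str    # ARP sender protocol address
    opcode: int       # 1 = request, 2 = reply


class DaiSwitch:
    def __init__(self, dai_vlans, dai_trusted=(), validate_src_mac=False):
        self.dai_vlans = set(dai_vlans)             # 'ip arp inspection vlan ...'
        self.dai_trusted = set(dai_trusted)         # ports with 'ip arp inspection trust'
        self.validate_src_mac = validate_src_mac    # 'ip arp inspection validate src-mac'
        self.bindings: Dict[Tuple[int, str, str], Binding] = {}
        self.forwarded = 0
        self.dropped = 0

    def _bind(self, mac, ip, vlan, interface, source) -> Binding:
        b = Binding(norm_mac(mac), ip, vlan, interface, source)
        self.bindings[(vlan, b.mac, ip)] = b
        return b

    def dhcp_lease_seen(self, mac, ip, vlan, interface) -> Binding:
        """DHCP snooping learned a lease for a client on an untrusted port."""
        return self._bind(mac, ip, vlan, interface, "dhcp-snooping")

    def ip_source_binding(self, mac, vlan, ip, interface) -> Binding:
        """Static entry, like 'ip source binding <mac> vlan <n> <ip> interface <port>'."""
        return self._bind(mac, ip, vlan, interface, "static")

    def _verdict(self, forward: bool, reason: str) -> Tuple[bool, str]:
        if forward:
            self.forwarded += 1
        else:
            self.dropped += 1
        return forward, reason

    def inspect(self, f: ArpFrame) -> Tuple[bool, str]:
        """Return (forward?, reason) for one ARP request or reply."""
        if f.vlan not in self.dai_vlans:
            return self._verdict(True, "VLAN not inspected")
        if f.in_interface in self.dai_trusted:
            return self._verdict(True, "trusted interface, no check")
        if self.validate_src_mac and norm_mac(f.eth_src) != norm_mac(f.sender_mac):
            return self._verdict(False, "Ethernet source MAC != ARP sender MAC")
        b = self.bindings.get((f.vlan, norm_mac(f.sender_mac), f.sender_ip))
        if b is None:
            return self._verdict(False, "no binding for sender MAC/IP on this VLAN")
        if b.interface != f.in_interface:
            return self._verdict(False, f"binding is on {b.interface}, frame came in on {f.in_interface}")
        return self._verdict(True, f"matches {b.source} binding")


GATEWAY_MAC, GATEWAY_IP = "fa16.3ef0.1914", "172.17.4.1"      # from the post
ADMIN_MAC, ADMIN_IP = "fa16.3e00.0a0a", "172.17.4.50"         # constructed
ATTACKER_MAC, ATTACKER_IP = "fa16.3e00.0bad", "172.17.4.66"   # constructed


def build_lab_switch() -> DaiSwitch:
    sw = DaiSwitch(dai_vlans=[3], validate_src_mac=True)
    sw.ip_source_binding(GATEWAY_MAC, 3, GATEWAY_IP, "G0/1")  # static gateway entry
    sw.dhcp_lease_seen(ADMIN_MAC, ADMIN_IP, 3, "G0/2")        # admin PC got a lease
    sw.dhcp_lease_seen(ATTACKER_MAC, ATTACKER_IP, 3, "G0/3")  # attacker also got a lease
    return sw


def run_demo() -> List[Tuple[str, bool, str]]:
    sw = build_lab_switch()
    frames = [
        ("gateway replies to admin",        ArpFrame(3, "G0/1", GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, 2)),
        ("admin asks who has the gateway",  ArpFrame(3, "G0/2", ADMIN_MAC, ADMIN_MAC, ADMIN_IP, 1)),
        ("attacker claims gateway IP",      ArpFrame(3, "G0/3", ATTACKER_MAC, ATTACKER_MAC, GATEWAY_IP, 2)),
        ("attacker clones gateway MAC+IP",  ArpFrame(3, "G0/3", GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, 2)),
        ("attacker lies only in ARP body",  ArpFrame(3, "G0/3", ATTACKER_MAC, GATEWAY_MAC, GATEWAY_IP, 2)),
        ("other VLAN, DAI not enabled",     ArpFrame(10, "G0/3", ATTACKER_MAC, ATTACKER_MAC, GATEWAY_IP, 2)),
    ]
    return [(name, *sw.inspect(f)) for name, f in frames]


if __name__ == "__main__":
    for name, ok, why in run_demo():
        print(f"{'FORWARD' if ok else 'DROP   '}  {name}: {why}")
```

The third and fourth frames are the two forms the spoofing tool from the previous post can take: announcing the gateway's IP with the attacker's own MAC (no binding exists for that pair) or cloning the gateway's MAC as well (the binding exists, but on G0/1, not on the attacker's port). The last frame shows the main operational gap: DAI is per-VLAN, so a VLAN that was never listed in ip arp inspection vlan is not protected at all.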


Now we can attempt to reproduce the man-in-the-middle attack from the previous post with the ARP spoofing tool, but this time DAI blocks the spoofed ARPs, as illustrated below:

Consoled into the switch, we can see these malicious ARPs being discarded (DAI logs each denied ARP with the receiving port, the VLAN and the sender addresses it carried):


Checking the administrator computer's ARP cache, we can confirm that the legitimate entry for its default gateway is still present:


©2020 Packet Orbit