MAC Address, ARP, and DHCP Vulnerabilities
Using dynamic ARP inspection to mitigate MAC spoofing attacks

Address Resolution Protocol (ARP) is used to map IP addressing to MAC addresses in a local area network segment where hosts of the same subnet reside. Normally, a host will send out a broadcast ARP request to find the MAC address of another host with a particular IP address and an ARP response will come from the host whose address matches the request. The requesting host will then cache this ARP response.

ARP Spoofing
Within the ARP protocol a provision is made for hosts to perform unsolicited ARP replies. The unsolicited ARP replies are called gratuitous ARPs (GARP). GARP can be exploited maliciously by an attacker to spoof the identity of an IP address on a LAN segment. Typically, this is used to spoof the identity between two hosts or all traffic to and from a default gateway in a Man in the Middle attack.

By crafting an ARP reply, a network attacker can make their system appear to be the destination host sought by the sender. The ARP reply causes the sender to store the MAC address of the attacking system in its ARP cache. This MAC address is also stored by the switch in its CAM table. In this way the network attacker has inserted the MAC address of his or her system into both the CAM table of the switch and the ARP cache of the sender. This allows the network attacker to intercept frames destined for the host that is being spoofed.
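The behaviour described above is visible from the defender's side as an IP-to-MAC mapping that changes without any request having been sent. The following monitor is an added example, not code from the course page: it watches ARP requests and replies on one segment, classifies a reply with no outstanding request as gratuitous, and reports any reply whose sender MAC disagrees with the first MAC learned for that IP. The traffic, the 192.0.2.0/24 addresses and the 00:00:5e:00:53 MAC prefix are constructed sample values.

```python
"""Passive ARP monitor that flags replies rewriting a known IP-to-MAC mapping.
Added example; the traffic below is constructed, not a capture."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    """Observes one segment: remembers outstanding requests and the first MAC
    seen for each IP, and reports any reply that disagrees with it."""

    def __init__(self) -> None:
        self.cache: dict[str, str] = {}   # ip -> mac as first learned
        self.pending: set[str] = set()    # ips with an unanswered request
        self.alerts: list[dict] = []

    def observe(self, pkt: ArpPacket) -> Optional[dict]:
        if pkt.op == "request":
            self.pending.add(pkt.target_ip)
            return None
        # A reply nobody asked for is a gratuitous ARP (GARP).
        gratuitous = pkt.sender_ip not in self.pending
        self.pending.discard(pkt.sender_ip)
        known = self.cache.get(pkt.sender_ip)
        if known is None:
            self.cache[pkt.sender_ip] = pkt.sender_mac
            return None
        if known == pkt.sender_mac:
            return None
        # The conflict is reported, not accepted: the monitor keeps the
        # first-seen MAC so a later consistent reply is not a second alert.
        alert = {"ip": pkt.sender_ip, "old_mac": known,
                 "new_mac": pkt.sender_mac, "gratuitous": gratuitous}
        self.alerts.append(alert)
        return alert


# Constructed traffic: 192.0.2.0/24 and the 00:00:5e:00:53 documentation MACs.
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:00:5e:00:53:01"
HOST_IP, HOST_MAC = "192.0.2.10", "00:00:5e:00:53:10"
OTHER_MAC = "00:00:5e:00:53:aa"

SAMPLE_TRAFFIC = [
    ArpPacket("request", HOST_IP, HOST_MAC, GATEWAY_IP),    # host asks for the gateway
    ArpPacket("reply", GATEWAY_IP, GATEWAY_MAC, HOST_IP),   # real gateway answers
    ArpPacket("reply", GATEWAY_IP, OTHER_MAC, HOST_IP),     # unsolicited reply, other MAC
    ArpPacket("reply", GATEWAY_IP, GATEWAY_MAC, HOST_IP),   # gateway again, consistent
]


def run_sample() -> list[dict]:
    mon = ArpMonitor()
    for pkt in SAMPLE_TRAFFIC:
        mon.observe(pkt)
    return mon.alerts
```

Running `run_sample()` yields one alert: the gateway IP was first learned at `00:00:5e:00:53:01` and an unsolicited reply later claimed it at `00:00:5e:00:53:aa`. A MAC change on its own is evidence rather than proof (a replaced NIC produces the same event), which is why switch-side enforcement with a trusted binding source, covered in the DHCP snooping and DAI sections below, is the stronger control.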

DHCP Snooping
A solution that can be used to mitigate various ARP-based network exploits is the use of DHCP snooping. DHCP snooping provides security by filtering trusted DHCP messages and then using these messages to build and maintain a DHCP snooping binding table. DHCP snooping considers DHCP messages originating from any user-facing port that is not a DHCP server port or an uplink to a DHCP server as untrusted. From a DHCP snooping perspective these untrusted, user-facing ports should not send DHCP server type responses such as DHCPOffer, DHCPAck, or DHCPNak.

DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives the administrator a way to differentiate between untrusted interfaces connected to the end user and trusted interfaces connected to the DHCP server or another switch.

DHCP Snooping Configuration Guidelines
These are the configuration guidelines for DHCP snooping.

  • DHCP snooping must be enabled globally on the switch.
  • DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
  • Before configuring the DHCP information option on the switch, make sure to configure the device that is acting as the DHCP server. For example, you must specify the IP addresses that the DHCP server can assign or exclude, or configure the DHCP options for devices.

The steps to configure DHCP snooping are shown in Figure.

The DHCP Snooping Binding Table
The DHCP snooping binding table contains the MAC address, IP address, lease time, binding type, VLAN number, and interface information corresponding to the local untrusted interfaces of a switch. The table does not have information about hosts interconnected with a trusted port because each interconnected switch has its own DHCP snooping binding table.

An untrusted interface is an interface configured to receive messages from outside the network or firewall. A trusted interface is an interface that is configured to receive only messages from within the network. The DHCP snooping binding table can contain both dynamic as well as static MAC address to IP address bindings.

The show ip dhcp snooping binding command displays the DHCP snooping binding entries for a switch, as shown in Figure.

Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) determines the validity of an ARP packet based on the valid MAC address to IP address bindings stored in a DHCP snooping database. Additionally, DAI can validate ARP packets based on user-configurable ACLs. This allows for the inspection of ARP packets for hosts using statically configured IP addresses. DAI allows for the use of per-port and VLAN Access Control Lists (VACLs) to limit ARP packets for specific IP addresses to specific MAC addresses.

NOTE:

Dynamic ARP Inspection (DAI) is not available on the Cisco Catalyst 2950 switch. DAI is available on Catalyst models 3550 and higher.
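The following model ties the DHCP snooping and DAI sections together. It is an added example written for this page, not Cisco IOS code and not a reproduction of any vendor implementation: a switch object marks ports trusted or untrusted, drops DHCPOffer/DHCPAck/DHCPNak messages that arrive on untrusted ports, builds a binding table row (MAC, IP, lease, binding type, VLAN, interface) from each DHCPAck it forwards, and then uses that table plus a static ARP ACL to validate the sender pair of ARP packets on untrusted ports. The port names, VLAN number, addresses and lease value are constructed, and the ACL handling is simplified: an ACL entry is consulted only for the IP it names, while a real switch applies ACL precedence per the configured filter.

```python
"""Model of DHCP snooping and Dynamic ARP Inspection (DAI) on one switch.
Added example with constructed ports and addresses; not Cisco IOS code."""
from dataclasses import dataclass

# Message types only a DHCP server sends; never accepted from an untrusted port.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass(frozen=True)
class Port:
    name: str
    vlan: int
    trusted: bool      # True for the DHCP server uplink or a switch-to-switch link


@dataclass(frozen=True)
class DhcpMessage:
    kind: str          # DHCPDISCOVER, DHCPREQUEST, DHCPOFFER, DHCPACK, DHCPNAK
    client_mac: str
    yiaddr: str = ""   # address offered or assigned (server messages only)
    lease: int = 0     # lease time in seconds (DHCPACK)


@dataclass(frozen=True)
class Binding:         # one row of the DHCP snooping binding table
    mac: str
    ip: str
    lease: int
    binding_type: str  # "dhcp-snooping" or "static"
    vlan: int
    interface: str


class Switch:
    def __init__(self, ports: list[Port], snooping_vlans: set[int], dai_vlans: set[int]) -> None:
        self.ports = {p.name: p for p in ports}
        self.snooping_vlans = snooping_vlans                # DHCP snooping active here
        self.dai_vlans = dai_vlans                          # DAI active here
        self.bindings: dict[tuple[int, str], Binding] = {}  # (vlan, ip) -> row
        self.client_ports: dict[tuple[int, str], str] = {}  # (vlan, mac) -> port
        self.arp_acl: dict[tuple[int, str], str] = {}       # (vlan, ip) -> mac

    def add_arp_acl(self, vlan: int, ip: str, mac: str) -> None:
        """Static IP-to-MAC entry for a host that does not use DHCP."""
        self.arp_acl[(vlan, ip)] = mac

    def dhcp_in(self, port_name: str, msg: DhcpMessage) -> str:
        """Return 'forward' or 'drop' for a DHCP message entering port_name."""
        port = self.ports[port_name]
        if port.vlan not in self.snooping_vlans:
            return "forward"                     # feature not active on this VLAN
        if msg.kind in SERVER_MESSAGES:
            if not port.trusted:
                return "drop"                    # server reply on a user-facing port
            client_port = self.client_ports.get((port.vlan, msg.client_mac))
            if msg.kind == "DHCPACK" and client_port is not None:
                self.bindings[(port.vlan, msg.yiaddr)] = Binding(
                    msg.client_mac, msg.yiaddr, msg.lease,
                    "dhcp-snooping", port.vlan, client_port)
            return "forward"
        if not port.trusted:                     # remember which port the client is on
            self.client_ports[(port.vlan, msg.client_mac)] = port_name
        return "forward"

    def arp_in(self, port_name: str, sender_mac: str, sender_ip: str) -> str:
        """DAI: check the ARP sender pair against the ARP ACL, then the bindings."""
        port = self.ports[port_name]
        if port.vlan not in self.dai_vlans or port.trusted:
            return "forward"
        acl_mac = self.arp_acl.get((port.vlan, sender_ip))
        if acl_mac is not None:
            return "forward" if acl_mac == sender_mac else "drop"
        binding = self.bindings.get((port.vlan, sender_ip))
        if binding is not None and binding.mac == sender_mac:
            return "forward"
        return "drop"                            # no binding, or MAC does not match


def run_sample() -> tuple[Switch, dict[str, str]]:
    """Constructed scenario: one VLAN, a trusted uplink and two user ports."""
    sw = Switch([Port("Gi0/1", 10, True), Port("Fa0/2", 10, False), Port("Fa0/3", 10, False)],
                snooping_vlans={10}, dai_vlans={10})
    sw.add_arp_acl(10, "192.0.2.1", "00:00:5e:00:53:01")   # statically addressed gateway
    client, other = "00:00:5e:00:53:10", "00:00:5e:00:53:20"
    r = {}
    r["discover"] = sw.dhcp_in("Fa0/2", DhcpMessage("DHCPDISCOVER", client))
    r["rogue_offer"] = sw.dhcp_in("Fa0/3", DhcpMessage("DHCPOFFER", client, "192.0.2.99"))
    r["offer"] = sw.dhcp_in("Gi0/1", DhcpMessage("DHCPOFFER", client, "192.0.2.10"))
    r["ack"] = sw.dhcp_in("Gi0/1", DhcpMessage("DHCPACK", client, "192.0.2.10", 86400))
    r["arp_client"] = sw.arp_in("Fa0/2", client, "192.0.2.10")       # matches binding
    r["arp_spoof_client"] = sw.arp_in("Fa0/3", other, "192.0.2.10")  # wrong MAC for IP
    r["arp_spoof_gateway"] = sw.arp_in("Fa0/3", other, "192.0.2.1")  # ACL mismatch
    r["arp_unbound"] = sw.arp_in("Fa0/3", other, "192.0.2.20")       # no binding at all
    return sw, r
```

After `run_sample()` the `bindings` dictionary holds the same columns that the show ip dhcp snooping binding command displays, with the client recorded on its untrusted port `Fa0/2` even though the DHCPAck itself entered on the trusted uplink. The DHCPOffer injected on `Fa0/3` is dropped by the snooping filter, and each ARP packet whose sender pair matches neither the ACL nor a binding is dropped by DAI, while ARP on the trusted port is never inspected, which is why trust should be granted only to uplinks and real server ports.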
