Dynamic ARP Inspection
Introduction: DAI is a Layer 2 security feature configured on switches. It monitors incoming ARP messages on untrusted ports. To filter them, DAI compares these messages against the DHCP snooping binding table and any configured ARP ACLs. If an ARP message does not match a table entry, the switch discards the packet.
To understand how DAI prevents the attack, you first have to understand normal ARP and gratuitous ARP (GARP).
Normally, a host uses ARP when it knows the IP address of another host and wants to learn that host’s MAC address.
Here, PC1 knows the router's IP address, but it also needs the router's MAC address to send traffic outside the network. So PC1 sends an ARP request for router 1. The ARP request is broadcast to all devices on that network, but only router 1 accepts it, because the frame carries router 1's IP address.
In response, the router sends an ARP reply to PC1 with its MAC address in the frame. The ARP reply is unicast.
After exchanging these messages, both the router and the PC have each other's MAC address in their ARP tables.
This is normal ARP.
What is Gratuitous ARP?
It is an ARP reply that is sent without receiving an ARP request.
It is sent to the Ethernet broadcast destination address so that all hosts in the subnet receive the message. For example, when a host's MAC address changes, it sends a gratuitous ARP reply to all other hosts in the subnet so that they can update their ARP tables.
So there is one difference: a normal ARP reply is unicast and a GARP reply is broadcast.
How do attackers take advantage of GARP?
Let's understand this with an example.
In this diagram, there are two PCs: PC1 (IP: 172.16.2.101, MAC: MAC1) and PC A (MAC: MAC A). Here, PC A is an attacker that sends a GARP to the other devices on that network. Notice one thing in this ARP reply: the IP address is PC1's IP address.
Normally, a PC sends a GARP to inform the other hosts that it has changed its MAC address and is announcing the new MAC address in this message, so that all other hosts can update their ARP tables.
But attackers use GARP in a bad way. Here the attacker's purpose in sending a GARP is to make the other hosts update their ARP tables with the wrong MAC address. This way, whenever they send a message, PC A receives it, saves a copy, and then forwards it to the real recipient, PC1.
This is a man-in-the-middle type of attack. To prevent this type of man-in-the-middle attack, DAI is configured on switches.
How does dynamic ARP inspection (DAI) work against attacks?
For untrusted ports, DAI compares the ARP message's origin (sender) IP and origin MAC address fields to the DHCP snooping binding table. If the pair is found in the table, DAI allows the ARP message; otherwise it discards the ARP.
This is the same example as above; the only difference is that here DAI is configured on switch 2. So when PC A sends an ARP, the switch first checks the origin IP and origin MAC address against its DHCP snooping binding table. You can see in the figure that IP 172.16.2.101 is mapped to MAC1, while the ARP message has origin IP 172.16.2.101 and MAC: MAC A. Since the origin IP and MAC do not match the DHCP snooping binding table entry, the switch drops the packet.
For filtering ARP messages, DAI also checks the source MAC field in the Ethernet header and the origin hardware address field in the ARP message. Both fields must have the same value; only then does DAI allow the message.
Note: Like DHCP snooping, DAI also uses the concept of trusted and untrusted ports. Ports facing endpoints are considered untrusted, and ports facing other network devices, such as servers and routers, are considered trusted.
Use the rate-limiting command to avoid DoS attacks:
DHCP snooping and DAI both do their work in the switch CPU, so there is a possibility of a denial-of-service (DoS) attack: by sending a large number of requests, attackers can achieve their goal. The CPU has limited memory; it cannot handle a large number of requests at once. To avoid this, the rate-limiting command should be configured on each port.
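The following is an added example, not code from the article or from any switch vendor: a small Python model of the DAI decision logic described in the sections above, the binding-table check and the Ethernet-source-MAC versus ARP-sender-MAC check, the trusted/untrusted port distinction from the note, and the per-port rate limit from this section. All addresses, port names and frames are constructed; the MAC strings stand in for the article's "MAC1" and "MAC A", and the 15 packets-per-second limit is Cisco's default for untrusted ports (your platform's default may differ).

```python
"""Toy model of the Dynamic ARP Inspection (DAI) decision logic described above.

Constructed example, not switch code: the binding table, port roles and ARP
frames are made up, with IP/MAC values chosen to match the article's PC1 / PC A
scenario ("MAC1" and "MAC A" are represented by constructed addresses).
"""
from collections import defaultdict
from dataclasses import dataclass

MAC1 = "00:00:00:00:00:01"   # constructed stand-in for the article's "MAC1" (PC1)
MAC2 = "00:00:00:00:00:02"   # constructed, a second legitimate host
MAC_A = "00:00:00:00:00:aa"  # constructed stand-in for "MAC A" (PC A, the attacker)
MAC_R = "00:00:00:00:00:ee"  # constructed, router 1

# DHCP snooping binding table: IP -> MAC pairs the switch learned from DHCP.
BINDING_TABLE = {
    "172.16.2.101": MAC1,   # PC1, as in the article's figure
    "172.16.2.102": MAC2,
}

# Ports facing routers/servers are trusted and bypass inspection; endpoint ports are untrusted.
TRUSTED_PORTS = {"Gi0/24"}

# ARP frames per second allowed on an untrusted port before it is err-disabled
# (15 pps is Cisco's default for untrusted ports; assumed here).
RATE_LIMIT_PPS = 15


@dataclass(frozen=True)
class ArpFrame:
    """The fields DAI inspects: Ethernet source MAC plus the ARP sender ("origin") IP and MAC."""
    in_port: str
    eth_src_mac: str
    arp_sender_ip: str
    arp_sender_mac: str
    second: int  # arrival time in whole seconds, used only for the rate limit


class DaiSwitch:
    """Holds the per-port state a switch keeps: ARP counters and err-disabled ports."""

    def __init__(self):
        self.counters = defaultdict(int)   # (port, second) -> ARP frames seen
        self.errdisabled = set()

    def inspect(self, f: ArpFrame) -> str:
        # 1. Trusted ports are not inspected at all.
        if f.in_port in TRUSTED_PORTS:
            return "forward"
        # 2. A port already shut down by the rate limiter drops everything.
        if f.in_port in self.errdisabled:
            return "drop-errdisabled"
        # 3. Rate limit: too many ARP frames in one second err-disables the port.
        key = (f.in_port, f.second)
        self.counters[key] += 1
        if self.counters[key] > RATE_LIMIT_PPS:
            self.errdisabled.add(f.in_port)
            return "drop-rate-limit"
        # 4. Ethernet source MAC must equal the ARP sender hardware address.
        if f.eth_src_mac.lower() != f.arp_sender_mac.lower():
            return "drop-mac-inconsistent"
        # 5. The sender IP/MAC pair must exist in the DHCP snooping binding table.
        if BINDING_TABLE.get(f.arp_sender_ip, "").lower() != f.arp_sender_mac.lower():
            return "drop-binding-mismatch"
        return "forward"


def run_scenario() -> dict:
    """Replay the article's scenario plus an ARP flood; returns each case's verdict."""
    sw = DaiSwitch()
    results = {}
    # PC1 announces its own, correct IP/MAC pair: allowed.
    results["pc1_legit_garp"] = sw.inspect(ArpFrame("Gi0/1", MAC1, "172.16.2.101", MAC1, 0))
    # PC A claims PC1's IP with its own MAC: the binding table says otherwise.
    results["pca_spoofed_garp"] = sw.inspect(ArpFrame("Gi0/2", MAC_A, "172.16.2.101", MAC_A, 0))
    # PC A copies MAC1 into the Ethernet header but leaves MAC A in the ARP body.
    results["pca_inconsistent_macs"] = sw.inspect(ArpFrame("Gi0/2", MAC1, "172.16.2.101", MAC_A, 0))
    # Router on the trusted port: not in the binding table, still forwarded.
    results["router_reply_trusted"] = sw.inspect(ArpFrame("Gi0/24", MAC_R, "172.16.2.1", MAC_R, 0))
    # 20 valid ARP frames in one second from Gi0/3: 15 pass, the 16th trips the limit,
    # and the remaining 4 are dropped because the port is now err-disabled.
    flood = [sw.inspect(ArpFrame("Gi0/3", MAC2, "172.16.2.102", MAC2, 1)) for _ in range(20)]
    results["flood_forwarded"] = flood.count("forward")
    results["flood_first_drop"] = flood[RATE_LIMIT_PPS]
    results["flood_errdisabled"] = flood.count("drop-errdisabled")
    results["errdisabled_ports"] = sorted(sw.errdisabled)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:24} {verdict}")
```

The order of the checks matters for operations: the rate limit runs before the content checks, so a flood of even well-formed ARP frames takes the port down rather than consuming CPU on binding lookups, which is the point of the section above. On Cisco IOS switches the corresponding knobs are `ip arp inspection vlan`, `ip arp inspection trust` on the uplink and router-facing interfaces, and `ip arp inspection limit rate` on the untrusted ones.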