Configuring IP DHCP Snooping and Dynamic ARP Inspection to mitigate against ARP spoofing attacks
1. DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, also referred to as a DHCP snooping binding table.
2. For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces.
3. The switch drops a DHCP packet when one of these situations occurs:
- A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall.
- A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
- The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
- A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information to an untrusted port.
5. You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range global configuration command, where vlan-range is the VLAN or range of VLANs to protect.
6. Address Resolution Protocol (ARP) poisoning is a type of attack in which the attacker alters the Media Access Control (MAC) address that hosts associate with an IP address. Also called an ARP spoofing attack, it is effective against both wired and wireless local networks. Some of the things an attacker could do with ARP poisoning include stealing data from the compromised computers, eavesdropping using man-in-the-middle methods, and preventing legitimate access to services, such as Internet service.
7. Scenario:
User A will contact DLS1 (172.16.1.1) to obtain an IP address via DHCP. This will create an entry in the DHCP binding table on DLS1. “Attacker” will be on the same VLAN 1 as User A and will attempt to spoof an invalid MAC address using Cain & Abel software. This will send out a gratuitous ARP, updating the ARP entry for 172.16.1.1 on User A and the ARP entry for 172.16.1.2 on DLS1. User A will send packets to the attacker thinking it is sending to the default gateway. This is called a “man-in-the-middle” attack.
8. Topology
9. Configuration
a. Configure DLS1 as a DHCP server and configure DHCP snooping
b.
c. Verify DHCP Snooping picked up laptop’s DHCP binding:
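The configuration for steps a to c exists on the original page only as screenshots. The following is an added example, not the author's own configuration, of a Cisco IOS configuration for DLS1 that carries out those steps and item 5 above: DLS1 acting as the DHCP server on the VLAN 1 SVI (172.16.1.1 from the scenario), DHCP snooping on VLAN 1, dynamic ARP inspection on VLAN 1, and the show commands used to verify that the binding for User A's laptop was learned. The interface names (GigabitEthernet1/0/1 as a trusted uplink, GigabitEthernet1/0/10 and 1/0/11 as the access ports for User A and the attacker), the pool name, the excluded-address range and the flash path are assumptions.

```cisco
! Added example (not from the original page): DLS1 as DHCP server,
! DHCP snooping and DAI on VLAN 1. Interface names, pool name,
! excluded range and flash path are assumptions.
!
! --- Step a, part 1: DHCP server on the VLAN 1 SVI ---
ip dhcp excluded-address 172.16.1.1 172.16.1.9
ip dhcp pool VLAN1-POOL
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 no shutdown
!
! --- Step a, part 2: DHCP snooping builds the binding table from
!     client leases seen on VLAN 1 ---
ip dhcp snooping
ip dhcp snooping vlan 1
! Option-82 insertion is not needed in a single-switch lab with no relay agent
no ip dhcp snooping information option
! Keep bindings across a reload so DAI still has data after a reboot (assumed path)
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- Item 5: Dynamic ARP Inspection checks every ARP on VLAN 1 against
!     the snooping bindings; a gratuitous ARP claiming 172.16.1.1 from
!     the attacker's port has no matching binding and is dropped ---
ip arp inspection vlan 1
! Additionally require the Ethernet source MAC to match the ARP sender MAC,
! the destination MAC to match the ARP target MAC, and sane IP addresses
ip arp inspection validate src-mac dst-mac ip
!
! Trusted uplink (if another DHCP server or switch sits behind it)
interface GigabitEthernet1/0/1
 description Trusted uplink (assumed)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports for User A and "Attacker": untrusted (the default) and
! rate-limited so an ARP flood err-disables the port instead of the CPU
interface range GigabitEthernet1/0/10 - 11
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast
 ip arp inspection limit rate 15
!
! --- Step c: verification ---
! show ip dhcp snooping                      -> snooping on VLAN 1, trusted ports
! show ip dhcp snooping binding              -> laptop MAC / 172.16.1.x / VLAN 1 / Gi1/0/10
! show ip arp inspection vlan 1              -> DAI active, validation options
! show ip arp inspection interfaces          -> trust state and rate limit per port
! show ip arp inspection statistics vlan 1   -> DHCP Drops / invalid counters rise
!                                               when the spoofed ARP is sent
```

After User A obtains a lease, show ip dhcp snooping binding should list the laptop's MAC, its 172.16.1.x address, VLAN 1 and the port it is plugged into; if the entry is missing, the usual causes are snooping not enabled for the VLAN, the lease having been obtained before snooping was turned on (renew it), or the client port having been set to trusted. Once the binding exists, the attacker's gratuitous ARP is dropped on ingress and the drop shows up in the DAI statistics counters, which is the evidence a defender wants logged.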
Additional reading:
1. Good flash animation on how ARP poisoning works: http://www.oxid.it/downloads/apr-intro.swf
2. Intro to ARP cache poisoning: http://www.grc.com/nat/arp.htm