{"id":645,"date":"2017-04-25T18:05:00","date_gmt":"2017-04-25T18:05:00","guid":{"rendered":"https:\/\/jay-miah.co.uk\/?p=645"},"modified":"2024-11-17T18:10:09","modified_gmt":"2024-11-17T18:10:09","slug":"dynamic-arp-inspection-dai-concept-attack-example-and-implementation","status":"publish","type":"post","link":"https:\/\/jay-miah.co.uk\/index.php\/dynamic-arp-inspection-dai-concept-attack-example-and-implementation\/","title":{"rendered":"Dynamic ARP Inspection (DAI) Concept\/Attack Example and Implementation"},"content":{"rendered":"<p>Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets; by using DAI we can prevent ARP Poisoning\/Spoofing attacks.<\/p>\n<p>The Address Resolution Protocol works the following way:<\/p>\n<p>\u201c192.168.0.1\u201d wants to communicate with \u201c192.168.0.50\u201d; however, the switch does not know how to reach the layer 3 address, as switches only understand L2 addresses. In order to obtain the L2 address for the .50, it must send out a broadcast on the network asking .50 to respond with its MAC address.<\/p>\n<p>The ARP frame is sent as a broadcast on the network using the source IP of \u201c192.168.0.1\u201d; the source MAC address is \u201c78:45:c4:1f:57:0c\u201d. 
The destination IP is \u201c192.168.0.50\u201d; the destination MAC address is unknown.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"748\" height=\"255\" class=\"wp-image-648\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-1.jpeg\" \/><\/p>\n<p>The ARP frame will reach all devices in the same broadcast domain, and the device with the IP \u201c192.168.0.50\u201d will respond with an ARP reply containing its MAC address.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"763\" height=\"280\" class=\"wp-image-649\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-2.jpeg\" \/><\/p>\n<p>The reply says: my source IP is \u201c192.168.0.50\u201d, here is my MAC address of \u201c00:0f:8f:0d:4d:4e\u201d. The target IP is \u201c192.168.0.1\u201d; the target MAC address is \u201c78:45:c4:1f:57:0c\u201d, that of the requester. The MAC address is then cached in the switch\u2019s CAM table for a default of 300 seconds; if data is re-transmitted within this time the entry is updated with a new time-stamp, otherwise the entry is aged out and the ARP process will begin again if required later.<\/p>\n<p>If everyone is playing by the rules, in the ARP reply frame the sender MAC address \u201c00:0f:8f:0d:4d:4e\u201d should match the source Ethernet address, and the target MAC address \u201c78:45:c4:1f:57:0c\u201d should match the source MAC address that was in the original ARP request.<\/p>\n<p>Spoofing attacks take place when the switch receives a \u201cgratuitous\u201d ARP \u2013 an ARP reply with a device\u2019s MAC address without a request from anybody.<\/p>\n<p><strong>For example \u2013<\/strong><\/p>\n<p>Router has the MAC address A<\/p>\n<p>Attacker has MAC address B<\/p>\n<p>PC has a MAC of C<\/p>\n<p>The router knows the PC\u2019s MAC address and the PC knows the router\u2019s MAC address.<\/p>\n<p>The attacker sends a 
gratuitous ARP to the router and says: my IP is that of the PC, but my MAC is actually B (as opposed to the real MAC of C).<\/p>\n<p>If the router believes the request, the router will think the MAC address for the PC is really B.<\/p>\n<p>At the same time the attacker can also send a gratuitous ARP to the PC saying: I\u2019m the router\u2019s IP address and the MAC of the router is B (when it\u2019s actually A).<\/p>\n<p>From there on the attacker\u2019s MAC address B will receive all the packets from the PC and vice versa, and the attacker will likely forward the traffic on to the real devices in both directions.<\/p>\n<p>It\u2019s pretty easy to pull off an attack like this, so it\u2019s a very good idea to take steps to mitigate it with Dynamic ARP Inspection.<\/p>\n<p>Dynamic ARP Inspection is an ingress security feature; it does not perform any egress checking. It is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports. ARP Inspection is enabled globally; once enabled, all ports become untrusted ports. What ARP Inspection does is look at all the ARP traffic coming into the port and make sure it all matches up. ARP Inspection relies on the DHCP snooping binding table as a reference point to verify the mappings of which IP addresses belong to which MAC addresses, and if it doesn\u2019t believe a request it drops the packet.<\/p>\n<p>As devices with static IPs won\u2019t be part of the DHCP snooping table, we would need to manually create an ARP ACL to allow these devices to send ARP replies. The switch first compares ARP packets to user-configured ARP ACLs. 
If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.<\/p>\n<p>In the ACL we can say MAC xyz belongs to IP 192.x.x.x, so when ARP inspection is done at the port it will be successful.<\/p>\n<p>We can also set a port that has a device with a static IP as a \u201cTrusted\u201d port; this will allow ARP messages to come in unchecked. Most of the time we would set all the \u201cTrunk\u201d ports between switches as trusted ports to allow ARP messages to traverse to other switches.<\/p>\n<p>On untrusted ports there is by default a rate limit of 15 pps for ARP messages, to prevent other types of attacks like a ping sweep. Any violation on an untrusted port will put the port into err-disabled state.<\/p>\n<p><strong>ARP Poisoning Attack Example:<\/strong><\/p>\n<p>In this example we will take a look at how simple it is to carry out an ARP spoofing attack. If you are replicating this, make sure it is done in a lab environment and that you have permission beforehand. 
The lab below was created using GNS3, with \u201cKali Linux\u201d running on VMware Workstation connected to port \u201ce0\/2\u201d. In this example we will send gratuitous ARP frames from the \u201cAttacker\u201d machine into the switch and over to PC1; we will inform PC1 that the MAC address for the \u201cInternet Router\u201d is not what it has in its ARP cache but the MAC address we are presenting (which will be the MAC address of the attacker\u2019s machine). This will poison the ARP cache and PC1 will believe the newly presented MAC address.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-650\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-3.jpeg\" width=\"582\" height=\"512\" \/><\/p>\n<p><strong>Step 1.<\/strong> From the \u201cKali Linux\u201d box, let\u2019s make sure we have network connectivity and that we can reach all the devices in VLAN 10.<\/p>\n<p>Ping is successful, which indicates our network has basic connectivity between all the devices.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"574\" height=\"798\" class=\"wp-image-651\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-4.jpeg\" \/><\/p>\n<p><strong>Step 2.<\/strong> Let\u2019s make sure that PC1 has a valid IP address from DHCP and that the interface is up.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1101\" height=\"142\" class=\"wp-image-652\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-5.jpeg\" \/><\/p>\n<p><strong>Step 3.<\/strong> From PC1 let\u2019s ping the \u201cInternet Router\u201d and get it cached into its ARP table:<\/p>\n<p>#ping 192.168.10.250<\/p>\n<p>#show arp<\/p>\n<p>We can see from the output below that ARP has resolved the MAC address of the \u201cInternet Router\u201d, which is \u201caabb.cc00.0831\u201d.<\/p>\n<p><img loading=\"lazy\" 
decoding=\"async\" width=\"1103\" height=\"242\" class=\"wp-image-653\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-6.jpeg\" \/><\/p>\n<p><strong>Step 4.<\/strong> On the \u201cKali Linux\u201d box, let\u2019s send in some gratuitous ARP frames:<\/p>\n<p>#arpspoof \u2013I eth0 \u2013t 192.168.10.100 192.168.10.250<\/p>\n<p>The command is saying: run a continuous ARP spoofing reply through interface \u201ceth0\u201d of the \u201cKali Linux\u201d machine to the IP \u201c192.168.10.100\u201d, claiming the MAC address of \u201c192.168.10.250\u201d is that of \u201ceth0\u201d (the Linux machine).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"771\" height=\"344\" class=\"wp-image-654\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-7.jpeg\" \/><\/p>\n<p><strong>Step 5.<\/strong> On the PC, let\u2019s take a look at the ARP cache:<\/p>\n<p>#show arp<\/p>\n<p>We can see that the ARP entry for the \u201cInternet Router\u201d has now changed, and according to the PC the IP address \u201c192.168.10.100\u201d now has a MAC address of \u201c000c.29c8.110e\u201d, which is the \u201cKali Linux\u201d machine.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"124\" class=\"wp-image-655\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-8.jpeg\" \/><\/p>\n<p><strong>Step 6.<\/strong> Stop the attack from the Kali Linux box with a \u201cCtrl C\u201d and wait for the ARP cache to age out. 
On PC1 perform another ping to \u201c192.168.10.250\u201d, then have a look at the ARP cache again:<\/p>\n<p>#show arp<\/p>\n<p>The entry should now show the original MAC address of the \u201cInternet Router\u201d, as the attack has stopped and the device was able to resolve the L2 address by completing a normal ARP request.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"119\" class=\"wp-image-656\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-9.jpeg\" \/><\/p>\n<p><strong>Step 7.<\/strong> As an additional step, let\u2019s perform a ping sweep to see how the \u201cKali Linux\u201d box is able to scan a subnet to retrieve IP and MAC address information as well as port information.<\/p>\n<p>On the \u201cKali\u201d box use the following:<\/p>\n<p>#nmap 192.168.10.0\/24<\/p>\n<p>From the output below we can see a lot of information regarding this subnet; the application also reports any ports that may be open, so an attacker could use this information against you.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"999\" height=\"692\" class=\"wp-image-657\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-10.jpeg\" \/><\/p>\n<p>Let\u2019s configure DAI to prevent ARP related attacks and put a rate limit on the ports to make sure ping sweeps are not possible.<\/p>\n<p><strong>Configuration Example:<\/strong><\/p>\n<p>In this step-by-step guide, building on the topology used earlier in GNS3, we will implement DAI on the \u201cCORE-SW\u201d. 
We will configure \u201cE0\/0\u201d as a trusted port, and then we will configure an ARP ACL for the \u201cInternet Router\u201d, which has a static IP address, to allow its ARP replies.<\/p>\n<p>Using \u201cKali Linux\u201d we will then perform an \u201cARP spoofing\u201d attack to see how DAI behaves now that we have taken steps to mitigate the attack. The lab has the basic network connectivity required and DHCP snooping has been enabled.<\/p>\n<p>The complete lab configuration can be downloaded here \u2013<\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/Internet-Router.txt\">Internet Router<\/a><\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/CORE-SW-1.txt\">CORE-SW<\/a><\/p>\n<p><a href=\"http:\/\/presspi\/wp-content\/uploads\/2017\/04\/DHCP-Server.txt\">DHCP-Server<\/a><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-658\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-11.jpeg\" width=\"720\" height=\"497\" \/><\/p>\n<p><strong>Step 1.<\/strong> On the \u201cCORE-SW\u201d let\u2019s validate that IP DHCP Snooping is enabled.<\/p>\n<p>#show ip dhcp snooping<\/p>\n<p>From the output below we can see that DHCP snooping is enabled globally, IP DHCP snooping is operational on VLAN 10, and interface \u201ce0\/0\u201d is a trusted port, which will allow DHCP server messages through as the real DHCP server is connected on this port.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"443\" class=\"wp-image-659\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-12.jpeg\" \/><\/p>\n<p><strong>Step 2.<\/strong> Let\u2019s check the snooping binding table \u2013<\/p>\n<p>#show ip dhcp snooping binding<\/p>\n<p>We can see that there are two entries in the table: the first, ending with \u201c0E\u201d, is the \u201cKali 
Linux\u201d machine attached to \u201cethernet0\/2\u201d in VLAN 10; the second, ending with \u201c00\u201d, is the user PC1 connected on port \u201cethernet0\/1\u201d. DHCP has issued both machines an IP and recorded the L2 and L3 addresses in the snooping table. ARP Inspection will use this information to ensure the addresses match.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1099\" height=\"139\" class=\"wp-image-660\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-13.jpeg\" \/><\/p>\n<p><strong>Step 3.<\/strong> Turn on Dynamic ARP Inspection:<\/p>\n<p>#ip arp inspection vlan 10<\/p>\n<p>All ports in VLAN 10 are now untrusted from a DAI perspective.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1100\" height=\"84\" class=\"wp-image-661\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-14.jpeg\" \/><\/p>\n<p><strong>Step 4.<\/strong> Verify that DAI is enabled:<\/p>\n<p>#show ip arp inspection vlan 10<\/p>\n<p>From the output below we can see that Dynamic ARP Inspection is now enabled for VLAN 10.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1104\" height=\"282\" class=\"wp-image-662\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-15.jpeg\" \/><\/p>\n<p><strong>Step 5.<\/strong> From the core switch let\u2019s attempt to ping the \u201cInternet Router\u201d at .250. We can see that the ARP replies are being dropped by the switch on port \u201cE1\/3\u201d, where the \u201cInternet Router\u201d is connected. This is because \u201cE1\/3\u201d is currently an untrusted port, so any ARP replies that come in on this port are inspected, and since the address of the \u201cInternet Router\u201d is not listed in the DHCP snooping table they are dropped.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1104\" height=\"300\" class=\"wp-image-663\" 
src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-16.jpeg\" \/><\/p>\n<p><strong>Step 6.<\/strong> Let\u2019s create an ARP access-list to manually add the IP and MAC of the \u201cInternet Router\u201d to allow its ARP replies.<\/p>\n<p>#conf t<\/p>\n<p>#arp access-list ARP-ACL-01<\/p>\n<p>#permit ip host 192.168.10.250 mac host 000c.29c8.110e<\/p>\n<p>#do show arp access-list<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1100\" height=\"178\" class=\"wp-image-664\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-17.jpeg\" \/><\/p>\n<p><strong>Step 7.<\/strong> Apply the ARP ACL:<\/p>\n<p>#ip arp inspection filter ARP-ACL-01 vlan 10<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1103\" height=\"42\" class=\"wp-image-665\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-18.jpeg\" \/><\/p>\n<p><strong>Step 8.<\/strong> Validate that the ACL has been applied:<\/p>\n<p>#show ip arp inspection vlan 10<\/p>\n<p>We can see that \u201cARP-ACL-01\u201d has been applied.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1100\" height=\"282\" class=\"wp-image-666\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-19.jpeg\" \/><\/p>\n<p><strong>Step 9.<\/strong> Ping should now work, as the ARP replies are now allowed from that MAC address and match the ACL we created.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1103\" height=\"121\" class=\"wp-image-667\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-20.jpeg\" \/><\/p>\n<p>We can also see that the ACL has been matched by checking the \u201cARP inspection statistics\u201d:<\/p>\n<p>#show ip arp inspection statistics<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1101\" height=\"281\" class=\"wp-image-668\" 
src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-21.jpeg\" \/><\/p>\n<p><strong>Step 10.<\/strong> From the switch let\u2019s attempt to ping the DHCP server at .50. We can see that the switch is once again dropping the ARP replies, as the port \u201cE0\/0\u201d is not a trusted port.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1100\" height=\"402\" class=\"wp-image-669\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-22.jpeg\" \/><\/p>\n<p><strong>Step 11.<\/strong> We can trust the port that is connected directly to the DHCP server so that its ARP traffic is not inspected:<\/p>\n<p>#int e0\/0<\/p>\n<p>#ip arp inspection trust<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1099\" height=\"61\" class=\"wp-image-670\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-23.jpeg\" \/><\/p>\n<p><strong>Step 12.<\/strong> Ping should now work, as the ARP replies are no longer being inspected.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"122\" class=\"wp-image-671\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-24.jpeg\" \/><\/p>\n<p><strong>Step 13.<\/strong> To increase security and prevent ping sweeps being performed, let\u2019s configure both user ports with a rate limit on ARP packets. 
The default violation action will put the port into \u201cerr-disabled\u201d state.<\/p>\n<p>#int e0\/1<\/p>\n<p>#ip arp inspection limit rate 10<\/p>\n<p>#int e0\/2<\/p>\n<p>#ip arp inspection limit rate 10<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1099\" height=\"140\" class=\"wp-image-672\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-25.jpeg\" \/><\/p>\n<p><strong>Step 14.<\/strong> On the \u201cCORE-SW\u201d verify that the DHCP snooping table has the correct MAC address for the \u201cKali Linux\u201d machine:<\/p>\n<p>#show ip dhcp snooping binding<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1100\" height=\"160\" class=\"wp-image-673\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-26.jpeg\" \/><\/p>\n<p>On the \u201cKali Linux\u201d machine verify its interface MAC address.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1003\" height=\"174\" class=\"wp-image-674\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-27.jpeg\" \/><\/p>\n<p>From the Kali Linux machine verify connectivity by pinging the \u201cCORE-SW\u201d and the \u201cInternet Router\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1002\" height=\"293\" class=\"wp-image-675\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-28.jpeg\" \/><\/p>\n<p>On the user PC1 verify the IP address:<\/p>\n<p>#show ip int brief<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1102\" height=\"121\" class=\"wp-image-676\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-29.jpeg\" \/><\/p>\n<p><strong>Step 15.<\/strong> From the \u201cKali Linux\u201d machine launch the ARP spoofing attack:<\/p>\n<p>#arpspoof \u2013t eth0 192.168.10.102 192.168.10.254<\/p>\n<p>The above 
command is saying: run a continuous ARP spoofing reply through interface \u201ceth0\u201d of the \u201cKali Linux\u201d machine to the IP \u201c192.168.10.102\u201d, claiming the MAC address of \u201c192.168.10.250\u201d is that of \u201ceth0\u201d (the Linux machine).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1006\" height=\"275\" class=\"wp-image-677\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-30.jpeg\" \/><\/p>\n<p>We see instantly on the \u201cCORE-SW\u201d that the traffic is being dropped on interface \u201cE0\/2\u201d, where the \u201cKali Linux\u201d machine is connected. This is what we want: the attacker is not able to poison the ARP cache, as DAI is now doing its job.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1104\" height=\"679\" class=\"wp-image-678\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-31.jpeg\" \/><\/p>\n<p><strong>Step 16.<\/strong> On the \u201cKali Linux\u201d machine let\u2019s try and run a ping sweep:<\/p>\n<p>#nmap 192.168.10.0\/24<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"999\" height=\"95\" class=\"wp-image-679\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-32.jpeg\" \/><\/p>\n<p>On the switch we can see that the ARP requests flooded the port at more than 10 packets per second, and therefore a violation occurred which \u201cerr-disabled\u201d the port.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1101\" height=\"180\" class=\"wp-image-680\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-33.jpeg\" \/><\/p>\n<p>#show interface status err-disabled<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1104\" height=\"101\" class=\"wp-image-681\" 
src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-34.jpeg\" \/><\/p>\n<p><strong>Step 17.<\/strong> In a large organisation you may want to enable auto recovery of the ports to reduce the administration overhead; to do this we simply set the port to recover after 30 seconds.<\/p>\n<p>#conf t<\/p>\n<p>#errdisable recovery cause arp-inspection<\/p>\n<p>#errdisable recovery interval 30<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1105\" height=\"100\" class=\"wp-image-682\" src=\"https:\/\/jay-miah.co.uk\/wp-content\/uploads\/2024\/11\/word-image-645-35.jpeg\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dynamic ARP Inspection is a security feature that rejects invalid and malicious ARP packets, by using DAI we can prevent ARP Poisoning\/Spoofing Attacks. The Address<\/p>\n","protected":false},"author":1,"featured_media":647,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,9],"tags":[71,73,76,74,72,25,75],"class_list":["post-645","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-switching","tag-arp-cache","tag-arp-poisoning","tag-arp-spoofing","tag-dai","tag-dynamic-arp-inspection","tag-kali-linux","tag-tagsarp"],"_links":{"self":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/645","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=645"}],"version-history":[{"count":1,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/645\/revisions"}],"predecessor-version
":[{"id":683,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/645\/revisions\/683"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media\/647"}],"wp:attachment":[{"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=645"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=645"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jay-miah.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=645"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}