Saturday, September 17, 2016

Leave a Comment

Dynamic ARP Inspection

A really common Man-in-Middle (MIN) Attack is a “Gratuitous ARP” (MIM) Attack.
First up we got PC1 and its pointing to a Default Gateway, may be a learned via DHCP of

                    And it has also learned via ARP the (Address Resolution Protocol). That has a Mac-address of all DDDD.DDDD.DDDD for make us easier to visualize, and when this PC is sending out of frame to the internet, that frame is destined Layer2 for the default gateway mac-address. And normally here how it works. The PC will send the traffic to the default gateway.
The default gateway knows how to forward the traffic out to the destination on the internet.
                            However, let’s say that an attacker gains access to this network to this subnet. Where PC1 is located and will say that the attacker PC has a Mac-address of all AAAA.AAAA. AAAA

                        When the Attacker is going to do with a Gratuitous ARP Man-in-Middle Attack is, it going to send a “Gratuitous ARP reply” another words an “Unsolicited ARP reply”. Telling PC1 “Hey, the mac-address for, the default gateway is actually all AAAA.AAAA. AAAA”. it sends the “Unsolicited ARP or Gratuitous ARP Reply” saying that “the mac-address for your default gateway is really my mac-address”.

                  And the PC1 might see that and say “I need to update my ARP cache to have this new mac-address for my default gateway”. Now when it forward the frame destined for the internet with a Layer2 destination of a default gateway, that Layer2 destination mac-address is gonna be Attacker mac-address. The traffic is gonna flow to the Attackers PC and attacker can then capture that traffic and then send the traffic out on the internet. That’s the way The PC doesn’t know anything is going on because the traffic did make it out to the internet. There session is working.
                     Meanwhile the attacker has injected themselves in this path. That’s why is called Man-in-Middle Attack. Cisco gives us feature called “Dynamic ARP Inspection (DAI)” that we can enable on cisco catalyst switches to prevent this type of attack

Configuration: -
                    Dynamic ARP Inspection is going to be enable on some of the port on our switch. We can either “Trusted or Untrusted” Ports, much like DHCP Snooping and, if the port is Untrusted, it gonna intercept and ARP message coming into that Port and it’s gonna make sure that the context of that ARP message are consistent with the IP to Mac-address bindings. These binding were build using DHCP Snooping.

ü  So we enable DHCP Snooping and then
ü  We enable Dynamic ARP Inspection (DAI)

If you Don’t Know About Click on DHCP Snooping

Here on Switch Sw1, I have already enabled that DHCP snooping. We did that in Prior Topic.

        If you Don’t Know About Click on DHCP Snooping

                               Now let’s add on that Configuration
Ø  Sw1(config)#ip arp inspection vlan 1
 ü  Specify the vlan, which we want to do ARP Inspection. Right now everybody the member of VLAN 1.

When we do that, that makes all of the Port on the Switch “Untrusted Ports”. But in our design we gonna say that “fastethernet1/0/1” is a “Trusted Port”.

Here how we do that: -

   Ø  Sw1(config)#interface fastEthernet 1/0/1
   Ø  Sw1(config-if)#ip arp inspection trust
   Ø  Sw1(config-if)#end

That’s gonna make that a “Trusted” Port which will bypass the DAI if an ARP message comes into the fast Ethernet 1/0/1.

                       That’s look that how we can use that DAI in addition to DHCP Snooping to mitigate a Gratuitous ARP Man-in-Middle Attack.


If You Like the Post. Don’t forget to Subscribe/Share/Comment”. Thank You.


Post a Comment