Wednesday, 30 August 2017

Dynamic ARP Inspection (DAI) Mitigates ARP Poisoning to Prevent Man in the Middle Attacks (MITM)

Address Resolution Protocol (ARP) lets a device resolve an IP address to a MAC address. For example, assume PC A is connected to a switch, which is connected to a router. PC A needs to send traffic to the router's IP of 192.168.4.3, but the switch doesn't know which MAC address to deliver this traffic to. ARP lets the switch learn that MAC address: the switch takes the ARP request received on PC A's port and broadcasts it out all the other ports. This frame asks which device owns 192.168.4.3 and what its MAC address is. Devices on the other ports drop the frame if the IP address isn't theirs. The router does the opposite and replies with its MAC address, because it owns the IP address being looked up. This enables communication between PC A and the router.

This ARP process can be exploited through ARP poisoning, also known as ARP spoofing, to eavesdrop on traffic. Say PC B is an attacker's PC plugged into the environment above. PC B sends what is called a gratuitous ARP: an ARP message that wasn't requested but is sent on its own accord to update ARP information. PC B's ARP message directed at PC A claims that PC B's IP is 192.168.4.3, so traffic for that IP should go to PC B's MAC address. PC B also directs a gratuitous ARP to the router claiming PC A's IP address, so that traffic for PC A should go to PC B's MAC address. If the switch believes this, PC B has successfully carried out ARP poisoning. PC B can then forward the frames between the router and PC A after eavesdropping on or manipulating the traffic. ARP spoofing thus becomes a MITM attack.

To mitigate this attack, Dynamic ARP Inspection can be used. When configured on a VLAN, it defaults all ports on the VLAN to untrusted, meaning their ARP traffic requires inspection. (Trusted ports are used for trunks, since access ports are where attacks will mostly come from. Untrusted ports are limited to 15 ARP packets per second to prevent attacks like ping suite.) The inspection verifies that the source MAC and IP address pair in each ARP packet is a genuine binding. The DHCP Snooping binding table makes this verification possible, because it records which IP addresses were actually allocated to which MAC addresses. This means PC B cannot compromise traffic confidentiality as a MITM, because DHCP Snooping knows that PC B's MAC address was never given the IP address it claims.

Some devices will not be in the DHCP Snooping table. In these cases, a static ARP ACL can be configured manually to tell the switch which MAC address is bound to which IP.

Other checks include validating the MAC address in the Ethernet header against the ARP body, or checking the IP addresses carried inside the ARP payload.
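The following is an added example, not part of the original post and not a switch vendor's implementation: a small Python model of what an inspecting switch port does with each ARP frame. It parses raw Ethernet+ARP frames, checks the sender MAC/IP pair against a binding table (the DHCP Snooping entries plus a static entry standing in for an ARP ACL), applies the Ethernet-header-versus-ARP-body MAC check, and enforces a 15 packets-per-second limit on untrusted ports. All MAC addresses, IP addresses, port names and the `run_demo` scenario are constructed for the example; the router IP 192.168.4.3 is the one used in the post.

```python
"""Model of Dynamic ARP Inspection: validate ARP frames against a binding table."""
import struct
from collections import deque

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
RATE_LIMIT_PPS = 15                        # per-port limit for untrusted ports

# Constructed addresses for the scenario (not real devices)
ROUTER_MAC = "aa:bb:cc:00:00:01"
PC_A_MAC = "00:11:22:33:44:0a"
PC_B_MAC = "00:11:22:33:44:0b"
PRINTER_MAC = "00:11:22:33:44:50"
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(o) for o in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(src_mac, dst_mac, op, sha, spa, tha, tpa):
    """Build an Ethernet+ARP frame (op 1 = request, 2 = reply)."""
    return (ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                           mac_bytes(tha), ip_bytes(tpa)))

def parse_arp(frame):
    """Return the header fields of an ARP frame, or None if it is not ARP."""
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

class ArpInspector:
    def __init__(self, bindings, trusted_ports=(), rate_limit=RATE_LIMIT_PPS):
        # bindings: {ip: mac} learned by DHCP snooping plus static ARP ACL entries
        self.bindings = {ip: mac.lower() for ip, mac in bindings.items()}
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit
        self.window = {}          # port -> timestamps of ARP packets in the last second
        self.errdisabled = set()

    def inspect(self, port, frame, now):
        """Return (verdict, reason); verdict is 'forward', 'drop' or 'errdisable'."""
        if port in self.trusted:
            return ("forward", "trusted port, not inspected")
        if port in self.errdisabled:
            return ("drop", "port is err-disabled")
        arp = parse_arp(frame)
        if arp is None:
            return ("forward", "not ARP, outside DAI scope")
        # Rate limit: every incoming ARP on an untrusted port counts, valid or not
        q = self.window.setdefault(port, deque())
        q.append(now)
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) > self.rate_limit:
            self.errdisabled.add(port)
            return ("errdisable", f"more than {self.rate_limit} ARP packets per second")
        # Header-versus-body check: Ethernet source must equal the ARP sender MAC
        if arp["eth_src"] != arp["sha"]:
            return ("drop", "ethernet src MAC differs from ARP sender MAC")
        # For replies, the Ethernet destination must equal the ARP target MAC
        if arp["op"] == 2 and arp["eth_dst"] != arp["tha"]:
            return ("drop", "ethernet dst MAC differs from ARP target MAC")
        # Core check: the sender IP/MAC pair must be a known binding
        expected = self.bindings.get(arp["spa"])
        if expected is None:
            return ("drop", f"no binding for {arp['spa']}")
        if expected != arp["sha"]:
            return ("drop", f"{arp['spa']} is bound to {expected}, not {arp['sha']}")
        return ("forward", "sender binding verified")

def run_demo():
    """Replay the post's scenario: PC A, the router, and PC B trying to poison both."""
    bindings = {"192.168.4.3": ROUTER_MAC, "192.168.4.10": PC_A_MAC, "192.168.4.20": PC_B_MAC}
    bindings["192.168.4.50"] = PRINTER_MAC       # static ARP ACL entry for a non-DHCP host
    dai = ArpInspector(bindings, trusted_ports={"Gi1/0/24"})   # uplink to the router is trusted
    r = {}
    r["pc_a_request"] = dai.inspect("Gi1/0/1", build_arp(PC_A_MAC, BCAST, 1, PC_A_MAC, "192.168.4.10", ZERO_MAC, "192.168.4.3"), 0.0)
    # PC B tells PC A that 192.168.4.3 lives at PC B's MAC
    r["pc_b_spoof_router"] = dai.inspect("Gi1/0/2", build_arp(PC_B_MAC, PC_A_MAC, 2, PC_B_MAC, "192.168.4.3", PC_A_MAC, "192.168.4.10"), 0.1)
    # PC B tells the router that 192.168.4.10 lives at PC B's MAC
    r["pc_b_spoof_pc_a"] = dai.inspect("Gi1/0/2", build_arp(PC_B_MAC, ROUTER_MAC, 2, PC_B_MAC, "192.168.4.10", ROUTER_MAC, "192.168.4.3"), 0.2)
    r["router_reply"] = dai.inspect("Gi1/0/24", build_arp(ROUTER_MAC, PC_A_MAC, 2, ROUTER_MAC, "192.168.4.3", PC_A_MAC, "192.168.4.10"), 0.3)
    r["printer_static"] = dai.inspect("Gi1/0/3", build_arp(PRINTER_MAC, BCAST, 1, PRINTER_MAC, "192.168.4.50", ZERO_MAC, "192.168.4.3"), 0.4)
    # Ethernet source is PC B but the ARP body claims PC A's MAC
    r["eth_mismatch"] = dai.inspect("Gi1/0/2", build_arp(PC_B_MAC, BCAST, 1, PC_A_MAC, "192.168.4.10", ZERO_MAC, "192.168.4.3"), 0.5)
    # 16 otherwise valid ARPs inside one second from PC B trip the 15 pps limit
    verdict = None
    for i in range(16):
        verdict = dai.inspect("Gi1/0/2", build_arp(PC_B_MAC, BCAST, 1, PC_B_MAC, "192.168.4.20", ZERO_MAC, "192.168.4.3"), 10.0 + i * 0.01)
    r["flood"] = verdict
    return r

if __name__ == "__main__":
    for name, (verdict, reason) in run_demo().items():
        print(f"{name:20s} {verdict:10s} {reason}")
```

The order of checks mirrors the post: the trusted uplink is never inspected, the per-port rate limit is applied before any content check so that a flood of bad ARPs still err-disables the port, and the binding lookup is what stops both of PC B's gratuitous replies, because neither 192.168.4.3 nor 192.168.4.10 is bound to PC B's MAC. The printer entry shows how a static binding covers a host that the DHCP Snooping table would never contain.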

Taking precautionary measures at layer 2 helps prevent compromise of the integrity of the traffic. Dynamic ARP Inspection is a good measure to include on a network-hardening checklist.
