Mitigating an ARP Spoofing Attack
An ARP spoofing attack is severe because it breaks the wrong—but widespread—
assumption that sniffing is not possible in a switched environment.
To mitigate an ARP spoofing attack, use the following three options:
• Layer 3 switch. Can leverage the official mapping
and can then drop all spoofed ARP replies based on the official mapping.
• Host. Can ignore the gratuitous ARP packets.
• Intrusion detection systems (IDS). Can keep state about all mappings
and detect whether someone tries to change an existing mapping.
Dynamic ARP Inspection
Chapter 5, "Leveraging DHCP Weaknesses," explained that Layer 3 switches can inspect
DHCP traffic to prevent attacks against DHCP.
DHCP snooping also means that the switch now knows the IP-to-MAC mappings of the
hosts using DHCP. With this exact mapping knowledge, the switch can inspect all ARP
traffic and check whether the information inside the ARP replies is valid; if it is not, the
switch simply drops the ARP packet. This technique is called Dynamic ARP Inspection
(DAI).
NOTE DAI does not affect normal ARP traffic (normal ARP requests and replies and not faked
gratuitous ARP). Only faked gratuitous ARP packets are dropped.
DAI in Cisco IOS
The DAI configuration in a Cisco IOS switch is straightforward. Let's first look at the
learned DHCP binding table.
Example 6-3 Corrupted ARP Table
C:\>arp -a
Interface: 10.0.0.26 on Interface 2
Internet Address Physical Address Type
10.0.0.1 00-10-83-34-29-72 dynamic
Mitigating an ARP Spoofing Attack 113
Example 6-4 shows the DHCP binding table (assuming that DHCP snooping was already configured, as
Chapter 5 discusses).
Example 6-5 shows all the Cisco IOS configuration commands to turn on DAI.
The first line globally enables DAI on VLAN 100. Of course, multiple VLANs can be listed
in the command.
If multiple switches are in VLAN 100, not all of them are able to learn the DHCP binding
of hosts attached to another switch because they will not see the DHCP traffic. Therefore,
DAI cannot be enabled on the uplinks. However, because the switches attached to the
uplinks can usually be trusted (for example, they also run DAI), it is safe to assume that
ARP packets coming from those uplinks can be trusted, which is the purpose of the last two
lines in Example 6-5.
In the case of an ARP spoofing attack, Cisco IOS generates a log event:
1w2d: %SW_DAI-4-INVALID_ARP: 9 Invalid ARPs (Req) on Gi3/31, vlan
100.([0002.0002.0002/170.1.1.2/0001.0001.0001/170.1.1.1/02:30:24 UTC Fri Feb 4
2005])
DAI also keeps a history of all violations, as Example 6-6 shows.
Example 6-4 Content of a DHCP Binding Table
# sh ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
----------------- ------------ --------- ------------ ---- ---------------
00:03:47:B5:9F:AD 10.120.4.10 193185 dhcp-snooping 4 FastEthernet3/18
00:03:47:c4:6f:83 10.120.4.11 213454 dhcp-snooping 4 FastEthernet3/21
Example 6-5 Enabling DAI in Cisco IOS
Switch(config)# ip arp inspection vlan 100
Switch(config)# interface Gi1/1
Switch(config-if)# ip arp inspection trust
Example 6-6 Event Log
SwitchB# show ip arp inspection log
Total Log Buffer Size : 1024
Syslog rate : 100 entries per 10 seconds.
Interface Vlan Sender MAC Sender IP Num Pkts Reason Time
---------- ---- -------------- -------- --------- --------- ----
Gi3/31 100 0002.0002.0002 170.1.1.2 5 DHCP Deny 02:30:24 UTC
Fri Feb 4 2005
114 Chapter 6: Exploiting IPv4 ARP
In Example 6-7, the first line shows how to configure the violation log buffer to 1024
entries. The second line specifies that it takes 100 spoofed ARP replies to generate a log
event every 10 seconds during an attack.
Because DAI is CPU intensive, there is a limit on the rate at which ARP frames are forwarded
to the switch's CPU; otherwise, the switch CPU might be overwhelmed with ARP traffic
and might be unable to keep the Open Shortest Path First (OSPF) process running, which
leads to severe routing stability issues.
This rate limiter is configured in the last two lines of Example 6-7. In this example, if the
switch receives more than 100 ARP packets per second (pps) on interface FastEthernet
1/1, the port is err-disabled to protect the switch's CPU.
Which ARP Rate Threshold?
The rate limit must be chosen carefully and must be larger than the peak ARP traffic in
your network.
The extreme case for peak ARP traffic should be taken into account; this is when a new server
joins the LAN and all other hosts in the same LAN try to communicate with the new server
(all within the same second). Because each host generates an ARP request and receives an ARP
reply, the rate limit should be twice the number of hosts in the LAN to allow the normal
two ARP packets per host.
If some hosts are not using DHCP but have static IP addresses, they can also be protected
by manually entering the binding:
SwitchB(config)# ip source binding 0000.0000.0001 vlan 100 10.0.10.200 interface fastethernet 3/1
Cisco IOS also supports validating ARP traffic by checking whether the
Ethernet header contains the same MAC addresses as the ARP payload.
Example 6-7 Advanced DAI in Cisco IOS
SwitchB(config)# ip arp inspection log-buffer entries 1024
SwitchB(config)# ip arp inspection log-buffer logs 100 interval 10
SwitchB(config)#
SwitchB(config)# interface Fa1/1
SwitchB(config-if)# ip arp inspection limit rate 100 burst interval 1
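To make the DAI decision process concrete, the following Python model (an added example, not Cisco code and not from the book) applies the checks described above to constructed ARP packets: trusted-port bypass, address validation, the Ethernet header versus ARP payload MAC comparison, the DHCP binding lookup (including a static binding entered by hand), and the per-port rate limit that err-disables a port. The binding table, port names and packets are all constructed sample data.

```python
from collections import Counter, namedtuple

# Constructed sample data, not from the page: a DHCP snooping binding table as
# DAI consults it, one trusted uplink, and the MAC values DAI treats as invalid.
ArpPkt = namedtuple("ArpPkt", "port vlan eth_src sender_mac sender_ip")

BINDINGS = {  # (vlan, ip) -> MAC learned by DHCP snooping or entered by hand
    (100, "10.0.10.10"): "0000.0000.000a",
    (100, "10.0.10.11"): "0000.0000.000b",
    (100, "10.0.10.200"): "0000.0000.0001",  # static host: "ip source binding"
}
TRUSTED_PORTS = {"Gi1/1"}  # uplink configured with "ip arp inspection trust"
INVALID_MACS = {"0000.0000.0000", "ffff.ffff.ffff"}


def dai_verdict(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return 'permit' or 'deny: <reason>' for one ARP packet."""
    if pkt.port in trusted:
        return "permit"  # ARP arriving on trusted uplinks is not inspected
    if pkt.sender_mac in INVALID_MACS or pkt.sender_ip == "0.0.0.0":
        return "deny: invalid address"  # address-validation check
    if pkt.eth_src != pkt.sender_mac:
        return "deny: Ethernet header MAC differs from ARP sender MAC"
    if bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac:
        return "deny: DHCP binding mismatch"  # shown as "DHCP Deny" in the log
    return "permit"


def inspect(packets, rate_limit=100):
    """Apply DAI to the ARP packets that arrived within one second.

    Returns (forwarded, log, errdisabled). log counts denied packets per
    (port, vlan, sender MAC, sender IP, reason), like the Num Pkts column of
    'show ip arp inspection log'. An untrusted port that received more than
    rate_limit packets is err-disabled and none of its packets is forwarded.
    """
    per_port = Counter(p.port for p in packets if p.port not in TRUSTED_PORTS)
    errdisabled = {port for port, n in per_port.items() if n > rate_limit}
    forwarded, log = 0, Counter()
    for p in packets:
        if p.port in errdisabled:
            continue
        verdict = dai_verdict(p)
        if verdict == "permit":
            forwarded += 1
        else:
            log[(p.port, p.vlan, p.sender_mac, p.sender_ip, verdict)] += 1
    return forwarded, log, errdisabled
```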
DAI in CatOS
DAI is available in CatOS switches (for example, on Sup720 with PFC3A). Check the
documentation on Cisco.com to see whether this feature is available on a specific
platform.
Example 6-8 shows how DAI is globally configured and how port 2/2 is declared trusted
(because it is an uplink to other switches in the same VLAN). DHCP snooping must be
previously configured, obviously.
Of course, CatOS can rate-limit per port the number of ARP packets a port sends to the CPU
per minute:
Console> (enable) set port arp-inspection 3/1 drop-threshold 700 shutdown-threshold 800
Drop Threshold=700, Shutdown Threshold=800 set on port 3/1.
If the rate exceeds 700 pps, the ARP packets are simply dropped. If the rate exceeds 800,
the port is shut down. This threshold must be tuned based on the baseline ARP traffic as
well as on the switch CPU capacity (see the discussion when DAI in IOS was described
previously).
CatOS can also rate-limit the total number of packets (including ARP, DHCP, and IEEE
802.1X) sent globally to the CPU:
Console> (enable) set security acl feature ratelimit 1000
Dot1x DHCP and ARP Inspection global rate limit set to 1000 pps
CatOS can also drop ARP packets with invalid content (such as a 0.0.0.0 address or
ffff.ffff.ffff as the claimed MAC address of a host):
Console> (enable) set security acl arp-inspection address-validation enable drop
ARP Inspection address-validation feature enabled with drop option.
Protecting the Hosts
The hosts themselves can sometimes be protected either by ignoring gratuitous ARP or by
relying on static ARP entries in the ARP table and completely ignoring the gratuitous ARP
messages.
Cisco IP phones implement the ignore gratuitous ARP technique. Cisco CallManager
(CCM) configures this.
Example 6-8 DAI in CatOS
Console> (enable) set security acl arp-inspection dynamic enable 100
Dynamic ARP Inspection is enabled for vlan(s) 100.
Console> (enable) set port arp-inspection 2/2 trust enable
Port(s) 2/2 state set to trusted for ARP Inspection.
Console> (enable) set security acl arp-inspection dynamic log enable
Dynamic ARP Inspection logging enabled.
The static ARP entries technique is rarely used because it is an administrative nightmare
to enter all the entries; moreover, TCP/IP stack implementations will readily replace a static ARP entry with gratuitous ARP
content. This defeats the purpose of the static entry.
Intrusion Detection
Because ARP spoofing requires an attacker to send traffic, network IDSs can detect this
attack.
Cisco network IDS has a few signatures related to ARP spoofing based on the
ATOMIC.ARP engine.
A free tool, ARPwatch, can detect an ARP spoofing attack. Typically, ARPwatch runs on
a Linux host and processes all ARP packets on an attached Ethernet segment. ARPwatch
executes several checks on the ARP packets: Is it an abnormal packet? Is it a new MAC
address (this is a MAC address never seen on the network)? Is it a new MAC address for an
old IP address (probably a sign of an ARP spoofing attack)? ARPwatch generates alerts by
sending an e-mail to an administrator. Example 6-9 shows the e-mail sent when a new MAC
address appears on the network. It will then be up to the administrator to check whether this
new MAC address is a legitimate one (this is a new device that has joined the network).
Example 6-9 ARPwatch Alert for a New MAC Address
Subject: new station (adsl) eth0
Date: Thu, 3 May 2007 11:16:12 +0200
From: "Arpwatch charly"
To:
hostname: adsl
ip address: 192.0.2.1
interface: eth0
ethernet address: 0:4:27:fd:52:40
ethernet vendor: Cisco Systems, Inc.
timestamp: Thursday, May 3, 2007 11:16:12 +0200
Example 6-10 shows the alert generated when ARPwatch detects a possible ARP spoofing
attack: It has received an ARP reply packet that contradicts the binding of
Example 6-9.
Example 6-10 ARPwatch Alert for a Potential ARP Spoofing Attack
From: arpwatch@example.org (Arpwatch charly)
To: root@example.org
Subject: changed ethernet address (adsl) eth0
Date: Thu, 3 May 2007 13:31:15 +0200 (CEST)
hostname: adsl
ip address: 192.0.2.1
interface: eth0
ethernet address: 0:15:58:27:83:dc
ethernet vendor:
old ethernet address: 0:4:27:fd:52:40
old ethernet vendor: Cisco Systems, Inc.
timestamp: Thursday, May 3, 2007 13:31:14 +0200
previous timestamp: Thursday, May 3, 2007 13:29:23 +0200
delta: 1 minute
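The two alerts above come from ARPwatch's passive IP-to-MAC tracking. The following Python monitor is an added example (written for this page, not ARPwatch's code) that reproduces that logic: it learns the MAC last seen for each IP and raises a "new station" alert on first sight or a "changed ethernet address" alert, carrying the old MAC, previous timestamp and delta, when the MAC flips. The observations are constructed to replay the timeline of Examples 6-9 and 6-10; hostname and vendor lookups are omitted.

```python
from datetime import datetime

# Constructed ARP observations (not captured from the page's network), each one
# (timestamp, interface, sender IP, sender MAC) as a passive sniffer would see it.
OBSERVATIONS = [
    (datetime(2007, 5, 3, 11, 16, 12), "eth0", "192.0.2.1", "0:4:27:fd:52:40"),
    (datetime(2007, 5, 3, 13, 29, 23), "eth0", "192.0.2.1", "0:4:27:fd:52:40"),
    (datetime(2007, 5, 3, 13, 31, 14), "eth0", "192.0.2.1", "0:15:58:27:83:dc"),
]


class ArpWatcher:
    """Passive IP-to-MAC monitor in the spirit of ARPwatch (not ARPwatch's code).

    Remembers the last MAC seen for every IP and raises an alert when an IP
    appears for the first time ("new station") or when its MAC changes
    ("changed ethernet address"), the latter being the usual sign of ARP
    spoofing. The flagged binding is still learned, so the administrator,
    not the monitor, decides whether the change was legitimate.
    """

    def __init__(self):
        self.table = {}   # ip -> (mac, last_seen)
        self.alerts = []  # every alert raised so far, oldest first

    def observe(self, ts, iface, ip, mac):
        """Record one ARP packet; return the alert it caused, or None."""
        alert = None
        prev = self.table.get(ip)
        if prev is None:
            alert = {"subject": f"new station ({ip}) {iface}",
                     "ip": ip, "mac": mac, "timestamp": ts}
        elif prev[0] != mac:
            old_mac, old_ts = prev
            alert = {"subject": f"changed ethernet address ({ip}) {iface}",
                     "ip": ip, "mac": mac, "old mac": old_mac,
                     "timestamp": ts, "previous timestamp": old_ts,
                     "delta": ts - old_ts}
        if alert:
            self.alerts.append(alert)
        self.table[ip] = (mac, ts)
        return alert


def replay(observations=OBSERVATIONS):
    """Feed the observations through a fresh watcher; return the alerts raised."""
    watcher = ArpWatcher()
    for obs in observations:
        watcher.observe(*obs)
    return watcher.alerts
```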