Hi everyone, I'm trying to understand "DAI" (dynamic address inspection). The first functions of DAI I understood: those that make a check with the help of DHCP snooping. Right after, it says: "DAI can be configured to check for both destination or source MAC and IP addresses: Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses." When would a hacker change the target MAC address in the ARP body to launch an attack? There is no example of this: I only thought about this scenario in the case of the destination address. PC-B (hacker) sends an ARP reply with its MAC address in the header and, in the MAC address of the ARP body, the MAC address of another computer. Obviously the example is also valid in the case of modification of the sender. I hope for a clarification. Have a good day.
Port A "hacker"
Host mac-A IP-A
Port B
Host mac-B IP-B
Port C
Host mac-C IP-C
ARP request from Host B to Host C
Ether Dst.= ffff:ffff:ffff
Ether Src.= mac-B <- OK for DHCP snooping; the check is done by DAI
Sender Mac= mac-B
Sender IP= IP-B
Target Mac = mac-C
Target IP= IP-C
ARP reply
Ether Dst.= ffff:ffff:ffff
Ether Src.= mac-C <- OK for DHCP snooping; the check is done by DAI
*Sender Mac= mac-C
*Sender IP= IP-C
*Target Mac = mac-B
*Target IP= IP-B
*note that the MAC/IP are flipped for the ARP reply
NOW what if Host A replies?
ARP reply
Ether Dst.= ffff:ffff:ffff
Ether Src.= mac-A <- OK for DHCP snooping; the check is done by DAI
Sender Mac= mac-A
Sender IP= IP-C
Target Mac = mac-B
Target IP= IP-B
This makes
Host B use mac-A instead of mac-C for sending frames, and hence the hack....
Using the DAI validate option
ARP reply
Ether Dst.= ffff:ffff:ffff
Ether Src.= mac-A <- OK for DHCP snooping; the check is done by DAI
Sender Mac= mac-A
Sender IP= IP-C <- not OK for DHCP snooping & DAI because IP-C does not map to mac-A
Target Mac = mac-B
Target IP= IP-B
Hi Mohammed, thanks for your answer. I understand the DAI function when interfacing with DHCP snooping. "DAI can be configured to check for both destination or source MAC and IP addresses: Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses." I didn't understand when it says that it checks the MAC address in the header against the MAC address in the ARP body; it's a different case.
One example
Server with IP-A Mac-A
Host
hacker with IP-B Mac-B
All requested DHCP and they all have entries in the DHCP snooping table.
Now
the hacker will send a GARP with
source is Mac-B
target Mac is Mac-B
target IP is IP-A
This makes all hosts send the packet to the hacker using Mac-B instead of to the server.
This is why DAI uses the validation option to stop attacks such as this.
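An added example, not from the thread and not Cisco's implementation: a Python model of the checks discussed in both answers above, the DHCP snooping binding check that drops Host A's reply and the hacker's GARP, plus the optional src-mac, dst-mac and ip validations from the quoted documentation. The MAC and IP values and the binding table are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address

MAC_A, MAC_B, MAC_C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
IP_A, IP_B, IP_C = "10.0.0.1", "10.0.0.2", "10.0.0.3"

# Constructed DHCP snooping binding table (IP -> MAC) for the three hosts of the thread.
SNOOPING_BINDINGS = {IP_A: MAC_A, IP_B: MAC_B, IP_C: MAC_C}

@dataclass(frozen=True)
class ArpFrame:
    eth_dst: str      # Ethernet header destination MAC
    eth_src: str      # Ethernet header source MAC
    opcode: int       # 1 = request, 2 = reply
    sender_mac: str   # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str

def invalid_ip(ip: str) -> bool:
    """The 'ip' validation: 0.0.0.0, limited broadcast and multicast are rejected."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

def dai_inspect(frame, bindings, validate=("src-mac", "dst-mac", "ip")):
    """Return the reasons DAI would drop the frame; an empty list means forward."""
    reasons = []
    # Base DAI check (always on): the sender IP/MAC pair must exist in the snooping table.
    if bindings.get(frame.sender_ip) != frame.sender_mac:
        reasons.append(f"sender {frame.sender_ip}/{frame.sender_mac} not in snooping bindings")
    # Optional 'validate' checks, modelled on the documentation quoted in the thread.
    if "src-mac" in validate and frame.eth_src != frame.sender_mac:
        reasons.append("ethernet source MAC != ARP sender MAC")
    if "dst-mac" in validate and frame.opcode == 2 and frame.eth_dst != frame.target_mac:
        reasons.append("ethernet destination MAC != ARP target MAC")  # replies only
    if "ip" in validate:
        ips = [frame.sender_ip] + ([frame.target_ip] if frame.opcode == 2 else [])
        reasons += [f"invalid IP {ip}" for ip in ips if invalid_ip(ip)]
    return reasons

# Constructed frames: C's genuine reply to B, then A's reply claiming IP-C (the thread's attack).
LEGIT_REPLY = ArpFrame(MAC_B, MAC_C, 2, MAC_C, IP_C, MAC_B, IP_B)
SPOOFED_REPLY = ArpFrame(MAC_B, MAC_A, 2, MAC_A, IP_C, MAC_B, IP_B)
# A reply whose ARP target MAC disagrees with the Ethernet destination: only dst-mac catches it.
DST_MISMATCH = ArpFrame(MAC_B, MAC_C, 2, MAC_C, IP_C, MAC_A, IP_B)

if __name__ == "__main__":
    for name, f in [("legit", LEGIT_REPLY), ("spoofed", SPOOFED_REPLY), ("dst-mismatch", DST_MISMATCH)]:
        print(name, dai_inspect(f, SNOOPING_BINDINGS) or "forwarded")
```

Dropping the validate tuple (validate=()) shows which frames the binding check alone stops and which need the optional checks.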
This answer applies to both of you who have spoken, and thank you. In other words, if there is DHCP snooping, the switch will check the MAC address - IP address association. But in the case of "Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body", for example, what happens? In a regular scenario: PC-A sends an ARP request with its MAC address in the header and MAC address fffffffffff. In the ARP body of PC-A: the sender MAC address + the IP address of PC-A and the IP address of PC-C (which is the recipient whose MAC address we want). PC-C replies with its MAC address. Now let's assume PC-B intrudes into the communication. What does he do? How does he change the payload? In the case of DHCP snooping, OK, it is clear that the switch checks in the payload that the association between IP address and MAC address corresponds to the database. Then it looks in the payload and sees that PC-C's IP address doesn't match the right MAC address. Now the same scenario without DHCP snooping but with "Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body". We have the hacker's ARP reply, which looks like this: Hacker: header sender MAC address PC-B and destination MAC address PC-A. In the payload we have: the IP address of PC-C and the destination MAC address of PC-B. So when it says: "Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body", that is, it does not have to coincide; what sense does it make for it to coincide? It is normal that the destination MAC address will be different from PC-A's and the destination MAC address in the payload will be that of PC-B, i.e. the hacker's. Here's why I don't find myself in agreement with this definition: "Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body."
This is not clear. You said:
"This makes
Host B use mac-A instead of mac-B for sending frames, and hence the hack....
Using the DAI validate option"
I think you wanted to say: Host B uses mac-A instead of mac-C, not mac-B, right?
Yes, you are right,
thanks for correcting me.
I think I understand; however, what sense does it make for a hacker to change the target address in the payload, given the mismatch between the MAC address in the header (sent by the hacker) and the target MAC address in the payload? Again in the example: This is clear, because the hacker makes the traffic arrive at his MAC address. "Ether Dst.= ffff:ffff:ffff Ether Src.= mac-A <- OK for DHCP snooping; the check is done by DAI Sender Mac= mac-A Sender IP= IP-C <- not OK for DHCP snooping & DAI because IP-C does not map to mac-A Target Mac = mac-B Target IP= IP-B" Mismatch between the sender and the sender in the payload body. But if we have this: "Ether Dst.= MAC-A (let's assume the hacker wants to attack only A's PC, not all) Ether Src.= mac-A <- OK for DHCP snooping; the check is done by DAI Sender Mac= mac-A Sender IP= IP-C Target Mac = mac-C (i.e. the change is made here by the hacker, modifying the target in the payload with, for example, C instead of what should have been C.) Target IP= IP-B" So checking for the mismatch between MAC sender and MAC sender makes sense, because the hacker directs traffic to his computer. While in my opinion it makes no sense to change the destination MAC to something other than that of the target destination. In your opinion, what sense does it make? In short, if you were the hacker?