How to prevent invalid destination IP and MAC addresses in an ARP reply?

mohammed hashim
Level 1

hi,

to be more specific,

can Dynamic ARP Inspection be configured to prevent invalid destination IP and MAC addresses in an ARP reply?

like: there is an ARP request with:

source IP: 192.168.1.100

Source MAC: aaaa.aaaa.aaaa

the hacker replies but changes these addresses, and keeps his valid source IP and MAC.

probably the reason for that is he wants to cause L2 broadcast floods?

2 Replies

Carlos Villagran
Cisco Employee

Hi!

That's the exact goal of DAI (Dynamic ARP Inspection). The point of using the DHCP spoofing is to avoid any rogue DHCP assigning convenient IP addresses to hosts, and usually all of this is to avoid any man-in-the-middle attack, like using the gateway address as its own, sniffing all traffic and then redirecting it to the true gateway.

Please refer to the following link for configuration details:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/dynarp.html

Hope it helps, best regards!

JC

Hi Carlos,

thanks for your reply,

If I am not mistaken, the switch does not keep a record of pending ARP requests sent by hosts, like:

Host1--------SW1------------SW2----------Host2

so let us say Host1 wants to resolve Host2's L3-to-L2 address; it will send an ARP request with source addresses of:

source IP: 192.168.1.100

Source MAC: aaaa.aaaa.aaaa

then assume Host2, as an attacker, replies with destination addresses of (in the ARP reply as well as in the actual L3 packet and L2 frame):

destination IP: 192.168.1.200

destination MAC: bbbb.bbbb.bbbb

if DAI is enabled on SW2, it has no way to figure this out,

because DAI checks whether the ARP reply source addresses (MAC/IP) have a match in the DHCP snooping database.

The command "ip arp inspection validate src-mac dst-mac ip" also does not help in my case,
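To make the gap concrete, here is a small model of the checks DAI applies to an ARP reply, written as an added example for this thread (it is not Cisco's code and not from either poster); the binding table, Host2's own addresses and the pending-request set are constructed. The reply Host2 sends in the scenario above passes every check because nothing in it is internally inconsistent; only state about who actually asked would expose it.

```python
from ipaddress import ip_address

# Constructed DHCP snooping binding table (IP -> MAC) for this example.
BINDINGS = {
    "192.168.1.100": "aaaa.aaaa.aaaa",  # Host1, the requester in the thread
    "192.168.1.2": "2222.2222.2222",    # Host2, the replying host (constructed)
}

def invalid_arp_ip(ip):
    """Addresses the 'ip' validate option rejects in an ARP body."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

def dai_check(reply, validate=("src-mac", "dst-mac", "ip")):
    """Model of DAI's checks on one ARP reply (not Cisco's implementation).
    reply: Ethernet header (eth_src, eth_dst) plus ARP body fields
    (sender_ip, sender_mac, target_ip, target_mac).
    Returns the list of reasons the reply is dropped; [] means forwarded."""
    reasons = []
    # Base check: the sender IP/MAC pair must exist in the snooping bindings.
    if BINDINGS.get(reply["sender_ip"]) != reply["sender_mac"]:
        reasons.append("sender IP/MAC not in DHCP snooping bindings")
    # 'ip arp inspection validate' options: header vs. ARP body consistency.
    if "src-mac" in validate and reply["eth_src"] != reply["sender_mac"]:
        reasons.append("src-mac: Ethernet source != ARP sender MAC")
    if "dst-mac" in validate and reply["eth_dst"] != reply["target_mac"]:
        reasons.append("dst-mac: Ethernet destination != ARP target MAC")
    if "ip" in validate and (invalid_arp_ip(reply["sender_ip"])
                             or invalid_arp_ip(reply["target_ip"])):
        reasons.append("ip: invalid or unexpected IP in ARP body")
    return reasons

def answers_pending_request(reply, pending):
    """The check DAI does not have: does the reply's target match a request
    the switch saw? `pending` is a constructed set of (ip, mac) requesters."""
    return (reply["target_ip"], reply["target_mac"]) in pending

# Host2's reply from the thread: valid sender, but aimed at 192.168.1.200 /
# bbbb.bbbb.bbbb instead of the requester 192.168.1.100 / aaaa.aaaa.aaaa.
MISDIRECTED = {
    "eth_src": "2222.2222.2222", "eth_dst": "bbbb.bbbb.bbbb",
    "sender_ip": "192.168.1.2", "sender_mac": "2222.2222.2222",
    "target_ip": "192.168.1.200", "target_mac": "bbbb.bbbb.bbbb",
}
PENDING = {("192.168.1.100", "aaaa.aaaa.aaaa")}

if __name__ == "__main__":
    print("DAI drop reasons:", dai_check(MISDIRECTED))  # []
    print("answers a seen request:", answers_pending_request(MISDIRECTED, PENDING))  # False
```

Changing the sender to an IP/MAC pair that is not in the bindings, or making the Ethernet destination differ from the ARP target MAC, does get the reply dropped, which is the boundary of what DAI and the validate options cover.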