
ARP poisoning

ARP (Address Resolution Protocol): The protocol that maps an IP address to a MAC address on a LAN. Because ARP messages carry no authentication, any host can claim that any IP address belongs to any MAC address.

ARP Table: All network devices have an ARP table, a short-term memory of all IP
addresses and MAC addresses that device has already matched together. The ARP table
ensures that the device doesn't have to repeat ARP requests for devices it has
already communicated with.

ARP poisoning: In an ARP spoofing (ARP cache poisoning) attack, the attacker sends
fake, or "spoofed," ARP messages onto the local area network so that its own MAC
address becomes associated with the IP address of another device connected to the
switch. Because the victims update their ARP tables from these messages, traffic
intended for that IP address is now sent to the attacker instead of the intended
destination. Once the attacker's MAC address is bound to a legitimate IP address,
the attacker receives any data meant for that address, and any traffic destined for
the legitimate resource passes through the attacking system. ARP spoofing attacks
are used to steal sensitive information from the network. The main types of ARP
spoofing attack are:

1. Man-in-the-middle attacks
2. Denial-of-service attacks
3. Session hijacking

1. Man-in-the-Middle (MITM) attacks: By spoofing two hosts in the network at the
same time, an attacker can silently sit in between the two hosts so that they think
they are communicating with each other. This attacker is then able to listen to all
the traffic sent in both directions. This attack can also be performed between any
host in the LAN and an outside host, as the attacker can perform the attack between
the host and the default gateway. With a MITM attack, the attacker can gain access
to sensitive information (e.g., passwords) or he/she can even modify the data being
sent, compromising the data’s integrity.

A hacker can exploit ARP cache poisoning to intercept network traffic between two
devices on your network. Once your computer's ARP cache has been poisoned, whenever
you try to reach the Internet your computer sends its network traffic to the
hacker's machine, which then forwards it to the real router. Since the hacker is
still forwarding your traffic to the Internet router, you remain unaware that all
of your network traffic is being intercepted, and possibly that your clear-text
passwords are being sniffed or your secured Internet sessions hijacked.

2. Denial of Service (DoS) attacks: An attacker can poison the ARP table of a host
so that every packet the host sends goes to the attacker instead of its real
destination, and the attacker simply drops it. In this way, the attacker blocks
communication from the host being attacked. A hacker can just as easily associate
an operationally significant IP address with a false MAC address: for example, by
sending an ARP reply that maps your network router's IP address to a MAC address
that doesn't exist. Your computers believe they know where the default gateway is,
but in reality every packet whose destination is not on the local segment is sent
to a MAC address nobody owns. In one move, the hacker has cut off your network from
the Internet.

3. Session Hijacking: Instead of just dropping the packets received from the host
being attacked, the attacker can respond, impersonating any host in the network.
Session hijacking attacks can steal session IDs, granting attackers access to
private systems and data.

Network Safeguards

1. Port Security
2. Dynamic ARP Inspection
3. IP Source Guard

1. Port Security: We can prevent ARP attacks by using static IP addresses and
static ARP tables. However, static ARP entries are hard to maintain and impossible
to manage in large networks. For a large network, we can instead prevent the attack
by implementing the switch's "Port Security" feature, which lets us force the
switch to allow only one MAC address on each physical port. This prevents hackers
from changing the MAC address of their machine or from trying to map more than one
MAC address to their port. It can often help prevent ARP-based Man-in-the-Middle
attacks.

2. Dynamic ARP Inspection: Dynamic ARP inspection (DAI) is a security feature that
rejects invalid and malicious ARP packets. The feature prevents a class of man-in-
the-middle attacks, where an unfriendly station intercepts traffic for other
stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant
sends ARP requests or responses mapping another station’s IP address to its own MAC
address.

Without dynamic ARP inspection, a malicious user can attack hosts, switches, and
routers connected to the Layer 2 network by poisoning the ARP caches of systems
connected to the subnet and by intercepting traffic intended for other hosts on the
subnet. Dynamic ARP inspection prevents this type of attack. It intercepts, logs,
and discards ARP packets with invalid IP-to-MAC address bindings.

The address binding table is dynamically built from information gathered in the
DHCP request and reply when DHCP snooping is enabled. The MAC address from the DHCP
request is paired with the IP address from the DHCP reply to create an entry in the
DHCP binding table.

When you enable Dynamic ARP Inspection, ARP packets on untrusted ports are filtered
based on the source MAC and IP addresses stored in the DHCP snooping table. The
switch forwards an ARP packet only when its sender MAC and IP address match an
entry in the DHCP snooping table. Otherwise, the ARP packet is dropped.

Dynamic ARP Inspection (DAI) works together with DHCP snooping, i.e. DAI relies on
DHCP snooping. Therefore, for dynamic ARP inspection to function, DHCP snooping
must be globally enabled. Dynamic ARP inspection is configured on a VLAN-by-VLAN
basis. The switch then intercepts ARP traffic and compares it to the DHCP snooping
table. When DAI is enabled, the switch drops an ARP packet if the sender MAC
address and sender IP address do not match an entry in the DHCP snooping binding
database. To enable this, we first have to enable DHCP snooping with the following
commands:

Enable DHCP snooping (global configuration, then the trusted uplink interface):

switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan vlan_id {, vlan_id}
! the following two commands are entered on the trusted uplink interface
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate rate

Enable DAI on the VLAN, then trust the uplink interface:

switch(config)# ip arp inspection vlan <Vlan ID>
switch(config)# interface gi0/1
switch(config-if)# ip arp inspection trust

3. IP Source Guard: IP Source Guard provides security to the network by filtering
clients with invalid or spoofed IP addresses. IP Source Guard is a Layer 2 (L2),
per-port feature that works closely with information in the Dynamic Host
Configuration Protocol (DHCP) snooping binding table. When you enable IP Source
Guard on an untrusted port with DHCP snooping enabled, an IP filter entry is
created or deleted for that port automatically, based on the IP information stored
in the corresponding DHCP binding table entry. When a connecting client receives a
valid IP address from the DHCP server, a filter is installed on the port to allow
traffic only from the assigned IP address. A maximum of 10 IP addresses are allowed
on each IP Source Guard-enabled port. When this number is reached, no more filters
are set up and traffic is dropped.

While Dynamic ARP Inspection blocks only ARP packets, IP Source Guard blocks all IP
packets.

switch(config)# interface gi0/1
switch(config-if)# ip verify source
switch(config-if)# exit
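As an added illustration (not part of the original notes and not any vendor's code), the following Python models the two checks described above against a constructed DHCP snooping binding table: the DAI check on an ARP packet's sender MAC/IP, and the IP Source Guard check on an IPv4 packet's source MAC/IP. The port names, MAC and IP addresses, and the trusted uplink are made-up sample values.

```python
import struct

# Constructed DHCP snooping binding table: (port, MAC) -> IP learned from DHCP.
# All ports and addresses below are made-up sample values.
BINDINGS = {
    ("Gi0/1", "aa:bb:cc:00:00:01"): "10.0.0.10",
    ("Gi0/2", "aa:bb:cc:00:00:02"): "10.0.0.20",
}
TRUSTED_PORTS = {"Gi0/24"}  # uplink toward the DHCP server / default gateway

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def inspect(port, frame):
    """Return ('forward', why) or ('drop', why) for one Ethernet frame.
    ARP frames get the DAI check (sender MAC/IP must match a binding on the ingress
    port); IPv4 frames get the IP Source Guard check. Trusted ports bypass both."""
    if port in TRUSTED_PORTS:
        return ("forward", "trusted port")
    src_mac = mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806:  # ARP: sender MAC at bytes 22-28, sender IP at 28-32
        sha, spa = mac_str(frame[22:28]), ip_str(frame[28:32])
        if sha != src_mac:  # extra sanity check: ARP sender vs. Ethernet source
            return ("drop", "ARP sender MAC differs from Ethernet source MAC")
        if BINDINGS.get((port, sha)) != spa:
            return ("drop", f"no DHCP binding for {sha}/{spa} on {port}")
        return ("forward", "ARP binding valid")
    if ethertype == 0x0800:  # IPv4: source address at offset 12 of the IP header
        src_ip = ip_str(frame[26:30])
        if BINDINGS.get((port, src_mac)) != src_ip:
            return ("drop", f"source {src_ip} not bound to {src_mac} on {port}")
        return ("forward", "IP source valid")
    return ("forward", "frame type not inspected")

def arp_frame(src_mac, sender_ip, target_ip, op=2):
    """Build a constructed ARP frame (op 2 = reply) with a broadcast destination."""
    eth = b"\xff" * 6 + mac_bytes(src_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(src_mac)
           + ip_bytes(sender_ip) + b"\x00" * 6 + ip_bytes(target_ip))
    return eth + arp

def ipv4_frame(src_mac, src_ip, dst_ip):
    """Build a constructed minimal IPv4 frame (20-byte header, no payload)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                      ip_bytes(src_ip), ip_bytes(dst_ip))
    return b"\xff" * 6 + mac_bytes(src_mac) + b"\x08\x00" + hdr
```

An ARP reply claiming the gateway's IP from an access port is dropped by the DAI check, while an IPv4 packet with an unbound source address is dropped by the IP Source Guard check even though it is not an ARP packet.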

NOTE: In both of these scenarios, DAI and IP Source Guard don't seem to gain
anything over port security, which is a lot less complex.
