Two solutions to ARP spoofing in a Cisco environment

Source: Internet
Author: User

There are many ways to defend against ARP spoofing attacks. The attack itself is simple in principle: it exploits a "defect" of ARP, gratuitous ARP, to overwrite the gateway's entry in the ARP table of the victim host.

Gratuitous ARP was designed for two purposes:

1. IP address conflict detection.
2. Automatically updating the ARP entries of other hosts, for example after the gateway's MAC address changes.

ARP spoofing abuses the second purpose. The attacking host sends an ARP update whose sender IP address is the gateway's but whose sender MAC address is not the gateway's. Other hosts that receive it apply the usual ARP rule that newer information replaces older information, so their gateway entry now points at the attacker. Although ARP is strictly speaking not a member of the TCP/IP protocol suite, Ethernet is so widespread that abandoning dynamic ARP in favour of static ARP entries is unrealistic (except in a few special cases).

This article describes how to solve this problem in a Cisco network environment.

Two technologies are used: DHCP snooping and Dynamic ARP Inspection.

I. DHCP snooping

DHCP snooping is a switch security feature for DHCP. It filters untrusted DHCP messages, meaning DHCP messages arriving from untrusted ports, and builds and maintains a DHCP snooping binding table. For each client on an untrusted port the binding table records the MAC address, IP address, lease time, VLAN ID and interface.

When DHCP snooping is enabled, the switch listens to DHCP traffic and extracts and records the IP address and MAC address from the DHCP REQUEST and DHCP ACK messages it sees. In addition, DHCP snooping lets you mark each physical port as trusted or untrusted. A trusted port receives and forwards DHCP server messages (OFFER, ACK, NAK) normally, whereas an untrusted port discards any DHCP server message it receives. In this way the switch shuts out rogue DHCP servers and ensures that clients obtain their addresses only from the legitimate DHCP server.

Purpose:

1. The main function of DHCP snooping is to keep rogue DHCP servers off the network: any port that is left untrusted cannot act as a DHCP server.

2. Build and maintain the DHCP snooping binding table. Entries are generated from the IP and MAC addresses in DHCP ACK messages, and entries can also be added manually.

This table is the basis for DAI (Dynamic ARP Inspection) and IP Source Guard. These two related features consult it to decide whether an IP address or MAC address is legitimate and to restrict what a user on a port may send onto the network.

Configuration:

Switch(config)# ip dhcp snooping
/* Enable DHCP snooping globally.
Switch(config)# ip dhcp snooping vlan 10
/* Enable it for the VLANs to be protected (here VLAN 10). Nothing is snooped until at least one VLAN is listed.
/* The (config-if) commands below are entered under the port in question (interface <name>).
Switch(config-if)# ip dhcp snooping limit rate 10
/* Maximum DHCP packets per second accepted on this (untrusted, client-facing) port. If the rate is exceeded the interface is err-disabled. There is no limit by default.
Switch(config-if)# ip dhcp snooping trust
/* Makes the port trusted (use this on the uplink towards the real DHCP server). Trusted ports forward DHCP server messages such as OFFER and ACK normally, and no IP-to-MAC bindings are recorded for them. All ports are untrusted by default.
Switch# ip dhcp snooping binding 0009.3452.3ea4 vlan 7 192.168.10.5 interface gi1/0/10 expiry 86400
/* Adds a static IP-to-MAC entry to the binding table. This is a privileged EXEC command, not a configuration command; expiry is the entry's lifetime in seconds.
Switch(config)# ip dhcp snooping database tftp://10.1.1.1/dhcp_table
/* The binding table is lost on reload, so choose a persistent store: flash, ftp or tftp. In this example dhcp_table is a file name, not a directory, and the file must already exist on the TFTP server.
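
The following Python model is added here as an illustration; it is not part of the original article and not Cisco's implementation. It shows what the switch does in section I: it parses DHCP messages, drops server messages (OFFER, ACK, NAK) that arrive on untrusted ports, and learns a binding (MAC, IP, VLAN, client port, lease time) from each ACK that arrives on a trusted port, placing the binding on the port where the client's REQUEST was seen. The trusted uplink name Gi1/0/1 and the sample DHCP messages are constructed for the example; the client MAC, VLAN and IP address reuse the values from the static binding command above.

```python
"""Model of DHCP snooping (added example, not Cisco's code): filter DHCP server
messages on untrusted ports and learn client bindings from ACKs on trusted ports."""
import struct
from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"                       # RFC 2131 magic cookie
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_MSGS = {DHCPOFFER, DHCPACK, DHCPNAK}            # only a DHCP server sends these
CLIENT_MSGS = {DHCPDISCOVER, DHCPREQUEST}


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in Cisco's xxxx.xxxx.xxxx notation."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and the DHCP option TLVs (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen = struct.unpack("!BBB", payload[:3])
    yiaddr = ".".join(str(b) for b in payload[16:20])  # "your" (assigned) IP address
    chaddr = mac_str(payload[28:28 + hlen])            # client hardware address
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        tag, length = payload[i], payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "chaddr": chaddr, "opts": opts}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    lease_seconds: int


class DhcpSnooper:
    """Trusted-port set plus the DHCP snooping binding table of one switch."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}        # (vlan, mac) -> Binding
        self._client_port = {}    # (vlan, mac) -> access port the client was seen on

    def handle(self, port: str, vlan: int, payload: bytes) -> str:
        """Return 'forward' or 'drop' for a DHCP message received on `port`."""
        msg = parse_dhcp(payload)
        msg_type = msg["opts"].get(53, b"\x00")[0]     # option 53 = DHCP message type
        if msg_type in SERVER_MSGS and port not in self.trusted:
            return "drop"         # a server answering on an access port: rogue server
        key = (vlan, msg["chaddr"])
        if msg_type in CLIENT_MSGS:
            self._client_port[key] = port              # remember where the client sits
        elif msg_type == DHCPACK:                      # lease granted by a trusted server
            lease = struct.unpack("!I", msg["opts"].get(51, b"\x00" * 4))[0]
            self.bindings[key] = Binding(msg["chaddr"], msg["yiaddr"], vlan,
                                         self._client_port.get(key, "unknown"), lease)
        return "forward"


def build_dhcp(op: int, mac: bytes, msg_type: int, yiaddr=b"\x00" * 4, lease=None) -> bytes:
    """Construct a minimal DHCP message (constructed sample input for this example)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x3903F326, 0, 0)  # op htype hlen hops xid secs flags
    hdr += b"\x00" * 4 + yiaddr + b"\x00" * 8          # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00") + b"\x00" * 192      # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + DHCP_MAGIC + opts + b"\xff"


def demo():
    """Client on Gi1/0/10, real DHCP server behind trusted uplink Gi1/0/1 (assumed port names)."""
    snooper = DhcpSnooper(trusted_ports={"Gi1/0/1"})
    client = bytes.fromhex("000934523ea4")
    request = build_dhcp(1, client, DHCPREQUEST)
    ack = build_dhcp(2, client, DHCPACK, yiaddr=bytes([192, 168, 10, 5]), lease=86400)
    verdicts = [
        snooper.handle("Gi1/0/10", 7, request),   # client request on an access port
        snooper.handle("Gi1/0/10", 7, ack),       # same ACK sent by a rogue server on an access port
        snooper.handle("Gi1/0/1", 7, ack),        # the ACK from the legitimate server on the uplink
    ]
    return verdicts, snooper.bindings


if __name__ == "__main__":
    verdicts, table = demo()
    print(verdicts)
    for entry in table.values():
        print(entry)
```

Running the demo gives the verdicts forward, drop, forward and a single binding for 0009.3452.3ea4 at 192.168.10.5 on Gi1/0/10 in VLAN 7, which is exactly the kind of entry the `ip dhcp snooping binding` command above would create by hand.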
II. ARP inspection (Dynamic ARP Inspection, DAI)

1. Introduction

DAI checks the validity of the MAC address and IP address carried in ARP packets against the DHCP snooping binding table.

2. Configuration

Switch(config)# ip dhcp snooping vlan 7
Switch(config)# ip dhcp snooping information option
/* Insert DHCP option 82 (relay agent information) into snooped DHCP packets. This is the default; see the notes below if a DHCP relay is in the path.
Switch(config)# ip dhcp snooping
Switch(config)# ip arp inspection vlan 7
/* Defines the VLANs in which ARP packets are inspected.
Switch(config)# ip arp inspection validate src-mac dst-mac ip
/* Optional extra checks. src-mac: the Ethernet source MAC must equal the ARP sender MAC. dst-mac: in ARP replies the Ethernet destination MAC must equal the ARP target MAC. ip: ARP bodies carrying invalid addresses (0.0.0.0, 255.255.255.255, multicast) are dropped.
/* The (config-if) commands below are entered under the port in question (interface <name>).
Switch(config-if)# ip dhcp snooping limit rate 10
Switch(config-if)# ip arp inspection limit rate 15
/* Maximum ARP packets per second on the interface (15 is the default for untrusted ports). If it is exceeded the port is err-disabled.
Switch(config-if)# ip arp inspection trust
/* Trusted interfaces (uplinks towards the gateway and other switches) are not inspected. Ports are untrusted, and therefore inspected, by default.
3. Notes

The interface field of the DHCP snooping binding table is not checked by DAI; only the VLAN, MAC address and IP address are compared. The MAC-to-IP relationships in the table are learned from DHCP, and static entries can be added as well; an ARP packet is permitted as long as its sender MAC and IP match an entry. If no matching entry exists, the ARP traffic is dropped.

When Dynamic ARP Inspection is enabled, the switch counts the ARP packets on each port. When too many ARP packets pass through a port (more than the configured rate limit), the switch treats this as a DoS attack and err-disables the port, which interrupts communication. To let such ports recover automatically, add the command errdisable recovery cause arp-inspection (the recovery delay can be tuned with errdisable recovery interval <seconds>).
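
The following Python model is added here as an illustration; it is not part of the original article and not Cisco's code. It shows the DAI decision described above for ARP frames on untrusted ports: the optional src-mac, dst-mac and ip checks, the lookup of the sender MAC/IP pair against the binding table (the interface is not part of the lookup), a trusted uplink that bypasses inspection, and a per-port rate limit that err-disables the port when exceeded. The gateway and attacker MAC addresses, the port names and the sample frames are constructed for the example; the host MAC and IP reuse the binding from section I.

```python
"""Model of Dynamic ARP Inspection (added example, not Cisco's code): ARP frames on
untrusted ports must pass the validate checks and match a DHCP snooping binding."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes in Cisco's xxxx.xxxx.xxxx notation."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(".", ""))


def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if frame[12:14] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    oper = struct.unpack("!H", frame[20:22])[0]
    return {
        "eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]), "oper": oper,
        "sha": mac_str(frame[22:28]), "spa": str(IPv4Address(frame[28:32])),  # sender MAC / IP
        "tha": mac_str(frame[32:38]), "tpa": str(IPv4Address(frame[38:42])),  # target MAC / IP
    }


def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet/ARP frame (constructed sample input for this example)."""
    return (mac_bytes(eth_dst) + mac_bytes(eth_src) + ETHERTYPE_ARP
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
            + mac_bytes(sha) + IPv4Address(spa).packed
            + mac_bytes(tha) + IPv4Address(tpa).packed)


class ArpInspector:
    def __init__(self, bindings, trusted_ports=(), validate=(), rate_limit=15):
        self.bindings = set(bindings)       # {(vlan, mac, ip)} learned by DHCP snooping
        self.trusted = set(trusted_ports)
        self.validate = set(validate)       # any of "src-mac", "dst-mac", "ip"
        self.rate_limit = rate_limit        # ARP packets per second per untrusted port
        self.err_disabled = set()
        self._seen = defaultdict(int)       # (port, second) -> ARP packets counted

    def inspect(self, port: str, vlan: int, frame: bytes, now: float = 0.0) -> str:
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            return "permit: trusted"        # trusted ports bypass every check
        self._seen[(port, int(now))] += 1
        if self._seen[(port, int(now))] > self.rate_limit:
            self.err_disabled.add(port)     # treated as an ARP flood / DoS
            return "drop: rate limit exceeded, port err-disabled"
        p = parse_arp(frame)
        if "src-mac" in self.validate and p["eth_src"] != p["sha"]:
            return "drop: src-mac mismatch"
        if "dst-mac" in self.validate and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
            return "drop: dst-mac mismatch"
        if "ip" in self.validate:
            checked = [p["spa"]] + ([p["tpa"]] if p["oper"] == ARP_REPLY else [])
            if any(ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast
                   for ip in checked):
                return "drop: invalid ip"
        if (vlan, p["sha"], p["spa"]) not in self.bindings:  # the port is not part of the lookup
            return "drop: no binding"
        return "permit"


def demo():
    """Constructed scenario: host on Gi1/0/10, attacker on Gi1/0/20, gateway behind trusted Gi1/0/1."""
    gateway_mac, gateway_ip = "0011.2233.4455", "192.168.10.1"
    host_mac, host_ip = "0009.3452.3ea4", "192.168.10.5"
    attacker_mac = "00aa.bbcc.ddee"
    bcast, zero = "ffff.ffff.ffff", "0000.0000.0000"
    dai = ArpInspector(bindings={(7, host_mac, host_ip)}, trusted_ports={"Gi1/0/1"},
                       validate={"src-mac", "dst-mac", "ip"})
    # Normal request from the host for the gateway's MAC
    legit = build_arp(host_mac, bcast, ARP_REQUEST, host_mac, host_ip, zero, gateway_ip)
    # Gratuitous reply: attacker claims the gateway IP with its own MAC (the attack in the article)
    spoof = build_arp(attacker_mac, bcast, ARP_REPLY, attacker_mac, gateway_ip, bcast, gateway_ip)
    # Attacker copies the host's MAC/IP into the ARP body but sends from its own NIC
    forged = build_arp(attacker_mac, bcast, ARP_REQUEST, host_mac, host_ip, zero, gateway_ip)
    # Reply from the real gateway arriving over the trusted uplink
    from_gw = build_arp(gateway_mac, host_mac, ARP_REPLY, gateway_mac, gateway_ip, host_mac, host_ip)
    verdicts = [dai.inspect("Gi1/0/10", 7, legit), dai.inspect("Gi1/0/20", 7, spoof),
                dai.inspect("Gi1/0/20", 7, forged), dai.inspect("Gi1/0/1", 7, from_gw)]
    # 16 ARP packets within one second on an untrusted port exceed the default limit of 15
    flood = [dai.inspect("Gi1/0/30", 7, legit, now=5.0) for _ in range(16)]
    return verdicts, flood[-1], sorted(dai.err_disabled)


if __name__ == "__main__":
    print(demo())
```

The spoofed gratuitous reply passes the src-mac, dst-mac and ip checks and is stopped only by the binding lookup, which is why the DHCP snooping table is the real foundation of the defence. The flood at the end also shows the point made in the notes: the first 15 frames on Gi1/0/30 are permitted even though the binding was learned on Gi1/0/10, because the port is not compared, and the 16th frame err-disables the port.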

In a Cisco network, when a DHCP request passes through a switch with DHCP snooping enabled, the switch inserts option 82 (the relay agent information option, RFC 3046) into the packet. The switch itself is not a relay, so the giaddr (gateway IP address) field of the request stays 0.0.0.0. A DHCP relay agent further along the path that receives a packet carrying option 82 with giaddr set to 0 drops it by default, and clients then fail to obtain an address.

If the DHCP server is reached through a relay agent, enter one of the following on the gateway (relay) switch so that it accepts such packets:

Method 1 (per interface):

Switch(config)# interface vlan 7
Switch(config-if)# ip dhcp relay information trusted

Method 2 (all interfaces):

Switch(config)# ip dhcp relay information trust-all

III. Summary

DHCP snooping is usually described as a way to keep rogue DHCP servers off the network, but its second role is what matters here: once a client has received a valid DHCP OFFER and ACK, the switch records the client's IP address and MAC address against the interface it is connected to. That table is the standard of legitimacy used by the other technology, ARP inspection. DAI inspects ARP requests and replies and drops those whose sender MAC/IP pair does not appear in the table. Because the table is built only from genuine DHCP server responses, it contains the correct address relationships, so a spoofed ARP packet (for example one claiming the gateway's IP address with the attacker's MAC address) is intercepted. The same mechanism also stops users from arbitrarily changing their IP addresses and causing address conflicts, since ARP packets for an address that DHCP did not assign to that MAC are dropped.
