Preventing ARP Spoofing and Flood Attack

Information About ARP Spoofing and Flood Attack

Overview of ARP Anti-Spoofing

ARP provides IP communication within a broadcast domain by mapping an IP address to a MAC address. For example, host B wants to send information to host A but does not have the MAC address of host A in its ARP cache. In ARP terms, host B is the sender and host A is the target.

To get the MAC address of host A, host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of host A. All hosts within the broadcast domain receive the ARP request, and host A responds with its MAC address.

ARP spoofing attacks occur because ARP allows a reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.

An ARP spoofing attack can affect hosts, switches, and routers connected to your network by sending false information to the ARP caches of the devices connected to the subnet. Sending false information to an ARP cache is known as ARP cache poisoning. Spoof attacks can also intercept traffic intended for other hosts on the subnet.

Figure 1. ARP Spoofing

Hosts A, B, and C are connected to the device on interfaces A, B, and C, which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, host A uses IP address IA and MAC address MA. When host A needs to send IP data to host B, it broadcasts an ARP request for the MAC address associated with IP address IB. When the device and host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When host B responds, the device and host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.

Host C can poison the ARP caches of the device, host A, and host B by broadcasting two forged ARP responses with bindings: one for a host with an IP address of IA and a MAC address of MC and another for a host with the IP address of IB and a MAC address of MC. Host B and the device then use the MAC address MC as the destination MAC address for traffic intended for IA, which means that host C intercepts that traffic. Likewise, host A and the device use the MAC address MC as the destination MAC address for traffic intended for IB.

Because host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. This topology, in which host C has inserted itself into the traffic stream from host A to host B, is an example of a man-in-the-middle attack.

To prevent spoofing, you can enable ARP anti-spoofing. When ARP anti-spoofing is enabled, all ARP packets are redirected to the CPU for a check. The ARP packets are verified against the entries in the static ARP table, the IP source guard static binding table, or the DHCP snooping table. ARP packets that fully match an entry in any one of these tables are transmitted. Incomplete ARP packets, and packets that only partially match a table entry, are discarded. Unknown ARP packets, that is, packets that match no table entry, can be configured to be either discarded or flooded to all ports. ARP anti-spoofing is disabled by default.

You can configure the host protection feature to bind the IP address or MAC address of a host to the port it is connected to. ARP packets transmitted from this port are accepted by all other connected ports. ARP packets carrying the same IP address or MAC address are discarded if they arrive on any other port.

You can configure the source MAC address consistency inspection feature to check whether the Ethernet source MAC address of the ARP packet is the same as the source MAC address stored in the table. If the source MAC addresses do not match, the packet is discarded. This feature is disabled by default.

A Layer 3 device can be configured as the gateway for certain LAN devices. An attacker host can try to add the Layer 3 device to the blocked list by sending a gratuitous ARP identifying itself as the correct gateway. You can configure the gateway anti-spoofing feature to prevent this kind of attack. This feature is disabled by default.

By default, all ports are considered untrusted once an attack is detected. You can configure a port that is trustworthy and does not require monitoring as a trusted port.
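As an added illustration, not code from the page or its vendor, the following Python model applies the ARP anti-spoofing decision described above (trusted port, incomplete packet, source MAC consistency, full/partial/no binding match, unknown-packet policy) to constructed packets, including the client B scenario from the example at the end of this page. The table contents, the field names and the trusted-port shortcut are assumptions.

```python
# Added example, not code from the page or its vendor: a model of the
# ARP anti-spoofing decision. Table contents, field names and the
# trusted-port shortcut are assumptions about how the device behaves.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    in_port: str      # ingress port, e.g. "ethernet 1/3"
    eth_src: str      # Ethernet frame source MAC
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address


# Union of the static ARP, IP source guard and DHCP snooping tables,
# as (ip, mac, port) entries. Constructed sample entry.
BINDINGS = {("192.168.5.10", "40:16:9f:f2:75:a8", "ethernet 1/3")}
TRUSTED_PORTS = {"ethernet 1/1"}   # uplink towards the DHCP server


def check_arp(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS,
              unknown="discard", valid_check=True):
    """Return (verdict, reason); verdict is 'forward' or 'discard'."""
    # Trusted ports are not monitored.
    if pkt.in_port in trusted:
        return "forward", "trusted port"
    # Incomplete packets are always discarded.
    if not (pkt.eth_src and pkt.sender_mac and pkt.sender_ip):
        return "discard", "incomplete ARP packet"
    # Source MAC consistency inspection (arp anti-spoofing valid-check).
    if valid_check and pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "discard", "ethernet source MAC differs from ARP sender MAC"
    key = (pkt.sender_ip, pkt.sender_mac.lower(), pkt.in_port)
    if key in bindings:
        return "forward", "matches binding table"
    # Partial match: IP or MAC is known, but not with this pairing/port.
    if any(pkt.sender_ip == b[0] or pkt.sender_mac.lower() == b[1]
           for b in bindings):
        return "discard", "partial match with binding table"
    # No match: behaviour set by 'arp anti-spoofing unknown {discard | flood}'.
    if unknown == "flood":
        return "forward", "unknown, flooded"
    return "discard", "unknown, discarded"
```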

Overview of ARP Flooding Attack

ARP packets can be used to flood the CPU of the hosts, switches, and routers connected to the subnet, degrading device performance. Flooding the CPU of a device in this way is known as an ARP flooding attack.

To prevent an ARP flood attack, the following configurations are available.

  • You must enable ARP anti-flood to prevent an ARP flood attack. ARP packets are forwarded to the CPU, and each traffic flow is identified by the source MAC address of the packet.

  • You can configure a rate threshold to monitor the ARP flow. If the rate threshold is exceeded, the flow is considered an attack. The rate threshold can be configured globally or per interface.

  • Once an attack is detected, you can configure whether to add the host's source MAC address to the blackhole address list and discard all of its packets, or to discard only the ARP packets from the host.

  • To remove hosts from the blackhole address list, you can either define a recovery time interval or manually restore the host.

  • You can bind the dynamic MAC address of a host in the blackhole address list to a static MAC address. This prevents the host from transmitting any type of packet.
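The following Python model is an added illustration, not code from the page or its vendor, of the anti-flood behaviour listed above: a per-source-MAC rate threshold (global or per interface), the deny-all and deny-arp actions, automatic recovery after the recover-time, and manual recovery. The one-second sliding window and the per-port override lookup are assumptions about how the device measures the rate.

```python
# Added example, not code from the page or its vendor: a model of the
# anti-flood behaviour. Window size, timing and the port-threshold
# override are assumptions about how the device works.
from collections import defaultdict, deque


class ArpAntiFlood:
    def __init__(self, threshold=16, action="deny-arp",
                 recover_time_min=10, port_thresholds=None):
        self.threshold = threshold                    # global pps limit (default 16)
        self.action = action                          # "deny-all" or "deny-arp"
        self.recover_time = recover_time_min * 60     # seconds; 0 = manual recovery only
        self.port_thresholds = port_thresholds or {}  # per-interface overrides
        self.window = defaultdict(deque)  # src MAC -> ARP arrival times, last second
        self.blackhole = {}               # src MAC -> time it was blocked

    def _blocked(self, mac, now):
        """True if mac is blackholed; expires the entry once recover-time passes."""
        t = self.blackhole.get(mac)
        if t is None:
            return False
        if self.recover_time and now - t >= self.recover_time:
            del self.blackhole[mac]
            return False
        return True

    def packet(self, src_mac, port, now, is_arp):
        """Return 'forward' or 'discard' for one packet seen at time now (seconds)."""
        if self._blocked(src_mac, now):
            # deny-all drops everything from the host; deny-arp drops only ARP
            return "discard" if (self.action == "deny-all" or is_arp) else "forward"
        if not is_arp:
            return "forward"
        q = self.window[src_mac]
        q.append(now)
        while q and now - q[0] >= 1.0:   # keep a one-second sliding window
            q.popleft()
        limit = self.port_thresholds.get(port, self.threshold)
        if len(q) > limit:               # rate exceeded: treat the flow as an attack
            self.blackhole[src_mac] = now
            return "discard"
        return "forward"

    def recover(self, mac="all"):
        """Manual restore, as in: arp anti-flood recover {mac address | all}."""
        if mac == "all":
            self.blackhole.clear()
        else:
            self.blackhole.pop(mac, None)
```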

How to Prevent ARP Spoofing And Flood Attack

Enabling ARP Anti-Spoofing

To enable ARP anti-spoofing, perform this procedure.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. [no] arp anti-spoofing
  4. arp anti-spoofing unknown {discard | flood}

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

Enters global configuration mode.

Step 3

[no] arp anti-spoofing

Example:

Device(config)# arp anti-spoofing 

Enables ARP anti-spoofing.

Use the no form of this command to disable ARP anti-spoofing.

Step 4

arp anti-spoofing unknown {discard | flood}

Example:

Device(config)# arp anti-spoofing unknown discard 

Specifies whether to discard or flood unknown packets.

Configuring Host Protection

Configuring host protection on a port allows the port to discard unknown ARP packets.

Configure the IP-to-port binding when you configure the device to discard unknown ARP packets. ARP packets for this IP address are then flooded to the other ports only when they enter through the configured port; if an ARP packet for this IP address enters through another port, it is discarded.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. [no] host-guard bind ip ip-address interface {ethernet | gpon} slot_number/port_number

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

Enters global configuration mode.

Step 3

[no] host-guard bind ip ip-address interface {ethernet | gpon} slot_number/port_number

Example:

Device(config)# host-guard bind ip 192.168.5.13 interface ethernet 1/2 

Configures host protection on the specified port.

  • slot_number:

    • GPON: The value is 0.

    • GE Ethernet: The value is 1.

    • 10GE Ethernet: The value is 2.

  • port_number:

    • GPON: The range is from 1 to 8.

    • GE Ethernet: The range is from 1 to 4.

    • 10GE Ethernet: The range is from 1 to 2.

Use the no form of this command to delete host protection.

Configuring Source MAC Address Consistency Inspection

To configure source MAC address consistency inspection, perform this procedure.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. [no] arp anti-spoofing valid-check

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

Enters global configuration mode.

Step 3

[no] arp anti-spoofing valid-check

Example:

Device(config)# arp anti-spoofing valid-check 

Enables source MAC address consistency inspection.

Use the no form of this command to disable this feature.

Configuring Gateway Anti-Spoofing

To configure gateway anti-spoofing, perform this procedure.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. [no] arp anti-spoofing deny-disguiser

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

Enters global configuration mode.

Step 3

[no] arp anti-spoofing deny-disguiser

Example:

Device(config)# arp anti-spoofing deny-disguiser 

Enables gateway anti-spoofing.

Use the no form of this command to disable gateway anti-spoofing.

Configuring Trust Port

To configure a trust port, perform this procedure.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface ethernet port-number
  4. [no] arp anti trust

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

Enters global configuration mode.

Step 3

interface ethernet port-number

Example:

Device(config)# interface ethernet 1/1 

Enters port configuration mode.

Step 4

[no] arp anti trust

Example:

Device(config-if-ethernet-1/1)# arp anti trust 

(Optional) Configures the port as a trusted port.

Use the no arp anti trust command to disable the feature.

Configuring Anti-Flood Attack

To configure anti-flood attack, perform this procedure.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. [no] arp anti-flood
  4. arp anti-flood threshold threshold_value
  5. arp anti-flood action {deny-all | deny-arp}
  6. arp anti-flood recover-time time
  7. arp anti-flood recover {mac address | all}
  8. interface ethernet port-number
  9. arp anti-flood threshold threshold_value

DETAILED STEPS

  Command or Action Purpose

Step 1

enable

Example:

Device> enable 

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal 

Enters global configuration mode.

Step 3

[no] arp anti-flood

Example:

Device(config)# arp anti-flood  

Enables ARP anti-flood attack prevention.

Use the no form of this command to disable this feature.

Step 4

arp anti-flood threshold threshold_value

Example:

Device(config)# arp anti-flood threshold 16 

Configures the global ARP anti-flood threshold value.

The default is 16 pps.

Step 5

arp anti-flood action {deny-all | deny-arp}

Example:

Device(config)# arp anti-flood action deny-arp 

(Optional) Specifies the type of packets to be discarded.

  • deny-all: Adds the host to the blackhole address list and discards all of its packets.

  • deny-arp: Discards only the ARP packets from the host.

Step 6

arp anti-flood recover-time time

Example:

Device(config)# arp anti-flood recover-time 100 

(Optional) Defines the recovery time interval after which a host is allowed to transmit again.

The recovery interval ranges from 0 to 1440 minutes. The default is 10 minutes.

Configuring a timeout interval of 0 requires the host to be restored manually.

Step 7

arp anti-flood recover {mac address | all}

Example:

Device(config)# arp anti-flood recover 00:00:00:00:32:33 

(Optional) Manually restores the host so that it can transmit again.

Step 8

interface ethernet port-number

Example:

Device(config)# interface ethernet 1/1 

Enters port configuration mode.

Step 9

arp anti-flood threshold threshold_value

Example:

Device(config-if)# arp anti-flood threshold 16 

Configures the ARP anti-flood threshold value for this interface, overriding the global value.

The default is 16 pps.

Monitoring ARP Snooping and Flood Attack

The commands in the following table can be used to monitor ARP snooping and flood attack.

Table 1. ARP Snooping and Flood Attack

  Command                    Purpose

  show arp anti-snooping     Displays the ARP anti-snooping configuration.

  show arp anti-flood        Displays the ARP anti-flood configuration and the attacker list.

  show arp anti interface    Displays the state of the interface.

Example: Preventing ARP Spoofing and Flood Attack

Network Requirements

Consider a network scenario in which a switch is connected to a DHCP server and two client devices within the same VLAN. To enable ARP anti-spoofing in this scenario, enable DHCP snooping and set the port connecting the switch to the DHCP server as the trust port of DHCP snooping.

The following example shows how to enable DHCP snooping, set ethernet 1/1 as the trust port of DHCP snooping, and bind the port IP to the ip-source-guard binding table.

Device> enable
Device# configure terminal 
Device(config)# dhcp-snooping
Device(config)# interface ethernet 1/1
Device(config-if-ethernet-1/1)# dhcp-snooping trust
Device(config-if-ethernet-1/1)# exit
Device(config)# ip-source-guard bind ip 192.168.5.10 mac 40:16:9f:f2:75:a8 interface ethernet 1/3 vlan 1

The following example shows how to configure ARP anti-spoofing.

Device> enable
Device# configure terminal
Device(config)# arp anti-spoofing 
Device(config)# arp anti-spoofing unknown discard
Device(config)# interface ethernet 1/1
Device(config-if-ethernet-1/1)# arp anti trust

Client A sends an ARP request to the DHCP server, and the DHCP server receives it.

Client B is configured with the static address IP=192.168.5.10 and MAC=40:16:9f:f2:75:a8. Client B sends an ARP request to the DHCP server, and the DHCP server receives it.

If ARP anti-spoofing is enabled and client B sends an ARP message whose source IP is that of client A, the device discards the message once it determines that the ARP message is spoofed.

In this example, the device determines whether an ARP message is spoofed according to the DHCP snooping client table or the ip-source-guard binding table. A Layer 3 device can also implement this function by using the static ARP table. All of these work on the same principle, so they are not described again here.