Category: Security – layer 2

Prevent ARP Spoofing using Dynamic ARP Inspection – DAI

Additional protection of potential man in the middle attack
Dynamic ARP Inspection will help us prevent Address Resolution Protocol – ARP spoofing attacks with help of DHCP functionality and specially DHCP snooping. This is why  Dynamic ARP Inspection is usually used simultaneously with DCHP snooping. Let’s se how is this technology protecting us from ARP attack.

Spoofing Attacks – ARP Spoofing

How attacker can launch man in the middle attack using ARP spoofing and what is ARP spoofing?
Attackers can attempt to launch an attack by sending gratuitous ARP – GARP replies. GARP reply messages are sent from some device in the network to other without the prior receiving of a request for sending a ARP reply. Is an ARP reply without cause. This reply without cause can tell network devices that the attacker’s MAC address corresponds to specific IP addresses that is actually IP address of some other device in the LAN.

Prevent DHCP Server Spoofing by using DHCP snooping

Function of DHCP

On our networks all the different clients will usually obtain their IP address information automatically, using DHCP – Dynamic Host Configuration Protocol. This is faster and more precise than having their IP address information statically configured by manually entering the IP address, subnet mast and Default gateway into PC.

DHCP Attack

DHCP spoofing - All data going accross Attacker PCTo dynamically obtain IP address information, a client makes a DHCP request. A DHCP server sends back a DHCP response in which includes information as an IP address, subnet mask, and default gateway. If an attacker puts and false DHCP server in our LAN network, the rogue DHCP server can respond to a client’s DHCP request. Even if the rogue DHCP server and the actual DHCP server both respond to the request of our PC, the PC will use the rogue DHCP server’s response if it reaches the PC faster than actual DHCP server.

More about DHCP and about DHCP attack here. Let’s se the mechanisms to mitigate the attacks or prevent them fully:


DHCP snooping

The DHCP snooping feature on Cisco and Juniper switches can be used to mitigate a DHCP server spoofing attack. With this mechanism switch ports are configured in two different state, the trusted and untrusted state. If a port is configured to be trusted, it can receive DHCP responses. In other way, if a port is untrusted, it is not allowed to receive DHCP responses, and if a false attackers DHCP response attempts to enter an untrusted port, the port will be disabled.

STP Layer 2 attack – Manipulating Spanning Tree Protocol settings

Redundant links are always welcome in switch topology as they are increasing the network’s availability and robustness.

Redundant links, if we look at them from layer 2 perspective, can cause Layer 2 loops. This is simply because TTL (Time To Live) field of the packet is found in Layer 3 header and L2 doesn’t have such a field.

On L3, this means that TTL number will be diminished only when the packet is passing through the router. There is no way to “kill” a packet that is stuck in layer 2 loop. This situation can result in broadcast storms.

Fortunately, Spanning Tree Protocol (STP) can allow you to have redundant links while having a loop-free topology, thus preventing the potential for a broadcast storm.