Using dynamic ARP inspection to stop sniffing attacks

Expert Michael Gregg discusses how dynamic Address Resolution Protocol inspection helps prevent hackers from penetrating enterprise switches.

Securing the network infrastructure has never been more important. Today, employees and co-workers access resources from many different locations, ranging from the workplace and mobile networks to free Wi-Fi found at restaurants and other public locations. What's the one thing all these technologies have in common? They all make use of switches. Attackers can exploit switches if they're not properly secured with dynamic ARP inspection (DAI). One common exploit is sniffing. Sniffers can potentially allow an attacker to capture passwords, usernames or other types of sensitive information.

For sniffers to be used successfully, the attacker must be on your local network or have access to a switch through which traffic passes. The attacker must also redirect this traffic so that he can have access to it. Network professionals redirect traffic with port mirroring. While the attacker most likely does not have direct access to your switches, there are other ways for him to capture sensitive information. Normally, a switch limits the traffic that a sniffer can see to broadcast packets and those specifically addressed to the attached system. Traffic between other hosts would not be seen by the attacker, as it would not be forwarded to the switch port to which the sniffer is plugged in. The attacker can, however, attempt to bypass this functionality with techniques that include Media Access Control (MAC) flooding and Address Resolution Protocol (ARP) poisoning.

MAC flooding can cause switches to divert to fail-open state

MAC flooding is the act of attempting to overload a switch's content addressable memory (CAM) table. All switches build a lookup table that maps MAC addresses to switch port numbers. This enables the switch to know which port to forward each specific packet out of. The problem is that in older or low-end switches, the amount of memory is limited. If the CAM table fills up and the switch can hold no more entries, some switches might divert to a fail-open state, which means that all frames start flooding out of all ports of the switch. This allows the attacker to sniff traffic that might not otherwise be visible.

ARP poisoning, meanwhile, works by sending unsolicited ARP replies. This allows the attacker to redirect the traffic to his system so that he can intercept it. Neither attack is perfect. MAC flooding can be detected because the attacker injects a large amount of traffic into the network, which can draw attention to the attacker. Network professionals can detect ARP cache poisoning because of the large number of ARP replies without corresponding ARP request packets.

Dynamic ARP inspection can stop these attacks. DAI is a security feature that validates ARP packets. DAI functions by performing an IP-to-MAC address binding inspection. The results are stored in a trusted lookup table. Basically, DAI intercepts all ARP requests and responses, verifies that each of these intercepted packets is valid and silently drops invalid ARP packets. DAI can be used to define trusted and untrusted interfaces. By default, the rate limit for untrusted interfaces is 15 packets per second; however, this can be adjusted. Once implemented, DAI prevents attackers from successfully launching ARP poisoning attacks. If you have not enabled this functionality in your network infrastructure, you should consider doing so.
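The inspection logic described above, modeled in Python as an added example (not from the original article and not any vendor's implementation). The port names, the documentation-range addresses and the choice to simply drop packets over the rate limit are assumptions, and the sample traffic is constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Arp:
    ts: float         # arrival time in seconds
    port: str         # ingress switch port
    sender_ip: str    # IP the packet claims
    sender_mac: str   # MAC the packet claims for that IP

@dataclass
class DaiModel:
    bindings: dict        # trusted IP -> MAC lookup table
    trusted_ports: set    # interfaces exempt from inspection
    rate_limit: int = 15  # packets per second on untrusted interfaces
    window: dict = field(default_factory=dict)  # port -> (second, count)

    def inspect(self, pkt: Arp) -> str:
        if pkt.port in self.trusted_ports:
            return "forward"
        sec = int(pkt.ts)
        start, count = self.window.get(pkt.port, (sec, 0))
        count = count + 1 if start == sec else 1
        self.window[pkt.port] = (sec, count)
        if count > self.rate_limit:
            # Assumption: the excess is simply dropped; real switches differ.
            return "drop:rate"
        if self.bindings.get(pkt.sender_ip) != pkt.sender_mac:
            return "drop:binding"
        return "forward"

def demo():
    gw, host, rogue = "00:00:5e:00:53:01", "00:00:5e:00:53:20", "00:00:5e:00:53:66"
    dai = DaiModel({"192.0.2.1": gw, "192.0.2.20": host}, {"uplink"})
    packets = [  # constructed sample traffic
        Arp(0.1, "port2", "192.0.2.20", host),    # genuine host
        Arp(0.2, "port3", "192.0.2.1", rogue),    # forged gateway reply
        Arp(0.3, "uplink", "192.0.2.1", gw),      # trusted interface
    ]
    verdicts = [dai.inspect(p) for p in packets]
    # 20 valid packets inside one second on an untrusted port
    burst = [dai.inspect(Arp(5.0 + i / 100, "port4", "192.0.2.20", host)) for i in range(20)]
    return verdicts, burst

if __name__ == "__main__":
    print(demo())
```

The forged gateway reply is dropped because its sender MAC does not match the binding for that IP, and only the first 15 packets of the burst are forwarded.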

About the author:
Michael Gregg, CISSP, CISA, CISM, CASP, is an "ethical hacker" who provides cybersecurity and penetration-testing services to Fortune 500 companies and U.S. government agencies. He's published more than a dozen books on IT security and is a well-known speaker and security trainer. Gregg is chief operations officer of Superior Solutions Inc., headquartered in Houston.

This was last published in March 2014
