Solutions to ARP spoofing attacks

ARP table item solidification


If Attacker, posing as UserA, sends fake ARP packets to Gateway, Gateway records an incorrect address mapping for UserA in its ARP table, and the user can no longer receive normal data packets.


To defend against such gateway-spoofing attacks, the ARP entry curing function can be deployed on the gateway device. After the gateway device learns an ARP entry for the first time, it no longer allows the entry to be updated, allows only part of the entry to be updated, or confirms the validity of an ARP update message by sending a unicast ARP request message.





The three ARP entry curing modes provided by the device:


● fixed-all mode:

If the MAC address, interface, or VLAN information in the ARP packet received by the device does not match the information in the ARP table, it directly discards the ARP packet. This mode is suitable for scenarios where the user's MAC address is fixed and the user's access location is relatively fixed.

● fixed-mac mode:

If the MAC address in the ARP packet received by the device does not match the MAC address of the corresponding entry in the ARP table, the ARP packet will be discarded directly. If it matches, but the interface or VLAN information of the received packet does not match the corresponding entry in the ARP table, the interface and VLAN information in the corresponding ARP entry can be updated. This mode is suitable for scenarios where the user's MAC address is fixed but the user's access location changes frequently.

● send-ack mode:

① If the ARP message A received by the device involves a change to the MAC address, interface, or VLAN information of an ARP entry, the device does not update the entry immediately. It first sends a unicast ARP request message to the user corresponding to the existing MAC address of the entry to be updated, for confirmation.

② If the device receives ARP response message B within the next 3 seconds, and the IP address, MAC address, interface, and VLAN information in the current ARP entry are consistent with ARP response message B, then ARP message A is considered an attack message and the ARP entry is not updated.

③ If the device does not receive an ARP response message within the next 3 seconds, or the received ARP response message B is inconsistent with the IP address, MAC address, interface, and VLAN information in the current ARP entry, the device then sends a unicast ARP request message to the source MAC address of the ARP message A just received.

④ If ARP response message C is received within the next 3 seconds, and the source IP address, source MAC address, interface, and VLAN information of ARP message A and ARP response message C are consistent, then the existing ARP entry is considered invalid and ARP message A is considered a legitimate message that can update the entry. The ARP entry is updated according to ARP message A.

⑤ If no ARP response message is received within the next 3 seconds, or the source IP address, source MAC address, interface, and VLAN information of ARP message A and the received ARP response message C are inconsistent, then ARP message A is considered an attack message. The device ignores ARP message A and the ARP entry is not updated.

This mode is suitable for scenarios where the user's MAC address and access location change frequently.
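The decision logic of the three modes, as an added example that is not part of the original page or of any vendor's code. The names `Arp`, `check_update` and `probe_from`, the interface names and all addresses are constructed for illustration; a probe stands for one unicast ARP request and its 3-second reply window.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class Arp:
    """What the gateway compares: sender IP and MAC, ingress interface, VLAN."""
    ip: str
    mac: str
    iface: str
    vlan: int

# A probe models one unicast ARP request to a MAC address. It returns the reply
# seen within the 3-second window, or None if the window expires.
Probe = Callable[[str], Optional[Arp]]

def probe_from(live_hosts: Dict[str, Arp]) -> Probe:
    """Constructed stand-in for the network: only the listed MACs answer."""
    return live_hosts.get

def check_update(mode: str, entry: Arp, pkt: Arp,
                 probe: Probe = lambda mac: None):
    """Return (verdict, entry_afterwards) for packet `pkt` against `entry`."""
    if pkt == entry:
        return "accept", entry                 # nothing would change
    if mode == "fixed-all":
        return "drop", entry                   # any mismatch is discarded
    if mode == "fixed-mac":
        if pkt.mac != entry.mac:
            return "drop", entry
        return "update", pkt                   # same MAC, new interface/VLAN
    if mode == "send-ack":
        if probe(entry.mac) == entry:          # steps 1-2: old owner confirms
            return "drop", entry
        if probe(pkt.mac) == pkt:              # steps 3-4: new owner confirms
            return "update", pkt
        return "drop", entry                   # step 5: nobody confirms
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample data: UserA as first learned, a move, and a spoof.
USER_A = Arp("10.0.0.5", "aa:aa:aa:aa:aa:05", "GE0/0/1", 10)
MOVED = Arp("10.0.0.5", "aa:aa:aa:aa:aa:05", "GE0/0/7", 20)
SPOOF = Arp("10.0.0.5", "cc:cc:cc:cc:cc:66", "GE0/0/3", 10)
```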

Dynamic ARP inspection


ARP is a frequent target of network attacks, and the man-in-the-middle attack is one of the common ARP spoofing attacks.

To defend against man-in-the-middle attacks, you can deploy the DAI (Dynamic ARP Inspection) function on the Switch.

Dynamic ARP inspection uses binding tables to defend against man-in-the-middle attacks. When the device receives an ARP packet, it compares the source IP, source MAC, VLAN, and interface information corresponding to the ARP packet with the information in the binding table. If the information matches, it means that the user who sent the ARP packet is a legitimate user, and the ARP message of this user is allowed to pass. Otherwise, it will be considered as an attack and the ARP message will be discarded.

Note: The dynamic ARP inspection function is only applicable to DHCP Snooping scenarios. After the DHCP Snooping function is enabled on the device, the device automatically generates a DHCP Snooping binding table when a DHCP user goes online. For users with statically configured IP addresses, the device does not generate a DHCP Snooping binding table, so you need to add a static binding table manually.

After the dynamic ARP inspection function is deployed on the Switch, if an attacker connects to the Switch and tries to send a forged ARP packet, the Switch detects the attack based on the binding table and discards the ARP packet. If the alarm function for packets discarded by dynamic ARP inspection is also enabled on the Switch, the Switch sends an alarm to notify the administrator when the number of ARP packets discarded for not matching the binding table exceeds the alarm threshold.
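The binding-table check and the discard alarm, modelled as an added example that is not from the original page or from any switch software. The class `DaiSwitch`, its method names and the alarm text are hypothetical; addresses and interface names in the comments are constructed.

```python
class DaiSwitch:
    """Model of dynamic ARP inspection driven by a binding table."""

    def __init__(self, alarm_threshold: int):
        self.bindings = set()            # (ip, mac, vlan, iface) tuples
        self.alarm_threshold = alarm_threshold
        self.dropped = 0                 # ARP packets discarded so far
        self.alarms = []                 # messages sent to the administrator

    def on_dhcp_ack(self, ip: str, mac: str, vlan: int, iface: str) -> None:
        """DHCP Snooping saw an ACK for this client: add a dynamic binding."""
        self.bindings.add((ip, mac.lower(), vlan, iface))

    def add_static_binding(self, ip: str, mac: str, vlan: int, iface: str) -> None:
        """Manual binding for a host with a statically configured address."""
        self.bindings.add((ip, mac.lower(), vlan, iface))

    def inspect(self, src_ip: str, src_mac: str, vlan: int, iface: str) -> bool:
        """Return True to forward the ARP packet, False to discard it."""
        if (src_ip, src_mac.lower(), vlan, iface) in self.bindings:
            return True
        self.dropped += 1
        # Alarm once, at the moment the discard count first exceeds the threshold.
        if self.dropped == self.alarm_threshold + 1:
            self.alarms.append(
                f"ARP packets discarded by DAI: {self.dropped} "
                f"(threshold {self.alarm_threshold})")
        return False

# Typical sequence (constructed values):
#   sw = DaiSwitch(alarm_threshold=2)
#   sw.on_dhcp_ack("10.0.0.5", "aa:aa:aa:aa:aa:05", 10, "GE0/0/1")
#   sw.inspect("10.0.0.5", "aa:aa:aa:aa:aa:05", 10, "GE0/0/1")   # forwarded
#   sw.inspect("10.0.0.1", "cc:cc:cc:cc:cc:66", 10, "GE0/0/3")   # discarded
```

A statically addressed host is discarded in exactly the same way as a forged packet until `add_static_binding` is called for it, which is why the manual binding in the note above matters.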

ARP anti-gateway conflict


To prevent attackers from spoofing the gateway, you can enable the ARP anti-gateway conflict function on the gateway device. The device treats a received ARP packet as conflicting with the gateway address if either of the following conditions is met:

① The source IP address of the ARP packet is the same as the IP address of the VLANIF interface corresponding to the incoming interface of the packet.

② The source IP address of the ARP packet is the virtual IP address of the inbound interface, but the source MAC address of the ARP packet is not the VRRP virtual MAC.

At this time, you can also enable the function of sending gratuitous ARP messages on the device, and send correct gratuitous ARP messages to all users through broadcast, and quickly correct the wrong gateway address mappings recorded by users that have been attacked.


Send gratuitous ARP message


If Attacker, posing as the gateway, sends a forged ARP message to UserA, UserA records an incorrect gateway address mapping in its ARP table, and normal data can no longer be received by the gateway.

In order to avoid the above-mentioned hazards, the function of sending gratuitous ARP packets can be deployed on the gateway device to regularly update the user's ARP table entry so that the user's ARP table entry records the correct gateway MAC address.


MAC address consistency check in ARP packets


The MAC address consistency check function in the ARP message is mainly applied to the gateway device to prevent ARP attacks in which the source/destination MAC address in the header of the Ethernet data frame and the source/destination MAC address in the ARP message are different.

After deploying this function, the gateway device will check ARP packets before performing ARP learning. If the source/destination MAC address in the header of the Ethernet data frame is different from the source/destination MAC address in the ARP message, it is considered an attack message and discarded; otherwise, ARP learning continues.
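The consistency check applied to a raw frame, as an added example that is not part of the original page. The function names and all addresses are constructed, and limiting the destination comparison to unicast replies is an assumption of this sketch, since ARP requests and gratuitous ARP are sent to the broadcast address.

```python
import struct

ETH_ARP, ETH_VLAN = 0x0806, 0x8100
BROADCAST = b"\xff" * 6

def arp_macs_consistent(frame: bytes) -> bool:
    """True if the ARP payload's MAC fields agree with the Ethernet header."""
    if len(frame) < 18:
        raise ValueError("frame too short")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == ETH_VLAN:                  # skip one 802.1Q tag
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    if ethertype != ETH_ARP or len(frame) < off + 28:
        raise ValueError("not a complete ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender_mac = frame[off + 8:off + 14]
    target_mac = frame[off + 18:off + 24]
    if sender_mac != eth_src:                  # source check, every ARP packet
        return False
    # Assumption: the destination check is applied to unicast replies only;
    # requests and gratuitous ARP use a broadcast Ethernet destination.
    if oper == 2 and eth_dst != BROADCAST and target_mac != eth_dst:
        return False
    return True

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa, vlan=None) -> bytes:
    """Build a constructed test frame from hex MACs and dotted-quad IPs."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    return (mac(eth_dst) + mac(eth_src) + tag + struct.pack("!H", ETH_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed addresses for the demonstration.
GW, USER, ATTACKER = "00:e0:fc:00:00:01", "aa:aa:aa:aa:aa:05", "cc:cc:cc:cc:cc:66"
```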


DHCP triggers ARP learning


In the DHCP user scenario, when the number of DHCP users is large, the learning and aging of large-scale ARP entries by the device will have an impact on the performance of the device and the network environment.

To avoid this problem, you can deploy the DHCP-triggered ARP learning function on the gateway device. When the DHCP server assigns an IP address to the user, the gateway device directly generates an ARP entry for the user according to the DHCP ACK message received on the VLANIF interface. The prerequisite for this function to take effect is that DHCP Snooping is enabled.

The gateway device can also deploy dynamic ARP inspection at the same time to prevent the ARP entries of DHCP users from being maliciously modified by forged ARP messages.


© Copyright 591Lab 2020. All Rights Reserved.