Technical Manual
of another host with a particular IP address, and an ARP response comes from the host whose address
matches the request. The requesting host then caches this ARP response. Within the ARP protocol,
another provision is made for hosts to perform unsolicited ARP replies. The unsolicited ARP replies
are called Gratuitous ARP (GARP). GARP can be exploited maliciously by an attacker to spoof the
identity of an IP address on a LAN segment. This is typically used to spoof the identity between two
hosts or all traffic to and from a default gateway in a "man-in-the-middle" attack.
When an ARP reply is crafted, a network attacker can make his or her system appear to be the
destination host sought by the sender. The ARP reply causes the sender to store the MAC address of
the network attacker's system in the ARP cache. This MAC address is also stored by the switch in its
CAM table. In this way, the network attacker has inserted the MAC address of his or her system into
both the switch CAM table and the ARP cache of the sender. This allows the network attacker to
intercept frames destined for the host that he or she is spoofing.
Hold-down timers in the interface configuration menu can be used to mitigate ARP spoofing attacks
by setting the length of time an entry will stay in the ARP cache. However, hold-down timers by
themselves are insufficient. Modification of the ARP cache expiration time on all end systems is
required, as well as static ARP entries. Another solution that can be used to mitigate various
ARP-based network exploits is the use of DHCP snooping along with dynamic ARP inspection.
These Catalyst features validate ARP packets in a network and permit the interception, logging, and
discarding of ARP packets with invalid MAC address to IP address bindings.
DHCP snooping filters trusted DHCP messages in order to provide security. Then, these messages are
used to build and maintain a DHCP snooping binding table. DHCP snooping considers DHCP
messages that originate from any user-facing port that is not a DHCP server port as untrusted. From a
DHCP snooping perspective, these untrusted user-facing ports must not send DHCP server type
responses, such as DHCPOFFER, DHCPACK, or DHCPNAK. The DHCP snooping binding table
contains the MAC address, IP address, lease time, binding type, VLAN number, and interface
information that corresponds to the local untrusted interfaces of a switch. The DHCP snooping
binding table does not contain information about hosts interconnected with a trusted interface. An
untrusted interface is an interface configured to receive messages from outside the network or
firewall. A trusted interface is an interface that is configured to receive only messages from within the
network. The DHCP snooping binding table can contain both dynamic and static MAC address to IP
address bindings.
Dynamic ARP inspection determines the validity of an ARP packet based on the valid MAC address
to IP address bindings stored in a DHCP snooping database. Additionally, dynamic ARP inspection
can validate ARP packets based on user-configurable access control lists (ACLs). This allows for the
inspection of ARP packets for hosts that use statically configured IP addresses. Dynamic ARP
inspection allows for the use of per-port and VLAN Access Control Lists (PACLs) to limit ARP
packets for specific IP addresses to specific MAC addresses.
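The validation logic described above, written out as an added example (not code from the manual or from Catalyst software): a dynamic ARP inspection check that consults a DHCP snooping binding table, falls back to an ARP ACL for statically addressed hosts, and bypasses trusted interfaces. The binding table, ARP ACL, port names and sample packets are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table: (vlan, ip) -> (mac, interface).
# As the text states, only hosts learned on untrusted ports have entries.
BINDINGS = {
    (10, "10.1.10.20"): ("0011.2233.4455", "Gi1/0/2"),
    (10, "10.1.10.21"): ("0011.2233.4466", "Gi1/0/3"),
}
# Constructed ARP ACL entry for a host with a statically configured address.
ARP_ACL = {("10.1.10.100", "00aa.bbcc.dd01")}
# Constructed trust state: only the uplink toward the DHCP server is trusted.
TRUSTED_PORTS = {"Gi1/0/24"}

@dataclass
class ArpPacket:
    ingress: str        # interface the packet arrived on
    vlan: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    is_reply: bool

def inspect(pkt: ArpPacket) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'permit' or 'deny'."""
    if pkt.ingress in TRUSTED_PORTS:            # trusted ports bypass inspection
        return "permit", "trusted interface"
    if (pkt.sender_ip, pkt.sender_mac) in ARP_ACL:   # static hosts need no lease
        return "permit", "matched ARP ACL"
    binding = BINDINGS.get((pkt.vlan, pkt.sender_ip))
    if binding is None:
        return "deny", f"no binding for {pkt.sender_ip} on vlan {pkt.vlan}"
    mac, iface = binding
    if mac != pkt.sender_mac:
        return "deny", f"sender MAC {pkt.sender_mac} != bound {mac}"
    if iface != pkt.ingress:
        return "deny", f"binding on {iface}, packet from {pkt.ingress}"
    # A gratuitous ARP (sender IP == target IP) is only honoured when it is
    # consistent with the binding, which is what defeats the spoof above.
    gratuitous = pkt.sender_ip == pkt.target_ip
    return "permit", ("gratuitous ARP from bound host" if gratuitous else "binding match")

# Constructed traffic: a legitimate reply, a GARP claiming the gateway's
# address from a port bound to a different IP, and a static host's request.
SAMPLES = [
    ArpPacket("Gi1/0/2", 10, "10.1.10.20", "0011.2233.4455", "10.1.10.1", True),
    ArpPacket("Gi1/0/3", 10, "10.1.10.1", "0011.2233.4466", "10.1.10.1", True),
    ArpPacket("Gi1/0/5", 10, "10.1.10.100", "00aa.bbcc.dd01", "10.1.10.20", False),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p.ingress, p.sender_ip, *inspect(p))
```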
Dynamic Host Configuration Protocol (DHCP) Starvation
A DHCP starvation attack works by the broadcast of DHCP requests with spoofed MAC addresses. If
enough requests are sent, the network attacker can exhaust the address space available to the DHCP
servers for a period of time. The network attacker can then set up a rogue DHCP server on his or her
system and respond to new DHCP requests from clients on the network. With the placement of a
rogue DHCP server on the network, a network attacker can provide clients with addresses and other
network information. Because DHCP responses typically include default gateway and DNS server
information, the network attacker can supply his or her own system as the default gateway and DNS
server. This results in a man-in-the-middle attack. However, exhausting all of the DHCP
addresses is not required to introduce a rogue DHCP server.