Dynamic ARP Inspection (DAI) is a layer 2 security feature configured on switches. It inspects ARP messages arriving on untrusted ports and filters them by comparing them against the DHCP snooping binding table and any configured ARP ACLs. If an ARP message does not match an entry, the packet is discarded.
To understand how DAI protects against these attacks, one must first understand standard ARP and gratuitous ARP (GARP).
Typically, a host employs ARP when it knows the IP address of another host and wishes to discover its MAC address.
PC1 knows the IP address of the router, but it needs the router's MAC address to reach the Internet. So PC1 sends an ARP request for router 1. The ARP request is broadcast to every device on the network, but only router 1 answers, because the target IP address in the request is router 1's own.
In response, the router sends PC1 a unicast ARP reply containing its MAC address. ARP replies are unicast.
After this exchange, both the router and PC1 have each other's MAC addresses in their ARP tables. This is normal ARP.
What is GARP?
It is an ARP reply that is sent without any preceding ARP request.
It is sent to the Ethernet broadcast destination address so that every host on the subnet receives it. For example, when a host's MAC address changes, it sends a gratuitous ARP reply to all other hosts in the subnet so they can update their ARP tables.
So there is one key distinction: normal ARP replies are unicast, whereas GARP replies are broadcast.
How do attackers use GARP to their advantage?
Let's understand this with an example.
There are two computers in this diagram: PC1 (IP: 172.16.2.101, MAC: MAC1) and PC A (MAC: MAC A). In this scenario PC A is an attacker sending a GARP to the other devices on the network. Notice that the sender IP address in this ARP reply is PC1's.
Normally a PC sends a GARP to tell the other hosts that its MAC address has changed, with the new MAC address included in the message, so that all other hosts can update their ARP tables.
Attackers, however, abuse GARP. Here the attacker's goal is to send a GARP so that the other hosts update their ARP tables with a spoofed MAC address. As a result, when they send traffic to PC1, PC A receives it, keeps a copy, and then forwards it to the intended receiver, PC1.
This is a man-in-the-middle attack. To prevent this form of man-in-the-middle attack, switches are configured with DAI.
How does dynamic ARP inspection (DAI) counter attacks?
DAI compares the sender IP and sender MAC fields (the "origin" addresses) of ARP messages received on untrusted ports with the DHCP snooping binding database. If the sender IP/MAC pair is found in the table, DAI accepts the message; otherwise it is discarded.
DAI filtering according to the DHCP binding table
This is the same example as before, except that DAI is now configured on switch 2. So when PC A sends its ARP message, the switch first looks up the sender IP and sender MAC address in its DHCP snooping binding table. As shown in the figure, IP 172.16.2.101 is bound to MAC1, yet the ARP message claims sender IP 172.16.2.101 with sender MAC A. Because the sender IP/MAC pair does not match any entry in the binding table, the packet is dropped.
DAI additionally checks the source MAC field in the Ethernet header against the sender hardware address field in the ARP message. Only when both fields carry the same value does DAI accept the message.
DAI, like DHCP snooping, uses the concept of trusted and untrusted ports. Ports facing endpoints are untrusted, while ports facing other network devices, such as servers and routers, are trusted.
Use rate limiting to prevent denial-of-service attacks
DoS attacks are possible because both DHCP snooping and DAI are performed by the switch CPU. By sending a large volume of ARP messages, an attacker can exhaust it: the CPU has limited resources and cannot process a huge number of requests at once. To prevent this, rate limiting of ARP messages is configured per port.
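To make the binding-table check, the Ethernet-source vs. ARP-sender check, the trusted/untrusted port distinction and the per-port rate limit concrete, here is an added Python model of a DAI-enabled switch. It is example code written for this article, not a real switch implementation or any vendor's code. It assumes a constructed binding table for the PC1 / PC A scenario, hypothetical port names (Gi0/1, Gi0/2, trusted uplink Gi0/24), a constructed limit of 15 ARP packets per second, and it models a limit violation by placing the port into an err-disabled state.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpMessage:
    """The fields DAI inspects: the Ethernet source MAC and the ARP sender fields."""
    ingress_port: str
    eth_src_mac: str   # source MAC in the Ethernet header
    sender_mac: str    # "sender hardware address" in the ARP body
    sender_ip: str     # "sender protocol address" in the ARP body


@dataclass
class DaiSwitch:
    """Toy model of a switch running DHCP snooping + DAI (hypothetical, not a real switch)."""
    bindings: Set[Tuple[str, str]]                            # (ip, mac) learned by DHCP snooping
    trusted_ports: Set[str]                                   # uplinks to routers/servers
    arp_acl: Set[Tuple[str, str]] = field(default_factory=set)  # static (ip, mac) entries
    rate_limit_pps: int = 15                                  # constructed per-port limit
    err_disabled: Set[str] = field(default_factory=set)
    _pps: Dict[Tuple[str, int], int] = field(default_factory=dict)

    def inspect(self, msg: ArpMessage, second: int) -> Tuple[bool, str]:
        """Return (accepted, reason) for one ARP message arriving at time `second`."""
        port = msg.ingress_port
        if port in self.err_disabled:
            return False, "port err-disabled after rate-limit violation"
        if port in self.trusted_ports:
            return True, "trusted port, not inspected"
        # Rate limiting: count ARP packets per untrusted port per second.
        key = (port, second)
        self._pps[key] = self._pps.get(key, 0) + 1
        if self._pps[key] > self.rate_limit_pps:
            self.err_disabled.add(port)
            return False, "rate limit exceeded, port err-disabled"
        # Additional check: Ethernet source MAC must equal the ARP sender MAC.
        if msg.eth_src_mac != msg.sender_mac:
            return False, "ethernet src MAC != ARP sender MAC"
        # Core check: the sender IP/MAC pair must exist in the bindings or an ARP ACL.
        pair = (msg.sender_ip, msg.sender_mac)
        if pair in self.bindings or pair in self.arp_acl:
            return True, "sender IP/MAC matches binding"
        return False, "sender IP/MAC not in DHCP snooping bindings or ARP ACL"


def build_demo_switch() -> DaiSwitch:
    # Constructed topology from the article: PC1 on Gi0/1 with 172.16.2.101/MAC1,
    # attacker PC A on Gi0/2 with MACA (its real lease is 172.16.2.102),
    # router 1 reached through the trusted uplink Gi0/24.
    return DaiSwitch(
        bindings={("172.16.2.101", "MAC1"), ("172.16.2.102", "MACA")},
        trusted_ports={"Gi0/24"},
    )


def run_demo() -> List[Tuple[str, bool, str]]:
    """Run the article's scenario through the model; returns (label, accepted, reason)."""
    sw = build_demo_switch()
    cases = [
        ("PC1 normal ARP", ArpMessage("Gi0/1", "MAC1", "MAC1", "172.16.2.101")),
        ("PC A GARP claiming PC1's IP", ArpMessage("Gi0/2", "MACA", "MACA", "172.16.2.101")),
        ("PC A with forged ARP sender MAC", ArpMessage("Gi0/2", "MACA", "MAC1", "172.16.2.101")),
        ("Router reply on trusted uplink", ArpMessage("Gi0/24", "MACR", "MACR", "172.16.2.1")),
    ]
    results = [(label, *sw.inspect(m, second=0)) for label, m in cases]
    # Flood: PC A sends 16 valid-looking ARP packets in one second; the 16th trips the limit.
    flood = ArpMessage("Gi0/2", "MACA", "MACA", "172.16.2.102")
    last = (True, "")
    for _ in range(16):
        last = sw.inspect(flood, second=1)
    results.append(("PC A flood, 16th packet", *last))
    return results


if __name__ == "__main__":
    for label, ok, why in run_demo():
        print(f"{'ACCEPT' if ok else 'DROP  '} {label}: {why}")
```

The order of checks mirrors the article: trusted ports bypass inspection entirely, the rate limit is enforced before any per-packet work so a flood cannot consume CPU on the lookups, and only then are the Ethernet/ARP MAC consistency and the binding-table match evaluated.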