Requirement:
Mitigating an ARP spoofing attack launched with dsniff (arpspoof), a Kali Linux tool.
Solution: The attack can be mitigated with the ARP Inspection (arp-protect) feature of the Aruba switch.
Tested with firmware version KB.16.06.0008 on an Aruba 3810M 24G 1-slot Switch (JL071A).
Prerequisite:
The ARP Inspection feature validates ARP packets against the information in the DHCP Snooping Binding Database, so DHCP snooping has to be configured before ARP Inspection is enabled.
If the clients do not obtain their IP addresses from the DHCP server, a manual entry must be created in the DHCP snooping binding database with the command:
ip source-binding <VLAN_ID> <GATEWAY_IP> <MAC_OF_GATEWAY_IP> <INTERFACE_CONNECTING_TO_GATEWAY>
Configuration:
L3 Switch (working as the DHCP server)
vlan 1 --> Acting as the default gateway
name "DEFAULT_VLAN"
untagged A1-A24
ip address 10.1.1.1 255.255.255.0
dhcp-server
exit
!
dhcp-server pool "DHCP"
network 10.1.1.0 255.255.255.0
range 10.1.1.20 10.1.1.250
exit
dhcp-server enable
L2 Switch (switch where the ARP Inspection and DHCP snooping features are enabled)
dhcp-snooping
dhcp-snooping vlan 1
ip source-binding 1 10.1.1.1 0021f7-c40d00 24 --> Manual entry in the DHCP snooping binding database (gateway IP)
ip source-binding 1 10.1.1.10 005056-8401ad 23 --> Manual entry in the DHCP snooping binding database (victim IP)
ip source-binding 1 10.1.1.21 00074d-8283b4 2 --> Manual entry in the DHCP snooping binding database (attacker IP)
interface 24 --> Uplink interface to the L3 switch
dhcp-snooping trust
arp-protect trust
exit
!
vlan 1
name "DEFAULT_VLAN"
untagged 1-24,A1-A2 (A1 is the interface to which the attacker (Linux) is connected, A2 is the interface to which the victim is connected)
ip address 10.1.1.4 255.255.255.0
exit
arp-protect
arp-protect vlan 1
============================================================
The dsniff command used to initiate the attack:
pnb@nsc-xubuntu-11:~$ sudo arpspoof -i eth1 -c both -t 10.1.1.10 -r 10.1.1.1
Note that this is a directed ARP spoofing attack against a specific victim.
10.1.1.21 --> Attacker IP which is initiating the ARP spoof attack
10.1.1.10 --> Victim IP
10.1.1.1 --> Gateway IP whose MAC address is being spoofed.
Verification:
Without ARP Inspection enabled, after the attacker runs the arpspoof command:
On the Windows machine, the ARP entry for the default gateway (10.1.1.1) shows the MAC address of the attacker:
(GATEWAY IP WITH ATTACKER MAC --> ATTACK SUCCESSFUL)
C:\>arp -a
Interface: 10.1.1.10 --- 0xf
  Internet Address      Physical Address      Type
  10.1.1.1              00-07-4d-82-83-b4     dynamic
=========================================================
After ARP Inspection is enabled, the spoofed ARP replies are dropped and the attack is denied:
(GATEWAY IP WITH GATEWAY MAC --> ATTACK UNSUCCESSFUL)
C:\>arp -a
Interface: 10.1.1.10 --- 0xf
  Internet Address      Physical Address      Type
  10.1.1.1              00-21-f7-c4-0d-00     dynamic
Additionally, the attack packets generated by the dsniff tool can be seen on the switch console by running the following debug commands:
debug destination session
debug security arp-protect
========================================================
The ARP spoofing packets generated by the dsniff tool (Ethernet source, Ethernet destination, EtherType 0806, length, then the ARP reply claiming that the gateway or victim IP "is-at" the attacker's MAC):
0:7:4d:82:83:b4 0:50:56:84:1:ad 0806 42: arp reply 10.1.1.1 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:21:f7:c4:d:0 0806 42: arp reply 10.1.1.10 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:50:56:84:1:ad 0806 42: arp reply 10.1.1.1 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:21:f7:c4:d:0 0806 42: arp reply 10.1.1.10 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:50:56:84:1:ad 0806 42: arp reply 10.1.1.1 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:21:f7:c4:d:0 0806 42: arp reply 10.1.1.10 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:50:56:84:1:ad 0806 42: arp reply 10.1.1.1 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:21:f7:c4:d:0 0806 42: arp reply 10.1.1.10 is-at 0:7:4d:82:83:b4
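The following Python script is an added example (not Aruba switch code) that models the decision ARP Inspection makes for each ARP reply using the DHCP snooping binding database. It builds the binding table from the three ip source-binding entries and the arp-protect trust port in the L2 switch configuration above, parses constructed copies of the dsniff "arp reply" lines shown above, and also checks a Windows "arp -a" row against the binding for the gateway. The MAC/IP match is what the feature is documented to do; the ingress-port comparison is an assumption drawn from the fact that each binding records a port, and the helper and function names are the example's own.

```python
"""Model of the ARP Inspection decision made against a DHCP snooping binding
database. Added example, not Aruba switch code: it reproduces the check the
switch performs for each ARP reply, using the 'ip source-binding' entries and
trusted-port setting from the L2 switch configuration above, and runs it over
constructed copies of the 'arp reply' lines printed by the dsniff tool."""
import re
from dataclasses import dataclass

VLAN = 1

# Binding database keyed by (vlan, ip) -> (mac, port), copied from the
# 'ip source-binding 1 <ip> <mac> <port>' lines above (MACs normalised).
BINDINGS = {
    (VLAN, "10.1.1.1"):  ("00:21:f7:c4:0d:00", 24),  # gateway
    (VLAN, "10.1.1.10"): ("00:50:56:84:01:ad", 23),  # victim
    (VLAN, "10.1.1.21"): ("00:07:4d:82:83:b4", 2),   # attacker host
}

# Ports configured with 'arp-protect trust' (the uplink to the L3 switch).
TRUSTED_PORTS = {24}


def normalise_mac(mac: str) -> str:
    """Accept '0:7:4d:82:83:b4' (dsniff), '0021f7-c40d00' (Aruba) or
    '00-07-4d-82-83-b4' (Windows) and return 'xx:xx:xx:xx:xx:xx'."""
    if ":" in mac:
        fields = [f"{int(f, 16):02x}" for f in mac.split(":")]
    else:
        digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
        fields = [digits[i:i + 2] for i in range(0, len(digits), 2)]
    if len(fields) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(fields)


@dataclass
class ArpReply:
    eth_src: str     # Ethernet source MAC
    eth_dst: str     # Ethernet destination MAC
    sender_ip: str   # ARP sender protocol address ("10.1.1.1 is-at ...")
    sender_mac: str  # ARP sender hardware address (the MAC being claimed)


# One dsniff line: "<src> <dst> 0806 <len>: arp reply <ip> is-at <mac>"
LINE_RE = re.compile(
    r"^(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)\s+0806\s+\d+:\s+"
    r"arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-f:]+)$"
)


def parse_line(line: str) -> ArpReply:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an arp reply line: {line!r}")
    return ArpReply(normalise_mac(m["src"]), normalise_mac(m["dst"]),
                    m["ip"], normalise_mac(m["mac"]))


def inspect(reply: ArpReply, vlan: int, ingress_port: int) -> tuple:
    """Return ('permit'|'drop', reason) for one ARP reply on an untrusted port.
    Trusted ports bypass inspection, as the switch does for 'arp-protect trust'."""
    if ingress_port in TRUSTED_PORTS:
        return "permit", f"port {ingress_port} is arp-protect trusted"
    binding = BINDINGS.get((vlan, reply.sender_ip))
    if binding is None:
        return "drop", f"no binding for {reply.sender_ip} in VLAN {vlan}"
    bound_mac, bound_port = binding
    if reply.sender_mac != bound_mac:
        return "drop", (f"{reply.sender_ip} is bound to {bound_mac}, "
                        f"packet claims {reply.sender_mac}")
    # Assumption: the binding's port must also match the ingress port.
    if ingress_port != bound_port:
        return "drop", (f"{reply.sender_ip} is bound to port {bound_port}, "
                        f"packet arrived on port {ingress_port}")
    return "permit", "sender IP/MAC/port match binding"


def inspect_log(lines, vlan: int, ingress_port: int):
    """Run inspect() over dsniff output lines; returns [(line, verdict, reason)]."""
    return [(ln,) + inspect(parse_line(ln), vlan, ingress_port)
            for ln in lines if ln.strip()]


def host_arp_entry_is_poisoned(ip: str, mac_from_arp_a: str, vlan: int = VLAN) -> bool:
    """Host-side check: does an 'arp -a' row disagree with the binding for that IP?"""
    bound = BINDINGS.get((vlan, ip))
    return bound is not None and normalise_mac(mac_from_arp_a) != bound[0]


# Constructed copies of the dsniff lines shown above (attacker on port 2).
ATTACK_LOG = """
0:7:4d:82:83:b4 0:50:56:84:1:ad 0806 42: arp reply 10.1.1.1 is-at 0:7:4d:82:83:b4
0:7:4d:82:83:b4 0:21:f7:c4:d:0 0806 42: arp reply 10.1.1.10 is-at 0:7:4d:82:83:b4
""".strip().splitlines()

# Constructed legitimate reply from the victim host, arriving on its own port 23.
LEGIT_LINE = "0:50:56:84:1:ad 0:21:f7:c4:d:0 0806 42: arp reply 10.1.1.10 is-at 0:50:56:84:1:ad"

if __name__ == "__main__":
    for line, verdict, reason in inspect_log(ATTACK_LOG, VLAN, ingress_port=2):
        print(f"{verdict:6} {reason}")
    print(inspect(parse_line(LEGIT_LINE), VLAN, ingress_port=23))
    print("gateway entry poisoned:",
          host_arp_entry_is_poisoned("10.1.1.1", "00-07-4d-82-83-b4"))
```

Both dsniff lines are dropped because the claimed sender MAC (the attacker's) does not match the binding for 10.1.1.1 or 10.1.1.10, which is exactly why the Windows ARP cache keeps the real gateway MAC once arp-protect is enabled; the same reply from the victim's own MAC on its bound port is permitted, and anything arriving on the trusted uplink is never inspected.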