
Dynamic ARP Inspection (DAI)

Posted on Sep 10, 2024 by

What Is Dynamic ARP Inspection (DAI)?

When discussing network security, we often overlook a key element known as the Address Resolution Protocol (ARP). ARP is essential for your computer to identify the network address of other devices. However, ARP has its limitations and vulnerabilities, making it far from foolproof. That's where Dynamic ARP Inspection (DAI) steps in.

Think of Dynamic ARP Inspection as a network bouncer. It scrutinizes the identity of data packets conveyed through ARP messages to ensure they originate from trusted devices. This step is crucial since ARP on its own lacks a verification mechanism. DAI addresses this gap by cross-referencing a trusted list of MAC-to-IP address bindings, known as the DHCP binding table. In doing so, DAI acts as a vigilant guard, keeping an eye out for any suspicious activities and ensuring that only legitimate data packets enter the network.

Dynamic ARP Inspection (DAI)

What Is ARP Spoofing?

ARP spoofing, also known as ARP poisoning, is a cyber attack in which attackers transmit fraudulent ARP messages across a local area network (LAN) to link their MAC address with the IP address of a legitimate device. This manipulation grants attackers the ability to intercept, alter, or redirect network traffic aimed at the legitimate device, enabling various malicious activities such as eavesdropping, data theft, and session hijacking.

The impact of ARP spoofing can be substantial, facilitating multiple forms of attacks, including:

  • Man-in-the-middle (MitM) attacks: The attacker secretly intercepts and potentially modifies communications between two parties without their awareness.

  • Denial of service (DoS): By sending conflicting ARP replies, the attacker can cause network traffic to be dropped or redirected to non-existent hosts.

  • Session hijacking: By controlling network traffic, an attacker can hijack active sessions, steal session tokens, cookies, and passwords to gain unauthorized access to applications.

  • Malware dissemination: The attacker could alter network traffic to include malicious payloads, resulting in malware infections on the targeted devices.

How Does DAI Work?

In a small network, three devices are connected to a switch: PC1 (IP: 10.10.10.10, MAC: aa:aa:aa:aa:aa:aa), PC2 (IP: 10.10.10.20, MAC: bb:bb:bb:bb:bb:bb) as the victim, and PC3 (IP: 10.10.10.30, MAC: cc:cc:cc:cc:cc:cc) as the attacker. When PC1 needs to communicate with PC2, it sends an ARP request to discover the MAC address associated with PC2's IP address (10.10.10.20). PC2 responds with its MAC address (bb:bb:bb:bb:bb:bb), which is then stored in the ARP caches of both the switch and PC1, binding the IP address to the correct MAC address.

Spoofing Initiation

The attacker (PC3) sends a malicious ARP packet to PC1, claiming that the IP address 10.10.10.20 matches its own MAC address (cc:cc:cc:cc:cc:cc). Consequently, both PC1 and the switch update their ARP caches to bind the victim's IP (10.10.10.20) to the attacker's MAC (cc:cc:cc:cc:cc:cc). As a result, any packet PC1 sends to PC2 will be redirected to PC3, allowing the attacker to intercept the traffic. The attacker can now read, manipulate, or relay the data to the original destination (PC2). This exposes the network to potential data theft and further attacks, as the attacker knows the MAC addresses of both PC1 and PC2.

The Function of DAI

When any device (Host A) attempts to resolve the MAC address of another device (Host B), it broadcasts an ARP request across the network. Host B will respond with its MAC address along with its IP address. The DHCP server captures these ARP requests and responses, maintaining a table that maps the IP addresses to their corresponding MAC addresses. This table ensures the integrity of IP-MAC mappings within the network.

When Dynamic ARP Inspection (DAI) intercepts an ARP packet (a request or a response), it validates the packet's information (source IP, source MAC, destination IP, and destination MAC) against the DHCP server's binding table. If the ARP packet's data matches the entries in the table, the packet is allowed to proceed to its destination. If it does not match, DAI enforces actions such as dropping the packet, logging the event, or applying rate limiting, thereby mitigating ARP spoofing attacks.
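The validation step described above, as an added example that is not part of the original article: a small Python model of a DAI check that parses a raw ARP payload and compares the sender (and, for replies, the target) IP/MAC pair against a binding table. The binding table and the two sample packets are constructed from the PC1/PC2/PC3 scenario in this article; the function names are my own.

```python
import struct

# Constructed binding table (IP -> MAC), standing in for the DHCP snooping bindings.
BINDINGS = {
    "10.10.10.10": "aa:aa:aa:aa:aa:aa",  # PC1
    "10.10.10.20": "bb:bb:bb:bb:bb:bb",  # PC2 (victim)
    "10.10.10.30": "cc:cc:cc:cc:cc:cc",  # PC3 (attacker)
}

def _mac_bytes(s): return bytes.fromhex(s.replace(":", ""))
def _ip_bytes(s): return bytes(int(o) for o in s.split("."))
def _mac_str(b): return ":".join(f"{x:02x}" for x in b)
def _ip_str(b): return ".".join(str(x) for x in b)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (RFC 826 layout); op 1=request, 2=reply."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + _mac_bytes(sender_mac) + _ip_bytes(sender_ip) + _mac_bytes(target_mac) + _ip_bytes(target_ip)

def parse_arp(pkt):
    """Decode the ARP payload into its five security-relevant fields."""
    if len(pkt) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sender_mac": _mac_str(pkt[8:14]), "sender_ip": _ip_str(pkt[14:18]),
            "target_mac": _mac_str(pkt[18:24]), "target_ip": _ip_str(pkt[24:28])}

def inspect(pkt, bindings=BINDINGS):
    """DAI-style check. Returns ("forward", fields) or ("drop", reason).
    The sender pair must match a binding; for replies the target pair is checked too."""
    try:
        a = parse_arp(pkt)
    except ValueError as e:
        return "drop", str(e)
    pairs = [(a["sender_ip"], a["sender_mac"])]
    if a["op"] == 2:                      # reply: target fields carry the requester's binding
        pairs.append((a["target_ip"], a["target_mac"]))
    for ip, mac in pairs:
        expected = bindings.get(ip)
        if expected is None:
            return "drop", f"no binding for IP {ip}"
        if expected != mac:
            return "drop", f"{ip} claims {mac}, binding says {expected}"
    return "forward", a

# Constructed sample packets: PC2's genuine reply to PC1, and PC3's forged reply claiming PC2's IP.
LEGIT_REPLY = build_arp(2, "bb:bb:bb:bb:bb:bb", "10.10.10.20", "aa:aa:aa:aa:aa:aa", "10.10.10.10")
SPOOFED_REPLY = build_arp(2, "cc:cc:cc:cc:cc:cc", "10.10.10.20", "aa:aa:aa:aa:aa:aa", "10.10.10.10")
```

Running `inspect(LEGIT_REPLY)` forwards the packet, while `inspect(SPOOFED_REPLY)` drops it with a reason string that is suitable for the logging action the article mentions.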
