Attacks on IP networks can be performed with readily available tools found on the Internet today. A malicious user can spoof DHCP server response packets, feeding a user false values for fields such as the default gateway or the domain name resolution servers. Man-in-the-middle attacks can take advantage of ARP, allowing an attacker to redirect a user's traffic to and from the default gateway through the attacker's own device; the attacker can then read the private information the user sends without either the user or the gateway knowing. A malicious user can also spoof an innocent user's IP address, bypassing other security features of the network that are based on a user's subnet.
The Extreme Networks anti-spoofing solution provides a flexible and secure approach to IP spoofing detection and prevention. To mitigate these types of attacks, the switch builds a binding table that associates each source MAC address with its source IP address. The three basic tools that detect source IP to source MAC address associations, check them against the entries in the binding table, and take action on violations are:
All three methods can create IP-to-MAC bindings in the binding table, although both DAI and IP source guard can be configured to run in inspection-only mode, which limits the creation of IP-to-MAC bindings to DHCP snooping. Bindings created as a result of DHCP exchanges with trusted servers (DHCP snooping) take precedence over bindings created through DAI or IP source guard. Using all three tools allows bindings to be created for users in a network where DHCP is not in use, or where no DHCP exchange has occurred since the anti-spoofing feature was enabled.
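The following model shows how the three tools described above share one binding table and how the precedence and inspection-only rules interact. It is an added example written for this page, not Extreme Networks code: the port names, MAC addresses and IP addresses are constructed, and the rule that an IP address already bound to one MAC cannot be claimed by a second MAC is an assumption of this model (it is what makes the ARP man-in-the-middle case detectable), not a behaviour the page documents.

```python
"""Toy model of an IP-to-MAC anti-spoofing binding table (added example).

DHCP snooping, DAI and IP source guard all feed one table keyed by source MAC.
DHCP-snooping bindings take precedence; DAI and IP source guard can run in
inspection-only mode, in which they check packets but never create bindings.
"""
from dataclasses import dataclass
from enum import Enum


class Source(Enum):
    DHCP_SNOOPING = "dhcp-snooping"
    DAI = "dai"
    IPSG = "ip-source-guard"


class Verdict(Enum):
    ALLOW = "allow"                   # packet agrees with an existing binding
    LEARN = "learn"                   # no binding yet; the tool created one
    UNBOUND = "unbound"               # no binding, and the tool is inspection-only
    VIOLATION = "violation"           # packet contradicts the table
    DROP_UNTRUSTED = "drop-untrusted"  # DHCP server reply from an untrusted port


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    source: Source


class BindingTable:
    def __init__(self, trusted_ports, dai_inspect_only=False, ipsg_inspect_only=False):
        self.trusted_ports = set(trusted_ports)  # ports that lead to real DHCP servers
        self.dai_inspect_only = dai_inspect_only
        self.ipsg_inspect_only = ipsg_inspect_only
        self.bindings = {}    # source MAC -> Binding
        self.violations = []  # (tool, offending mac, claimed ip, conflicting value)

    def _owner_of(self, ip):
        """Return the MAC currently bound to ip, or None."""
        for b in self.bindings.values():
            if b.ip == ip:
                return b.mac
        return None

    def dhcp_server_reply(self, port, client_mac, assigned_ip):
        """DHCP snooping: only replies arriving on trusted ports create bindings.
        A server reply on an untrusted port is a spoofed DHCP server and is dropped."""
        if port not in self.trusted_ports:
            return Verdict.DROP_UNTRUSTED
        # A DHCP binding replaces a DAI/IPSG-learned binding for the same IP
        # (assumption of this model: the learned entry is evicted).
        stale = self._owner_of(assigned_ip)
        if stale is not None and stale != client_mac \
                and self.bindings[stale].source != Source.DHCP_SNOOPING:
            del self.bindings[stale]
        self.bindings[client_mac] = Binding(client_mac, assigned_ip, Source.DHCP_SNOOPING)
        return Verdict.LEARN

    def _check(self, mac, ip, tool, inspect_only):
        b = self.bindings.get(mac)
        if b is not None:
            if b.ip == ip:
                return Verdict.ALLOW
            self.violations.append((tool, mac, ip, b.ip))   # host claims an IP it was not given
            return Verdict.VIOLATION
        owner = self._owner_of(ip)
        if owner is not None:
            self.violations.append((tool, mac, ip, owner))  # second MAC claims a bound IP
            return Verdict.VIOLATION
        if inspect_only:
            return Verdict.UNBOUND
        self.bindings[mac] = Binding(mac, ip, tool)          # learn a host that never used DHCP
        return Verdict.LEARN

    def arp_packet(self, sender_mac, sender_ip):
        """Dynamic ARP inspection: validate the ARP sender MAC/IP pair."""
        return self._check(sender_mac, sender_ip, Source.DAI, self.dai_inspect_only)

    def ip_packet(self, src_mac, src_ip):
        """IP source guard: validate the source MAC/IP pair of an IP packet."""
        return self._check(src_mac, src_ip, Source.IPSG, self.ipsg_inspect_only)


def run_demo():
    """Constructed sequence of events on a switch with one trusted uplink."""
    t = BindingTable(trusted_ports={"uplink"})
    victim, static_host, attacker = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:99"
    events = [
        t.dhcp_server_reply("uplink", victim, "10.0.0.10"),       # LEARN via DHCP snooping
        t.dhcp_server_reply("port3", victim, "10.0.0.50"),        # DROP_UNTRUSTED: rogue server
        t.arp_packet(victim, "10.0.0.10"),                        # ALLOW
        t.arp_packet(victim, "10.0.0.1"),                         # VIOLATION: victim claims gateway IP
        t.arp_packet(static_host, "10.0.0.20"),                   # LEARN: host with no DHCP exchange
        t.dhcp_server_reply("uplink", static_host, "10.0.0.21"),  # LEARN: DHCP overrides DAI binding
        t.ip_packet(static_host, "10.0.0.20"),                    # VIOLATION: old address no longer bound
        t.arp_packet(attacker, "10.0.0.10"),                      # VIOLATION: claims the victim's IP
    ]
    strict = BindingTable(trusted_ports=set(), dai_inspect_only=True)
    events.append(strict.arp_packet(static_host, "10.0.0.30"))    # UNBOUND: nothing learned
    return t, strict, events


if __name__ == "__main__":
    table, strict_table, verdicts = run_demo()
    for v in verdicts:
        print(v.value)
    print("violations:", table.violations)
```

The `strict` table shows what inspection-only mode buys: a host that never completed a DHCP exchange can be inspected but is never added to the table, so only trusted DHCP servers populate bindings there.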
The actions that may be taken against a violating user include: