ARP Poisoning

An Address Resolution Protocol (ARP) poisoning attack, also known as ARP spoofing, targets the ARP caches of the hosts on a subnet, with the goal of intercepting their traffic. A malicious host might use one of the following tactics:

  - Send ARP packets claiming an IP address that actually belongs to another host.
  - Reply to an ARP request with its own MAC address, causing the other hosts on the subnet to store that IP-to-MAC mapping in their ARP tables, overwriting any existing entry for that IP address.
  - Send gratuitous ARP replies without having received any ARP request.

If the poisoning succeeds, traffic intended for the target host is instead delivered to the attacker's host. The attacker then has several options:

  - Forward none of the traffic, or only part of it, to the target (denial of service).
  - Inspect the traffic and forward it unchanged to the intended recipient (interception).
  - Modify the traffic and then forward it (man-in-the-middle attack).

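The following is an added example; it is not code from the original page or from any switch vendor's implementation. It constructs ARP frames corresponding to the tactics listed above and runs a DAI-style inspection over them, modeled on the general approach of checking each ARP packet's sender IP/MAC pair against a trusted binding table. The binding table is a constructed static dict (real deployments typically learn it from DHCP snooping or static entries); the addresses, hosts and function names are assumptions made for the example.

```python
"""Added example: ARP frame construction plus a DAI-style inspector.
Binding table, addresses and verdict strings are constructed for illustration."""
import struct

ETH_HDR = "!6s6sH"          # dst MAC, src MAC, EtherType
ARP_HDR = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST_MAC, ZERO_MAC = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    """'192.0.2.1' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))


def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Assemble a 42-byte Ethernet II frame carrying one ARP packet."""
    eth = struct.pack(ETH_HDR, mac(dst_mac), mac(src_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_HDR, 1, 0x0800, 6, 4, oper,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode the Ethernet and ARP headers into printable fields."""
    dst, src, ethertype = struct.unpack(ETH_HDR, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_HDR, frame[14:42])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": fmt_mac(src), "eth_dst": fmt_mac(dst), "oper": oper,
            "sha": fmt_mac(sha), "spa": fmt_ip(spa),
            "tha": fmt_mac(tha), "tpa": fmt_ip(tpa)}


def inspect(frame, bindings, pending):
    """Return a DAI-style verdict for one ARP frame.

    bindings maps IP -> MAC learned from a trusted source (static here).
    pending holds IPs for which an ARP request has been seen, so an
    unsolicited (gratuitous) reply can be told apart from a solicited one.
    """
    p = parse_arp(frame)
    # An ARP sender MAC that differs from the Ethernet source MAC is a
    # spoof indicator on its own, independent of the binding table.
    if p["sha"] != p["eth_src"]:
        return "DROP: ARP sender MAC does not match Ethernet source MAC"
    expected = bindings.get(p["spa"])
    if expected is None:
        return "DROP: sender IP has no trusted binding"
    if expected != p["sha"]:
        # Tactics 1 and 2: claiming an IP that is bound to another host.
        return f"DROP: {p['spa']} is bound to {expected}, not {p['sha']}"
    if p["oper"] == ARP_REQUEST:
        pending.add(p["tpa"])
        return "PERMIT: request"
    if p["spa"] not in pending:
        # Tactic 3: a reply nobody asked for. Legitimate hosts also send
        # these (e.g. at boot), so a correctly bound sender is permitted but logged.
        return "PERMIT-LOG: gratuitous reply from bound address"
    pending.discard(p["spa"])
    return "PERMIT: reply"


def run_scenario():
    """Inspect a constructed sequence of ARP frames and return the verdicts."""
    victim_mac, victim_ip = "00:11:22:33:44:55", "192.0.2.10"
    gw_mac, gw_ip = "00:11:22:33:44:01", "192.0.2.1"
    atk_mac, atk_ip = "de:ad:be:ef:00:01", "192.0.2.66"
    bindings = {victim_ip: victim_mac, gw_ip: gw_mac, atk_ip: atk_mac}  # constructed
    pending = set()
    frames = [
        # Legitimate: victim asks who has the gateway IP; the gateway answers.
        build_arp(victim_mac, BCAST_MAC, ARP_REQUEST, victim_mac, victim_ip, ZERO_MAC, gw_ip),
        build_arp(gw_mac, victim_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        # Tactic 2: attacker answers the victim's request with its own MAC.
        build_arp(atk_mac, victim_mac, ARP_REPLY, atk_mac, gw_ip, victim_mac, victim_ip),
        # Tactic 3 (benign form): attacker announces its own IP, unsolicited.
        build_arp(atk_mac, BCAST_MAC, ARP_REPLY, atk_mac, atk_ip, BCAST_MAC, atk_ip),
        # Tactic 3 (malicious form): gratuitous reply claiming the gateway IP.
        build_arp(atk_mac, BCAST_MAC, ARP_REPLY, atk_mac, gw_ip, BCAST_MAC, gw_ip),
        # Tactic 1 with a forged ARP sender MAC but the attacker's frame source.
        build_arp(atk_mac, victim_mac, ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),
        # Claiming an address that has no trusted binding at all.
        build_arp(atk_mac, victim_mac, ARP_REPLY, atk_mac, "192.0.2.200", victim_mac, victim_ip),
    ]
    return [inspect(f, bindings, pending) for f in frames]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

Note that the binding check alone defeats tactics 1 and 2 and the malicious form of tactic 3, because all three require the attacker to claim an IP address bound to someone else. The gratuitous-reply check is kept separate because unsolicited replies from a correctly bound host are normal and should be logged rather than dropped.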
Two switch features protect against ARP poisoning: Dynamic ARP Inspection (DAI) and ARP Guard. Table 1 compares them.

Table 1. Comparison of ARP Guard and DAI

  Aspect        | DAI                                   | ARP Guard
  --------------+---------------------------------------+------------------------------------------------
  Flow-based    | No. Applies to all ARP packets in the VLAN. | Yes. Flow-based, which can prevent high CPU load.
  Per port      | No. Applies to all ports in the VLAN.  | Yes. Applied per port or per VPLS end-point.
  Rate-limiting | No rate-limiting option.               | Rate limiting is supported.
  TCAM load     | Low TCAM load.                         | Medium TCAM load.