Address spoofing protections, collectively known as “layer two” protections, thwart malicious attempts to falsify or spoof IP or MAC addresses in order to gain unauthorized access to your network. There are several types of attacks that use these techniques:
A malicious user (or an outside attacker who has compromised a PC) can configure a PC on your network to impersonate the gateway router: by answering ARP requests for the gateway's IP address with its own MAC address, or by using the gateway's MAC address outright, it convinces the other hosts on the subnet to send their outbound traffic to the PC first. The attacker can then forward that traffic on to the real gateway so nothing appears broken, while looking for passwords or other sensitive information.
Attackers can also eavesdrop by overflowing the switch's MAC forwarding (CAM) table. A tool that sends thousands of frames with random source MAC addresses (often in the form of gratuitous ARPs) fills the table; once the switch can no longer learn where a destination lives, it floods that traffic out every port in the VLAN. This effectively turns the switch into a hub and lets the attacker capture traffic meant for other hosts.
Attackers can forge the source IP address of the packets they send to other systems. With a false source address they can bypass access lists or other controls that trust particular addresses, and they can launch denial-of-service attacks whose true origin is hard to trace.
Additionally, attackers can set up a rogue DHCP server that hands out the attacker's own address as the DNS server (or the default gateway) to every PC that requests a lease. Every DNS query made by those PCs can then be answered by the attacker, directing their traffic to malicious sites.
Layer two protections prevent these kinds of attacks by limiting the ability of PCs to falsify their MAC or IP addresses. Cisco routers and switches have four features for this: port security (MAC address limiting), DHCP snooping, dynamic ARP inspection (DAI) and unicast reverse path forwarding (uRPF). Juniper and other manufacturers have similar features. Whichever you're using, the first three belong on every access switch; uRPF is really a layer three check and belongs on the gateway routers (or layer three switches) that are the first hop for your users.
Port security (MAC address limiting), as the name implies, limits the number of MAC addresses the switch will learn on a single port. While you might be tempted to set the limit to one (or two or three if a PC sits behind an IP phone), a slightly higher value (10, for example) avoids false positives from virtual machines or a small unmanaged switch under a desk while still stopping the CAM-table flooding attack, which needs thousands of addresses. Bear in mind that a count limit alone does nothing against a host that spoofs a single address; that is the job of DAI. You also choose what happens on a violation: on Cisco switches, shutdown error-disables the port (the default), restrict drops the offending frames and logs them, and protect drops them silently.
DHCP snooping protects networks in three ways. First, it filters DHCP server messages (offers, acknowledgements and NAKs) from rogue servers. Since legitimate DHCP servers should not be connected to user ports, every port is untrusted by default and the switch drops server messages arriving on it; only the ports you mark as trusted (where your real DHCP servers are, or the uplinks toward them) may answer DHCP discover messages. Second, DHCP snooping rate-limits DHCP requests on untrusted ports so that a malicious host can't exhaust the lease pool and prevent legitimate hosts from getting IP addresses. Third, by watching the successful exchanges it builds a binding table of IP address, MAC address, VLAN, port and lease time for every host that received a lease, and dynamic ARP inspection relies on that table.
Dynamic ARP inspection (DAI) prevents hosts from poisoning their neighbours' ARP caches. Configured in conjunction with DHCP snooping, DAI intercepts every ARP request and reply on untrusted ports and checks the sender IP and sender MAC address in the packet against the DHCP snooping binding table (or against a static ARP access list for hosts with fixed addresses). If the pair does not match a binding for that VLAN, the ARP packet is dropped, so a host can only advertise the IP-to-MAC mapping it legitimately holds and a PC cannot claim the gateway's IP address. Two practical caveats: uplinks and ports toward other switches must be marked trusted, and hosts that never use DHCP need static entries, or they will lose connectivity the moment DAI is enabled on their VLAN.
Finally, unicast reverse path forwarding (uRPF) limits IP address spoofing. uRPF is configured on gateway (router) interfaces and requires CEF. When the router receives an IP packet, it looks up the packet's source address in its forwarding table. In strict mode, if the best route to that source points back out the interface the packet arrived on, the packet is forwarded normally; if the route points to a different interface, or there is no route at all, the packet is dropped. Loose mode only requires that some route to the source exist, which is what you want on interfaces with asymmetric routing, such as multi-homed WAN links, where strict mode would discard legitimate traffic. Either way, uRPF ensures that packets arriving on an interface carry source addresses belonging to networks reachable through it. It cannot catch a host that spoofs another address inside its own subnet; on Cisco switches, IP Source Guard, which filters on the same DHCP snooping binding table, closes that gap at the access port.
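The three access-switch features above are normally configured together, because DAI depends on the DHCP snooping binding table. The following Cisco IOS configuration is an added example written for this page, not configuration from the original post; the interface names, VLAN numbers, the printer's address and MAC, and the rate limits are assumptions chosen to illustrate the caveats in the text (a trusted uplink, a host with a static address, automatic recovery from the error-disabled state).

```cisco
! Access switch, Cisco IOS. Interface names, VLANs, addresses and MACs are
! assumptions for this example.
!
! --- DHCP snooping: build the binding table, drop rogue server replies ---
ip dhcp snooping
ip dhcp snooping vlan 10,110
! Do not insert option 82 unless your DHCP server expects it; many servers
! drop relayed requests that carry it.
no ip dhcp snooping information option
! Persist the binding table so DAI keeps working after a reload.
ip dhcp snooping database flash:dhcp-snooping.db
!
! --- Dynamic ARP inspection: validate ARP against the binding table ---
ip arp inspection vlan 10,110
! Also check that the Ethernet source/destination MACs match the ARP body
! and that the addresses in the ARP body are sane (no 0.0.0.0, multicast...).
ip arp inspection validate src-mac dst-mac ip
! Hosts with static addresses have no DHCP binding; permit them explicitly.
! Example: a printer at 10.1.10.250 (address and MAC assumed).
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.250 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Let ports recover automatically from the error-disabled state so a
! misbehaving host does not need a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery cause arp-inspection
errdisable recovery cause dhcp-rate-limit
errdisable recovery interval 300
!
! --- Uplink toward the distribution layer and the real DHCP server ---
interface GigabitEthernet1/0/48
 description Uplink (trusted for DHCP server replies and ARP)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Typical user port ---
interface GigabitEthernet1/0/5
 description User port with IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Port security: cap learned MACs. 10 leaves room for phone, PC and a VM
 ! or two while still defeating CAM-table flooding. "restrict" drops and
 ! logs offending frames instead of error-disabling the port.
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 ! DHCP snooping and DAI treat the port as untrusted by default; cap the
 ! packet rates so a host cannot starve the lease pool or flood the
 ! inspection engine (15 pps is the IOS default for both).
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15 burst interval 1
 spanning-tree portfast
```

To confirm it is working, check the binding table with `show ip dhcp snooping binding`, watch ARP drops with `show ip arp inspection statistics vlan 10`, and inspect a port's learned addresses and violation count with `show port-security interface GigabitEthernet1/0/5`. Roll DAI out one VLAN at a time and review the statistics before moving on, because any host without a binding or a static ARP ACL entry stops communicating as soon as inspection is enabled.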
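The following Cisco IOS router configuration is an added example for the uRPF discussion, not configuration from the original post. Interface names, addresses and the provider setup are assumptions; it shows strict mode on a user-facing gateway interface, loose mode on an asymmetrically routed WAN link, and logging of the packets uRPF would otherwise drop silently.

```cisco
! Gateway router, Cisco IOS. Interface names and addresses are assumptions
! for this example. uRPF is implemented in CEF, so CEF must be on.
ip cef
!
! An ACL used only to log uRPF failures: a packet that fails the reverse
! path check is matched against this list; a logged deny records the
! spoofed source in syslog, and a permit would let the packet through.
ip access-list extended URPF-LOG
 deny ip any any log
!
! Gateway for user VLAN 10: strict mode ("reachable-via rx"). Only sources
! the router would reach back through this interface (10.1.10.0/24) are
! accepted; a host here cannot claim an address from another subnet.
interface GigabitEthernet0/1
 description User VLAN 10 gateway
 ip address 10.1.10.1 255.255.255.0
 ip verify unicast source reachable-via rx URPF-LOG
!
! Multi-homed WAN link: return traffic may arrive over the other provider,
! so strict mode would drop legitimate packets. Loose mode ("any") only
! requires that some route to the source exist. "allow-default" is needed
! on an edge link that reaches the whole Internet, otherwise every source
! matched only by the default route would be dropped.
interface GigabitEthernet0/0
 description WAN to provider A
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast source reachable-via any allow-default
!
! With allow-default, loose mode still drops any source covered by a route
! to Null0. Null-routing private ranges that must never appear as Internet
! sources makes loose uRPF an effective bogon filter on the WAN side.
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
```

Verify the mode on an interface with `show ip interface GigabitEthernet0/1 | include verify`, and watch the drop counter with `show ip traffic | include RPF`. The URPF-LOG entries in syslog give you the spoofed source addresses and the interface they arrived on, which is usually enough to find the offending host.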
I’ve given you only brief descriptions of these features. If you want to learn more, especially how to configure them, the configuration guides for your switch and router vendor cover each of them in detail.
Network addressing protocols like DHCP and ARP were never designed to be secure. They assume hosts are benign and are who they say they are. All the techniques I’ve described help to ensure the validity of the IP and MAC addresses of the hosts on your network by preventing hosts from falsifying their addresses. When you use them, you limit an attacker’s ability to move about your network undetected or to eavesdrop on sensitive data. They should be a standard part of your network configurations.