The Extreme Networks anti-spoofing solution provides a flexible and secure approach to IP spoofing detection and prevention. To mitigate the effects of these types of attacks on a network, a source MAC
to source IP address binding table is created. The three basic tools used to detect source IP to source MAC address associations, based on the entries in the binding table, and take action on violations are:
- DHCP snooping,
- Dynamic ARP inspection (DAI), and
- IP source guard.
All three methods can create IP-to-MAC bindings in the binding table, although in this case we are looking at the less common requirement where users do not use DHCP or authentication.Dynamic ARP inspection
uses the MAC-to-IP binding database to ensure that ARP packets have the proper MAC-to-IP binding. When an ARP packet enters the switch, the source MAC and IP addresses are compared to the entry in the table. If the packet data conflicts with the binding in the table, the IP change is counted and logged, and any configured actions are taken against the user.
DAI can also be configured to populate the MAC-to-IP binding table. Successfully limiting ARPs to the bound addresses in the table prevents a malicious user from inserting himself in between the end user and a gateway and poisoning network devices' ARP caches or succeeding in MITM (man in the middle)attacks.Duplicate IP Address Detection
In addition to the anti-spoofing tools described above, the anti-spoofing feature can also be configured to log, through SYSLOG and SNMP traps, duplicate IP addresses when they are bound to different MAC addresses. This situation is usually due to a misconfiguration in the network and is generally not indicative of an attack, but can be a worthwhile event to record, as administrative action may be needed to reconcile the condition. These duplicate IP addresses are only detected upon a user's binding change, and do not apply to duplicate IP addresses over ports for the same MAC address (for example, if a single user moves from one port to another).
To configure antispoof with duplicate ip address detection :
set antispoof arp-inspection enable tg.1.1-24 ( enable arp-inspection on the ports )
set antispoof enable ( enable arp-inspection globally )
set antispoof duplicateIP enable
Populating the binding table
The anti-spoofing MAC-to-IP binding table can be populated through DHCP snooping, dynamic ARP inspection, and IP source guard. Regardless of which of these three methods are adding entries to that table, an entry cannot be added if there is not already an entry for the user's MAC address in the multiauth session table.
To configure the system to allow multiauth session table to be populated without using authentication you will need the following config. The auto-tracking agent must be used. It is a form of authentication that authenticates those sessions that are not captured by the other supported MultiAuth authentication agents (quarantine, 802.1x, PWA, MAC, CEP, and RADIUS snooping). Ports that are not authenticated have historically been set to Force-Auth to make all authentication modes inactive. However, for these ports to be tracked using auto-tracking they must have authentication optional on the port.
set multiauth mode multi ( multiauth mode must be multi. It will not work in strict mode)
set multiauth port mode auth-opt tg.1.15 ( port mode must be auth-opt. Force-auth ports will not create a binding )
set auto-tracking enable
set auto-tracking port enable tg.1.15
This is the minimum requirement to get this feature working in this scenario. With this config you will get a binding in the antispoof table for a device when it arps on that port.
To display the binding table:
S4(su)->show antispoof binding
MAC Address IP Address Port Assignment Type
----------------- --------------- ---------- ---------------
5c-26-0a-83-c7-10 10.152.40.44 tg.1.15 IPSG
Here is a example of the logging which happens by default to syslog
<165>Nov 10 11:48:02 10.152.40.16 AntiSpoofMAC: 00:11:88:75:6a:1a Port: tg.1.16 IP: 10.152.40.44 assigned by Dynamic ARP Inspection.
<165>Nov 10 11:48:02 10.152.40.16 AntiSpoofDynamic ARP Inspection has detected a duplicate IP address (10.152.40.44) from MAC station 00:11:88:75:6a:1a on port tg.1.16. 0 IP address change attempts detected for this user