PrepAway - Latest Free Exam Questions & Answers

4 Comments on “Which countermeasures can mitigate ARP spoofing attacks?”

  1. megatron says:

    Disagree. A & D

    DHCP Snooping does nothing for ARP Spoofing (only if used in combination with IP sourceguard does it actually prevent any kind of spoofing).

    Port security can be used to restrict to a single MAC, so if spoofed would errdisable the port as it’s over the limit.

    1. beetleman says:

      B and D are correct. DARPI uses DHCP snooping’s database.

      Port security has no features to mitigate ARP spoofing. Try to find anything about Port security on this page about ARP poisoning: https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html

      You won’t.

      However this:
      “Other security features, such as dynamic ARP inspection (DAI), also use information stored in the DHCP snooping binding database.”

      Which can be found here:
      https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/snoodhcp.html

      1. Amergin says:

        ^^ . This is clearly correct. Based on the whitepaper on ARP poisoning linked above:

        “Note that configuring DHCP Snooping is a prerequisite to configure Dynamic ARP Inspection (DAI).”

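The dependency discussed in this thread (DAI validating ARP packets against the DHCP snooping binding database) can be modelled in a few lines. This is an added illustration, not code from the commenters or from Cisco; the `Switch` class, its method names, and all MAC addresses, IP addresses, VLANs and port names are constructed for the example, and the model is deliberately simplified.

```python
# Simplified model of Dynamic ARP Inspection (DAI) validating ARP packets
# against a DHCP snooping binding table. Illustration only, not switch code.
# All MACs, IPs, VLANs and port names below are constructed sample values.

class Switch:
    def __init__(self, trusted_ports=()):
        self.trusted_ports = set(trusted_ports)
        self.bindings = {}  # (vlan, ip) -> MAC, filled in by DHCP snooping

    def snoop_dhcp_ack(self, vlan, client_mac, leased_ip):
        """DHCP snooping: remember the lease a client was given."""
        self.bindings[(vlan, leased_ip)] = client_mac.lower()

    def inspect_arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: return (verdict, reason) for one ARP packet."""
        if port in self.trusted_ports:
            return ("forward", "trusted port, not inspected")
        bound_mac = self.bindings.get((vlan, sender_ip))
        if bound_mac is None:
            return ("drop", "no binding for sender IP")
        if bound_mac != sender_mac.lower():
            return ("drop", "sender MAC differs from binding")
        return ("forward", "matches binding")


GATEWAY = ("00:00:5e:00:53:01", "192.0.2.1")
HOST_A = ("00:00:5e:00:53:0a", "192.0.2.10")
ROGUE_MAC = "00:00:5e:00:53:66"


def run_scenarios():
    sw = Switch(trusted_ports={"Gi1/0/24"})   # uplink toward the gateway
    sw.snoop_dhcp_ack(10, *HOST_A)            # HOST_A obtained its lease via DHCP
    no_snooping = Switch()                    # DAI on, binding table never populated
    return {
        "legit_host": sw.inspect_arp("Gi1/0/1", 10, *HOST_A),
        # ARP reply claiming the gateway's IP with a different MAC
        "spoofed_gateway": sw.inspect_arp("Gi1/0/2", 10, ROGUE_MAC, GATEWAY[1]),
        # Statically addressed host: no lease was ever snooped for it
        "static_host": sw.inspect_arp("Gi1/0/3", 10, "00:00:5e:00:53:0b", "192.0.2.20"),
        "gateway_on_trunk": sw.inspect_arp("Gi1/0/24", 10, *GATEWAY),
        "legit_without_snooping": no_snooping.inspect_arp("Gi1/0/1", 10, *HOST_A),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenarios().items():
        print(f"{name:24} {verdict:8} {reason}")
```

The last scenario shows the prerequisite quoted in the thread: with an empty binding table, even legitimate ARP traffic arriving on an untrusted port fails inspection.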
