What is Dynamic ARP Inspection (DAI)?
Dynamic ARP Inspection (DAI) is a network security feature that prevents forged ARP messages (ARP spoofing) from manipulating the network. It protects against ARP poisoning and Man-in-the-Middle (MitM) attacks by actively inspecting ARP traffic and validating it against the DHCP Snooping binding table.
In OT networks, DAI is essential to prevent an attacker from impersonating a PLC, SCADA server or Historian by forging the ARP tables of other devices.
🧠 What does ARP do and why is protection needed?
- ARP (Address Resolution Protocol) translates IP addresses into MAC addresses
- Without checks, a malicious actor can impersonate another device through ARP spoofing
- This leads to traffic redirection, eavesdropping, data manipulation or session hijacking
🔧 How does Dynamic ARP Inspection work?
| Step | Description |
|---|---|
| 1. DHCP Snooping records IP-MAC bindings per port | Stored in a trusted binding table |
| 2. DAI compares ARP traffic against this table | Only matching ARP messages are allowed through |
| 3. Forged or suspicious ARP packets are blocked or logged | Spoofing attacks are thus prevented |
🔐 Use in OT
| Scenario | Effect of DAI |
|---|---|
| Securing SCADA communication | Prevents a rogue HMI from taking over PLC traffic via ARP spoofing |
| Protecting Historian data | Traffic integrity between data source and storage is preserved |
| Physical access to a switch port | Stops malicious laptops from session takeover via ARP poisoning |
| Guest network or supplier VLAN | Protects the OT zone against ARP manipulation from temporary connections |
✅ Best practices
| Action | Why? |
|---|---|
| Combine with DHCP Snooping | Without DHCP bindings, DAI cannot tell which ARP claims are legitimate |
| Use DAI only on untrusted ports | Trusted uplinks can forward ARP without inspection |
| Log violations | Analyse whether you are dealing with malicious or faulty devices |
| Watch out for static IPs | Devices with manual IP settings are not recognised without extra config |
| Persist DAI bindings | Have your switches retain ARP and DHCP tables across reboots (if supported) |
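As an added illustration of the three inspection steps and of the static-IP caveat above (example code written for this page, not a switch vendor's implementation), a small Python model of the per-port DAI decision: bindings learned by DHCP Snooping, a manually entered binding for a device with a fixed IP, trusted uplink ports that bypass inspection, and a violation log. All port names, MAC and IP addresses are constructed.

```python
from dataclasses import dataclass, field

# One binding as learned by DHCP Snooping, or entered manually for a fixed-IP device.
@dataclass(frozen=True)
class Binding:
    vlan: int
    mac: str
    ip: str
    port: str

@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src: str      # Ethernet source address of the frame
    sender_mac: str   # ARP sender hardware address
    sender_ip: str    # ARP sender protocol address

@dataclass
class DaiSwitch:
    trusted_ports: frozenset          # uplinks: ARP is forwarded without inspection
    bindings: set                     # DHCP Snooping table plus static entries
    violations: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        if pkt.ingress_port in self.trusted_ports:
            return "forward"
        if pkt.eth_src.lower() != pkt.sender_mac.lower():
            return self._drop(pkt, "frame source MAC differs from ARP sender MAC")
        claim = Binding(pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip, pkt.ingress_port)
        if claim in self.bindings:
            return "forward"
        return self._drop(pkt, "no binding for this IP/MAC/port (spoof or unregistered static IP)")

    def _drop(self, pkt: ArpPacket, reason: str) -> str:
        self.violations.append(f"DAI drop port={pkt.ingress_port} vlan={pkt.vlan} "
                               f"ip={pkt.sender_ip} mac={pkt.sender_mac}: {reason}")
        return "drop"

# Constructed sample data: a PLC with a DHCP lease and an HMI with a fixed IP (static entry).
SWITCH = DaiSwitch(
    trusted_ports=frozenset({"Gi1/0/48"}),
    bindings={Binding(10, "00:11:22:33:44:55", "10.0.10.5", "Gi1/0/1"),    # PLC, via DHCP
              Binding(10, "aa:bb:cc:dd:ee:01", "10.0.10.20", "Gi1/0/2")},  # HMI, static entry
)

def run_samples() -> list:
    legit = ArpPacket("Gi1/0/1", 10, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.10.5")
    spoof = ArpPacket("Gi1/0/3", 10, "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "10.0.10.5")
    uplink = ArpPacket("Gi1/0/48", 10, "de:ad:be:ef:00:02", "de:ad:be:ef:00:02", "10.0.10.99")
    return [SWITCH.inspect(p) for p in (legit, spoof, uplink)]
```

Only the claim arriving on an untrusted port without a matching binding is dropped and logged; the same claim on the trusted uplink is forwarded unchecked, which is why uplinks must really be trustworthy.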
🛑 Without DAI in OT networks:
- Traffic from operator stations can be silently redirected
- Incorrect ARP entries cause network instability or performance loss
- Rogue devices can eavesdrop on or inject communication
- Anomaly detection often only sees consequences — DAI prevents them at the port
📌 In summary
Dynamic ARP Inspection is a critical defence against ARP Spoofing in industrial networks. Combined with DHCP Snooping and Port Security, DAI helps restore Layer 2 trust.
