I had the honor of attending the BKJIA technical salon last Saturday and met many technical peers. The enthusiasm of the lecturers and the lively interaction of the guests made me feel the IT community's persistence in technology and its pursuit of a perfect solution to each problem. When Mr. Lin Peng talked about the DHCP attack case, it reminded me of some explorations I have gone through on this issue. I would like to summarize and share them with you, and I also hope you can add better solutions.
 
DHCP application background: to improve network management efficiency and reduce tedious administrative work, we usually set up a DHCP server in the LAN, and the server automatically supplies valid IP addresses and other Internet access parameters to ordinary workstations. When a workstation connects to the LAN, it automatically broadcasts a request for Internet access parameters; once the DHCP server receives the request from the client, it automatically supplies an appropriate IP address, subnet mask, gateway address, DNS address and other parameters, and after obtaining a valid address the client can access the network normally. Obviously, the stability of the DHCP server directly affects the stability of the whole LAN.
 
If another, illegitimate DHCP server appears in the LAN, or the legitimate DHCP server suffers a malicious attack, the stability of the entire LAN will be damaged: normal workstations cannot obtain valid IP addresses, and their Internet access becomes chaotic. To keep the LAN running stably, we need to find a way to protect the legitimate DHCP server from the impact of malicious attacks or rogue DHCP servers.
 
Here is a diagram of the scenario (image: http://www.bkjia.com/uploads/allimg/131227/0QJQ217-0.jpg):
 
1. Solving the problem at the switch layer
Port security on the switch limits the MAC addresses allowed on a given port, so each client host's DHCP requests on that port must come from a known MAC address. The DHCP server normally identifies the client by the CHADDR field in the DHCP request message, which in normal operation is the same as the client's MAC address. If an attacker modifies CHADDR in the DHCP packet without changing the client's real source MAC address and launches a DoS attack against the DHCP server, port security alone does not help. DHCP snooping can check the CHADDR field in the DHCP request and determine whether it matches the source MAC address and the DHCP snooping table. This check is enabled by default on some switches and must be configured on others; refer to the relevant switch configuration documentation for details.
 
In addition, DHCP snooping creates and maintains a DHCP snooping binding table and uses it to filter untrusted DHCP messages, that is, DHCP messages arriving from untrusted areas. By intercepting DHCP messages within a VLAN, the switch acts like a small firewall between the users and the DHCP server: the DHCP snooping function builds the binding table from the dynamic address assignments it observes and stores the table on the switch. In environments without DHCP, such as data centers, binding entries may be defined statically. Each DHCP binding entry contains the client IP address (static or obtained from the DHCP server), the client MAC address, the port, the VLAN ID, the lease time, and the binding type (static or dynamic).
 
When DHCP snooping is enabled, the switch listens to DHCP packets and extracts and records the IP address and MAC address information from the DHCP Request and DHCP Ack messages it receives. In addition, DHCP snooping lets you configure each physical port as trusted or untrusted: a trusted port receives and forwards DHCP Offer packets normally, while an untrusted port discards any DHCP Offer packets it receives. In this way the switch shields the network from counterfeit DHCP servers and ensures that clients obtain their IP addresses from the legitimate DHCP server.
Basic configuration command example (Cisco IOS syntax):

Global commands:

ip dhcp snooping vlan 10,20    (defines which VLANs DHCP snooping is enabled on)

ip dhcp snooping

Interface commands:

ip dhcp snooping trust

no ip dhcp snooping trust    (default)

ip dhcp snooping limit rate 10    (packets per second; mitigates DHCP DoS attacks to some extent)

Manually add a DHCP binding table entry:

ip dhcp snooping binding 000b.db1d.6ccd vlan 10 192.168.1.2 interface gi1/1 expiry 1000

Export the DHCP binding table to a TFTP server:

ip dhcp snooping database tftp://10.1.1.1/file
 
Note that the DHCP binding table must be saved to local storage (bootflash, FTP, or TFTP) or exported to the specified TFTP server; otherwise the binding table is lost when the switch restarts. A device that has already obtained an IP address does not send a new DHCP request during its lease period, so its binding would not be relearned, and if the switch is also configured with DAI and IP Source Guard, those users will be unable to access the network.
 
Note: DoS attacks on the DHCP service similar to Gobbler can be prevented by using port security to limit the number of source MAC addresses per port. For some users, the DAI and IP Source Guard technologies can also be used to deal with network address conflicts. Some more sophisticated DHCP attack tools generate DHCP requests with a single source MAC address but varying DHCP payload information. When DHCP snooping is enabled, the switch compares the source MAC address with the DHCP payload information of requests received on untrusted ports, and blocks any request where the two do not match.
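As an added illustration (not code from the original post or from any switch vendor), the following Python models the snooping decisions described in this section: a minimal DHCP parser, the trusted/untrusted port rule for server replies, the CHADDR-versus-source-MAC check on client requests, and learning of binding-table entries from DHCP ACKs. The port names, MAC addresses and packets are constructed for the example.

```python
import struct
from dataclasses import dataclass, field

MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie after the 236-byte BOOTP header
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types

def build_dhcp(op, chaddr, yiaddr="0.0.0.0", mtype=DISCOVER):
    """Construct a minimal BOOTP/DHCP payload (sample input for the checks below)."""
    mac = bytes(int(x, 16) for x in chaddr.split(":"))
    hdr = (struct.pack("!BBBB", op, 1, 6, 0) + b"\x00" * 12           # op/htype/hlen/hops, xid, secs, flags, ciaddr
           + bytes(int(o) for o in yiaddr.split(".")) + b"\x00" * 8   # yiaddr, siaddr, giaddr
           + mac.ljust(16, b"\x00") + b"\x00" * 192)                  # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, mtype, 255])

def parse_dhcp(payload):
    """Return (op, chaddr, yiaddr, message type) from a raw DHCP payload."""
    op, hlen = payload[0], payload[2]
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    if payload[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    i, mtype = 240, None
    while i < len(payload) and payload[i] != 255:   # walk TLV options up to the End marker
        if payload[i] == 0:                         # Pad option has no length byte
            i += 1
            continue
        if payload[i] == 53:
            mtype = payload[i + 2]
        i += 2 + payload[i + 1]
    return op, chaddr, yiaddr, mtype

@dataclass
class Snooper:
    """Per-port DHCP snooping decisions mirroring the switch behaviour described above."""
    trusted_ports: set
    bindings: dict = field(default_factory=dict)   # yiaddr -> (chaddr, port)

    def inspect(self, port, src_mac, payload):
        op, chaddr, yiaddr, mtype = parse_dhcp(payload)
        untrusted = port not in self.trusted_ports
        if op == 2 and untrusted:                          # server reply (Offer/Ack) from an untrusted port
            return "drop: DHCP server reply on untrusted port"
        if op == 1 and untrusted and chaddr != src_mac:    # client request whose CHADDR was tampered with
            return "drop: CHADDR does not match source MAC"
        if op == 2 and mtype == ACK:                       # learn the binding from the server's ACK
            self.bindings[yiaddr] = (chaddr, port)
        return "forward"
```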
 
 
2. Solving the problem at the client and server layer
Client processing: on the client host, run "arp -s 192.168.2.45 00-01-02-03-04-05" at the DOS command prompt to bind the client's IP address to its MAC address, and run "arp -s 192.168.2.1 00-01-02-6E-3D-2B" to bind the gateway's IP address to its MAC address; alternatively, install ARP protection software on the client host to avoid such attacks.
Once we find that our client cannot access the Internet normally, we can run "ipconfig /release" at the DOS command prompt to release the incorrect Internet access parameters we have obtained.

Then run "ipconfig /renew" to resend the request for Internet access parameters to the LAN. If the command returns an error, we can keep running "ipconfig /release" and "ipconfig /renew" in the local system's Run dialog box until the client workstation obtains valid Internet access parameters.
 
Server processing:
Generally, ordinary workstations in the LAN run Windows operating systems. In a LAN dominated by Windows workstations, we can use domain management to protect the operation of the legitimate DHCP server and filter out illegitimate DHCP servers, so that no DHCP server assigns incorrect Internet access parameters to ordinary LAN workstations. As long as we add the legitimate DHCP server hosts to Active Directory on the LAN's domain controller, we can ensure that all ordinary workstations in the LAN automatically obtain the correct Internet access parameters from the legitimate DHCP server. This is because when a workstation in the domain broadcasts a request for an IP address, the legitimate DHCP server in the same domain automatically responds first; only if the DHCP server in the LAN's domain does not exist or fails can illegitimate DHCP servers that have not been added to the domain respond to the workstation's request.
 
Of course, we can also try to achieve finer-grained management and control by combining domain management with ISA security management: set up a single DHCP server in the domain, have the DHCP server assign fixed IP addresses to clients based on their MAC addresses, and have the ISA Server publish the DHCP server and limit client permissions through different policy settings. In this way, more granular security management can be achieved.
 
Note: the domain management approach has little practical significance for small LANs, because small LANs mostly operate as workgroups, and in that mode the legitimate DHCP server cannot be protected in this way.
 
This article is from the "Drop water stone" blog; please keep this source: http://xjsunjie.blog.51cto.com/999372/634499