I. DHCP spoofing attacks
1. An attacker can also run a DHCP server in the VLAN.
2. The attacker's DHCP server answers the requests sent by DHCP clients.
3. The attacker hands out IP addresses, default gateways and other parameters to the DHCP clients.
Note: multiple DHCP servers in one VLAN may cause address allocation conflicts.
II. DHCP spoofing attack: DHCP Snooping (DHCP listening)
1. DHCP Snooping lets you configure trusted and untrusted ports.
2. DHCP server response messages received on an untrusted port are not processed.
3. DHCP Snooping is configured on the (access-layer) switch on the uplink path to the DHCP server.
III. Configuration steps
Switch(config)# ip dhcp snooping // enable DHCP Snooping
Switch(config)# ip dhcp snooping information option // enable option 82
// Option 82: before forwarding a DHCP request to the DHCP server, the switch inserts the receiving module, port and VLAN and its own MAC address into the packet.
Switch(config-if)# ip dhcp snooping trust // configure the trusted port (toward the DHCP server)
Switch(config)# ip dhcp snooping vlan <vlan-id> // VLANs on which DHCP snooping listens
Switch# show ip dhcp snooping
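As an added example (not from the original post), the following Python walks the option 82 payload that the switch inserts: the sub-option TLVs of RFC 3046 (code 1 circuit ID, code 2 remote ID) and the Cisco default encoding of their values (VLAN, module, port; switch MAC). The byte string is constructed and the Cisco inner type/length layout is an assumption stated in the comments; it also shows the snooping rule that a client packet already carrying option 82 is rejected on an untrusted port.

```python
import struct

# Constructed sample option 82 payload (not captured from the page's network).
# Assumed Cisco default layout: circuit ID value = inner type 0, inner len 4,
# VLAN (2 bytes), module (1), port (1); remote ID value = inner type 0, inner len 6, switch MAC.
SAMPLE_OPTION82 = bytes([
    0x01, 0x06, 0x00, 0x04, 0x00, 0x0a, 0x00, 0x15,              # sub-option 1: VLAN 10, module 0, port 21
    0x02, 0x08, 0x00, 0x06, 0x00, 0x1b, 0x54, 0xaa, 0xbb, 0xcc,  # sub-option 2: switch MAC
])

def parse_suboptions(value):
    """Walk the option 82 TLVs and return {sub-option code: raw value}."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated sub-option header")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d runs past end of option" % code)
        subs[code] = data
        i += 2 + length
    return subs

def decode_circuit_id(raw):
    """Decode the assumed Cisco circuit ID: type 0, len 4, VLAN, module, port."""
    if len(raw) != 6 or raw[0] != 0 or raw[1] != 4:
        raise ValueError("unexpected circuit ID encoding")
    vlan, module, port = struct.unpack("!HBB", raw[2:])
    return {"vlan": vlan, "module": module, "port": port}

def decode_remote_id(raw):
    """Decode the assumed Cisco remote ID: type 0, len 6, 6-byte switch MAC."""
    if len(raw) != 8 or raw[0] != 0 or raw[1] != 6:
        raise ValueError("unexpected remote ID encoding")
    return ":".join("%02x" % b for b in raw[2:])

def describe_option82(value):
    """Return the switch port that relayed the request and the relaying switch's MAC."""
    subs = parse_suboptions(value)
    return {"circuit": decode_circuit_id(subs[1]), "remote_mac": decode_remote_id(subs[2])}

def snooping_accepts(port_trusted, has_option82):
    """Default snooping rule: a client packet that already carries option 82 is dropped
    on an untrusted port (only a trusted port may forward packets with option 82)."""
    return port_trusted or not has_option82
```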
IV. IPSG (IP Source Guard)
IP Source Guard builds an IP source binding table from the DHCP snooping function and works only on Layer 2 ports.
IPSG provides a check mechanism: each interface verifies that the packets it receives match the binding entries for that interface. If the check passes, the packet is permitted; otherwise it is treated as a policy violation and dropped. IPSG therefore not only ensures that the IP addresses of end devices in the Layer 2 network are not conflicting or hijacked, but also ensures that unauthorized devices cannot access the network, or disrupt it, by configuring their own IP addresses.
DAI (Dynamic ARP Inspection)
ARP binding
Static ARP binding on a PC:
C:\> arp -s 192.168.1.1 00-50-8b-f0-0c-3e // static ARP binding
C:\> arp -d // clear the current ARP cache
C:\> arp -a // view the current ARP cache
Static ARP binding on the router:
Router(config)# arp 192.168.2.69 0001.1111.1111 arpa e0/0 // static binding
Router# show arp // view the ARP table
Router# clear arp-cache // clear the ARP cache
Dynamic ARP Inspection is a technology that verifies the security attributes of ARP packets in the network.
DAI is also based on the DHCP snooping binding database, and it also divides ports into trusted and untrusted. DAI inspects only ARP packets from untrusted ports; it can intercept, log and discard ARP packets whose IP-to-MAC mapping does not match an entry in the snooping binding table. If DHCP snooping is not used, the IP-MAC relationships must be configured manually with an ARP ACL.
Although DHCP snooping is used to prevent illegal DHCP servers from being accepted, it also plays an important role once the client has obtained a valid DHCP offer: when DHCP snooping is enabled, the IP address obtained and the MAC address of the client are recorded under the corresponding interface. This record is the basis for another technology, ARP inspection, which detects ARP requests and blocks invalid ones. The table built by DHCP snooping serves as the legal reference: it is created when the DHCP server responds normally and therefore contains the correct ARP information. If ARP attack traffic appears at that point, ARP inspection can intercept the illegal ARP packets. In practice this method also prevents users from arbitrarily changing their IP addresses, which would otherwise lead to address conflicts and similar problems.
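As an added illustration (not part of the original post) of how both IPSG (section IV) and DAI consume the DHCP snooping binding table, the model below learns bindings only from server replies that enter through a trusted port and then applies the IPSG check to IP packets and the DAI check to ARP packets on untrusted ports. Port f0/24 as the trusted uplink, and all MAC and IP values, are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

class SnoopingTable:
    """Binding table as built by DHCP snooping: one entry per (VLAN, port, client MAC)."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}

    def learn_from_ack(self, ingress_port, client_port, vlan, mac, ip):
        # A DHCP ACK creates a binding only if it entered via a trusted port; a reply
        # from a rogue server on an untrusted access port is dropped and learns nothing.
        if ingress_port not in self.trusted:
            return False
        self.bindings[(vlan, client_port, mac)] = Binding(mac, ip, vlan, client_port)
        return True

    def ipsg_permits(self, port, vlan, src_mac, src_ip):
        """IP Source Guard (ip verify source port-security): the source IP and MAC of an
        IP packet on an untrusted port must match a binding learned on that port."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, port, src_mac))
        return b is not None and b.ip == src_ip

    def dai_permits(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP Inspection: the sender MAC/IP pair in an ARP packet on an
        untrusted port must match a binding; trusted ports are not inspected."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, port, sender_mac))
        return b is not None and b.ip == sender_ip

def demo():
    # Constructed scenario: f0/24 is assumed to be the uplink toward the real DHCP server.
    table = SnoopingTable(trusted_ports={"f0/24"})
    client = "00:0a:aa:aa:aa:aa"
    return {
        "real_ack_learned": table.learn_from_ack("f0/24", "f0/21", 10, client, "172.16.1.10"),
        "rogue_ack_learned": table.learn_from_ack("f0/22", "f0/21", 10, client, "172.16.1.99"),
        "valid_ip": table.ipsg_permits("f0/21", 10, client, "172.16.1.10"),
        "spoofed_ip": table.ipsg_permits("f0/21", 10, client, "172.16.1.1"),
        "valid_arp": table.dai_permits("f0/21", 10, client, "172.16.1.10"),
        "arp_claims_gateway": table.dai_permits("f0/21", 10, client, "172.16.1.254"),
        "arp_on_trusted": table.dai_permits("f0/24", 10, "00:0a:bb:bb:bb:bb", "172.16.1.254"),
    }
```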
1. Configure the protection functions on SW1
SW1(config)# ip dhcp snooping // enable DHCP Snooping
SW1(config)# ip dhcp snooping information option // enable option 82
SW1(config)# ip dhcp snooping vlan 10,20 // VLANs on which DHCP snooping listens
SW1(config)# ip dhcp snooping database flash:dhcp.db // save the DHCP snooping binding table to dhcp.db
SW1(config)# ip dhcp snooping verify mac-address // check that the client hardware address in a DHCP packet matches its source MAC
SW1(config)# interface f0/21
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# ip verify source port-security // IPSG: check source IP and MAC against the binding table
SW1(config)# interface f0/23
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# ip verify source port-security
Optional: SW1(config)# ip source binding 255..0000.0001 vlan 10 172.16.1.1 interface f0/2 // static IP source binding
Optional: SW1(config)# ip source binding 255..0000.0002 vlan 20 172.16.2.1 interface f0/1
SW1(config)# ip arp inspection vlan 10,20 // ARP inspection on VLAN 10 and VLAN 20
SW1(config)# ip arp inspection validate src-mac dst-mac ip // additionally validate source MAC, destination MAC and IP addresses
// Configure the DHCP server
The DHCP server is implemented on a router.
Router(config)# ip dhcp pool vlan10 // define the address pool
Router(dhcp-config)# network 172.16.1.0 255.255.255.0 // define the network segment and address range used by the pool
Router(dhcp-config)# default-router 172.16.1.254 // define the clients' default gateway
Router(dhcp-config)# dns-server 218.108.248.200 // define the clients' DNS server
Router(dhcp-config)# exit
Router(config)# ip dhcp pool vlan20
Router(dhcp-config)# network 172.16.2.0 255.255.255.0
Router(dhcp-config)# default-router 172.16.2.254
Router(dhcp-config)# dns-server 218.108.248.200
Router(dhcp-config)# exit
Router(config)# ip dhcp excluded-address 172.16.1.100 172.16.1.254 // reserve this address range (not assigned to clients)
Router(config)# ip dhcp excluded-address 172.16.2.100 172.16.2.254
Router(config)# interface e0/0
Router(config-if)# ip address 172.16.3.1 255.255.255.0
Router(config-if)# no shutdown
Configuration on the switch
SW1(config)# interface vlan 10
SW1(config-if)# ip address 172.16.1.254 255.255.255.0
SW1(config-if)# ip helper-address 172.16.3.1 // relay client DHCP broadcasts to the DHCP server as unicast
SW1(config-if)# interface vlan 20
SW1(config-if)# ip address 172.16.2.254 255.255.255.0
SW1(config-if)# ip helper-address 172.16.3.1