Test Summary of DHCP Threats and ARP Spoofing

Source: Internet
Author: User
Tags: cisco switch

1. Rogue DHCP server. DHCP works roughly as follows: the client broadcasts a DHCP DISCOVER; a DHCP server on the segment answers with a DHCP OFFER; the client then sends a DHCP REQUEST declaring the IP address it intends to use; and the server replies with an ACK telling the client that the address may be used. To block a rogue DHCP server, enable DHCP snooping on the switch. Any untrusted port (a trusted port is one that leads to the DHCP server and must be configured explicitly) will have DHCP OFFER messages that arrive on it discarded, which defeats the rogue server.

On a Cisco switch, enable ip dhcp snooping globally, then use ip dhcp snooping vlan 2 to apply snooping in VLAN 2. All ports are then untrusted, and DHCP OFFER packets arriving on them are dropped. If the DHCP service is provided by a layer-3 switch, all that is needed beyond this is to configure a trusted port separately. To configure a trusted port, run ip dhcp snooping trust on the physical interface.

Remember: the access-layer switch must support DHCP snooping. The trusted port is configured on the physical port (including the trunk uplink port).

2. DHCP DoS attacks. The attacker mainly forges a large number of MAC addresses and requests addresses from the server, exhausting the DHCP server's address pool and so denying service to everyone else. Two countermeasures are generally used, but neither is very practical. The first is to specify a set of valid MAC addresses for the switch port, so that only hosts in that set can forward through it; you can also cap the maximum number of MAC addresses per port. The client then cannot forge MAC addresses to request IP addresses. On a Cisco switch this is done with switchport port-security mac-address on the physical port. This method is heavy-handed and cannot meet mobility requirements. The other method is to integrate with an authentication system: the system first authenticates the MAC address, and only a valid MAC is allowed to receive an address from the DHCP server. This mainly uses the 802.1X authentication protocol together with a RADIUS authentication server.

3. Sometimes hosts are not allowed to reach the Internet with a manually set IP address; that is, they must obtain their address dynamically to get out. This approach is relatively simple and needs no configuration on the access layer (DHCP snooping is not required there). Only the following commands are needed on the layer-3 switch.

ip arp inspection vlan 500 // enable ARP inspection in VLAN 500

ip arp inspection validate src-mac dst-mac ip // an ARP packet is valid only when its source MAC, destination MAC and IP addresses are all correct

DHCP snooping must also be enabled on the layer-3 switch for VLAN 500 (ip dhcp snooping vlan 500), because ARP inspection makes its decision from the DHCP snooping binding table. A host that sets its IP address manually instead of obtaining it automatically is never recorded by DHCP snooping, so all ARP requests from that IP are rejected by the gateway (its source MAC, destination MAC and IP do not match any binding, so they are naturally treated as illegal ARP requests). A host with a fixed IP address can still communicate with other machines in the LAN, but it cannot learn the gateway's MAC address through ARP.

Note: in all of the above, the DHCP servers run on layer-3 switches.
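The following is an added example, not code from the original post or from any switch vendor: a small Python model of what items 1 to 3 describe, namely a DHCP snooping switch that drops server messages on untrusted ports, learns (port, MAC) to IP bindings from ACKs, caps MAC addresses per port, and then uses those bindings for dynamic ARP inspection. Port names, MAC addresses and IP addresses are constructed.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK"}   # only a DHCP server legitimately sends these


@dataclass
class SnoopingSwitch:
    trusted: set                    # ports that lead to the real DHCP server
    max_macs: int = 3               # per-port MAC limit (the port-security idea in item 2)
    client_port: dict = field(default_factory=dict)   # client MAC -> access port
    bindings: dict = field(default_factory=dict)      # (port, mac) -> leased IP
    dropped: list = field(default_factory=list)

    def dhcp(self, port, msg, client_mac, yiaddr=None):
        """Apply the snooping rule to one DHCP message arriving on `port`."""
        if msg in SERVER_MESSAGES:
            if port not in self.trusted:          # rogue server on an access port
                self.dropped.append((port, msg))
                return False
            if msg == "ACK" and client_mac in self.client_port:
                # the lease is confirmed: record it against the client's own port
                self.bindings[(self.client_port[client_mac], client_mac)] = yiaddr
            return True
        # DISCOVER/REQUEST from a client: enforce the per-port MAC limit, then
        # remember which port the client lives on
        macs_here = {m for m, p in self.client_port.items() if p == port}
        if client_mac not in macs_here and len(macs_here) >= self.max_macs:
            self.dropped.append((port, msg))      # address-pool exhaustion attempt
            return False
        self.client_port[client_mac] = port
        return True

    def arp(self, port, sender_mac, sender_ip):
        """DAI: an ARP packet from an untrusted port is valid only if its sender
        MAC/IP pair matches the binding learned on that port. A host with a
        manually set IP has no binding, so its ARP is rejected, as item 3 says."""
        if port in self.trusted:
            return True
        return self.bindings.get((port, sender_mac)) == sender_ip
```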

4. ARP spoofing. There are two scenarios: forging the gateway to spoof the other hosts in the network, or forging other hosts to spoof the gateway. More serious is when both happen at once and forwarding is enabled: that is a man-in-the-middle attack (both sides are spoofed) that allows packet sniffing (proxy ARP works in a similar way; many billing gateways and some transparent firewalls rely on proxy ARP). In a sense, ARP spoofing is a form of proxy ARP.

The vendor of the dedicated access-layer switch used here (commands shown below) relies on an ACL to stop clients from impersonating the gateway. The ACL prevents a port from sending ARP reply packets that announce the gateway address, which effectively prevents a spoofed gateway from fooling the other hosts.

(Config)# access-list 1101 deny any untagged-eth2 12 2 0806 20 2 0002 28 4 C0A80001

The ACL is read as follows: bytes 13-14 of the frame (offset 12, length 2) carry the EtherType 0806, i.e. ARP; bytes 21-22 (offset 20, length 2) carry the ARP opcode, where 0002 is an ARP reply; bytes 29-32 (offset 28, length 4) carry the gateway IP address in hexadecimal (C0A80001 = 192.168.0.1).

Step 2: apply the ACL

(Config)# firewall enable

(Config)# int e 0/0/1-24 // apply the ACL on all ports

(Int)# mac access-group 1101 in traffic-statistic

Of course, if you know which IP address belongs to a specific port, it is best to restrict that port to sending ARP replies only for that IP address. This eliminates ARP spoofing completely, but it is obviously far less practical to operate.
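As an added example (not from the original post or the switch vendor), here is the byte-offset match that ACL 1101 expresses, written in Python against a raw Ethernet/ARP frame: EtherType at offset 12, ARP opcode at offset 20, sender IP at offset 28, with 192.168.0.1 taken from the C0A80001 in the ACL. The frame builder and MAC addresses are constructed test input.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806       # bytes 12-13 of the frame (ACL: "12 2 0806")
ARP_REPLY = 2                # bytes 20-21, ARP opcode   (ACL: "20 2 0002")
GATEWAY_IP = "192.168.0.1"   # bytes 28-31, sender IP    (ACL: "28 4 C0A80001")


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) or None if not a full ARP frame."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    opcode = struct.unpack_from("!H", frame, 20)[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = str(ipaddress.IPv4Address(frame[28:32]))
    return opcode, sender_mac, sender_ip


def acl_1101_denies(frame: bytes, gateway_ip: str = GATEWAY_IP) -> bool:
    """True when the frame is an ARP reply whose sender IP is the gateway,
    i.e. exactly what the deny rule matches on an access port."""
    parsed = parse_arp(frame)
    if parsed is None:
        return False
    opcode, _, sender_ip = parsed
    return opcode == ARP_REPLY and sender_ip == gateway_ip


def make_test_frame(opcode, sender_mac, sender_ip, target_ip):
    """Build a minimal 42-byte Ethernet+ARP frame (constructed test input)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + smac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)   # htype, ptype, hlen, plen, oper
           + smac + ipaddress.IPv4Address(sender_ip).packed
           + b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed)
    return eth + arp
```

The rule also matches the genuine gateway's own replies, so it belongs on client-facing ports only, never on the uplink toward the gateway.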

Another way to prevent ARP spoofing is to bind the gateway's MAC statically on each host and to bind IP + MAC statically on the gateway. This method is inferior to the previous one, however: it cannot prevent ARP spoofing between hosts inside the LAN.

If dynamic IP address acquisition is used, this vendor's switch has a new feature that fully controls ARP spoofing. It prevents access hosts from impersonating the gateway and from impersonating other users. Management complexity is low, the switch configuration is simple and basically never needs changing, mobile access is supported, and the switch automatically detects where a user is connected and forwards the user's data correctly:

ip dhcp snooping enable

ip dhcp snooping binding enable

interface Ethernet0/0/1

ip dhcp snooping binding user-control

!

interface Ethernet0/0/2

ip dhcp snooping binding user-control

For a host with a static IP address, bind IP address + MAC + port:

am enable

interface Ethernet0/0/1

am port

am mac-ip-pool 00-1C-23-06-0D-B9 10.10.1.90

Back to Cisco switches. In the common case where hosts obtain IP addresses dynamically, configure ip dhcp snooping first and then ip arp inspection. A client then cannot impersonate other hosts or the gateway, because its forged ARP replies are illegal from the gateway's point of view and are rejected. As for guarding against a forged gateway, the only option is to statically bind the ARP cache on your hosts.

1. Preventing ARP scanning. In some cases this also blocks ARP spoofing. The principle is to limit the number of ARP packets accepted per physical port: the ip arp inspection limit rate command on the physical port limits how many ARP packets per second are allowed.

2. Preventing forged MAC addresses. If a switch's MAC address table is flooded, performance suffers, and in severe cases the switch crashes because CAM storage is limited. This kind of protection therefore limits the number of MAC addresses per port. Against the forgery itself, port-security is the only choice, even though it cannot meet mobility requirements.

Currently the main switch is a Cisco, while the access layer is a mix of brands of uneven quality. Users obtain their IP addresses automatically from the Cisco layer-3 switch to access the Internet, so I think it is best to enable DHCP snooping and ARP inspection on the Cisco switch to prevent ARP spoofing as far as possible; hosts still have to bind the gateway's MAC address. To prevent ARP spoofing and rogue DHCP servers effectively, the access-layer switches must be upgraded.

This article is from the "Orange3 technology blog"