Thursday 21 October 2021

What is DHCP Snooping? What is Man in the Middle attack? How to configure DHCP Snooping security?


DHCP (Dynamic Host Configuration Protocol) servers provide all the basic information a client needs to operate on the network: DNS server address, default gateway, IP address, subnet mask, and more.


Imagine an attacker brings a rogue DHCP server machine onto the same subnet as the other PCs on the network. What happens now? A PC broadcasts a DHCP request, and the attacker's machine may answer with a DHCP reply that advertises its own IP address as the default gateway.





When the client accepts the reply from the attacker's machine, it starts using the spoofed gateway address, so all of its packets pass through the attacker's machine first. The attacker may well forward the packets on to the correct destination, but in the meantime it can examine every one of them. This is a man-in-the-middle attack, and the innocent client does not even realise it.





Cisco switches use the DHCP snooping feature to prevent this type of attack. With DHCP snooping enabled, each switch port is either trusted or untrusted: the legitimate DHCP server sits behind a trusted port, and every other port is untrusted for DHCP server traffic. When a DHCP server reply arrives on an untrusted port, the switch discards it before it can flood the VLAN, and it also puts that untrusted port into the err-disabled state automatically. DHCP snooping also keeps track of the complete DHCP bindings (client MAC address, assigned IP address, lease, VLAN and port).
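To make the trusted/untrusted rule and the binding table concrete, here is an added Python model of the snooping decision; it is example code written for this post, not Cisco's implementation and not part of the original page. It assumes the post's topology: the real DHCP server on FastEthernet0/1 (trusted), PC 1 on FastEthernet1/1, and the rogue server on an assumed untrusted port FastEthernet4/1; the server and rogue MAC addresses are constructed.

```python
from dataclasses import dataclass, field

DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # DHCP message types (option 53)
SERVER_MESSAGES = {OFFER, ACK, NAK}                 # only a DHCP server sends these


@dataclass
class DhcpMessage:
    msg_type: int
    src_mac: str              # Ethernet source address of the frame
    chaddr: str               # client hardware address field inside DHCP
    port: str                 # switch port the frame arrived on
    vlan: int
    yiaddr: str = "0.0.0.0"   # address handed out (OFFER/ACK only)
    lease: int = 0            # lease time in seconds (option 51)


@dataclass
class DhcpSnooping:
    vlans: set                                        # VLANs with snooping on
    trusted: set                                      # trusted ports
    client_port: dict = field(default_factory=dict)   # chaddr -> client's port
    bindings: dict = field(default_factory=dict)      # chaddr -> binding row

    def process(self, m: DhcpMessage) -> str:
        """Apply the snooping rules to one message; return 'forward' or 'drop'."""
        if m.vlan not in self.vlans:
            return "forward"                  # snooping not enabled on this VLAN
        if m.port in self.trusted:
            if m.msg_type == ACK and m.chaddr in self.client_port:
                self.bindings[m.chaddr] = {   # legitimate lease: record binding
                    "ip": m.yiaddr, "lease": m.lease, "vlan": m.vlan,
                    "interface": self.client_port[m.chaddr]}
            return "forward"
        if m.msg_type in SERVER_MESSAGES:
            return "drop"                     # server reply on untrusted port
        if m.src_mac != m.chaddr:
            return "drop"                     # hwaddr verification failed
        self.client_port[m.chaddr] = m.port   # remember where the client sits
        return "forward"


def demo():
    """Constructed exchange: server on Fa0/1 (trusted), PC 1 on Fa1/1, rogue on Fa4/1 (assumed)."""
    sw = DhcpSnooping(vlans={1}, trusted={"FastEthernet0/1"})
    pc, srv, rogue = "00:0B:BE:81:0D:D7", "00:11:11:11:11:11", "00:22:22:22:22:22"
    msgs = [DhcpMessage(DISCOVER, pc, pc, "FastEthernet1/1", 1),
            DhcpMessage(OFFER, rogue, pc, "FastEthernet4/1", 1, "192.168.10.2", 86400),
            DhcpMessage(OFFER, srv, pc, "FastEthernet0/1", 1, "10.0.0.5", 86400),
            DhcpMessage(REQUEST, pc, pc, "FastEthernet1/1", 1),
            DhcpMessage(ACK, srv, pc, "FastEthernet0/1", 1, "10.0.0.5", 86400)]
    return [sw.process(m) for m in msgs], sw.bindings
```

The rogue OFFER is the only message dropped, and the binding row produced matches the shape of the show ip dhcp snooping binding output later in the post.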


Let's see how the rogue DHCP server attack plays out in the lab and how to prevent it.


Topology: Cisco Packet Tracer

Goal:

  • configure the topology as per the diagram in Cisco Packet Tracer
  • configure an IP address on router 1
  • configure a DHCP server on router 1
  • make sure all our clients get the basic information: IP address, subnet mask, default gateway, and DNS address
  • configure the attacker machine as a DHCP server
  • switch our client (PC) from STATIC to DHCP again and verify whether the basic information has changed (ipconfig /all)
  • now configure our switch to prevent the attacker with DHCP SNOOPING
  • after the attack has been prevented, switch our PC from static to DHCP again and verify



  • configure an IP address and a DHCP server on router 1

Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 10.0.0.1 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit

Router(config)#ip dhcp pool SERVER
Router(dhcp-config)#network 10.0.0.0 255.255.255.0
Router(dhcp-config)#default-router 10.0.0.1
Router(dhcp-config)#dns-server 10.0.0.80
Router(dhcp-config)#exit

Router(config)#ip dhcp excluded-address 10.0.0.1
Router(config)#ip dhcp excluded-address 10.0.0.80
Router(config)#exit



  • make sure all our clients get the basic information: IP address, subnet mask, default gateway and DNS address





(FROM PC 1)

Packet Tracer PC Command Line 1.0
C:\>ipconfig /all

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:
Physical Address................: 000B.BE81.0DD7
Link-local IPv6 Address.........: FE80::20B:BEFF:FE81:DD7
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D6-19-05-C4-00-0B-BE-81-0D-D7

Bluetooth Connection:


(FROM PC 2)

Packet Tracer PC Command Line 1.0
C:\>ipconfig /all

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:
Physical Address................: 000B.BE81.0DD7
Link-local IPv6 Address.........: FE80::20B:BEFF:FE81:DD7
IP Address......................: 10.0.0.2
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D6-19-05-C4-00-0B-BE-81-0D-D7

Bluetooth Connection:




(FROM PC 3)

Packet Tracer PC Command Line 1.0
C:\>ipconfig /all

FastEthernet0 Connection:(default port)

Connection-specific DNS Suffix..:
Physical Address................: 0060.472C.94D8
Link-local IPv6 Address.........: FE80::260:47FF:FE2C:94D8
IP Address......................: 10.0.0.4
Subnet Mask.....................: 255.255.255.0
Default Gateway.................: 10.0.0.1
DNS Servers.....................: 10.0.0.80
DHCP Servers....................: 10.0.0.1
DHCPv6 Client DUID..............: 00-01-00-01-D9-76-38-6D-00-60-47-2C-94-D8





  • configure the attacker machine as a DHCP server

ATTACKER(config)#interface gigabitEthernet 0/0
ATTACKER(config-if)#ip address 192.168.10.1 255.255.255.0
ATTACKER(config-if)#no shutdown
ATTACKER(config-if)#exit

ATTACKER(config)#ip dhcp pool MIB
ATTACKER(dhcp-config)#network 192.168.10.0 255.255.255.0
ATTACKER(dhcp-config)#default-router 192.168.10.1
ATTACKER(dhcp-config)#dns-server 192.168.10.80
ATTACKER(dhcp-config)#exit

ATTACKER(config)#ip dhcp excluded-address 192.168.10.1
ATTACKER(config)#ip dhcp excluded-address 192.168.10.80
ATTACKER(config)#exit



  • switch our client (PC) from STATIC to DHCP again and verify whether the basic information has changed (ipconfig /all)

FROM PC 1
ATTACKER GOT PC 1

FROM PC 2
ATTACKER GOT PC 2 TOO

FROM PC 3
ATTACKER GOT ALL OUR PCs


  • now configure our switch to prevent the attacker with DHCP SNOOPING

Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 1

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit

With snooping enabled, the switch inserts DHCP option 82 into the client requests it forwards (see "Insertion of option 82 is enabled" in the show output further down). An IOS DHCP server drops such packets when they arrive with an empty relay address (giaddr 0.0.0.0) unless it is told to trust them, so the router needs one more command:

Router(config)#ip dhcp relay information trust-all
Router(config)#exit



  • after the attack has been prevented, switch our PC from static to DHCP again and verify

from router 1

from router 2

from router 3



Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet1/1            no         unlimited
FastEthernet2/1            no         unlimited
FastEthernet3/1            no         unlimited
FastEthernet0/1            yes        unlimited



 

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  -----------------
00:0B:BE:81:0D:D7   10.0.0.5         86400       dhcp-snooping  1     FastEthernet1/1
00:D0:97:B1:1E:E3   10.0.0.3         86400       dhcp-snooping  1     FastEthernet2/1
00:60:47:2C:94:D8   10.0.0.4         86400       dhcp-snooping  1     FastEthernet3/1
Total number of bindings: 3



3 comments:

Anonymous said...

Very Useful Information!!
Thanks

Anonymous said...

Great information

Anonymous said...

Excellent explanation of IP snooping. Thanks a lot.
