Dhcp Attacks - Avaya ERS 5510 Technical Configuration Manual

Filters and QoS Configuration for Ethernet Routing Switch 5500, Technical Configuration Guide (January 2013), avaya.com

10.2 DHCP Attacks

There are two types of attacks that can occur with DHCP:

An attacker could request multiple IP addresses from a DHCP server by spoofing its source MAC address. This can be achieved by using a tool such as gobbler: http://www.networkpenetration.com/downloads.html. If the attack is successful, all leases on the DHCP server will be exhausted.

The second method is where the network attacker sets up a rogue DHCP server and responds to new DHCP requests from clients on the network. The attacker's DHCP server could be set up to send DHCP responses using its own address for the default gateway and DNS server. This would allow the attacker to sniff the client's traffic, enabling a "man-in-the-middle" attack.

Figure 4: DHCP Attack Example

The Ethernet Routing Switch 5500 offers the following solutions to overcome the issues raised above.

DHCP Snooping

The DHCP Snooping QoS Application operates by classifying ports as access (untrusted) and core (trusted) and only allowing DHCP requests (client-originated messages such as DISCOVER and REQUEST) in from the access ports. All other types of DHCP messages received on access ports, in particular server replies (OFFER, ACK, NAK), are discarded. This prevents rogue DHCP servers set up by attackers on access ports from generating DHCP responses that provide the rogue server's address for the default gateway and DNS server, and so helps prevent DHCP "man-in-the-middle" attacks. The user will need to specify the interface type for the ports on which they wish to enable this support.

Based on Figure 4 above, enter the following commands to enable DHCP Snooping:

5530-24TFD(config)# interface fastEthernet all
5530-24TFD(config-if)# qos dhcp snooping port 1-10 interface-type access
5530-24TFD(config-if)# qos dhcp snooping port 24 interface-type core

DHCP Spoofing

Another method that is used to combat rogue DHCP servers is to restrict traffic destined for a client's DHCP port (UDP port 68) to that which originated from a known DHCP server's IP address. Note that this check keys on the source IP address alone: a rogue server that forges the valid server's IP address is not caught by it, so it is best used together with DHCP Snooping, which filters on message direction rather than on address.

The DHCP Spoofing QoS Application will require the identification of the valid DHCP server address and the ports on which the DHCP Spoofing support should be applied. This will cause two policies to be installed on these interfaces to perform the following operations:
1. Pass DHCP traffic originated by the valid DHCP server.
2. Drop DHCP traffic originated by all other hosts.

Based on the diagram above, enter the following commands to enable DHCP Spoofing:
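The switch CLI for DHCP Spoofing is not on this page. What follows is an added Python model, written for this edit and not taken from the Avaya guide or the switch firmware, of the two policies the section describes (DHCP Snooping: drop server replies arriving on access ports; DHCP Spoofing: pass traffic to UDP/68 only from the configured server IP), plus a detector for the gobbler-style lease-exhaustion attack from the first paragraph. The port roles (1-10 access, 24 core) follow the snooping commands above; the server address 10.1.1.1, the client MAC, the frame contents and all function names are assumptions made for the example.

```python
# Added example, not from the Avaya guide: a model of the two DHCP QoS policies
# described above plus a detector for the lease-exhaustion (gobbler) attack.
# Ports, addresses and every frame below are constructed test data.
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2               # BOOTP 'op' field (RFC 2131)
CLIENT_PORT, SERVER_PORT = 68, 67           # DHCP UDP ports
DISCOVER, OFFER = 1, 2                      # option 53 message types used here
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie
HEADER_LEN = 236                            # fixed BOOTP header length


@dataclass
class Frame:
    """Only the fields a switch classifier looks at for these policies."""
    in_port: int
    src_ip: str
    src_udp: int
    dst_udp: int
    payload: bytes


def build_dhcp(op: int, chaddr: str, msg_type: int, xid: int = 0x1234ABCD) -> bytes:
    """Build a minimal BOOTP/DHCP payload carrying only the message-type option."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    hdr = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, msg_type]) + b"\xff"


def is_dhcp(f: Frame) -> bool:
    ports = (CLIENT_PORT, SERVER_PORT)
    return (f.src_udp in ports and f.dst_udp in ports
            and f.payload[HEADER_LEN:HEADER_LEN + 4] == MAGIC)


def dhcp_fields(payload: bytes) -> Tuple[int, str, Optional[int]]:
    """Return (op, chaddr, message type); message type is None if option 53 is absent."""
    op, hlen = payload[0], payload[2]
    chaddr = payload[28:28 + hlen].hex(":")
    msg_type: Optional[int] = None
    i = HEADER_LEN + 4
    while i < len(payload) and payload[i] != 0xFF:   # walk TLV options until 'end'
        if payload[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:
            msg_type = payload[i + 2]
        i += 2 + length
    return op, chaddr, msg_type


def dhcp_snooping(f: Frame, access_ports: Set[int]) -> str:
    """Snooping: on access (untrusted) ports only client requests (op == BOOTREQUEST)
    pass; a server reply (OFFER/ACK/NAK) on an access port is dropped. Core ports are not filtered."""
    if f.in_port not in access_ports or not is_dhcp(f):
        return "pass"
    return "pass" if dhcp_fields(f.payload)[0] == BOOTREQUEST else "drop"


def dhcp_spoofing(f: Frame, spoofing_ports: Set[int], server_ip: str) -> str:
    """Spoofing: on the listed ports, traffic to UDP/68 passes only from the configured
    server IP. It keys on source IP alone, so a rogue server forging that IP gets through."""
    if f.in_port not in spoofing_ports or f.dst_udp != CLIENT_PORT:
        return "pass"
    return "pass" if f.src_ip == server_ip else "drop"


def classify(f: Frame, access_ports: Set[int], spoofing_ports: Set[int], server_ip: str) -> str:
    """Apply both policies as the switch would; a drop by either wins."""
    if dhcp_snooping(f, access_ports) == "drop":
        return "drop"
    return dhcp_spoofing(f, spoofing_ports, server_ip)


def starvation_suspects(frames: Iterable[Frame], threshold: int) -> Dict[int, int]:
    """Exhaustion indicator: distinct chaddrs sending DISCOVER per ingress port. One port
    sourcing many chaddrs is the gobbler signature. Returns {port: count} at/over threshold."""
    seen: Dict[int, Set[str]] = defaultdict(set)
    for f in frames:
        if is_dhcp(f):
            op, chaddr, mtype = dhcp_fields(f.payload)
            if op == BOOTREQUEST and mtype == DISCOVER:
                seen[f.in_port].add(chaddr)
    return {p: len(m) for p, m in seen.items() if len(m) >= threshold}


# Constructed traffic matching the figure's port roles: 1-10 access, 24 core.
# The valid server address 10.1.1.1 is assumed; the page does not state it.
ACCESS, SERVER, CLIENT = set(range(1, 11)), "10.1.1.1", "00:11:22:33:44:55"
SAMPLE = [
    Frame(3, "0.0.0.0", 68, 67, build_dhcp(BOOTREQUEST, CLIENT, DISCOVER)),  # client on port 3
    Frame(24, SERVER, 67, 68, build_dhcp(BOOTREPLY, CLIENT, OFFER)),         # real server, core
    Frame(7, "10.1.1.99", 67, 68, build_dhcp(BOOTREPLY, CLIENT, OFFER)),     # rogue server, access
] + [Frame(5, "0.0.0.0", 68, 67, build_dhcp(BOOTREQUEST, f"de:ad:be:ef:00:{i:02x}", DISCOVER))
     for i in range(10)]                                                     # gobbler on port 5


def run_sample() -> Tuple[list, Dict[int, int]]:
    decisions = [classify(f, ACCESS, ACCESS, SERVER) for f in SAMPLE[:3]]
    return decisions, starvation_suspects(SAMPLE, threshold=5)


if __name__ == "__main__":
    print(run_sample())   # (['pass', 'pass', 'drop'], {5: 10})
```

Running the block classifies the client DISCOVER and the real server's OFFER on the core port as pass and the rogue OFFER on access port 7 as drop, and flags port 5 for sourcing ten distinct client MACs. The two policies fail differently: if the rogue server forges 10.1.1.1 as its source address, dhcp_spoofing passes the frame, while dhcp_snooping still drops it because an OFFER can never legitimately enter on an access port; that is the reason to enable both.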
